Solved CVE-2014-9295 (ntp)

Can someone shed some light on some discrepancies in the mitigation paths for CVE-2014-9295? While I'm sure it's best to simply upgrade NTP to an unaffected version, ntp.org states the following:

A new set of mode 6 vulnerabilities has been discovered and, while these vulnerabilities can be reduced by making sure you have restrict default … noquery in your ntp.conf file.

http://support.ntp.org/bin/view/Support/AccessRestrictions

However, the FreeBSD security advisory, FreeBSD-SA-14:31.ntp, states:

No workaround is available, but systems not running ntpd(8) are not affected.

Why doesn't the FreeBSD security advisory consider "restrict default noquery" a valid workaround for this issue?

Thank you.
 
A "can be reduced" is not the same thing as fixing the root cause. One of the issues at the NTP site does not mention "restrict default" being a valid workaround. The simplest, safest, and quickest way to get the word out is to recommend fixing the root cause of the issue. Ultimately, the FreeBSD Security Advisory is just that, an "advisory", on the safest course of action.
 