ntpd needs updating?

It seems the ntpd in base FreeBSD on 9.1-p9 is

Code:
ntpd --version
ntpd - NTP daemon program - Ver. 4.2.4p8

This is exploitable for DoS purposes, via the "monlist" command ntpdc -c monlist. Shouldn't ntpd be updated via freebsd-update? As a workaround, at least ntp.conf should default to:

Code:
disable monitor

Source: http://www.symantec.com/connect/blogs/h ... on-attacks etc.

/Søren Schrøder
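
A way to check whether a given ntp.conf carries the `disable monitor` workaround suggested above. This is an added example, not part of the original post or FreeBSD's own tooling; the names `monitor_state` and `sample_conf` and the sample configuration are constructed here, and a file that both enables and disables `monitor` is reported for manual review rather than assuming an evaluation order.

```shell
#!/bin/sh
# Added example (not from the thread): classify an ntp.conf read on stdin by
# whether the "disable monitor" workaround is present.

# Prints one of:
#   disabled  - a "disable" line names monitor and no "enable" line does
#   enabled   - nothing disables monitor, so the monitor facility stays on
#   conflict  - both appear; review by hand (assumption: this script does
#               not rely on the order in which ntpd applies the two lines)
monitor_state() {
    awk '
        {
            sub(/#.*/, "")                      # drop comments
            if ($1 != "enable" && $1 != "disable") next
            for (i = 2; i <= NF; i++)           # flags may share one line
                if ($i == "monitor") seen[$1] = 1
        }
        END {
            if (seen["enable"] && seen["disable"]) print "conflict"
            else if (seen["disable"])              print "disabled"
            else                                   print "enabled"
        }
    '
}

# Constructed sample configuration, not taken from a real host.
sample_conf() {
    cat <<'EOF'
server 0.freebsd.pool.ntp.org iburst
#disable monitor
disable monitor        # workaround from the thread
driftfile /var/db/ntpd.drift
EOF
}

sample_conf | monitor_state    # on a real host: monitor_state < /etc/ntp.conf
```

A result of `enabled` or `conflict` means the configuration still needs the workaround or a manual look.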
 
FreeBSD security is (of course) aware of the issue, and an advisory is about to be issued real soon now.

From secteam:
We are actively working on it. The stable branches had been updated as far as I know, the rest will go
in a Security Advisory, that will be issued as soon as possible.

Let this be a reminder: FreeBSD security is a great team, and a vital part in maintaining the world's best OS.
 