General Open NTP Vulnerability letter

UnStable · 24-08-2014, 08:44

I received this yesterday, is it a generic letter they are sending out to everyone or are they targetting people identified as having this vulnerability?
I went to the website mentioned in the letter openntpproject.org but still really have no clue what it is I'm supposed to do

Sirius · 24-08-2014, 09:54

Quote:

Originally Posted by UnStable

I received this yesterday, is it a generic letter they are sending out to everyone or are they targetting people identified as having this vulnerability?
I went to the website mentioned in the letter openntpproject.org but still really have no clue what it is I'm supposed to do

I had one of those, found out it was my clearos router that had a ntp server running. Just turned the ntp server
off and never had another letter.

General Maximus · 24-08-2014, 10:33

it is nice that VM are being proactive in their network security but I think they are digging themselves a hole.

The website they ask you to go to isn't particularly user friendly and they are sort of scaring customers into going to PC World (who are useless) and paying money to get it fixed.

UnStable · 25-08-2014, 10:13

I have a Synology NAS and in the firewall settings for that I found an option to disable NTP Service on port 123 which I've now done.
I'm assuming this is what Virgin were referring to (or at least I hope so) and no I wouldn't go near the numpties at PC World to sort something like this out they wouldn't have a clue

General Maximus · 25-08-2014, 10:24

I would love to walk in and do a survey and see if any of them actually know what ntp is.

jfish · 27-08-2014, 13:36

I assume this is sent out with the recent NTP amplification attack which generated around 400 Gbps traffic

General Maximus · 27-08-2014, 17:01

lol, you just cant imagine having that amount of bandwidth at your fingertips.

qasdfdsaq · 27-08-2014, 23:44

It's really not that exciting.

horseman · 28-08-2014, 10:00

Quote:

Originally Posted by UnStable

I have a Synology NAS and in the firewall settings for that I found an option to disable NTP Service on port 123 which I've now done. ...

What DSM version are you running? CVE-2013-5211 should have been fixed back in one of the DSM 4.3 updates and of course DSM5.0.4493 update4 is also available if your DS model is comparable?
Synology (Amazon cloudfront CDN)website appears temporarily unavailable but worth checking release notes as NTP vulnerability is one of many if you're not up-to-date!

UnStable · 30-08-2014, 08:23

Quote:

Originally Posted by horseman

What DSM version are you running?

I have been on DSM5.0.4493 for a while and updated to update4 this week so not sure what else it could be if not the Synology box?

Qtx · 30-08-2014, 12:28

Are they sending out to everyone who just has an NTP server public facing or only the ones that are actually vulnerable to the monlist type issues? It's the initial question asked in this thread but still no answered and would help everyone to know the answer.

General Maximus · 30-08-2014, 12:41

the way the VM letter is worded it sounds like they have done a port scan and/or other tests and have only sent the letter out to those who are vulnerable.

Qtx · 30-08-2014, 13:14

Quote:

Originally Posted by General Maximus

the way the VM letter is worded it sounds like they have done a port scan and/or other tests and have only sent the letter out to those who are vulnerable.

It does say vulnerable in the letter but I have seen similar letters in different arena's that have been based on nothing more than a port scan. Guess that's why i'm less trusting of these letters and on top of that, its VM

horseman · 30-08-2014, 22:21

Quote:

Originally Posted by UnStable

I have been on DSM5.0.4493 for a while and updated to update4 this week so not sure what else it could be if not the Synology box?

Same here on a DS411J and I haven't received any similar letters. The NTP reflection/amplification vulnerability was also fixed in 4.3 by Synology in March anyway.
DSM5 should already be corrected[**], so unless VM checked prior to March then you shouldn't be causing the problem from the Synology ntp server anyway[*]?

Quote:

Version: 4.3-3827 Update 1

(2014/3/18)

Change Log

Fixed a security issue related to OpenSSL (CVE-2013-4353).
Fixed security issues by upgrading PHP to version 5.3.28 (CVE-2013-4073, CVE-2013-6420).
Fixed a security issue to prevent malicious attacks via NTP service (CVE-2013-5211).

[*] You only need NTP server typically when running Surveillance station (or High Availabilty) options. Using the normal port123 to sync the NAS to an external NTP server is not the vulnerability.

[**] I SSH'd into my DSM5.0.4493-4 and checked ntpdc "monlist" which reassuringly didn't respond. However I note the build was compiled 29May2014 so perhaps if VM ran a check for open NTP servers prior to any DSM5 June build it might have flagged it?