
Resolve NTP vulnerability on Airwave

Introduction: This article explains how to resolve the NTP 'monlist' vulnerability (CVE-2013-5211) that a Nessus scan reports against AirWave.

 

Configuration Steps: A Nessus scan against AirWave may report the following finding.

Synopsis
The remote network time service could be used for network reconnaissance or abused in a distributed denial of service attack.

Description
The version of ntpd on the remote host has the 'monlist' command enabled. This command returns a list of recent
hosts that have connected to the service. As such, it can be used for network reconnaissance or, along with a spoofed
source IP, a distributed denial of service attack.

See Also
http://bugs.ntp.org/show_bug.cgi?id=1532
https://isc.sans.edu/diary/NTP+reflection+attack/17300

Solution
If using NTP from the Network Time Protocol Project, either upgrade to NTP 4.2.7-p26 or later, or add 'disable monitor' to the 'ntp.conf' configuration file and restart the service. Otherwise, contact the vendor.

Risk Factor
Medium
CVSS Base Score
5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score
4.3 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
References
BID 64692
CVE CVE-2013-5211
XREF OSVDB:101576
XREF CERT:348126
Plugin Information:
Publication date: 2014/01/02, Modification date: 2014/01/13

Ports
udp/123
Nessus was able to retrieve the following list of recent hosts to
connect to this NTP server


How can we fix this?

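Log in to the AirWave CLI as root and add the following line to /etc/ntp.conf. The noquery flag makes ntpd ignore ntpq and ntpdc queries, which include monlist; time service itself is not affected: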
 
  restrict default noquery
 
Then restart ntpd so the change takes effect (service ntpd restart).
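
To confirm the change is in place, the following added example (not part of the original article) audits an ntp.conf for the two mitigations named above: 'restrict default noquery' and 'disable monitor'. The function name check_ntp_conf and the sample configurations are assumptions constructed for illustration; the check reads the configuration only and does not know the installed ntpd version.

```shell
#!/bin/sh
# Added example (not from the original article): audit an ntp.conf for the
# two monlist mitigations named on this page. Reads config only; it does not
# know the ntpd version. check_ntp_conf is a hypothetical helper name.
# Usage: check_ntp_conf /etc/ntp.conf   (or "-" to read stdin)
# Returns 0 if mitigated, 1 if not.
check_ntp_conf() {
    awk '
        { sub(/#.*/, "") }            # strip comments
        NF == 0 { next }              # skip blank lines
        $1 == "disable" {
            for (i = 2; i <= NF; i++) if ($i == "monitor") dis = 1
        }
        $1 == "restrict" {
            is_default = 0; locked = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "default") is_default = 1
                if ($i == "noquery" || $i == "ignore") locked = 1
                # ntpd docs: monitoring stays active while any restrict
                # entry carries "limited", so "disable monitor" is not
                # counted as a fix in that case.
                if ($i == "limited") limited = 1
            }
            if (is_default) { defaults++; if (!locked) unlocked++ }
        }
        END {
            if (defaults > 0 && unlocked == 0) {
                print "OK: every restrict default line has noquery/ignore"; exit 0
            }
            if (dis && !limited) { print "OK: disable monitor is set"; exit 0 }
            print "NOT MITIGATED: add \"restrict default noquery\" and restart ntpd"
            exit 1
        }
    ' "${1:--}"
}

# Constructed sample 1: default restriction without noquery -> NOT MITIGATED
check_ntp_conf - <<'EOF' || true
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
EOF

# Constructed sample 2: the line from this article -> OK
check_ntp_conf - <<'EOF'
restrict default noquery
restrict 127.0.0.1
EOF
```

On the AirWave server, run check_ntp_conf /etc/ntp.conf after editing the file, then re-run the Nessus scan to confirm the finding has cleared.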

 

Version History
Revision #: 1 of 1
Last update: 07-04-2014 03:07 AM