[system-administrators-guide] noquery access option: add warning and link to CVE

stephenw stephenw at fedoraproject.org
Thu Jul 31 10:39:00 UTC 2014


commit 786d45d9bb57db9edb2f9511498a7aa3a361baae
Author: Stephen Wadeley <swadeley at redhat.com>
Date:   Thu Jul 31 11:48:32 2014 +0200

    noquery access option: add warning and link to CVE

 en-US/Configuring_NTP_Using_ntpd.xml |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)
---
diff --git a/en-US/Configuring_NTP_Using_ntpd.xml b/en-US/Configuring_NTP_Using_ntpd.xml
index 1246238..eced2f9 100644
--- a/en-US/Configuring_NTP_Using_ntpd.xml
+++ b/en-US/Configuring_NTP_Using_ntpd.xml
@@ -216,7 +216,7 @@ The <option>kod</option> option means a <quote>Kiss-o'-death</quote> packet is t
 The <option>nomodify</option> options prevents any changes to the configuration.
 The <option>notrap</option> option prevents <systemitem class="protocol">ntpdc</systemitem> control message protocol traps.
 The <option>nopeer</option> option prevents a peer association being formed.
-The <option>noquery</option> option prevents <systemitem class="protocol">ntpq</systemitem> and <systemitem class="protocol">ntpdc</systemitem> queries, but not time queries, from being answered.
+The <option>noquery</option> option prevents <systemitem class="protocol">ntpq</systemitem> and <systemitem class="protocol">ntpdc</systemitem> queries, but not time queries, from being answered. The <systemitem class="protocol">ntpq</systemitem> and <systemitem class="protocol">ntpdc</systemitem> queries can be used in amplification attacks (see <ulink url="https://access.redhat.com/security/cve/CVE-2013-5211"><citetitle pubwork="webpage">CVE-2013-5211</citetitle></ulink> for more details), do not remove the <option>noquery</option> option from the <command>restrict default</command> command on publicly accessible systems.
    </para>
       <para>
         Addresses within the range <systemitem class="ipaddress">127.0.0.0/8</systemitem> range are sometimes required by various processes or applications. As the "restrict default" line above prevents access to everything not explicitly allowed, access to the standard loopback address for <systemitem class="protocol">IPv4</systemitem> and <systemitem class="protocol">IPv6</systemitem> is permitted by means of the following lines:
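Review bot: the sentence added at line 216 is a comma splice: "(see ... for more details), do not remove the noquery option" joins two independent clauses. Split it or add a conjunction, e.g. "... for more details), so do not remove the <option>noquery</option> option from the <command>restrict default</command> command on publicly accessible systems." Since the commit message describes this as a warning, consider wrapping the advice in a DocBook admonition (<important> or <warning>) rather than appending it to the running description of the options. The pre-existing "The <option>nomodify</option> options prevents" on the first context line could also be corrected to "option prevents" while this paragraph is being touched.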
@@ -484,6 +484,9 @@ synchronised to NTP server (10.5.26.10) at stratum 2
    <para>
    To configure rate limit access to not respond at all to a query, the respective <command>restrict</command> command has to have the <option>limited</option> option. If <systemitem class="daemon">ntpd</systemitem> should reply with a <literal>KoD</literal> packet, the <command>restrict</command> command needs to have both <option>limited</option> and <option>kod</option> options.
    </para>
+   <para>
+    The <systemitem class="protocol">ntpq</systemitem> and <systemitem class="protocol">ntpdc</systemitem> queries can be used in amplification attacks (see <ulink url="https://access.redhat.com/security/cve/CVE-2013-5211"><citetitle pubwork="webpage">CVE-2013-5211</citetitle></ulink> for more details), do not remove the <option>noquery</option> option from the <command>restrict default</command> command on publicly accessible systems.
+   </para>
  </section>
 
  <section id="s2_Configure_Rate_Limiting_Access_to_an_NTP_Service">
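Review bot: this new paragraph is a verbatim copy of the sentence added at line 216 in the first hunk, and it carries the same comma splice. Keeping two identical copies invites drift the next time one is edited; either keep the advice in one place and reference it with an <xref> from the other, or reduce this one to a short pointer such as "See the <option>noquery</option> description above." Note also that the paragraph is inserted at the end of a section about rate limiting (<option>limited</option>, <option>kod</option>), where a reader looking for access-control advice is unlikely to find it, and that a plain <para> does not render as the "warning" the commit message promises; an <important> or <warning> element in the access-control section would match the intent better.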

