Network Time Protocol (NTP) Mode 6 Scanner (CVE-2016-9310)

**Disclaimer**: Please note that the following actions involve making changes to your system. We provide this information for guidance purposes only. We are not responsible for any damage or loss that may occur as a result of implementing these steps. It is recommended to proceed with caution and have a valid backup of your server before making any modifications.

Vulnerability Details 

The NTP Mode 6 Query Vulnerability involves an NTP server responding to Mode 6 queries. These responses can be exploited in NTP amplification attacks, potentially leading to reflected denial-of-service (DoS) conditions. Attackers use the server to amplify traffic toward a target by sending Mode 6 queries with spoofed IP addresses, resulting in larger response traffic.

Severity Rating

Medium

How to Verify if a Device is Vulnerable

Use Nessus plugin ID 97861 to scan the device for this vulnerability.

You can also verify it manually with network tools. This example uses the ntpq tool from https://www.ntp.org/

Send this query to the server:

ntpq -c rv <ntp_server_ip>

Watch for any responses.

If you get a response back, the server answers Mode 6 queries and is vulnerable.

How to Fix

To remediate this vulnerability, follow these steps to update your NTP configuration:

Edit the NTP Configuration File:
Locate the ntp.conf file, usually found at /etc/ntp.conf.

Restrict Mode 6 Queries:
Add the following lines to restrict Mode 6 queries from all but trusted IP addresses or networks:

restrict default noquery

restrict <trusted_network> nomodify nopeer noquery


Restart the NTP Service:
After modifying the configuration, restart the NTP service using the following command:

sudo systemctl restart ntpd

Rollback

To roll back the changes made to fix the NTP Mode 6 Scanner vulnerability, follow these steps:

  • Edit the NTP Configuration File:

Open the ntp.conf file, usually located at /etc/ntp.conf.

  • Remove or Comment Out the Restrictive Lines:

# restrict default noquery

# restrict <trusted_network> nomodify nopeer noquery

  • Restart NTP Service:

sudo systemctl restart ntp

How to Verify the Fix

Retest using Nessus plugin ID 97861 to scan the device for this vulnerability.

Use the NTP Query Tool:

ntpq -c rv <ntp_server_ip>

If the server does not respond to the query, the fix is in place.
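The configuration itself can also be checked offline. The following is an added example, not part of the original article or of the NTP project: it parses ntp.conf text and reports whether the default restrict entries block Mode 6 queries and which addresses are still allowed to query. The sample configurations and the 192.0.2.0 network are constructed, and the treatment of an unqualified "default" as covering both IPv4 and IPv6 is an assumption.

```python
# Added example: audit ntp.conf text for Mode 6 (ntpq) exposure.
BLOCKING = {"noquery", "ignore"}  # either flag makes ntpd drop Mode 6 queries

def parse_restrict(conf_text):
    """Yield (family, address, flags) for each active restrict line."""
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments (rolled-back lines)
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = tokens.pop(0) if tokens[0] in ("-4", "-6") else None
        if not tokens:
            continue
        address = tokens.pop(0)
        if len(tokens) >= 2 and tokens[0] == "mask":
            address = f"{address} mask {tokens[1]}"
            tokens = tokens[2:]
        yield family, address, set(tokens)

def audit(conf_text):
    """Report default exposure per address family and the query exceptions."""
    defaults = {"-4": [], "-6": []}
    allowed = []
    for family, address, flags in parse_restrict(conf_text):
        blocked = bool(flags & BLOCKING)
        if address == "default":
            # Assumption: "default" without -4/-6 covers both families.
            for fam in ([family] if family else ["-4", "-6"]):
                defaults[fam].append(blocked)
        elif not blocked:
            allowed.append(address)
    # Conservative: closed only if a default entry exists and every one blocks.
    return {
        "ipv4_default_open": not (defaults["-4"] and all(defaults["-4"])),
        "ipv6_default_open": not (defaults["-6"] and all(defaults["-6"])),
        "query_allowed_from": allowed,
    }

# Constructed sample configurations (not taken from a real server).
BEFORE = "driftfile /var/lib/ntp/drift\nrestrict 127.0.0.1\n"
AFTER = ("restrict default noquery\n"
         "restrict 192.0.2.0 mask 255.255.255.0 nomodify nopeer noquery\n"
         "restrict 127.0.0.1\n")

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(text))
```
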

Links (for additional resources and references)

https://www.tenable.com/plugins/nessus/97861
