GerryHill
Tuning in
1,111 Views
Message 1 of 62

NTP vulnerability letter - help needed!

I've had a letter from VM saying that something on my IP address has an NTP monlist vulnerability. I've followed the instructions to test IP addresses but find them very vague, even though I'm reasonably tech savvy. So far, I've had no response from the scanning page, whether entering my IP address or internal network addresses. However, the manual check command ntpdc is not recognised by Windows XP. Nor can I find ntp.conf anywhere on my PC or NAS. Most of the stuff on Google talks about servers or Linux and I'm left scratching my head.

Could anyone tell me where to find the file I should check and modify, please?

I have Windows XP, Windows 7 which I don't use yet, a WD NAS box, an Android tablet and a Samsung "smart" TV all feeding into a Belkin router. Could just one, or all, be the possible culprit?

Alternatively, is it possible to run whatever the bankers' security scanners ran from inside or outside my system to see if there really is a problem?

TIA

Gerry


Helpful Answers
Sololobo
Wise owl
1,019 Views
Message 14 of 62
Helpful Answer

Re: NTP vulnerability letter - help needed!

Found this information which may be of interest.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5211

Overview

The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013

https://www.acunetix.com/blog/articles/ntp-reflection-ddos-attacks/

How to prevent the attack?

a) If you administer an NTP server

Windows implementations of the NTP protocol do not have this vulnerability as the use of monlist command is banned or reserved.

Most of the Unix/Linux implementations do, however, suffer from this vulnerability. The NTP daemons prior to 4.2.7p26 are vulnerable by default.

(Apologies for the formatting which is misbehaving again.)




It's What I Do.
I Drink and I
Remember Things.
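
The check the quoted advisory implies, for a Unix-like device that runs ntpd (a NAS, for example), written as an added example that is not part of the original thread: compare the reported ntpd version with 4.2.7p26 and, for older builds, look in ntp.conf for a setting that stops monlist replies. The `disable monitor` and `restrict default ... noquery` directives are standard ntpd options that the thread itself does not mention, and the version banners and config texts are constructed samples.

```python
import re

FIXED = (4, 2, 7, 26)  # from the advisory quoted above: ntpd before 4.2.7p26

def parse_version(banner):
    """'ntpd 4.2.6p5@1.2349-o' -> (4, 2, 6, 5); a missing pNN counts as 0."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        raise ValueError(f"no ntpd version found in {banner!r}")
    return tuple(int(g or 0) for g in m.groups())

def config_mitigations(conf_text):
    """Return the monlist mitigations present in ntp.conf text."""
    found = set()
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()      # drop trailing comments
        if not words:
            continue
        args = words[1:]
        if words[0] == "disable" and "monitor" in args:
            found.add("disable monitor")
        if words[0] == "restrict":
            if args and args[0] in ("-4", "-6"):  # optional address-family flag
                args = args[1:]
            # noquery (or ignore) on the default entry refuses ntpdc/ntpq queries
            if args[:1] == ["default"] and {"noquery", "ignore"} & set(args[1:]):
                found.add("restrict default noquery/ignore")
    return found

def monlist_exposure(banner, conf_text):
    """Classify one ntpd instance as 'patched', 'mitigated' or 'exposed'."""
    if parse_version(banner) >= FIXED:
        return "patched"
    return "mitigated" if config_mitigations(conf_text) else "exposed"

# Constructed sample inputs, not taken from any real device.
OPEN_CONF = """\
server 0.pool.ntp.org iburst
restrict default nomodify notrap   # queries still answered; noquery is missing
"""
HARDENED_CONF = """\
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
disable monitor
"""

if __name__ == "__main__":
    for banner, conf in [("ntpd 4.2.6p5@1.2349-o", OPEN_CONF),
                         ("ntpd 4.2.6p5@1.2349-o", HARDENED_CONF),
                         ("ntpd 4.2.8p10@1.3728-o", OPEN_CONF)]:
        print(banner, "->", monlist_exposure(banner, conf))
```

The config check only looks at the default restrict entry; a later `restrict` line for a specific subnet can still allow queries from that subnet.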

All Replies
xrmike
Joining in
1,100 Views
Message 2 of 62

Re: NTP vulnerability letter - help needed!

I have had the same letter. Unlike you, I do have a server running Windows Server 2012 R2. It's the second time I have had this letter; the first time I checked it out by running the commands and stuff they give for checking NTP versions etc., to which I was getting unrecognised command (so I'm assuming that package isn't active on my machine). I don't actually know if these letters are fact there is an issue on your network, or if it's scaremongering for you to then use their own gadget rescue service to look at it for you, which costs money... it's a possibility.

GerryHill
Tuning in
1,094 Views
Message 3 of 62

Re: NTP vulnerability letter - help needed!

Thanks. Being an old cynic, I did wonder! But I was very surprised that if the vulnerability is so prevalent there is no easy-peasy diagnostic method available. VM Internet is, after all, a service sold mainly to folk who just want to use their computers and not dig around inside them. They say that an organisation scans on behalf of the banks. Why, if they've scanned my network, can they only give me my IP address and not the address or device on the network? Why can't I have access to whatever - surely easy if it's automated - method they are using?

xrmike
Joining in
1,086 Views
Message 4 of 62

Re: NTP vulnerability letter - help needed!

Sadly there is no simple malware scan for it, but it's a bit more technically involved because from my understanding it's related to servers and the chances are if you have a server you know a thing or two. Like you I was surprised by the lack of information they give, with only a Wide Area Network IP address, and they provide a date which I don't know what it is for, whether that's the date they ran the scan on the network or the date they detected strange activity or what.

It would also be helpful if they provided us with whatever found this possible vulnerability so, like you said, we can scan internally. That's what makes me so skeptical of it when they are saying they can have a look for a fee. If VM do get around to this post it might be worth them looking into being more open about how they found it etc.; for all we know there could be a bug in what's identifying it, incorrectly picking people out, which needs fixing.

Here's to hoping we get some solid intel.

MJRobinson
Joining in
1,077 Views
Message 5 of 62

Re: NTP vulnerability letter - help needed!

I have also received the letter. I have nothing Linux based that would be used with NTP V2 or below so I'm unsure where this comes from. The only additional kit I have is BT Hive, which is Linux based, so I'm checking that part out. The letter points at a page that is supposed to be able to scan the network for Monlist responses, which I cannot see.

I am a techy so as per previous posts I would like to know how this issue has been identified and how to pinpoint it.

 

Thanks

Martin

Buffer6
Trouble shooter
1,069 Views
Message 6 of 62

Re: NTP vulnerability letter - help needed!

Sololobo
Wise owl
1,045 Views
Message 7 of 62

Re: NTP vulnerability letter - help needed!

https://technet.microsoft.com/en-us/library/cc773061(v=ws.10).aspx




It's What I Do.
I Drink and I
Remember Things.
GerryHill
Tuning in
1,027 Views
Message 8 of 62

Re: NTP vulnerability letter - help needed!

Thanks for those last two. The first relates to Unix/Linux which I suppose could just possibly be my Android tablet or my TV at fault.

The second from Microsoft only refers to Windows Server, which would seem to rule out my XP machines.

<scratches head>

Gerry

Buffer6
Trouble shooter
1,022 Views
Message 9 of 62

Re: NTP vulnerability letter - help needed!

^ Could it also be that your IP address has been spoofed to send DDoS attacks via a vulnerable server?

Sololobo
Wise owl
1,010 Views
Message 10 of 62

Re: NTP vulnerability letter - help needed!


GerryHill wrote:

Thanks for those last two. The first relates to Unix/Linux which I suppose could just possibly be my Android tablet or my TV at fault.

The second from Microsoft only refers to Windows Server, which would seem to rule out my XP machines.

<scratches head>

Gerry


From the previously posted link, see the section under

Windows Time Service Tools and Settings

W32tm.exe: Windows Time

Category

This tool is installed as part of Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server® 2008 R2 default installations.

Version compatibility

This tool works on Windows XP, Windows Vista, Windows 7, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2 default installations.

W32tm.exe is used to configure Windows Time service settings. It can also be used to diagnose problems with the time service. W32tm.exe is the preferred command line tool for configuring, monitoring, or troubleshooting the Windows Time service.

 




It's What I Do.
I Drink and I
Remember Things.