# Strange NTP error



## xy16644 (Jan 16, 2014)

I've just tried to update all my ports and when I list the outdated ports with `portmaster -L` I get:


```
===>>> ntp-4.2.6p5_2
===>>> This port is marked FORBIDDEN
===>>> CVE-2013-5211 / VU
```

Even after updating all my ports I still have this warning. I did have a look in /usr/src/UPDATING but couldn't find anything on NTP.

Any ideas?


----------



## worldi (Jan 16, 2014)

There are problems with this port and it hasn't been patched yet.


----------



## xy16644 (Jan 16, 2014)

Ah, thanks for that!


----------



## DutchDaemon (Jan 16, 2014)

It's the same problem as with the base ntpd: http://www.freebsd.org/security/advisor ... 2.ntpd.asc


----------



## xy16644 (Jan 16, 2014)

I just read the FreeBSD Security Advisory regarding this. I wonder if NTP in FreeBSD 10 STABLE will be fixed?


----------



## DutchDaemon (Jan 16, 2014)

It's already fixed, see 'Corrected:' in SA-14:02.


----------



## xy16644 (Jan 16, 2014)

Great, even more reason to upgrade to FreeBSD 10!


----------



## phreak (Mar 12, 2014)

According to http://www.freebsd.org/security/advisories/FreeBSD-SA-14:02.ntpd.asc, the vulnerability was fixed in FreeBSD 10-RELEASE. However, on my FreeBSD 10.0-RELEASE, `pkg version` still reports:

```
ntp-4.2.6p5_2                      =
```

I have searched http://www.freshports.org/net/ntp/, which reports the same version as mine and lists it as FORBIDDEN: CVE-2013-5211 / VU.

I have run `pkg upgrade` for months and no ntp-4.2.7p26 in sight.

Could anyone enlighten me how to get the fix? Thanks a ton.


----------



## SirDice (Mar 12, 2014)

The FreeBSD advisory is regarding ntpd(8), not net/ntp.


----------



## phreak (Mar 13, 2014)

Thanks for your prompt reply.

However, I have got the following warning from `pkg audit -F`.

```
Vulnxml file up-to-date.
ntp-4.2.6p5_2 is vulnerable:
ntpd DRDoS / Amplification Attack using ntpdc monlist command
CVE: CVE-2013-5211
WWW: http://portaudit.FreeBSD.org/3d95c9a7-7d5c-11e3-a8c1-206a8a720317.html
```

How can I get rid of it? Thanks in advance!


----------



## SirDice (Mar 13, 2014)

phreak said:

> How can I get rid of it? Thanks in advance!


`pkg delete ntp`


----------



## phreak (Mar 14, 2014)

Many thanks, @SirDice.


----------



## syl (Apr 11, 2014)

In case you're interested in the NTP client, you can try ntp-devel; I had to do that on a very fresh 10 install:

```
portmaster net/ntp-devel
```


----------



## aevertett (Jun 23, 2014)

Is this issue related to the fact that NTP 4.2.7p26 is a development release and not a production release of the NTP daemon? It's just that we are getting quite a number of customers conducting security scans on our GPS NTP servers, which report NTP 4.2.6 as being an old version of NTPd that is susceptible to the monlist denial of service attack and needs to be updated to NTP 4.2.7. However, we are very reluctant to provide an update to NTP 4.2.7 when it is not a stable production version of the NTP protocol.

Everett
http://www.timetoolsglobal.com/


----------



## SirDice (Jun 23, 2014)

aevertett said:

> Is this issue related to the fact that NTP 4.2.7p26 is a development release and not a production release of the NTP daemon?


No, it's related to a security issue:
http://networktimefoundation.org/ntp-wi ... s-attacks/



> It's just that we are getting quite a number of customers conducting security scans on our GPS NTP servers which is reporting NTP 4.2.6 as being an old version of NTPd, which is susceptible to the monlist denial of service attack, and needs to be updated to NTP 4.2.7. However, we are very reluctant to provide an update to NTP 4.2.7 when it is not a stable production version of the NTP protocol.


I'm afraid you don't have much choice, although you may be able to turn off the monitoring option:
http://support.ntp.org/bin/view/Main/Se ... tack_using


----------



## wblock@ (Jun 23, 2014)

Current versions of FreeBSD base and ports are all fixed, AFAIK.  If the security scan only checks the version number, the NTP in base might show a false positive because the version number has not changed even though the bug was fixed.  monlist can also be manually disabled.

(That a security tool would check just a version number seems... well, "too trusting" is not quite the right thing to say.  "Gullible" might be more accurate.  But a lot of these tools do that, apparently.)


----------
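Both SirDice and wblock@ point out that the monlist amplification issue (CVE-2013-5211) can be closed by configuration rather than by a version bump. The added example below is not from this thread or from the ntp project; it is a small static checker for an ntp.conf that reports whether either mitigation is in place, using a simplified model of ntpd's `restrict` handling (assumed here: `disable monitor` empties the MRU list that monlist reads, and `restrict default ... noquery` for both address families refuses mode-7 queries from anyone not matched by a more specific `restrict` line). The two configs are constructed samples.

```python
"""Static check of an ntp.conf for the CVE-2013-5211 monlist mitigations."""

# Constructed sample: a 4.2.6-era config with no monlist mitigation.
VULNERABLE_CONF = """\
server 0.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

# Constructed sample: both mitigations the thread mentions.
HARDENED_CONF = """\
server 0.freebsd.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""


def _statements(text):
    """Yield ntp.conf statements as token lists, dropping comments and blanks."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def check_monlist(text):
    """Return {'monitor', 'noquery', 'exposed'} for an ntp.conf text.

    Simplified model (assumption): monlist is answerable when the monitor
    facility is on (ntpd's default) and at least one address family lacks a
    'restrict default ... noquery' entry. A plain 'restrict default' line is
    treated as applying to both IPv4 and IPv6, as in ntpd 4.2.6 docs.
    """
    monitor_on = True
    noquery = {"ipv4": False, "ipv6": False}
    for tok in _statements(text):
        if tok[0] in ("disable", "enable") and "monitor" in tok[1:]:
            monitor_on = tok[0] == "enable"  # last one wins
        elif tok[0] == "restrict":
            rest, fam = tok[1:], None
            if rest and rest[0] in ("-4", "-6"):
                fam = "ipv6" if rest[0] == "-6" else "ipv4"
                rest = rest[1:]
            if rest and rest[0] == "default":
                for f in ([fam] if fam else ["ipv4", "ipv6"]):
                    noquery[f] = "noquery" in rest[1:]
    exposed = monitor_on and not (noquery["ipv4"] and noquery["ipv6"])
    return {"monitor": monitor_on, "noquery": noquery, "exposed": exposed}
```

Running `check_monlist` over the two samples flags the first as exposed and the second as mitigated; feed it your own `/etc/ntp.conf` to get the same verdict for a server that a version-only scanner keeps reporting.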

