# ntpd needs updating?



## schatchaos (Jan 6, 2014)

It seems the ntpd in base FreeBSD on 9.1-p9 is:


```
ntpd --version
ntpd - NTP daemon program - Ver. 4.2.4p8
```

This is exploitable for DoS purposes, via the "monlist" command `ntpdc -c monlist`. Shouldn't ntpd be updated via freebsd-update? As a workaround, at least ntp.conf should default to:


```
disable monitor
```

Source: http://www.symantec.com/connect/blogs/h ... on-attacks etc.

/Søren Schrøder


----------



## schatchaos (Jan 6, 2014)

*Re: ntpd needs updating?*

Update to NTP version 4.2.7, which removes the monlist command entirely.


----------
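An added example (not part of any post in this thread): a small audit that combines the two mitigations mentioned above, the `disable monitor` workaround and the 4.2.7 version threshold, taken as stated in the replies. The function names, the sample config and the "last directive wins, monitoring on by default" handling are assumptions of this example.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, not part of ntpd or FreeBSD.

# monitor_state FILE
# Prints "disabled" if the last enable/disable directive naming the
# "monitor" flag is a disable, otherwise "enabled" (assumed default).
# Handles comments and several flags on one line ("disable auth monitor").
monitor_state() {
    awk '
        { sub(/#.*/, "") }                       # strip trailing comments
        $1 == "enable" || $1 == "disable" {
            for (i = 2; i <= NF; i++)
                if ($i == "monitor") state = $1 "d"
        }
        END { print (state == "" ? "enabled" : state) }
    ' "$1"
}

# version_predates_fix VERSION
# Exit status 0 if VERSION (e.g. "4.2.4p8") is older than 4.2.7, the
# release the thread says removed monlist. The pN suffix is ignored.
version_predates_fix() {
    echo "$1" | awk -F'[.p]' '{ exit !(($1 * 10000 + $2 * 100 + $3) < 40207) }'
}

# audit_ntpd VERSION CONF -> prints patched | mitigated | exposed
audit_ntpd() {
    if ! version_predates_fix "$1"; then
        echo patched
    elif [ "$(monitor_state "$2")" = disabled ]; then
        echo mitigated
    else
        echo exposed
    fi
}

# Constructed sample config; the version string is the one quoted in the
# first post. On a real host, take the version from `ntpd --version` and
# point CONF at the ntp.conf in use.
conf=$(mktemp)
printf '%s\n' 'server 0.pool.example   # constructed sample' \
              'disable auth' \
              'disable monitor' > "$conf"
audit_ntpd "4.2.4p8" "$conf"
rm -f "$conf"
```
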



## SirDice (Jan 6, 2014)

Keep in mind that the ntpd that's in the base OS isn't the same code. Our version may not have the bug. It wouldn't hurt to contact secteam@freebsd.org though. 

http://www.freebsd.org/security/reporting.html


----------



## schatchaos (Jan 6, 2014)

FreeBSD security is (of course) aware of the issue, and an advisory is about to be issued real soon now. 

From secteam:


> We are actively working on it. The stable branches had been updated as far as I know, the rest will go
> in a Security Advisory, that will be issued as soon as possible.



Let this be a reminder: FreeBSD security is a great team, and a vital part in maintaining the world's best OS.


----------

