Mitigation and Remediation for NTP DDoS attack in ESX/ESXi, and vCenter Server Appliance (CVE-2013-5211)
Article ID: 339370

Products

VMware vCenter Server, VMware vSphere ESXi

Issue/Introduction

This article provides information on the DDoS amplification attack described in CVE-2013-5211, and its effect on VMware products.

Note: The mitigation information presented in this article was published earlier in Timekeeping best practices for Linux guests (1006427).

Symptoms:
The NTP Distributed Denial of Service (DDoS) amplification attack described in CVE-2013-5211 may affect ESX/ESXi and the vCenter Server Appliance (VCSA):
  • ESX 4.x: The NTP service itself is affected, but it must be manually enabled and the default firewall configuration must be modified for the host to be vulnerable.
  • ESXi 4.x: The NTP service itself is affected, but it must be manually enabled.
  • ESXi 5.x: The NTP service itself is affected, but it must be manually enabled and the default firewall configuration must be modified for the host to be vulnerable.
  • VCSA 5.x: The NTP service itself is affected, but only if the appliance is manually configured to use NTP for time synchronization and not Active Directory.
Customers are advised to implement the mitigation or remediation documented in the Resolution section of this article.

Note: VMware strongly advises against deploying ESX, ESXi, or the VCSA directly on the public internet.

Environment

VMware vCenter Server Appliance 5.0.x
VMware vSphere ESXi 5.5
VMware vSphere ESXi 6.0
VMware ESXi 4.0.x Installable
VMware vSphere ESXi 5.0
VMware ESXi 4.1.x Installable
VMware vCenter Server Appliance 5.1.x
VMware ESXi 4.1.x Embedded
VMware vSphere ESXi 5.1
VMware ESXi 4.0.x Embedded

Resolution

You can mitigate this issue immediately by adding these lines to the ntp.conf file on the affected product:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
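As an added example (not VMware's code) of checking and applying the ntp.conf mitigation above: a Python audit that parses an ntp.conf, reports whether the IPv4 and IPv6 default restrict entries carry the listed flags, and appends whichever of the four lines are missing. The sample configuration it runs on is constructed.

```python
"""Audit an ntp.conf for the restrict lines this article prescribes (added example, not VMware's
code); 'noquery' stops ntpd answering the mode 6/7 status queries (monlist) that the amplification abuses."""
REQUIRED_FLAGS = {"kod", "nomodify", "notrap", "nopeer", "noquery"}
MITIGATION_LINES = [  # the article's Resolution lines, in the order given
    "restrict default kod nomodify notrap nopeer noquery",
    "restrict -6 default kod nomodify notrap nopeer noquery",
    "restrict 127.0.0.1",
    "restrict -6 ::1",
]
# Constructed sample: the default entry lacks 'noquery' and there are no IPv6 entries.
SAMPLE_CONF = """\
driftfile /etc/ntp.drift
server ntp.example.invalid        # placeholder upstream server
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

def parse_restricts(conf_text):
    """Map each restrict target ('default', '-6 default', '127.0.0.1', ...) to its flag set."""
    found = {}
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()                 # strip comments and whitespace
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        parts = parts[2:] if parts[1] == "-4" else parts[1:]  # '-4' is the implicit family
        width = 2 if parts and parts[0] == "-6" else 1        # '-6 <target>' is two tokens
        key, flags = " ".join(parts[:width]), set(parts[width:])
        found[key] = found.get(key, set()) | flags            # repeated entries merge flags
    return found

def audit_ntp_conf(conf_text):
    """Return findings; an empty list means both default entries carry the full flag set."""
    restricts, findings = parse_restricts(conf_text), []
    for key in ("default", "-6 default"):
        flags = restricts.get(key)
        if flags is None:
            findings.append(f"missing 'restrict {key}' line")
        elif REQUIRED_FLAGS - flags:
            findings.append(f"'restrict {key}' lacks: {' '.join(sorted(REQUIRED_FLAGS - flags))}")
    return findings

def harden_ntp_conf(conf_text):
    """Append each article line whose target is absent from conf_text or short of its flags."""
    restricts = parse_restricts(conf_text)
    out = conf_text.rstrip("\n").splitlines()
    for line in MITIGATION_LINES:
        key, flags = next(iter(parse_restricts(line).items()))
        if key not in restricts or not flags <= restricts[key]:
            out.append(line)
    return "\n".join(out) + "\n"
```

Run `audit_ntp_conf` against the host's ntp.conf before and after applying the lines; an empty result means both default entries are in place.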

If you do not have an organizational reason to serve NTP to the public, incoming UDP requests on port 123 can be blocked at the network perimeter.

Segregating management network traffic is yet another way to mitigate this issue.

Remediation for this issue is documented in VMware Security Advisory VMSA-2014-0002.

Additional Information

For related information, see:
Timekeeping best practices for Linux guests (1006427)
Note: The preceding link was correct as of March 17, 2014. If you find the link is broken, provide feedback and a VMware employee will update the link.
Mitigation and Remediation for NTP DDoS attack in ESX/ESXi and vCenter Server Appliance (CVE-2013-5211) (Chinese)
Mitigation and Remediation for NTP DDoS attack in ESX/ESXi and vCenter Server Appliance (CVE-2013-5211) (Japanese)