[HECnet] NTP vulnerability in VMS 8.3

Ian McLaughlin ian at platinum.net
Wed Jan 8 10:29:49 PST 2014


Hello all,

Just got an interesting report of a machine of mine with a public IP address that has a vulnerability in NTP that can be used for amplification attacks. I've attached a snippet of the report I was given at the end of this email.

If this was Linux, then I'd have no problems dealing with this. However, for VMS I have no idea. Anyone else run into this? Is there a patch available? I'm running OpenVMS 8.3 with no patches.

Thanks in advance for any assistance, and anyone else running public-facing might want to see if this affects them.

Ian

(snippet follows)

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity.

CCIRC has received a report indicating an NTP server(s) from your organization could be potentially used in distributed denial of service attacks. In this case, the NTP server is likely open to 'get monlist' requests, which can be leveraged by malicious actors in reflected distributed denial of service attacks. Organizations should consider testing and deploying the latest version of NTP, which does not use the "monlist" command, at the earliest opportunity. If upgrading to the latest version is not immediately feasible, access to the "monlist" command should be disabled.

CCIRC recommends organizations review common best practices to harden NTP servers or disable the service if it is not required. Additional guidance on NTP hardening can be found at the following reference:
http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html

For more information on this method of attack, please review the following references:  
https://isc.sans.edu/forums/diary/NTP+reflection+attack/17300

CVE-2013-5211
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5211
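
Added example (not part of the original email or the CCIRC report): a static check of an ntp.conf-style file for the two mitigations usually applied when "monlist" cannot be upgraded away, `disable monitor` and a default `restrict` line carrying `noquery`. It assumes the directive syntax of the reference ntpd; whether the NTP service shipped with OpenVMS 8.3 honours the same directives is an assumption, and both sample configurations are constructed.

```python
# Added example: static audit of an ntp.conf-style file for CVE-2013-5211 exposure.
# Assumes reference ntpd directive syntax; the sample configs below are constructed.
BLOCKING_FLAGS = {"noquery", "ignore"}  # either one stops ntpdc (mode 7) queries

OPEN_CONF = """\
server 0.pool.ntp.org iburst
driftfile /var/lib/ntp/drift
"""

HARDENED_CONF = """\
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
disable monitor   # turns off the client list that monlist reports
"""

def audit_monlist(conf_text):
    """Return (exposed, findings) for the text of an ntp.conf-style file."""
    monitor_disabled, limited_used, defaults = False, False, []
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].lower().split()  # drop comments
        if not words:
            continue
        key, args = words[0], [w for w in words[1:] if w not in ("-4", "-6")]
        if key in ("disable", "enable") and "monitor" in args:
            monitor_disabled = key == "disable"  # last directive wins
        elif key == "restrict" and args:
            limited_used = limited_used or "limited" in args
            if args[0] == "default":
                defaults.append(set(args[1:]))
    # ntpd turns monitoring back on when any restrict line uses "limited".
    monitor_off = monitor_disabled and not limited_used
    # Every default restrict line present must block queries.
    query_blocked = bool(defaults) and all(d & BLOCKING_FLAGS for d in defaults)
    findings = []
    if not monitor_off:
        findings.append("monitoring active: no effective 'disable monitor'")
    if not query_blocked:
        findings.append("default restrict does not carry noquery/ignore")
    return (not (monitor_off or query_blocked), findings)

if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        exposed, findings = audit_monlist(conf)
        print(name, "EXPOSED" if exposed else "ok", findings)
```

The check is static only: it reports what the configuration file says, not what a running daemon actually answers.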


