This article provides information on the DDoS amplification attack described in CVE-2013-5211, and its effect on VMware products.
Note: The mitigation information presented in this article was published earlier in Timekeeping best practices for Linux guests (310053).
Symptoms:
The NTP Distributed Denial of Service (DDoS) amplification attack described in CVE-2013-5211 may affect ESX/ESXi and the vCenter Server Appliance (VCSA).
Customers are advised to implement the mitigation or remediation documented in the Resolution section of this article.
Note: VMware strongly advises against deploying ESX, ESXi, or the VCSA directly on the public internet.
You can mitigate this issue immediately by adding these lines to the ntp.conf file on your respective product:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
If you do not have an organizational reason to serve NTP to the public, incoming UDP requests on port 123 can be blocked at the network perimeter.
Segregating management network traffic is yet another way to mitigate this issue.
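A quick way to verify that the ntp.conf restrictions above are actually in place is to parse the file and confirm that both the IPv4 and IPv6 `restrict default` lines carry every flag listed. The following checker is an added example, not code from VMware or this KB article; the two configuration samples are constructed for illustration.

```python
"""Check an ntp.conf for the CVE-2013-5211 mitigation lines given in the article.
Every 'restrict default' (IPv4) and 'restrict -6 default' (IPv6) line must carry
the flags kod nomodify notrap nopeer noquery; 'noquery' is the one that stops the
server from answering the monlist/mode-7 queries used for amplification."""

REQUIRED_FLAGS = {"kod", "nomodify", "notrap", "nopeer", "noquery"}


def parse_restrict_lines(conf_text):
    """Return (family, target, flags) for every restrict line, ignoring comments."""
    entries = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # strip '#' comments, tokenize
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        family, tokens = "ipv4", tokens[1:]
        if tokens[0] in ("-4", "-6"):            # optional address-family switch
            family, tokens = ("ipv6" if tokens[0] == "-6" else "ipv4"), tokens[1:]
        if not tokens:
            continue
        target, flags = tokens[0], tokens[1:]
        if "mask" in flags:                      # 'mask <netmask>' is not a flag
            i = flags.index("mask")
            del flags[i:i + 2]
        entries.append((family, target, set(flags)))
    return entries


def check_mitigation(conf_text):
    """Map each address family to its missing default-restrict flags.
    None means the family has no 'restrict default' line at all."""
    result = {"ipv4": None, "ipv6": None}
    for family, target, flags in parse_restrict_lines(conf_text):
        if target == "default":
            result[family] = sorted(REQUIRED_FLAGS - flags)
    return result


def is_mitigated(conf_text):
    """True only when both families restrict 'default' with all required flags."""
    return all(missing == [] for missing in check_mitigation(conf_text).values())


# Constructed sample: IPv4 line lacks 'noquery' and there is no IPv6 default line.
OPEN_CONF = """server 0.pool.ntp.org   # constructed example
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

# Constructed sample: the four lines recommended in the article.
HARDENED_CONF = """restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
"""
```

Run `is_mitigated(open(path).read())` against the file pulled from the host to get a pass/fail, or `check_mitigation` to see which flags are missing per address family.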
Remediation for this issue is documented in VMware Security Advisory VMSA-2014-0002.
For related information, see:
Timekeeping best practices for Linux guests
Note: The preceding link was correct as of March 17, 2014. If you find the link is broken, provide feedback and a VMware employee will update the link.
Mitigating and remediating the NTP DDoS attack in ESX/ESXi and vCenter Server Appliance (CVE-2013-5211)