[Sec 3118] Mode 6 information disclosure and DDoS vector

bk: 57e6c819rh2svWsjdM59G3nj_eyKew

diff --git a/ChangeLog b/ChangeLog
index 0805467dc6b9b1ce7768a039f6a2d87af37546b9..ec4d12e351bb460140c61a389afc02505377bbb2 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+---
+* [Sec 3118] Mode 6 information disclosure and DDoS vector <perlinger@ntp.org>
+  - TRAP config via mode 6 packet requires AUTH now.
+
 ---
 (4.2.8p8) 2016/06/02 Released by Harlan Stenn <stenn@ntp.org>
 

diff --git a/ntpd/ntp_control.c b/ntpd/ntp_control.c
index 07b5697f1536605efed3f4ee726d21ee94a59a70..fa972c097429dcc9060becafb33ac7129712b0fc 100644 (file)
--- a/ntpd/ntp_control.c
+++ b/ntpd/ntp_control.c
@@ -120,14 +120,14 @@ static const struct ctl_proc control_codes[] = {
        { CTL_OP_READVAR,               NOAUTH, read_variables },
        { CTL_OP_WRITEVAR,              AUTH,   write_variables },
        { CTL_OP_READCLOCK,             NOAUTH, read_clockstatus },
-       { CTL_OP_WRITECLOCK,            NOAUTH, write_clockstatus },
-       { CTL_OP_SETTRAP,               NOAUTH, set_trap },
+       { CTL_OP_WRITECLOCK,            AUTH,   write_clockstatus },
+       { CTL_OP_SETTRAP,               AUTH,   set_trap },
        { CTL_OP_CONFIGURE,             AUTH,   configure },
        { CTL_OP_SAVECONFIG,            AUTH,   save_config },
        { CTL_OP_READ_MRU,              NOAUTH, read_mru_list },
        { CTL_OP_READ_ORDLIST_A,        AUTH,   read_ordlist },
        { CTL_OP_REQ_NONCE,             NOAUTH, req_nonce },
-       { CTL_OP_UNSETTRAP,             NOAUTH, unset_trap },
+       { CTL_OP_UNSETTRAP,             AUTH,   unset_trap },
        { NO_REQUEST,                   0,      NULL }
 };