CVE-2019-11331

2019-04-26T07:50:17
ID RH:CVE-2019-11331
Type redhatcve
Reporter redhat.com
Modified 2020-02-14T01:14:19

Description

Network Time Protocol (NTP), as specified in RFC 5905, uses port 123 even for modes where a fixed port number is not required, which makes it easier for remote attackers to conduct off-path attacks.

Mitigation

On Red Hat Enterprise Linux 6 and later, switching from ntp to chrony is recommended. Among other design improvements, chrony uses a randomised source port by default.

If using ntp, the source port can be randomised by iptables masquerading rules, effectively mitigating this vulnerability:

iptables -t nat -I POSTROUTING -p udp -m udp --sport 123 -j MASQUERADE --to-ports 60000-61000
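As an added check (example code, not part of the Red Hat advisory), the following POSIX shell function audits `iptables-save -t nat` output for the masquerading rule above, so a host running ntpd can be verified as mitigated; the ruleset samples are constructed for demonstration.

```shell
#!/bin/sh
# Added audit helper (constructed example, not Red Hat tooling): confirm that
# outgoing NTP packets from ntpd no longer leave with source port 123.

# Reads iptables-save(8) nat-table output on stdin. Returns 0 (mitigated)
# when a POSTROUTING rule masquerades UDP source port 123 onto a port
# range, 1 otherwise.
ntp_sport_masqueraded() {
    grep -Eq -- '^-A POSTROUTING .*-p udp .*--sport 123 .*-j MASQUERADE --to-ports [0-9]+-[0-9]+'
}

# Constructed sample rulesets: one with the advisory's rule, one without.
MITIGATED='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -p udp -m udp --sport 123 -j MASQUERADE --to-ports 60000-61000
COMMIT'

UNMITIGATED='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT'

# Prints a verdict for the ruleset on stdin.
# Real use on a host:  iptables-save -t nat | sh -c '. ./audit.sh; audit_ntp'
audit_ntp() {
    if ntp_sport_masqueraded; then
        echo "UDP source port 123 is masqueraded to a random port: mitigated"
        return 0
    fi
    echo "UDP source port 123 leaves unchanged: NOT mitigated (switch to chrony or add the rule)"
    return 1
}
```

Running `printf '%s\n' "$UNMITIGATED" | audit_ntp` shows the failing case; the function only inspects the rule text, so it says nothing about whether chrony is in use instead of ntpd.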