Spectracom - Essential Ingenuity

Verifying NTP Queries are Disabled in NetClock 9200/9300

Question

How do I verify NTP Queries are disabled in NetClock 9200/9300?

Answer

Common Vulnerabilities and Exposures entry CVE-2013-5211 documents a problem with “Monlist”, a feature that is part of NTP’s NTPDC functionality. The Spectracom Model 9300 and 9200 series NTP servers allow NTPDC/NTPQ (and therefore Monlist as well) to be disabled to mitigate this potential vulnerability; both are disabled by factory default. Note that disabling NTPQ and NTPDC does not affect the operation of NTP clients synchronizing over the network.

To verify that NTPQ/NTPDC are disabled, and so mitigate the potential vulnerability associated with Monlist, log in to the NetClock’s web interface and navigate to the NTP -> General page. On this page, verify that the “Allow queries from NTPDC or NTPQ over IPV4” and “Allow queries from NTPDC or NTPQ over IPV6” checkboxes are not selected (as shown below).

[Screenshot: Monlist]
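The checkbox state can also be confirmed from the network. The following is an added example, not Spectracom code: it sends an ordinary mode 3 time request and a mode 6 "read variables" control query (the kind ntpq sends) and reports whether each is answered. It assumes a unit with queries disabled stays silent to mode 6; the function names are hypothetical, ntpdc's mode 7 is not exercised, and `family=socket.AF_INET6` covers the IPv6 checkbox.

```python
import socket
import struct

NTP_PORT = 123

def build_client_request(version=4):
    """48-byte mode 3 (client) packet, as a synchronizing client sends."""
    return bytes([(version << 3) | 3]) + bytes(47)

def build_readvar_request(sequence=1, version=2):
    """12-byte mode 6 control header, opcode 2 (read variables), no data."""
    # Fields: LI/VN/mode, R/E/M/opcode, sequence, status, assoc ID, offset, count
    return struct.pack("!BBHHHHH", (version << 3) | 6, 2, sequence, 0, 0, 0, 0)

def ntp_mode(packet):
    """The mode is the low three bits of the first byte of any NTP packet."""
    return packet[0] & 0x07

def probe(host, payload, port=NTP_PORT, timeout=2.0, family=socket.AF_INET):
    """Send one datagram; return the reply's mode, or None if none arrived."""
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(payload, (host, port))
            data, _ = s.recvfrom(1024)
        except OSError:  # timeout, or an ICMP unreachable surfaced as an error
            return None
    return ntp_mode(data) if data else None

def check_queries_disabled(host, **kw):
    """Time service should answer (mode 4); the control query should not."""
    time_reply = probe(host, build_client_request(), **kw)
    control_reply = probe(host, build_readvar_request(), **kw)
    return {
        "time_service_answers": time_reply == 4,
        "control_query_answers": control_reply == 6,
        # Only meaningful if the unit is reachable, hence the mode 4 condition.
        "queries_disabled": time_reply == 4 and control_reply != 6,
    }

if __name__ == "__main__":
    import sys
    print(check_queries_disabled(sys.argv[1]))
```

If `time_service_answers` is false, the result says nothing about the query setting: the unit was unreachable or UDP port 123 was filtered on the path.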


Spectracom's Model 9300 and 9200 series NTP time servers (includes 9383/9283, 9389/9289 and 9388/9288) are end of life or nearing end of life. These units run NTPd 4.2.0 and are not planned to be updated to a later version. The successor models are SecureSync and NetClock 9400.  
