[ntp:questions] What to do for clients less than 4.2.8?

Martin Burnicki martin.burnicki at burnicki.net
Sat Dec 20 09:22:14 UTC 2014


A C wrote:
> I saw the advisory about the potential issues in ntpd before 4.2.8 but I
> don't quite understand whether it affects a pure client (not serving
> time to the outside) or not.
>
> If the issue does affect client-only operation, what can be done for
> systems that can't be upgraded?

As far as I understand the reports on bugzilla the main vulnerabilities 
are in functions where signed packets (symmetric key or autokey) are 
received/checked, or dynamic/remote configuration via ntpq and/or ntpdc 
is enabled, which, as far as I know, also requires some sort of crypto 
to be enabled.

So from my understanding disabling crypto in ntp.conf should avoid the 
main vulnerabilities as a first, quick step.

Martin
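
One way to check an existing ntp.conf for the crypto-related settings the reply above refers to (an added example, not part of the original post; the directive list is the standard ntpd configuration keywords for symmetric-key and Autokey authentication, and the sample configuration is constructed):

```python
# Directives that configure symmetric-key or Autokey crypto, or name the keys
# that authorise ntpq (controlkey) and ntpdc (requestkey) requests.
CRYPTO_DIRECTIVES = {"crypto", "keys", "keysdir", "trustedkey",
                     "requestkey", "controlkey"}
# Directives that create associations and may carry "key N" or "autokey".
ASSOCIATION_DIRECTIVES = {"server", "peer", "pool", "broadcast",
                          "manycastclient"}

def audit_ntp_conf(text):
    """Return [(line_number, reason)] for every crypto-related setting."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # ignore comments
        if not line:
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive in CRYPTO_DIRECTIVES:
            findings.append((lineno, f"'{directive}' directive configures crypto"))
        elif directive in ASSOCIATION_DIRECTIVES:
            opts = [t.lower() for t in tokens[2:]]  # options after the address
            if "autokey" in opts:
                findings.append((lineno, f"'{directive}' association uses autokey"))
            if "key" in opts:
                findings.append((lineno, f"'{directive}' association uses a symmetric key"))
    return findings

# Constructed sample configuration (hostnames and key ids are placeholders).
SAMPLE_CONF = """\
# constructed sample, not from the original post
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server ntp1.example.net key 5
peer ntp2.example.net autokey
keys /etc/ntp.keys
trustedkey 5
controlkey 5
#crypto pw placeholder
restrict default kod nomodify notrap nopeer noquery
"""

if __name__ == "__main__":
    for lineno, reason in audit_ntp_conf(SAMPLE_CONF):
        print(f"line {lineno}: {reason}")
```

An empty result means none of these directives or options are active in the file; it does not by itself show that a given ntpd build is unaffected.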


