[ntp:questions] What to do for clients less than 4.2.8?

William Unruh unruh at invalid.ca
Sat Dec 20 19:58:52 UTC 2014


On 2014-12-20, William Unruh <unruh at invalid.ca> wrote:
> On 2014-12-20, David Woolley <david at ex.djwhome.demon.invalid> wrote:
>> On 20/12/14 09:22, Martin Burnicki wrote:
>>
>>>
>>> As far as I understand the reports on bugzilla the main vulnerabilities
>>> are in functions where signed packets (symmetric key or autokey) are
>>> received/checked, or dynamic/remote configuration via ntpq and/or ntpdc
>>> is enabled, which, as far as I know also requires some sort of crypto
>>> top be enabled.
>>>
>>
>> One might be in a pure status enquiry, so you may have to set noquery.
>>
>> In any case, except possibly for people using encryption, and maybe not 
>> even them, these affect neither client nor server mode, only remote 
>> management.
>
> How can we, as users, protect ourselves against these bugs, assuming
> 4.2.8 is not installable at the present time. How would one set no
> crypto in the conf file? How can one disable remote management?
>
>>

The two bugs that might be dangerous are

--------------------------------------------------------

* Buffer overflow in ctl_putdata()

  References: Sec 2668 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
   can overflow a stack buffer and potentially allow malicious
   code to be executed with the privilege level of the ntpd process.

  Mitigation: Upgrade to 4.2.8, or later.

  Credit: This vulnerability was discovered by Stephen Roettger of the
   Google Security Team.

* Buffer overflow in configure()

  References: Sec 2669 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014

  Summary: A remote attacker can send a carefully crafted packet that
   can overflow a stack buffer and potentially allow malicious
   code to be executed with the privilege level of the ntpd process.

  Mitigation: Upgrade to 4.2.8, or later.

  Credit: This vulnerability was discovered by Stephen Roettger of the
   Google Security Team.

----------------------------------------------------------------


Both say "carefully crafted packet" but do not say what kind of packet.
Is it an ntp packet (ie a time exchange packet)? is it a control packet
(eg ntpq type packet?) or what?
Ie, unless you use crypto, these two look like they might be dangerous.

I find the lack of information disturbing.



More information about the questions mailing list