[ntp:questions] What to do for clients less than 4.2.8?

A C agcarver+ntp at acarver.net
Sat Dec 20 20:54:09 UTC 2014


On 2014-12-20 01:30, David Woolley wrote:
> On 20/12/14 09:22, Martin Burnicki wrote:
> 
>>
>> As far as I understand the reports on bugzilla the main vulnerabilities
>> are in functions where signed packets (symmetric key or autokey) are
>> received/checked, or dynamic/remote configuration via ntpq and/or ntpdc
>> is enabled, which, as far as I know also requires some sort of crypto
>> top be enabled.
>>
> 
> One might be in a pure status enquiry, so you may have to set noquery.
> 
> In any case, except possibly for people using encryption, and maybe not
> even them, these affect neither client nor server mode, only remote
> management.

Ok, so the remaining uncertainty is whether some of the crafted packets
can be the response packets for a normal time exchange or if they're
only query/config packets.  The advisory isn't completely clear on what
types of packets can cause the buffer overflows.

Right now my inbound firewall does not allow UDP port 123 so no outside
system can query my copies of ntpd (it will of course allow a response
packet for an internally initiated time query).  My concern is whether a
standard time packet reply from a remote system (a response to my local
ntpd polling) can cause these issues.




More information about the questions mailing list