[ntp:questions] What to do for clients less than 4.2.8?

A C agcarver+ntp at acarver.net
Sat Dec 20 20:56:48 UTC 2014


On 2014-12-20 01:22, Martin Burnicki wrote:
> A C wrote:
>> I saw the advisory about the potential issues in ntpd before 4.2.8 but I
>> don't quite understand whether it affects a pure client (not serving
>> time to the outside) or not.
>>
>> If the issue does affect client-only operation, what can be done for
>> systems that can't be upgraded?
> 
> As far as I understand the reports on bugzilla the main vulnerabilities
> are in functions where signed packets (symmetric key or autokey) are
> received/checked, or dynamic/remote configuration via ntpq and/or ntpdc
> is enabled, which, as far as I know, also requires some sort of crypto
> to be enabled.
> 
> So from my understanding disabling crypto in ntp.conf should avoid the
> main vulnerabilities as a first, quick step.
> 

Thanks Martin.  I already have crypto off so now it's a question of
whether a normal time poll packet can also be used against the server.
That's the part I'm not clear about.

Also thank you for getting the Windows version updated soon (seen in
your other email).  I currently have no way of compiling copies for Windows.
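
The first step suggested in the quoted reply is to disable crypto in ntp.conf. The following is an added example, not part of the original thread, that checks a configuration for settings that enable signed packets or keyed remote control. The directive list is the editor's assumption about what "crypto" covers here, and the sample configuration is constructed.

```python
# Directives that configure authentication in ntp.conf.
# Assumption: this list is the editor's reading of "crypto", not the thread's.
AUTH_DIRECTIVES = {"crypto", "keys", "keysdir", "trustedkey",
                   "requestkey", "controlkey"}
# Directives that define an association and may carry key options.
ASSOC_DIRECTIVES = {"server", "peer", "pool", "broadcast", "manycastclient"}


def find_crypto_settings(conf_text):
    """Return (line_number, reason) for every active line that enables crypto."""
    findings = []
    for num, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive in AUTH_DIRECTIVES:
            findings.append((num, f"{directive} directive"))
        elif directive in ASSOC_DIRECTIVES:
            opts = [t.lower() for t in tokens[2:]]  # options after the address
            if "autokey" in opts:
                findings.append((num, "autokey on association"))
            if "key" in opts:
                findings.append((num, "symmetric key on association"))
    return findings


# Constructed sample configuration (hostnames are placeholders).
SAMPLE_CONF = """\
# constructed sample
driftfile /var/lib/ntp/ntp.drift
server 0.pool.example iburst
server ntp1.example key 3
peer ntp2.example autokey
keys /etc/ntp/keys   # symmetric key file
trustedkey 3
#crypto pw secret
"""

if __name__ == "__main__":
    for num, reason in find_crypto_settings(SAMPLE_CONF):
        print(f"line {num}: {reason}")
```

An empty result means none of the listed settings is active in the file; it says nothing about the open question in this message of whether an ordinary time poll packet is affected.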


