[ntp:questions] What to do for clients less than 4.2.8?
Jochen Bern
Jochen.Bern at LINworks.de
Sun Dec 21 15:53:40 UTC 2014
On 12/21/2014 12:38 PM, Rob wrote:
> David Woolley <david at ex.djwhome.demon.invalid> wrote:
>> On 21/12/14 10:48, Rob wrote:
>>> People say "disable crypto" but there is no clear direction in the docs
>>> on how to do that.
>>
>> I would assume by not enabling it.
>
> Ok, but in that case why the worry about the "millions of vulnerable
> servers" on the internet? I think most users who just want to get and
> serve time don't spend the week of time needed to get the crypto working
> and to coordinate with other servers doing the same.
According to what I read on
http://support.ntp.org/bin/view/Main/SecurityNotice#Resolved_Vulnerabilities
-- CVE-2014-9293 *might* be exploitable on ntpd's that do *not* have
explicit crypto settings in the config (but might be stopped by
proper restrictions, it doesn't say),
-- CVE-2014-9294 is irrelevant for non-crypto setups,
-- *One third* of CVE-2014-9295 (the crypto_recv() part) requires an
autokey setup, but the other two might not, and there's no statement
of other requirements beyond basic reachability, and
-- CVE-2014-9296 is *probably* unexploitable.
As far as I'm concerned, 0.66 * -9295 is enough for me to grab the
backports from the repos for our outward-serving ntpds right now ...
Regards,
J. Bern
--
*NEW* - NEC IT infrastructure products in the <http://www.linworks-shop.de/>:
Server--Storage--Virtualization--Management SW--Passion for Performance
Jochen Bern, Systems Engineer --- LINworks GmbH <http://www.LINworks.de/>
P.O. Box 100121, 64201 Darmstadt | Robert-Koch-Str. 9, 64331 Weiterstadt
PGP (1024D/4096g) FP = D18B 41B1 16C0 11BA 7F8C DCF7 E1D5 FAF4 444E 1C27
Tel. +49 6151 9067-231, switchboard -0, Fax -299 - Darmstadt District Court HRB 85202
Registered office Weiterstadt, Managing Directors Metin Dogan, Oliver Michel
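An added check, my own example rather than code from the thread or the ntp project, that reads an ntpd version line and ntp.conf text and reports the facts Jochen's breakdown hinges on: whether the build predates 4.2.8, whether Autokey is configured (a `crypto` directive or an `autokey` association), and whether a `restrict default` line with noquery/nomodify (or ignore) is in place. The version line and configuration below are constructed samples, not from any real host.

```python
import re
from typing import List, NamedTuple

FIXED = (4, 2, 8)  # the release the thread is asking about

class NtpRiskReport(NamedTuple):
    pre_4_2_8: bool           # build older than 4.2.8
    autokey_configured: bool  # 'crypto' directive or an 'autokey' association
    default_restricted: bool  # 'restrict default' carries noquery+nomodify or ignore
    findings: List[str]

def parse_version(version_string: str):
    """Pull x.y.z out of an 'ntpd 4.2.6p5@1.2349-o ...' style version line."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_string)
    if not m:
        raise ValueError("no x.y.z version in %r" % version_string)
    return tuple(int(x) for x in m.groups())

def assess(version_string: str, ntp_conf: str) -> NtpRiskReport:
    """Summarise the config facts the CVE applicability in the thread hinges on."""
    version = parse_version(version_string)
    old = version < FIXED
    findings = ["ntpd %d.%d.%d predates 4.2.8" % version] if old else []
    autokey = default_restricted = False
    for raw in ntp_conf.splitlines():
        words = raw.split("#", 1)[0].split()  # drop comments, tokenize
        if not words:
            continue
        if words[0] == "crypto":
            autokey = True
            findings.append("explicit 'crypto' directive configures Autokey")
        elif words[0] in ("server", "peer", "broadcast") and "autokey" in words[1:]:
            autokey = True
            findings.append("association '%s' uses autokey" % words[1])
        elif words[0] == "restrict":
            args = [w for w in words[1:] if w not in ("-4", "-6")]
            if args and args[0] == "default":
                flags = set(args[1:])
                if "ignore" in flags or {"noquery", "nomodify"} <= flags:
                    default_restricted = True
    if not default_restricted:
        findings.append("no 'restrict default' with noquery+nomodify (or ignore)")
    return NtpRiskReport(old, autokey, default_restricted, findings)

# Constructed sample input, not taken from any real host.
SAMPLE_VERSION = "ntpd 4.2.6p5@1.2349-o Sat Jan  1 00:00:00 UTC 2014 (1)"
SAMPLE_CONF = ("server ntp.example.test iburst\n"
               "restrict -4 default kod notrap nomodify nopeer noquery\n"
               "restrict -6 default kod notrap nomodify nopeer noquery\n")
```

Run `assess(SAMPLE_VERSION, SAMPLE_CONF).findings` on a host's `ntpd --version` output and its ntp.conf to get the same one-line-per-finding summary for that host.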