[ntp:questions] What to do for clients less than 4.2.8?
unruh at invalid.ca
Sun Dec 21 21:25:33 UTC 2014
On 2014-12-21, Jochen Bern <Jochen.Bern at LINworks.de> wrote:
> On 12/21/2014 12:38 PM, Rob wrote:
>> David Woolley <david at ex.djwhome.demon.invalid> wrote:
>>> On 21/12/14 10:48, Rob wrote:
>>>> People say "disable crypto" but there is no clear direction in the docs
>>>> on how to do that.
>>> I would assume by not enabling it.
>> Ok, but in that case why the worry about the "millions of vulnerable
>> servers" on the internet, I think most users who just want to get and
>> serve time don't spend the week of time needed to get the crypto working
>> and to coordinate with other servers doing the same.
> According to what I read on
> -- CVE-2014-9293 *might* be exploitable on ntpd's that do *not* have
> explicit crypto settings in the config (but might be stopped by
> proper restrictions, it doesn't say),
> -- CVE-2014-9294 is irrelevant for non-crypto setups,
> -- *One third* of CVE-2014-9295 (the crypto_recv() part) requires an
> autokey setup, but the other two might not, and there's no statement
> of other requirements beyond basic reachability, and
> -- CVE-2014-9296 is *probably* unexploitable.
> As far as I'm concerned, 0.66 * -9295 is enough for me to grab the
> backports from the repos for our outward-serving ntpds right now ...
> J. Bern
There are lots of people who are strongly interested in having good
time, but cannot simply upgrade to 4.2.8. Many businesses have long
testing cycles to make sure a "fix" does not screw everything up
instead. Telling people how to protect their systems even if they cannot
immediately bring up 4.2.8 is crucial. The lack of informtion is a
severe disservice to the users.
The exploits are out there already. "My building is on fire, where are
the extinguishers" "We cannot tell you that because it might allow
firebugs to know how to set fires, just build a new building". "But my
building is on fire right now!"
More information about the questions