[ntp:questions] What to do for clients less than 4.2.8?

William Unruh unruh at invalid.ca
Mon Dec 22 06:36:45 UTC 2014


In comp.protocols.time.ntp, you wrote:
> Bill,
>
> Are you willing to improve your deportment?
>
> You are performing an active dis-service.  I find your posts too often
> to be destructive, not constructive.  See below.
>
See below


> William Unruh writes:
>> On 2014-12-21, Jochen Bern <Jochen.Bern at LINworks.de> wrote:
>> > On 12/21/2014 12:38 PM, Rob wrote:
>> >> David Woolley <david at ex.djwhome.demon.invalid> wrote:
>> >>> On 21/12/14 10:48, Rob wrote:
>> >>>> People say "disable crypto" but there is no clear direction in the docs
>> >>>> on how to do that.
>> >>>
>> >>> I would assume by not enabling it.
>> >> 
>> >> Ok, but in that case why the worry about the "millions of vulnerable
>> >> servers" on the internet, I think most users who just want to get and
>> >> serve time don't spend the week of time needed to get the crypto working
>> >> and to coordinate with other servers doing the same.
>> >
>> > According to what I read on
>> >
>> > http://support.ntp.org/bin/view/Main/SecurityNotice#Resolved_Vulnerabilitie
>> s
>> >
>> > -- CVE-2014-9293 *might* be exploitable on ntpd's that do *not* have
>> >    explicit crypto settings in the config (but might be stopped by
>> >    proper restrictions, it doesn't say),
>> > -- CVE-2014-9294 is irrelevant for non-crypto setups,
>> > -- *One third* of CVE-2014-9295 (the crypto_recv() part) requires an
>> >    autokey setup, but the other two might not, and there's no statement
>> >    of other requirements beyond basic reachability, and
>> > -- CVE-2014-9296 is *probably* unexploitable.
>> >
>> > As far as I'm concerned, 0.66 * -9295 is enough for me to grab the
>> > backports from the repos for our outward-serving ntpds right now ...
>> > 								J. Bern
>> 
>> There are lots of people who are strongly interested in having good
>> time, but cannot simply upgrade to 4.2.8. Many businesses have long
>> testing cycles to make sure a "fix" does not screw everything up
>> instead.
>
> There are times when quick action is needed and there are times when
> planning and discussion are needed.

?? And this was which?
This sure looked like quick action was needed, and there was, at
least to my eyes, insufficient information to base that action on. I took
down ntpd on the few ntpd machines running, but the importance of
accurate time on them was low. 

The fixes from ntpd came out fast, and that was great. Unforuntely the
diagnostics-- ie,  who exactly was vulnerable and what could be done to
make oneself less vulnerable (other than reinstalling which is
expensive) was less quick. 

>
> Successful (ie, those that survive) people and businesses know this.
>
> An active security vulnerability is not the right time for long testing
> cycles.  Indeed, I have previously stated that 4.2.7 has undergone a
> very long and thorough testing cycle.  One of the 6 patches has problems
> for some people, and one of the diagnostic updates for a pending patch
> had problems for some people.
>
>> Telling people how to protect their systems even if they cannot
>> immediately bring up 4.2.8 is crucial. The lack of informtion is a
>> severe disservice to the users. 
>
> The information on how to do that is in the security notice:
>
>  http://support.ntp.org/bin/view/Main/SecurityNotice

It was not there on Fri. (I looked) 
All I found were statements to upgrade. 

I am really glad it is there now. Thank you.


>
> See the section on "Resolved Vulnerabilities".
>
>> The exploits are out there already.
>
> Where?  I have see several reports like this but so far nobody has told
> me of any actual cases.  I'm not saying they are not there, I'm just
> saying nobody has told me about them.

I will admit that I do not have evidence of it. I do know that the
reports claim that it is. And that is what we have to go on. 



>
>> "My building is on fire, where are
>> the extinguishers" "We cannot tell you that because it might allow
>> firebugs to know how to set fires, just build a new building". "But my
>> building is on fire right now!"
>
> Yes, so follow the mitigation steps on the security release page, which
> lists some alternatives to an upgrade.

And previously we were told that more information should be withheld
because it might give people ideas of how to attack. that was what I was
responding to.

And it is not at all clear that those are alternatives to an upgrade. 



>
> Better still, let's get more *constructive* help going on.

And what would you find more constructive? Not mentioning concerns? NOt
criticising when I felt something was wrong? 

>
> H



More information about the questions mailing list