[ntp:security] [Bug 1300] savecfg allows writes to any part of the filesystem

Dave Hart via the NTP Bugzilla bugzilla at ntp.org
Sat Sep 12 02:16:48 UTC 2009


http://bugs.ntp.org/1300



----------------------------------------------------------------------------
Additional Comments From hart at ntp.org (Dave Hart)
Submitted on 2009-09-12 02:16

(In reply to comment #13)
> Forget about distribution of keys and controlkey /requestkey the fact is that
> MD5 is trivial to break.

It sounds like you should file a bug and/or do some work to enable an 
alternative hash, just as we used to support DES.  Things will go a lot smoother 
if it can generate a 16 byte hash.  While you're at it you could consider adding 
replay protection to the ntpq subprotocol.  And in the meantime, until your 
replacement is ready, we should presumably disable all support for remote 
configuration of any type (including via ntpdc, :config, and saveconfig) because 
any reconfiguration of ntpd is a potential security hole as so much depends on 
accurate time.


-- 
Dave Hart <hart at ntp.org>



------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.


More information about the security mailing list