[ntp:security] [Bug 2936] Skeleton Key: Missing key check allows impersonation between authenticated peers

bugzilla-daemon at ntp.org bugzilla-daemon at ntp.org
Tue Oct 13 01:35:07 UTC 2015


http://bugs.ntp.org/show_bug.cgi?id=2936

Danny Mayer <mayer at ntp.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mayer at ntp.org

--- Comment #2 from Danny Mayer <mayer at ntp.org> 2015-10-13 01:35:07 UTC ---
I think that there may be a problem here. Once an association has been
authenticated then the packets between the two systems need to continue to use
the key used for creating that association trust. What needs to happen is that
when the trust is established a reference to the key used should be kept until
the association is cleared. Otherwise, according to the report, any other valid
key in the list can be used, probably by a rogue server that has a trusted key
which can spoof the packets.

-- 
Configure bugmail: http://bugs.ntp.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
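
The check the comment above asks for, modelled as an added example; it is not part of the original message and is not ntpd source. All names (`assoc`, `pinned_keyid`, `accept_pinned`), the sample keys and the stand-in `toy_mac` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, not ntpd source: names, keys and the MAC are assumptions. */
struct trusted_key { uint32_t id; const char *secret; };
static const struct trusted_key keys[] = {      /* constructed sample keys */
    { 1, "key-for-peer-A" },
    { 2, "key-for-peer-B" },
};
struct assoc { uint32_t pinned_keyid; };        /* key used when trust was established */

/* Stand-in keyed checksum (FNV-1a over secret || msg); NOT a secure MAC. */
uint32_t toy_mac(const char *secret, const char *msg)
{
    uint32_t h = 2166136261u;
    for (const char *p = secret; *p; p++) h = (h ^ (uint8_t)*p) * 16777619u;
    for (const char *p = msg; *p; p++)    h = (h ^ (uint8_t)*p) * 16777619u;
    return h;
}

static const struct trusted_key *find_key(uint32_t id)
{
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        if (keys[i].id == id) return &keys[i];
    return NULL;
}

/* Behaviour described in the report: any trusted key with a valid MAC passes. */
int accept_any_trusted(const struct assoc *a, uint32_t keyid, const char *msg, uint32_t mac)
{
    const struct trusted_key *k = find_key(keyid);
    (void)a;                                    /* association's own key is never consulted */
    return k != NULL && toy_mac(k->secret, msg) == mac;
}

/* Pinned check: the packet's key id must match the key kept with the association. */
int accept_pinned(const struct assoc *a, uint32_t keyid, const char *msg, uint32_t mac)
{
    if (keyid != a->pinned_keyid) return 0;     /* valid but different trusted key: reject */
    return accept_any_trusted(a, keyid, msg, mac);
}

int main(void)
{
    struct assoc a = { 1 };                     /* association set up with key 1 */
    uint32_t mac = toy_mac("key-for-peer-B", "ntp-packet");  /* sender holds key 2 */
    printf("any-trusted: %d, pinned: %d\n", accept_any_trusted(&a, 2, "ntp-packet", mac), accept_pinned(&a, 2, "ntp-packet", mac));
    return 0;
}
```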

