[ntp:security] EXT :Re: CVE Question

Harlan Stenn stenn at nwtime.org
Fri Oct 30 22:49:32 UTC 2015


I think that fix is inadequate. It's a partial fix though. The exploit window for this problem is pretty small for 4.2.6 (maybe 15 minutes after startup, not sure), and much less with 4.2.8. So I've been told. Still working on the right fix. 

Sent from my iPhone - please excuse brevity and typos

> On Oct 30, 2015, at 1:49 PM, Kloepping, Mark E (IS) <mark.kloepping at ngc.com> wrote:
> 
> Sue
> 
> Thank you for your response.
> 
> Background:  We're building and running ntp in a Windows environment.  
> 
> I received a customer notification that the ntp software was effected by CVE-2015-5300.  I don't yet see the CVE in the NVD or Mitre CVE databases; however, a Google search revealed that Red Hat posted a description of the issue [1] along with a fix [2].  The fix appears to be a one liner in the ntp_loopfilter.c file.  It appears that ntp 4.2.8p4 source bundle from ntp.org does not contain the same fix that Red Hat implemented.  The Red Hat fix was against ntp 4.2.6p5.  Is this fix applicable to ntp 4.2.8p4?  Is ntp 4.2.8p4 vulnerable to CVE-2015-5300? 
> 
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1271076
> [2]  https://bugzilla.redhat.com/attachment.cgi?id=1082271
> 
> Thanks,
> Mark
> 
> 
> -----Original Message-----
> From: Sue Graves [mailto:sgraves at nwtime.org] 
> Sent: Thursday, October 29, 2015 7:39 PM
> To: Kloepping, Mark E (IS); security at ntp.org
> Cc: Serrano, Joel (IS)
> Subject: EXT :Re: [ntp:security] CVE Question
> 
> Hi Mark and Joel,
> 
> It isn't clear what part of the BU paper CVE-2015-5300 is pointing to.
> I assume you've asked Debian this question? Is NGC running Debian?
> 
> Please let us know what version of Debian OS or NTP you are running. Our
> ntp4.2.8-4 did address the KoD issue and there will be further info coming out on this.
> 
> Thanks
> Sue
> 
>> On 10/29/2015 12:47 PM, Kloepping, Mark E (IS) wrote:
>> NTP Support Team
>> 
>> 
>> 
>> Is NTP effected by CVE-2015-5300.  If so, does NTP 4.2.8p4 resolve 
>> CVE-2015-5300?
>> 
>> 
>> 
>> Thanks,
>> Mark
>> 
>> 
>> 
>> 
>> 
>> *Mark Kloepping*
>> Software Engineer
>> ______________________________
>> *Northrop Grumman - IS*
>> *Work:**703.561.3679
>> Cell: 412.716.7240*
>> *Email:* mark.kloepping at ngc.com <mailto:Mark.kloepping at ngc.com>
>> *Address: 2340 Dulles Corner Blvd,
>>                  Herndon, VA 20171*
>> 
>> 
>> 
>> 
>> 
>> _______________________________________________
>> security mailing list
>> security at lists.ntp.org
>> http://lists.ntp.org/listinfo/security
> 
> --
> Knowing the correct time isn't always important - until it is.
> Join Network Time Consortium http://nwtime.org/join
> 
> _______________________________________________
> security mailing list
> security at lists.ntp.org
> http://lists.ntp.org/listinfo/security
> 



More information about the security mailing list