[ntp:security] Potential issue with KoD security fix and follow-up bug fix

Jim McCormick jim.mccormick at alcatel-lucent.com
Mon Jan 4 20:19:42 UTC 2016

Hi Harlan,

I was referring to the "potential fix" that is an attachment to bug 2952
by Michael Tatarinov.  Thank you for the update, and I will await
the published fix for 2952.  I am available to inspect the correct fix 
if you would like another set of eyes on it.


On 1/4/2016 3:12 PM, Harlan Stenn wrote:
> Hi Jim,
> What proposed fix for bug 2952?  If it's a proposed fix that comes
> with the report we know that doesn't work.  Our fix for 2952 should be 
> published soon.
> I think the patch you suggest is wrong because lighting TEST2 on 
> client packets should still get the packet discarded later in the code.
> Sent from my iPhone - please excuse brevity and typos
> On Jan 4, 2016, at 10:45 AM, Jim McCormick
> <jim.mccormick at alcatel-lucent.com> wrote:
>> Hi,
>> After picking up the KoD security fix under bug 2901 
>> <http://bugs.ntp.org/show_bug.cgi?id=2901>, we noticed that 
>> active/passive peering was broken.  I see this is being addressed by 
>> bug 2952 <http://bugs.ntp.org/show_bug.cgi?id=2952>, however the 
>> proposed fix for 2952 makes 2901 vulnerable again because after the 
>> origin timestamp is validated the KoD packet is no longer discarded.
>> I want to make sure that 2952 is implemented without opening a known 
>> security hole.  Perhaps instead of commenting out the return 
>> statements in the two places where TEST2 is set, wrap the return 
>> statement in a check for server mode:
>>     if (hismode == MODE_SERVER) {
>>         return;   /* Bogus packet from server, we are done. */
>>     }
>> Regards,
>> Jim
