[ntp:security] [Bug 2946] Origin Leak: ntpq and ntpdc Disclose Origin Timestamp to Unauthenticated Clients

bugzilla-daemon at ntp.org
Tue May 24 09:26:36 UTC 2016


Miroslav Lichvar <mlichvar at redhat.com> changed:

           What    |Removed                     |Added
                 CC|                            |mlichvar at redhat.com

--- Comment #2 from Miroslav Lichvar <mlichvar at redhat.com> 2016-05-24 09:26:36 UTC ---
When fixing this bug, please also hide the other sensitive timestamps (rec,
dst, xmt), as they can be used to create a valid response in the symmetric
(unauthenticated) mode.

To avoid breaking compatibility with monitoring scripts using these values, I'd
suggest just setting the fractional part of the reported timestamps to zero, so
they are no longer useful for these attacks.

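The mitigation suggested in Comment #2, sketched as an added example that is not part of the original comment or of ntpd's source: the reported timestamp keeps its whole seconds but has its 32-bit fraction zeroed, so the value shown to a monitoring client no longer passes the bit-for-bit origin check. The type name, function names, and sample timestamp are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* 64-bit NTP timestamp: seconds since 1900 plus a 32-bit binary fraction.
 * Hypothetical type for this example, not ntpd's own definition. */
typedef struct {
    uint32_t sec;
    uint32_t frac;
} ntp_ts;

/* Value to expose in an unauthenticated report (rec, dst, xmt, org):
 * whole seconds are kept so monitoring scripts still parse a timestamp,
 * the fraction is set to zero. */
static ntp_ts redact_for_report(ntp_ts full)
{
    ntp_ts out = { full.sec, 0 };
    return out;
}

/* Origin check applied to an incoming response: the origin timestamp in
 * the packet must equal the last transmit timestamp in all 64 bits. */
static int origin_matches(ntp_ts pkt_org, ntp_ts last_xmt)
{
    return pkt_org.sec == last_xmt.sec && pkt_org.frac == last_xmt.frac;
}

/* Render as hex "seconds.fraction" for a report line (format is assumed). */
static int format_ts(ntp_ts ts, char *buf, size_t len)
{
    return snprintf(buf, len, "%08x.%08x",
                    (unsigned)ts.sec, (unsigned)ts.frac);
}

int main(void)
{
    ntp_ts xmt = { 0xdaee3a2cu, 0x7b4d9f13u };   /* constructed sample */
    ntp_ts shown = redact_for_report(xmt);
    char line[32];

    format_ts(shown, line, sizeof line);
    printf("xmt=%s\n", line);
    printf("full value passes origin check:     %d\n",
           origin_matches(xmt, xmt));
    printf("reported value passes origin check: %d\n",
           origin_matches(shown, xmt));
    return 0;
}
```

A timestamp whose fraction already happens to be zero is unchanged by the redaction, so the protection rests on the sender's transmit timestamps carrying a non-zero, unpredictable fraction.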