Update your NTP servers

wlanboy

Content Contributer
NTF's NTP Project has been notified of a number of vulnerabilities from Neel Mehta and Stephen Roettger of Google's Security Team.

The two most serious of these issues and four less serious issues have been resolved as of ntp-4.2.8, which was released on 18 December 2014.

There are still two less significant issues to be addressed. We're expecting to fix these within the next month.
http://support.ntp.org/bin/view/Main/SecurityNotice

Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use either of these flaws to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the ntp user. Note: the crypto_recv() flaw requires non-default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited via local attackers, and the configure() flaw requires additional authentication to exploit. (CVE-2014-9295)

It was found that ntpd automatically generated weak keys for its internal use if no ntpdc request authentication key was specified in the ntp.conf configuration file. A remote attacker able to match the configured IP restrictions could guess the generated key, and possibly use it to send ntpdc query or configuration requests. (CVE-2014-9293)

It was found that ntp-keygen used a weak method for generating MD5 keys. This could possibly allow an attacker to guess generated MD5 keys that could then be used to spoof an NTP client or server. Note: it is recommended to regenerate any MD5 keys that had explicitly been generated with ntp-keygen; the default installation does not contain such keys. (CVE-2014-9294)

A missing return statement in the receive() function could potentially allow a remote attacker to bypass NTP's authentication mechanism. (CVE-2014-9296)
https://rhn.redhat.com/errata/RHSA-2014-2024.html
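
A defender-side check for the conditions the advisory above describes, as an added example that is not part of the original post or of the NTP project's code. It assumes that `requestkey` is the ntp.conf directive holding the ntpdc request key and that the Autokey `crypto` directive is the non-default configuration meant for crypto_recv(); the version banner and ntp.conf text are constructed samples.

```python
import re

FIXED = (4, 2, 8)  # release the post names as containing the fixes

# Constructed sample ntp.conf, not taken from a real host.
SAMPLE_CONF = """\
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
crypto pw examplepw      # Autokey enabled (non-default)
keys /etc/ntp/keys       # symmetric key file in use
# requestkey 5           (commented out, so not active)
"""

def parse_version(banner):
    """Return (major, minor, patch) from a banner like 'ntpd 4.2.6p5@1.2349-o'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no version in %r" % banner)
    return tuple(int(x) for x in m.groups())

def active_directives(conf_text):
    """Return the set of directive keywords on non-comment lines."""
    seen = set()
    for line in conf_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if tokens:
            seen.add(tokens[0].lower())
    return seen

def audit(banner, conf_text):
    """Return (id, message) findings for the issues listed in the advisory."""
    findings = []
    seen = active_directives(conf_text)
    if parse_version(banner) < FIXED:
        findings.append(("UPGRADE", "ntpd is older than 4.2.8"))
        if "requestkey" not in seen:
            findings.append(("CVE-2014-9293",
                             "no request key set: ntpd generates a weak one"))
        if "crypto" in seen:
            findings.append(("CVE-2014-9295",
                             "Autokey active: crypto_recv() is reachable"))
    # Weakly generated keys stay weak after an upgrade, so always remind.
    if "keys" in seen:
        findings.append(("CVE-2014-9294",
                         "regenerate MD5 keys if made with old ntp-keygen"))
    return findings

if __name__ == "__main__":
    for ident, message in audit("ntpd 4.2.6p5@1.2349-o", SAMPLE_CONF):
        print(ident, "-", message)
```
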
 

splitice

Just a little bit crazy...
Verified Provider
Hopefully this decreases the number of people with MONLIST enabled...
 

rds100

New Member
Verified Provider
Let's bid how long it takes until someone writes a "NTP DDoS deflector" - i.e. something that when hit with an NTP reflection attack sends back specially crafted packets to the misconfigured NTP servers used to carry the attack, making them crash.
 

splitice

Just a little bit crazy...
Verified Provider
Not that I would encourage illegal activity but...

There is likely a high correlation between those administrators who have not disabled MONLIST and those not updated, or going to update... 

It could be even considered an act of garbage removal, a public service for the internet.

Of course this is satirical and not my opinion, nor the opinion or stance of X4B.
 