Multiple vulnerabilities released in NTP

systemd also has a minimalistic ntp client. It does not implement the full ntp spec but is sufficient for most desktop and server systems.

I never knew how it worked, thanks for that very lucid explanation, I'm sure the devils in the implementation details but nevertheless.

You wouldn't consider a server at stratum 0 and NTP server?

NTP's author, Eric Fair, is actually the son of the founder of Fair-Issac. Very smart cat, but this was all written so, so long ago it was bound to be exploitable sooner or later.

ntpd shouldn't be running as root on modern Linux systems anyway. It supports using capabilities to drop all privileges aside from the ability to set the system time, and I think most distros have it configured that way.

No, rewriting things in memory safe languages is absolutely something that should be done where it makes sense. There is no good reason to write things like ntpd in C anymore.

Anyone who says you'll just have a new set of similar issues is full of crap. You'll likely have issues, but ruling out memory corruption out the door is an indisputable win.

Nowadays it is possible to catch these kinds of errors ahead of time and at runtime with some help from static analyzers and other special tools, like AddressSanitizer. This report itself is likely to be the result of such work. So, rewrite is not worthwhile if your reasoning is to prevent edge cases in managing memory.

If you think introducing Rust (as an example) solves these kinds of problems you are sorely mistaken.

Languages can make it easier for some things, but they're not a magical fix all. If it weren't this problem it would be something else, something that even "the great mythical Rust" can't prevent.

There are 6 bugs that were announced.

#1 Weak default key in config_auth()

If you're only doing local timekeeping, and not using authentication (you'd know if you were) this doesn't apply. Basically the automatically generated key used for authentication (if you didn't specify one) was only 31 bits long and easily guessable.

#2 non-cryptographic random number generator with weak seed used by ntp-keygen to generate symmetric keys

Same as the above. If you're not using keyed sessions with remote hosts, this doesn't apply to you. Even if you are, the worst you're losing here is that someone could potentially mess with your clock.

#3 Buffer overflow in crypto_recv()

If you are using crypto (i.e. your ntp.conf file contains a line starting with "crypto pw"), you are potentially remotely exploitable to remote code execution. You probably do not have that configuration line set unless you know you put it there.

#4 Buffer overflow in ctl_putdata()

From the sound of the post on ntp.org, this is the scary one. "A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process." This makes it sound like everyone is exploitable. However, Redhat says "the ctl_putdata() flaw, by default, can only be exploited via local attackers". This makes me believe if you have your ntp.conf locked down using the 'restrict' lines you might not be vulnerable.

#5 Buffer overflow in configure()

This is the same as #4, ntp.org's advisory is vague enough that it sounds like everyone is vulnerable. Redhat is saying "the configure() flaw requires additional authentication to exploit." I do not know what this means.

#6 receive(): missing return on error

From their description, it's technically possible (but they haven't done it) to get ntpd into a weird state that is unlikely to be exploitable.

TL;DR: You're possibly vulnerable to #4 and #5 on a stock configuration. Redhat says no, ntp.org's advisory is vague enough that I'm not sure.

This should be stated more clearly. Should we all panic?

Does it affect any ntpd asking for time?

Does it affect a ntpd asking a compromised server for time?

Does it only affect ntpds answering to time requests?

It appears to use capabilities:

  $ ps u 561
  USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
  ntp        561  0.0  0.0   5856   780 ?        Ss   Jul14  22:37 /usr/sbin/ntpd -p /var/run/ntpd.pid -g -u 103:107

  $ /sbin/getpcaps 561
  Capabilities for `561': = cap_net_bind_service,cap_sys_time+ep

Mix in the just-announced CVE-2014-9322, among others, and you have a fairly obvious path to root.

Generally, at any time, it's safer to assume there's at least one active local root exploit in any system.

I've talked to several developers about the state of NTP daemons and neither OpenNTPD nor DragonflyBSD's dntpd are suitable replacements. Neither of those support NTP Authentication nor do they have all of the required algorithms required for proper timekeeping.

The portable version (for Linux and other OSes) is unmaintained and the last release is from 2006. I don't use it on that basis alone.

Also, the last release of non-portable openntpd is from 2009.

There is also systemd-timesyncd and Chrony.

having a host clock that is out of sync can be incredibly troublesome, especially if you have more than one system.

Synchronized network clocks are pretty important for a lot of secure distributed computing. If you aren't doing that, maybe you can get away without it.

There are ways of bypassing stack canaries, depending on the specific application and environment. No exploitation mitigation is ever fool-proof.

Also, in many cases applications will be distributed or have Makefiles without enabling stack canaries or sometimes even DEP and ASLR.

ntp network traffic can be authenticated with symetric keys or autokey currently, and with NTS in the future. Many national labs support authenticated time for free and even more provide authenticated ntp for a fee.[1] Moreover if you care about time you can use a cheap GPS+PPS[2] as a reference or splurge and get a CDMA card. Your "replace it with tlsdate" solution makes little sense; at some point you need NTP or PTP to acquire and synch to UTC.

Why would anyone need encrypted time synch? I do not understand the privacy implications, UTC is not a secret.

[1]: For example: http://www.nist.gov/pml/div688/grp40/auth-ntp.cfm or https://www.nrc-cnrc.gc.ca/eng/solutions/advisory/calibratio...

[2]: My sure gps puck cost $40. It works with the antenna sitting on the window ledge inside my house.

Your article about that:

https://blog.hboeck.de/archives/863-Dont-update-NTP-stop-usi...

I don't understand what attacks are possible... making an enemy late for work when his alarm goes off several hours late?

Or can you circumvent certificate revocations this way?

Actually, NTP has (limited) support for authentication and encryption. I would agree it's pretty lame though.