Zitat von Martin Burnicki <[email protected]>:
Ask Bjørn Hansen wrote:
You are right that strictly speaking in the context of this list
“you should upgrade” is not completely unreasonable, but for
“regular users” knowing more details about the scope and the
mitigation options than was listed in the announcement would be nice.
Most of us running ntpd’s that participate in the NTP Pool also
have numerous other devices with NTP software.
As far as I understand the reports on bugzilla the main
vulnerabilities are in functions where signed packets (symmetric key
or autokey) are used, or dynamic/remote configuration via ntpq
and/or ntpdc is enabled, which, as far as I know also requires some
sort of crypto top be enabled.
So from my understanding disabling crypto in ntp.conf should avoid
the main vulnerabilities as a first, quick step.
Martin
It would be really helpful to get a configuration hint how to avoid at
least most of the problems. We have a standard Linux distribution with
their shippment of ntpd in the pool and as no fix is available from
them and it may take a while our only option is to leave the pool or
to take the risk of loosing the server to the bad ones. For most of us
the servers provided are used for other work and are not dedicated for
ntp so clearly without a configuration workaround we will shutdown
ntpd immediately :-(
So the question still is:
are we save for the first three flaws listed when not using
crypto/auth in any way and what configuration parameter we have to
check ?
is the ctl_putdata() exploitable in any configuration accepting
queries as i suspect ?
what is about "Buffer overflow in configure()" is it only exploitable
when using remote configuration or not?
Thanks for any hints
Andreas
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
