Quoting [email protected]:
Quoting Martin Burnicki <[email protected]>:
Ask Bjørn Hansen wrote:
You are right that strictly speaking in the context of this list
“you should upgrade” is not completely unreasonable, but for
“regular users” knowing more details about the scope and the
mitigation options than was listed in the announcement would be
nice.
Most of us running ntpd’s that participate in the NTP Pool also
have numerous other devices with NTP software.
As far as I understand the reports on bugzilla the main
vulnerabilities are in functions where signed packets (symmetric
key or autokey) are used, or dynamic/remote configuration via ntpq
and/or ntpdc is enabled, which, as far as I know, also requires some
sort of crypto to be enabled.
So from my understanding disabling crypto in ntp.conf should avoid
the main vulnerabilities as a first, quick step.
Martin
It would be really helpful to get a configuration hint on how to avoid
at least most of the problems. We have a standard Linux distribution
with its shipped ntpd in the pool, and as no fix is available
from them and it may take a while, our only option is to leave the
pool or to take the risk of losing the server to the bad ones. For
most of us the servers provided are used for other work and are not
dedicated to NTP, so clearly without a configuration workaround we
will shut down ntpd immediately :-(
So the questions still are:
Are we safe from the first three flaws listed when not using
crypto/auth in any way, and which configuration parameters do we have to
check?
Is ctl_putdata() exploitable in any configuration accepting
queries, as I suspect?
What about the "Buffer overflow in configure()": is it only
exploitable when using remote configuration, or not?
Thanks for any hints
Andreas
Ubuntu still has no patches as of now, and no one was able or willing
to comment on configuration workarounds, so we are out of the pool for
now.
Andreas
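Added example for this thread (not code from ntp.org, from any distribution, or from any of the posters): a small shell audit of ntp.conf text for the two things Martin's quick mitigation relies on, namely that no symmetric-key or autokey authentication is configured and that the default restriction refuses ntpq/ntpdc control traffic. The directive names (keys, keysdir, trustedkey, requestkey, controlkey, crypto, the autokey server option) and the restrict flags (noquery, nomodify, ignore) are the documented ntpd ones; the two sample configurations, their host names and file paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example for this thread; not code from ntp.org, the distribution,
# or any of the posters. It audits ntp.conf text for the two things
# Martin's quick mitigation relies on: no symmetric-key or autokey
# authentication configured, and ntpq/ntpdc control traffic refused by the
# default restriction. Directive and flag names are the documented ntpd
# ones; the sample configs below are constructed for the demonstration
# (host names and paths in them are placeholders).

# Print, lower-cased and sorted, the authentication-related directives in
# the config text given as $1: keys, keysdir, trustedkey, requestkey,
# controlkey and crypto at line start, plus "autokey" used as an option on
# a server/peer style line. Empty output means no NTP crypto is configured.
ntp_auth_directives() {
    {
        printf '%s\n' "$1" \
            | grep -Ei '^[[:space:]]*(keys|keysdir|trustedkey|requestkey|controlkey|crypto)([[:space:]]|$)' \
            | awk '{print tolower($1)}'
        printf '%s\n' "$1" \
            | grep -Ei '^[[:space:]]*(server|peer|broadcast|manycastclient|pool)[[:space:]].*[[:space:]]autokey([[:space:]]|$)' \
            | awk '{print "autokey"}'
    } | sort -u
}

# Return 0 when every "restrict [-4|-6] default" line in $1 carries noquery
# (ntpq/ntpdc queries refused), nomodify (queries answered, run-time
# configuration refused) or ignore; return 1 when a default line has none
# of these, or when there is no default restriction at all, which leaves
# mode 6/7 control packets accepted from any source address.
ntp_default_restricted() {
    lines=$(printf '%s\n' "$1" \
        | grep -Ei '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)' \
        | tr -s '[:blank:]' ' ')
    [ -n "$lines" ] || return 1
    printf '%s\n' "$lines" | while read -r line; do
        case " $line " in
            *" noquery "*|*" nomodify "*|*" ignore "*) ;;
            *) exit 1 ;;   # exits only the pipeline subshell; the loop's status becomes 1
        esac
    done
}

# Constructed sample 1: roughly the state Martin suggests. No keys or
# crypto directives; time is served, but queries and changes are refused
# from everywhere except localhost.
SAFE_CONF='driftfile /var/lib/ntp/ntp.drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst'

# Constructed sample 2: symmetric keys, remote configuration keys and an
# autokey peer enabled, and no default restriction at all.
RISKY_CONF='driftfile /var/lib/ntp/ntp.drift
keys /etc/ntp/ntp.keys
trustedkey 1
requestkey 1
controlkey 1
server 0.pool.ntp.org iburst
peer time.example.net autokey'

# Human-readable summary for one config text.
report() {
    auth=$(ntp_auth_directives "$1")
    if [ -n "$auth" ]; then
        printf 'auth/crypto directives present: %s\n' "$(printf '%s' "$auth" | tr '\n' ' ')"
    else
        printf 'no auth/crypto directives: symmetric-key and autokey code paths unused\n'
    fi
    if ntp_default_restricted "$1"; then
        printf 'default restriction refuses remote ntpq/ntpdc control\n'
    else
        printf 'default restriction missing or permits remote control queries\n'
    fi
}

echo '--- sample 1 (hardened) ---'; report "$SAFE_CONF"
echo '--- sample 2 (risky) ---';    report "$RISKY_CONF"
```

Against a live host the same functions take the file contents, for example `report "$(cat /etc/ntp.conf)"`. The audit only reads the text you hand it, so a config that pulls in an `includefile` needs that file checked as well, and it says nothing about whether the installed ntpd binary is fixed; it only confirms that the workaround Martin outlines is actually in place. Of the two flags, `noquery` is the stronger: it refuses ntpq and ntpdc altogether, whereas `nomodify` still answers read-only queries. Which of them is sufficient against the individual flaws Andreas lists is not something the thread settles.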
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool