*** This bug is a security vulnerability ***
Public security bug reported:
Ubuntu implements so much security one way or another. So much defenses
against network level man in the middle or malicious proxies or wifi
hotspots. Cryptographic verification generally works well but there is
one big drawback: it requires correct date/time.
NTP in Ubuntu does not use any authentication by default, although it is
supported by NTP.
I conclude, that almost no one is using authenticated NTP, because there
are no instructions in a forum or blog how to enable NTP authentication.
Therefore almost everyone uses standard configuration and is at risk.
An adversary can tamper with the unauthenticated NTP replies and put the
users time several years back, especially, but not limited, if the bios
battery or hardware clock is defect. That issue becomes more relevant
with new devices like RP, which do not even have a hardware clock.
Putting the clock several years back allows an adversary to use already
revoked, broken, expired certificates; replay old, broken, outdated,
known vulnerable updates etc.
** Affects: ntp (Ubuntu)
Importance: Undecided
Status: New
** Visibility changed to: Public
--
You received this bug notification because you are a member of Ubuntu
Server Team, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1039420
Title:
NTP security vulnerability because not using authentication by default
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1039420/+subscriptions
--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at:
https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
