Package: openntpd
Version: 1:5.7p4-1
Severity: important
Tags: security

In the logs, I get:

Jul 03 14:17:59 zira systemd[1]: Starting OpenNTPd Network Time Protocol...
Jul 03 14:17:59 zira ntpd[820]: constraint certificate verification turned off

which is really bad from a security point of view, as it defeats the security requirement configured by the user (I have installed openntpd specifically for this, as my laptop is often on an untrusted network, where at least SLAAC attacks occur from time to time).

Let's recall what the ntpd.conf(5) man page says:

    CONSTRAINTS
        ntpd(8) can be configured to query the 'Date' from trusted HTTPS
        servers via TLS. This time information is not used for precision but
        acts as an authenticated constraint, thereby reducing the impact of
        unauthenticated NTP 'Man-In-The-Middle' attacks. Received NTP packets
        with time information falling outside of a range near the constraint
        will be discarded and such NTP servers will be marked as invalid.

But in case of a man-in-the-middle attack, the attacker can provide his own server instead of the one expected from the config file. And if the certificate is not checked, this will remain unnoticed, and the constraint would be absolutely useless.

-- System Information:
Debian Release: stretch/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openntpd depends on:
ii  adduser              3.113+nmu3
ii  init-system-helpers  1.23
ii  libc6                2.19-18
ii  netbase              5.3

openntpd recommends no packages.

Versions of packages openntpd suggests:
pn  apparmor  <none>

-- Configuration Files:
/etc/openntpd/ntpd.conf changed:
servers 0.debian.pool.ntp.org
servers 1.debian.pool.ntp.org
servers 2.debian.pool.ntp.org
servers 3.debian.pool.ntp.org
constraint from www.vinc17.net

-- no debconf information

_______________________________________________
Secure-testing-team mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
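The constraint mechanism the report quotes, as an added illustration that is not part of the bug report or of OpenNTPD's code: an authenticated HTTPS Date lookup next to the unverified variant the log line amounts to, plus the window check that rejects NTP replies far from the constraint. The 15-second margin, the function names and the sample response are assumptions of this example, not values taken from ntpd.

```python
import socket
import ssl
from email.utils import parsedate_to_datetime

# Assumed acceptance window in seconds; the real ntpd margin is not stated in the report.
CONSTRAINT_MARGIN = 15


def make_verifying_context() -> ssl.SSLContext:
    """Chain checked against the system CA store plus hostname check: only this makes the constraint authenticated."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def make_unverifying_context() -> ssl.SSLContext:
    """What 'constraint certificate verification turned off' amounts to: any certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can drop to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Sanity check before trusting a TLS context as a constraint source."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def constraint_epoch(raw_headers: str) -> int:
    """Return the HTTP Date header of a constraint response as Unix seconds."""
    for line in raw_headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "date":
            return int(parsedate_to_datetime(value.strip()).timestamp())
    raise ValueError("constraint response carries no Date header")


def ntp_time_is_valid(ntp_epoch: float, constraint: float, margin: int = CONSTRAINT_MARGIN) -> bool:
    """Accept an NTP reply only if it lies within +/- margin of the authenticated constraint."""
    return abs(ntp_epoch - constraint) <= margin


def fetch_constraint(host: str, port: int = 443) -> int:
    """Query the Date over verified TLS (needs network access; not exercised offline)."""
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=10) as sock:
        with make_verifying_context().wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(request)
            data = b"".join(iter(lambda: tls.recv(4096), b""))
    return constraint_epoch(data.decode("latin-1").split("\r\n\r\n")[0])


# Constructed sample response; not a capture from any real server.
SAMPLE_HEADERS = "HTTP/1.1 200 OK\r\nDate: Fri, 03 Jul 2015 12:17:59 GMT\r\nServer: nginx\r\n"
```

With verification off, `fetch_constraint` would happily take the Date from whatever host answers on the path, so the window check in `ntp_time_is_valid` would then be anchored to an attacker-chosen time.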

