Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
ntpd contains multiple vulnerabilities
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
freke
Guru
Guru


Joined: 23 Jan 2003
Posts: 402
Location: Somewhere in Denmark

PostPosted: Sat Dec 20, 2014 8:31 pm    Post subject: ntpd contains multiple vulnerabilities Reply with quote

http://www.kb.cert.org/vuls/id/852879

Seems like only the newly released (not yet in portage) 4.2.8 is (partly) fixed...
Back to top
View user's profile Send private message
khayyam
Watchman
Watchman


Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

PostPosted: Sat Dec 20, 2014 10:36 pm    Post subject: Reply with quote

freke ... yes, there is a recent blog post on planet.gentoo (by hanno, aka, Hanno Böck) on the subject.

I tried both net-misc/tlsdate 0.0.6 (stable) and 0.0.12 (unstable) but had issues with tlsdate from both ... though tlsdated seems to function as expected. Note however that by default the config/tlsdate{,d} is setup to use google which seems to me unnecessay, by default its the Physikalisch-Technische Bundesanstalt.

best ... khay
Back to top
View user's profile Send private message
Duncan Mac Leod
Apprentice
Apprentice


Joined: 02 May 2004
Posts: 251
Location: Germany

PostPosted: Sun Dec 21, 2014 1:11 pm    Post subject: Reply with quote

Yes, I just read the same in a german forum.

Seems we'll need 4.2.8 asap...
Back to top
View user's profile Send private message
Nicias
Guru
Guru


Joined: 06 Dec 2005
Posts: 444

PostPosted: Sun Dec 21, 2014 9:11 pm    Post subject: Reply with quote

what about openntpd?
Back to top
View user's profile Send private message
Duncan Mac Leod
Apprentice
Apprentice


Joined: 02 May 2004
Posts: 251
Location: Germany

PostPosted: Sun Dec 21, 2014 9:22 pm    Post subject: Reply with quote

Nicias wrote:
what about openntpd?


not vulnerable :D

http://article.gmane.org/gmane.os.openbsd.tech/40107/
Back to top
View user's profile Send private message
ct85711
Veteran
Veteran


Joined: 27 Sep 2005
Posts: 1692

PostPosted: Mon Dec 22, 2014 3:15 am    Post subject: Reply with quote

tried switching over to use openntpd, and the fetch failed due to openntpd_20080406p-6.debian.tar.gz not existing on the hosting servers anymore.

Code:

...

>>> Downloading 'http://ftp.nz.debian.org/debian/pool/main/o/openntpd/openntpd_20080406p-6.debian.tar.gz'
--2014-12-21 21:01:37--  http://ftp.nz.debian.org/debian/pool/main/o/openntpd/openntpd_20080406p-6.debian.tar.gz
Resolving ftp.nz.debian.org... 202.8.47.148
Connecting to ftp.nz.debian.org|202.8.47.148|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-12-21 21:01:40 ERROR 404: Not Found.

>>> Downloading 'http://ftp.se.debian.org/debian/pool/main/o/openntpd/openntpd_20080406p-6.debian.tar.gz'
--2014-12-21 21:01:40--  http://ftp.se.debian.org/debian/pool/main/o/openntpd/openntpd_20080406p-6.debian.tar.gz
Resolving ftp.se.debian.org... 130.239.18.173, 130.239.18.163, 130.239.18.165, ...
Connecting to ftp.se.debian.org|130.239.18.173|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://caesar.acc.umu.se/debian/pool/main/o/openntpd/openntpd_20080406p-6.debian.tar.gz [following]
--2014-12-21 21:01:40--  http://caesar.acc.umu.se/debian/pool/main/o/openntpd/openntpd_20080406p-6.debian.tar.gz
Resolving caesar.acc.umu.se... 130.239.18.142, 2001:6b0:e:2018::142
Connecting to caesar.acc.umu.se|130.239.18.142|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-12-21 21:01:41 ERROR 404: Not Found.

>>> Downloading 'http://ftp.gr.debian.org/debian/pool/main/o/openntpd/openntpd_20080406p-6.debian.tar.gz'
--2014-12-21 21:01:41--  http://ftp.gr.debian.org/debian/pool/main/o/openntpd/openntpd_20080406p-6.debian.tar.gz
Resolving ftp.gr.debian.org... 147.102.222.211
Connecting to ftp.gr.debian.org|147.102.222.211|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-12-21 21:01:45 ERROR 404: Not Found.

>>> Downloading 'http://ftp.cz.debian.org/debian/pool/main/o/openntpd/openntpd_20080406p-6.debian.tar.gz'
--2014-12-21 21:01:45--  http://ftp.cz.debian.org/debian/pool/main/o/openntpd/openntpd_20080406p-6.debian.tar.gz
Resolving ftp.cz.debian.org... 195.113.161.73, 2001:718:1:4::2
Connecting to ftp.cz.debian.org|195.113.161.73|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-12-21 21:01:46 ERROR 404: Not Found.

>>> Downloading 'http://ftp.ch.debian.org/debian/pool/main/o/openntpd/openntpd_20080406p-6.debian.tar.gz'
--2014-12-21 21:01:46--  http://ftp.ch.debian.org/debian/pool/main/o/openntpd/openntpd_20080406p-6.debian.tar.gz
Resolving ftp.ch.debian.org... 129.132.53.171, 2001:67c:10ec:3dd1::42
Connecting to ftp.ch.debian.org|129.132.53.171|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-12-21 21:01:48 ERROR 404: Not Found.

...


When I went to one of the servers listed and see what version they have available, I got this list
Code:

[b]server: http://ftp2.fr.debian.org/debian/pool/main/o/openntpd/[/b]
[   ] openntpd_20080406p-4.debian.tar.gz              28-Jun-2012 05:35   11K 
[   ] openntpd_20080406p-4.dsc                        28-Jun-2012 05:35  1.9K 
[   ] openntpd_20080406p-4_amd64.deb                  28-Jun-2012 05:35   62K 
[   ] openntpd_20080406p-4_armel.deb                  28-Jun-2012 06:21   62K 
[   ] openntpd_20080406p-4_armhf.deb                  28-Jun-2012 06:21   59K 
[   ] openntpd_20080406p-4_i386.deb                   28-Jun-2012 06:05   63K 
[   ] openntpd_20080406p-4_ia64.deb                   28-Jun-2012 06:21   75K 
[   ] openntpd_20080406p-4_kfreebsd-amd64.deb         28-Jun-2012 06:05   61K 
[   ] openntpd_20080406p-4_kfreebsd-i386.deb          28-Jun-2012 23:34   60K 
[   ] openntpd_20080406p-4_mips.deb                   28-Jun-2012 06:22   60K 
[   ] openntpd_20080406p-4_mipsel.deb                 28-Jun-2012 06:34   60K 
[   ] openntpd_20080406p-4_powerpc.deb                29-Jun-2012 15:25   62K 
[   ] openntpd_20080406p-4_s390.deb                   28-Jun-2012 06:06   64K 
[   ] openntpd_20080406p-4_s390x.deb                  28-Jun-2012 18:12   63K 
[   ] openntpd_20080406p-4_sparc.deb                  28-Jun-2012 07:02   61K 
[   ] openntpd_20080406p-7~bpo70+1.debian.tar.gz      17-Apr-2014 17:10   13K 
[   ] openntpd_20080406p-7~bpo70+1.dsc                17-Apr-2014 17:10  1.9K 
[   ] openntpd_20080406p-7~bpo70+1_amd64.deb          18-Apr-2014 11:34   63K 
[   ] openntpd_20080406p-7~bpo70+1_armel.deb          18-Apr-2014 11:44   62K 
[   ] openntpd_20080406p-7~bpo70+1_armhf.deb          18-Apr-2014 13:25   60K 
[   ] openntpd_20080406p-7~bpo70+1_i386.deb           17-Apr-2014 17:10   63K 
[   ] openntpd_20080406p-7~bpo70+1_ia64.deb           18-Apr-2014 12:14   76K 
[   ] openntpd_20080406p-7~bpo70+1_kfreebsd-amd64.deb 18-Apr-2014 11:44   62K 
[   ] openntpd_20080406p-7~bpo70+1_kfreebsd-i386.deb  18-Apr-2014 11:44   61K 
[   ] openntpd_20080406p-7~bpo70+1_mips.deb           07-May-2014 10:12   61K 
[   ] openntpd_20080406p-7~bpo70+1_mipsel.deb         18-Apr-2014 15:55   61K 
[   ] openntpd_20080406p-7~bpo70+1_powerpc.deb        18-Apr-2014 11:44   62K 
[   ] openntpd_20080406p-7~bpo70+1_s390.deb           18-Apr-2014 11:44   65K 
[   ] openntpd_20080406p-7~bpo70+1_s390x.deb          18-Apr-2014 11:44   64K 
[   ] openntpd_20080406p-7~bpo70+1_sparc.deb          18-Apr-2014 11:49   62K 
[   ] openntpd_20080406p-10.debian.tar.xz             26-Aug-2014 09:37   13K 
[   ] openntpd_20080406p-10.dsc                       26-Aug-2014 09:37  1.9K 
[   ] openntpd_20080406p-10_amd64.deb                 26-Aug-2014 09:37   59K 
[   ] openntpd_20080406p-10_arm64.deb                 26-Aug-2014 13:13   56K 
[   ] openntpd_20080406p-10_armel.deb                 26-Aug-2014 11:27   58K 
[   ] openntpd_20080406p-10_armhf.deb                 26-Aug-2014 11:27   57K 
[   ] openntpd_20080406p-10_i386.deb                  26-Aug-2014 11:17   61K 
[   ] openntpd_20080406p-10_kfreebsd-amd64.deb        26-Aug-2014 11:27   59K 
[   ] openntpd_20080406p-10_kfreebsd-i386.deb         26-Aug-2014 11:27   60K 
[   ] openntpd_20080406p-10_mips.deb                  26-Aug-2014 11:42   58K 
[   ] openntpd_20080406p-10_mipsel.deb                26-Aug-2014 11:27   58K 
[   ] openntpd_20080406p-10_powerpc.deb               26-Aug-2014 11:17   58K 
[   ] openntpd_20080406p-10_ppc64el.deb               26-Aug-2014 18:25   58K 
[   ] openntpd_20080406p-10_s390x.deb                 26-Aug-2014 11:27   59K 
[   ] openntpd_20080406p-10_sparc.deb                 26-Aug-2014 11:32   58K 
[   ] openntpd_20080406p-11.debian.tar.xz             03-Sep-2014 22:28   13K 
[   ] openntpd_20080406p-11.dsc                       03-Sep-2014 22:28  1.9K 
[   ] openntpd_20080406p-11_amd64.deb                 03-Sep-2014 22:28   60K 
[   ] openntpd_20080406p-11_arm64.deb                 22-Oct-2014 23:28   57K 
[   ] openntpd_20080406p-11_armel.deb                 04-Sep-2014 00:59   60K 
[   ] openntpd_20080406p-11_armhf.deb                 04-Sep-2014 00:14   59K 
[   ] openntpd_20080406p-11_i386.deb                  03-Sep-2014 23:59   62K 
[   ] openntpd_20080406p-11_kfreebsd-amd64.deb        03-Sep-2014 23:59   60K 
[   ] openntpd_20080406p-11_kfreebsd-i386.deb         04-Sep-2014 00:04   61K 
[   ] openntpd_20080406p-11_mips.deb                  11-Oct-2014 13:42   61K 
[   ] openntpd_20080406p-11_mipsel.deb                05-Sep-2014 20:31   60K 
[   ] openntpd_20080406p-11_powerpc.deb               03-Sep-2014 23:49   59K 
[   ] openntpd_20080406p-11_ppc64el.deb               06-Sep-2014 13:44   59K 
[   ] openntpd_20080406p-11_s390x.deb                 03-Sep-2014 23:44   60K 
[   ] openntpd_20080406p-11_sparc.deb                 04-Sep-2014 02:25   59K 
[   ] openntpd_20080406p.orig.tar.gz                  08-Mar-2012 19:17  172K 


So I suspect the ebuild needs to be updated to use the current patch set.

Note: I did fix my issue on not finding the necessary file, by manually downloading from a different server (found through google search).
Back to top
View user's profile Send private message
araxon
n00b
n00b


Joined: 25 May 2011
Posts: 48

PostPosted: Mon Dec 22, 2014 12:14 pm    Post subject: Reply with quote

If I just stop the ntpd, am I safe until the patched version gets into the portage?
Code:
/etc/init.d/ntpd stop
Back to top
View user's profile Send private message
charles17
Advocate
Advocate


Joined: 02 Mar 2008
Posts: 2583

PostPosted: Mon Dec 22, 2014 2:02 pm    Post subject: Reply with quote

araxon wrote:
If I just stop the ntpd, am I safe until the patched version gets into the portage?
Code:
/etc/init.d/ntpd stop
If you really want to stop it, also make sure not to have it in a runlevel
Quote:
# rc-update del ntpd
Back to top
View user's profile Send private message
charles17
Advocate
Advocate


Joined: 02 Mar 2008
Posts: 2583

PostPosted: Mon Dec 22, 2014 2:11 pm    Post subject: Reply with quote

khayyam wrote:
I tried both net-misc/tlsdate 0.0.6 (stable) and 0.0.12 (unstable) but had issues with tlsdate from both ... though tlsdated seems to function as expected. Note however that by default the config/tlsdate{,d} is setup to use google which seems to me unnecessay, by default its the Physikalisch-Technische Bundesanstalt.
What about using Ntimed http://phk.freebsd.dk/time/20141221.html as an alternative? Bug 533292 already exists.
Back to top
View user's profile Send private message
khayyam
Watchman
Watchman


Joined: 07 Jun 2012
Posts: 6228
Location: Room 101

PostPosted: Mon Dec 22, 2014 3:43 pm    Post subject: Reply with quote

charles17 wrote:
What about using Ntimed http://phk.freebsd.dk/time/20141221.html as an alternative? Bug 533292 already exists.

charles ... I imagine this will come to be the replacement to ntpd, however, right now there is no official release (the first is expected in Q1 2015) and its not suitable for production as yet. Also, as per the post made by Hanno (link above) there is still the issue that the NTP protocol is inherently insecure, there is no TSL/SSL or such, this means on-the-wire the packets can be tamperd with via MitM and so while the tlsdate doesn't solve all the issues (ie, who actually has the correct time) it does mitigate the primary problem with NTP.

best ... khay
Back to top
View user's profile Send private message
e3k
Guru
Guru


Joined: 01 Oct 2007
Posts: 349
Location: Inner Space

PostPosted: Tue Dec 23, 2014 3:33 pm    Post subject: busybox Reply with quote

does anyone know if the busybox ntpd is also affected? i am searching for that the last 2 days but still no hit.
_________________
((O.o))
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum