On 2014-12-20, William Unruh <un...@invalid.ca> wrote:
> On 2014-12-20, David Woolley <david@ex.djwhome.demon.invalid> wrote:
>> On 20/12/14 09:22, Martin Burnicki wrote:
>>>
>>> As far as I understand the reports on bugzilla the main vulnerabilities
>>> are in functions where signed packets (symmetric key or autokey) are
>>> received/checked, or dynamic/remote configuration via ntpq and/or ntpdc
>>> is enabled, which, as far as I know also requires some sort of crypto
>>> to be enabled.
>>>
>> One might be in a pure status enquiry, so you may have to set noquery.
>>
>> In any case, except possibly for people using encryption, and maybe not
>> even them, these affect neither client nor server mode, only remote
>> management.
>
> How can we, as users, protect ourselves against these bugs, assuming
> 4.2.8 is not installable at the present time. How would one set no
> crypto in the conf file? How can one disable remote management?
>
The two bugs that might be dangerous are

--------------------------------------------------------
* Buffer overflow in ctl_putdata()

  References: Sec 2668 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014
  Summary: A remote attacker can send a carefully crafted packet that can
    overflow a stack buffer and potentially allow malicious code to be
    executed with the privilege level of the ntpd process.
  Mitigation: Upgrade to 4.2.8, or later.
  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.

* Buffer overflow in configure()

  References: Sec 2669 / CVE-2014-9295 / VU#852879
  CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P) Base Score: 7.5
  Versions: All NTP4 releases before 4.2.8
  Date Resolved: Stable (4.2.8) 18 Dec 2014
  Summary: A remote attacker can send a carefully crafted packet that can
    overflow a stack buffer and potentially allow malicious code to be
    executed with the privilege level of the ntpd process.
  Mitigation: Upgrade to 4.2.8, or later.
  Credit: This vulnerability was discovered by Stephen Roettger of the
    Google Security Team.
----------------------------------------------------------------

Both say "carefully crafted packet" but do not say what kind of packet. Is
it an ntp packet (i.e. a time exchange packet)? Is it a control packet
(e.g. an ntpq type packet?) or what? I.e., unless you use crypto, these two
look like they might be dangerous. I find the lack of information
disturbing.

_______________________________________________
questions mailing list
questions@lists.ntp.org
http://lists.ntp.org/listinfo/questions
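The two configuration questions quoted above (how to run without crypto, and how to disable remote management) come down to a handful of ntp.conf directives: autokey is enabled by `crypto`, keyed ntpq/ntpdc management by `controlkey`/`requestkey`, and mode 6/7 queries are refused by `noquery` on the default `restrict` line, as David Woolley suggests. The script below is an added example, not part of the thread or of the NTP project; it prints a constructed hardened fragment next to a constructed weak one and audits a file for those directives. The directive names are the standard ntpd ones; the server names, key path and password are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Audits an ntp.conf for the two
# concerns raised above: autokey/keyed remote management directives
# ("crypto", "controlkey", "requestkey") and a default "restrict" line
# that lacks "noquery". Directive names are the standard ntpd ones; the
# server names, key path and password below are placeholders.

# Constructed hardened fragment: no crypto/controlkey/requestkey at all,
# and a default policy that refuses mode 6/7 (ntpq/ntpdc) queries while
# still serving time. Localhost keeps query access for local diagnostics.
hardened_fragment() {
    cat <<'EOF'
# Placeholder servers; replace with your site's sources.
server ntp1.example.com iburst
server ntp2.example.com iburst
# Serve time only: no modification, no traps, no peering, no queries.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# The local host may still run "ntpq -p" against this daemon.
restrict 127.0.0.1
restrict ::1
EOF
}

# Constructed weak fragment for comparison: autokey turned on, a control
# key configured, and a default restrict that still answers remote queries.
weak_fragment() {
    cat <<'EOF'
server ntp1.example.com iburst
keys /etc/ntp/keys
controlkey 1
crypto pw placeholder-password
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
EOF
}

# 0 if $1 contains any directive that enables autokey or keyed management.
has_remote_mgmt_directive() {
    grep -Eq '^[[:space:]]*(crypto|controlkey|requestkey)([[:space:]]|$)' "$1"
}

# 0 if at least one "restrict [-4|-6] default" line exists in $1 and every
# such line carries noquery.
default_restrict_has_noquery() {
    defaults=$(grep -E '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)' "$1" || true)
    [ -n "$defaults" ] || return 1
    if printf '%s\n' "$defaults" | grep -Eqv '(^|[[:space:]])noquery([[:space:]]|$)'; then
        return 1
    fi
    return 0
}

# Overall verdict for file $1: 0 = both concerns addressed, 1 = not.
audit_ntp_conf() {
    if has_remote_mgmt_directive "$1"; then
        echo "WARN: crypto/controlkey/requestkey present in $1"
        return 1
    fi
    if ! default_restrict_has_noquery "$1"; then
        echo "WARN: a default restrict line in $1 lacks noquery"
        return 1
    fi
    echo "OK: $1 has no autokey/management keys and default restrict has noquery"
}

# Write both constructed fragments to temp files; paths land in
# DEMO_HARDENED and DEMO_WEAK.
make_demo_files() {
    DEMO_HARDENED=$(mktemp "${TMPDIR:-/tmp}/ntp-hardened.XXXXXX")
    DEMO_WEAK=$(mktemp "${TMPDIR:-/tmp}/ntp-weak.XXXXXX")
    hardened_fragment > "$DEMO_HARDENED"
    weak_fragment > "$DEMO_WEAK"
}

# Stand-alone run: audit both constructed fragments, then any ntp.conf
# paths given as arguments (for example /etc/ntp.conf).
make_demo_files
audit_ntp_conf "$DEMO_HARDENED" || true
audit_ntp_conf "$DEMO_WEAK" || true
for f in "$@"; do audit_ntp_conf "$f" || true; done
rm -f "$DEMO_HARDENED" "$DEMO_WEAK"
```

Run it as `sh ntp-audit.sh /etc/ntp.conf`. The check is deliberately narrow: it covers only the directives the thread names, so a file that passes still needs the 4.2.8 upgrade the advisory calls for; `noquery` reduces the exposed surface, it does not replace the fix.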