Results 1 to 7 of 7

Thread: Network Time Protocol Vulnerabilities

  1. #1

    Default Network Time Protocol Vulnerabilities

    Google Security Team researchers Neel Mehta and Stephen Roettger have coordinated multiple vulnerabilities with CERT/CC concerning the Network Time Protocol (NTP). As NTP is widely used within operational Industrial Control Systems deployments, NCCIC/ICS-CERT is providing this information for US Critical Infrastructure asset owners and operators for awareness and to identify mitigations for affected devices. ICS-CERT may release updates as additional information becomes available.
    These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available.
    Products using NTP service prior to NTP-4.2.8 are affected. No specific vendor is specified because this is an open source protocol.

    https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01

    Solutions:

    Remove ntp by using yast or, else:

    zypper rm ntp [ as root in a terminal ]

    A good replacement is chrony, version 1.31
    https://software.opensuse.org/packag...ch_term=chrony

    - select opensue 13.2, home:aevseev
    - select package for your distribution

    download it, and install it by rpm -i [package-name]

    go to
    http://www.pool.ntp.org/en/

    and choose your nearest location, at the right side of the page
    copy serv 0 to 3 to /etc/chrony.conf

    by open chrony.conf, located in /etc

    an example of chrny.conf could be:

    Code:
    # Use public servers from the pool.ntp.org project.
    # Please consider joining the pool (http://www.pool.ntp.org/join.html).
    server 0.de.pool.ntp.org
    server 1.de.pool.ntp.org
    server 2.de.pool.ntp.org
    server 3.de.pool.ntp.org
    
    # Ignore stratum in source selection.
    stratumweight 0
    
    # Record the rate at which the system clock gains/losses time.
    driftfile /var/lib/chrony/drift
    
    # Enable kernel RTC synchronization.
    rtcsync
    
    # In first three updates step the system clock instead of slew
    # if the adjustment is larger than 10 seconds.
    makestep 10 3
    
    # Allow NTP client access from local network.
    #allow 192.168/16
    
    # Listen for commands only on localhost.
    bindcmdaddress 127.0.0.1
    bindcmdaddress ::1
    
    # Serve time even if not synchronized to any NTP server.
    #local stratum 10
    
    keyfile /etc/chrony.keys
    
    # Specify the key used as password for chronyc.
    commandkey 1
    
    # Generate command key if missing.
    generatecommandkey
    
    # Disable logging of client accesses.
    noclientlog
    
    # Send a message to syslog if a clock adjustment is larger than 0.5 seconds.
    logchange 0.5
    
    logdir /var/log/chrony
    #log measurements statistics tracking
    save

    open yast
    enable service chrony in the services manager section

  2. #2
    Join Date
    Jun 2008
    Location
    Netherlands
    Posts
    24,889

    Default Re: Network Time Protocol Vulnerabilities

    As there was a patch to the package ntp a few days ago in the Update repo, are you sure the vulnerability is still there?

    Because Security issues are patched rather soon by th openSUSE team after they are reported and I am not ready to do all the fuss you describe above when my zypper patch of yesterday already solved it.
    Henk van Velden

  3. #3
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    26,527
    Blog Entries
    15

    Default Re: Network Time Protocol Vulnerabilities

    Update issued two days ago....
    https://bugzilla.opensuse.org/show_bug.cgi?id=910764

    And for something like a primary service, I would not be interested in using a home users package... would rather ask the folks at network:time to update and publish for 13.2.
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!

  4. #4
    Join Date
    May 2012
    Location
    Finland
    Posts
    2,004

    Default Re: Network Time Protocol Vulnerabilities

    NTP port is firewalled by default so this is not a very high priority issue for.. well anyone who isn't running an NTP server.
    .: miuku #suse @ irc.freenode.net
    :: miuku@opensuse.org

    .: h​ttps://download.opensuse.org/repositories/home:/Miuku/

  5. #5

    Default Re: Network Time Protocol Vulnerabilities

    Quote Originally Posted by SuperDice View Post
    Google Security Team researchers Neel Mehta and Stephen Roettger have coordinated multiple vulnerabilities with CERT/CC concerning the Network

    zypper rm ntp [ as root in a terminal ]

    download it, and install it by rpm -i [package-name]
    And you told to remove packages via zypper then install via rpm? How about that?
    Just saying...
    "Unfortunately time is always against us" -- [Morpheus]

    .:https://github.com/Jetchisel:.

  6. #6
    Join Date
    Mar 2011
    Location
    Sauerland
    Posts
    3,891

    Default AW: Network Time Protocol Vulnerabilities

    As all said, there is no need to install another ntp Package:
    Code:
    rpm -q --changelog ntp
    * Fr Dez 19 2014 max@suse.com
    - bnc#910764: VU#852879 ntp security fixes
      * A potential remote code execution problem was found inside
        ntpd. The functions crypto_recv() (when using autokey
        authentication), ctl_putdata(), and configure() where updated
        to avoid buffer overflows that could be
        exploited. (CVE-2014-9295)
      * Furthermore a problem inside the ntpd error handling was found
        that is missing a return statement. This could also lead to a
        potentially attack vector. (CVE-2014-9296)
    .
    .
    .
    .
    Code:
    zypper se -si ntp
    S | Name             | Typ   | Version        | Arch   | Repository          
    --+------------------+-------+----------------+--------+---------------------
    i | ntp              | Paket | 4.2.6p5-25.5.1 | x86_64 | openSUSE-13.2-Update

  7. #7
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: Network Time Protocol Vulnerabilities

    On 2014-12-21 15:26, SuperDice wrote:
    >
    > Google Security Team researchers Neel Mehta and Stephen Roettger have


    ....

    > Solutions:


    You don't need to consider that if you are not running an ntp server
    open to internet.


    > A good replacement is chrony, version 1.31
    > https://software.opensuse.org/packag...ch_term=chrony
    >
    > - select opensue 13.2, home:aevseev


    From a home repo, unverified/unsuported by the openSUSE security team?
    No thanks.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •