Network Time Protocol Vulnerabilities

SuperDice · December 21, 2014, 3:25pm

Google Security Team researchers Neel Mehta and Stephen Roettger have coordinated multiple vulnerabilities with CERT/CC concerning the Network Time Protocol (NTP). As NTP is widely used within operational Industrial Control Systems deployments, NCCIC/ICS-CERT is providing this information for US Critical Infrastructure asset owners and operators for awareness and to identify mitigations for affected devices. ICS-CERT may release updates as additional information becomes available.
These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available.
Products using NTP service prior to NTP-4.2.8 are affected. No specific vendor is specified because this is an open source protocol.

https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01

Solutions:

Remove ntp by using yast or, else:

zypper rm ntp as root in a terminal ]

A good replacement is chrony, version 1.31
https://software.opensuse.org/package/chrony?search_term=chrony

select opensue 13.2, home:aevseev
select package for your distribution

download it, and install it by rpm -i [package-name]

go to
http://www.pool.ntp.org/en/

and choose your nearest location, at the right side of the page
copy serv 0 to 3 to /etc/chrony.conf

by open chrony.conf, located in /etc

an example of chrny.conf could be:

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.de.pool.ntp.org
server 1.de.pool.ntp.org
server 2.de.pool.ntp.org
server 3.de.pool.ntp.org

# Ignore stratum in source selection.
stratumweight 0

# Record the rate at which the system clock gains/losses time.
driftfile /var/lib/chrony/drift

# Enable kernel RTC synchronization.
rtcsync

# In first three updates step the system clock instead of slew
# if the adjustment is larger than 10 seconds.
makestep 10 3

# Allow NTP client access from local network.
#allow 192.168/16

# Listen for commands only on localhost.
bindcmdaddress 127.0.0.1
bindcmdaddress ::1

# Serve time even if not synchronized to any NTP server.
#local stratum 10

keyfile /etc/chrony.keys

# Specify the key used as password for chronyc.
commandkey 1

# Generate command key if missing.
generatecommandkey

# Disable logging of client accesses.
noclientlog

# Send a message to syslog if a clock adjustment is larger than 0.5 seconds.
logchange 0.5

logdir /var/log/chrony
#log measurements statistics tracking

save

open yast
enable service chrony in the services manager section

hcvv · December 21, 2014, 4:02pm

As there was a patch to the package ntp a few days ago in the Update repo, are you sure the vulnerability is still there?

Because Security issues are patched rather soon by th openSUSE team after they are reported and I am not ready to do all the fuss you describe above when my zypper patch of yesterday already solved it.

malcolmlewis · December 21, 2014, 4:48pm

Update issued two days ago…
https://bugzilla.opensuse.org/show_bug.cgi?id=910764

And for something like a primary service, I would not be interested in using a home users package… would rather ask the folks at network:time to update and publish for 13.2.

Miuku · December 21, 2014, 5:11pm

NTP port is firewalled by default so this is not a very high priority issue for… well anyone who isn’t running an NTP server.

jetchisel · December 24, 2014, 6:11am

And you told to remove packages via zypper then install via rpm? How about that?
Just saying…

Sauerland · December 24, 2014, 9:35am

As all said, there is no need to install another ntp Package:

rpm -q --changelog ntp
* Fr Dez 19 2014 max@suse.com
- bnc#910764: VU#852879 ntp security fixes
  * A potential remote code execution problem was found inside
    ntpd. The functions crypto_recv() (when using autokey
    authentication), ctl_putdata(), and configure() where updated
    to avoid buffer overflows that could be
    exploited. (CVE-2014-9295)
  * Furthermore a problem inside the ntpd error handling was found
    that is missing a return statement. This could also lead to a
    potentially attack vector. (CVE-2014-9296)
.
.
.
.

zypper se -si ntp
S | Name             | Typ   | Version        | Arch   | Repository          
--+------------------+-------+----------------+--------+---------------------
i | ntp              | Paket | 4.2.6p5-25.5.1 | x86_64 | openSUSE-13.2-Update

robin_listas · December 24, 2014, 1:13pm

On 2014-12-21 15:26, SuperDice wrote:
>
> Google Security Team researchers Neel Mehta and Stephen Roettger have

…

> Solutions:

You don’t need to consider that if you are not running an ntp server
open to internet.

> A good replacement is chrony, version 1.31
> https://software.opensuse.org/package/chrony?search_term=chrony
>
> - select opensue 13.2, home:aevseev

From a home repo, unverified/unsuported by the openSUSE security team?
No thanks.

–
Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)