Sign in / up

back to article Dangerous NTP hole ruins your Chrissy lunch

Critical holes have been reported in the implementation of the network time protocol (NTP) that could allow unsophisticated attackers root access on servers. System administrators may need to forego the Christmas beers and roasted beasts until they've updated NTP daemons running versions 4.2.8 and below. The grinch bug was …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *
  1. Destroy All Monsters Silver badge

    "Exploitation of these vulnerabilities could allow an attacker to execute arbitrary code with the privileges of the ntpd process"

    So not root, but some lousy service user.

    Right? RIGHT?

    4 0 Reply
    1. Christian Berger
      Reply Icon

      That depends on your installation

      ntpd is usually heavily guarded, at least on Debian, it can't do very much. I think it needs to be root as it needs to adjust the clock.

      If you are running an actual stratum 0 server, you may in fact even have turned off those additional limitations so your ntpd can talk to your PPS input.

      3 0 Reply
      1. Stuart 22
        Reply Icon

        Re: That depends on your installation

        " I think it needs to be root as it needs to adjust the clock."

        Yep - its the setup for the attack of the Time Lords in the Christmas Day Dr Who special .. but does that set an inpenetrable time barrier of 1970?

        3 0 Reply
        1. Destroy All Monsters Silver badge
          Reply Icon

          Re: That depends on your installation

          ntpd needs root

          Not really. This is why it drops everything immediately after startup.

          The Linux Capabilities mechanism allows ntpd to drop all root privileges, except for the one it actually needs (the privilege to set the system clock). How to use this feature: ...

          6 1 Reply

  2. This post has been deleted by its author

    1. Anonymous Coward
      Reply Icon
      Anonymous Coward

      Am I the only one who thought that was a guy?

      2 0 Reply
  3. NogginTheNog
    Coat

    about the hottie in the elf hat that you used in the story picture

    She looks rather like Linda McCartney to me? No sausage jokes please...

    1 1 Reply
  4. Anonymous Coward
    Anonymous Coward

    Another knee jerk reaction?

    I don't see how this is an issue. Most (99%) of ntpd servers are on local network, and already the noquery ... restrict commands are default. This is an issue for stratum 0/1 folks, and they are on the ball anyway - and it's not like you have 1000's of ntpd daemons running is it?

    Lastly, I will have my chrissy (WTF is that?) lunch - I just updated both my Slack servers to the latest code building from source in about 30 minutes - it is so easy.

    1 0 Reply
    1. Anonymous Coward
      Reply Icon
      Anonymous Coward

      Re: Another knee jerk reaction?

      You all still believe all attacks come from outside only - that's not true, and also if an attacker has a foothold inside your systems it can try to attack more other sytems exploiting vulnerabilities you may not patch "because this system is not accessible externally". Today you can no longer think "systems on the LAN are secure as long as they are not directly accessible from outside".

      But I see the attitude to dismiss any *nix big bug persists... had it been on a Windows DC (which are not usually accessible from outside as well...) you will be crying loud how Windows systems are unsecure...

      1 0 Reply
  5. Adam 1

    Alternate attack vectors?

    A lot of focus here on pwning the server itself. Fair enough, but these machines are also fully trusted by other machines to set/reset their clocks. Could this not also make it possible to trick clients into accepting expired certs used to sign malware?

    1 0 Reply
    1. Paul Crawford Silver badge
      Reply Icon

      Re: Alternate attack vectors?

      Theoretically, yes, you could force machine's clocks back/forward to get round some time-related checks.

      In practice it is harder as any sensible NTP system will be using 4 or more time sources to allow the rejection of bad sources (AKA 'false tickers'). Of course, if you p0wn all of the sources as all are on the LAN and no one considered an "inside job" for attack (as LDS pointed out above), then you are free to do so...

      0 0 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like