Time for a patch: six vulns fixed in NTP daemon

Cisco has turned over a bunch of Network Time Protocol daemon (ntpd) vulnerabilities to the Linux Foundation's Core Infrastructure Initiative. The vulnerabilities, discovered during its ongoing ntpd evaluation, “allow attackers to craft UDP packets to either cause a denial of service condition or to prevent the correct time …

  1. tony2heads

    setting the wrong time

    Can't imagine this being a huge source of income for cybercriminals

    1. Stuart Moore
      Boffin

      Re: setting the wrong time

      If it means that the computer thinks all its certificates have expired, it can refuse to connect to other machines - so it's potentially able to take down a server. Think ransom attack rather than stealing credit cards.

    2. Dwarf Silver badge

      Re: setting the wrong time

      This is a problem for things like Kerberos where authentication is based on time - so you can make general authentication failures which will then result in a service outage.

      Secondly, clocks are used for things like logging data time stamps, so this could be part of a larger attack, since evidence in event logs can't be relied on as part of any court action, it would make prosecution more difficult.

      As a general stance, if there is a bug, then patch and move on. It's good that developers are reviewing code and resolving issues.

    3. Chewi

      Re: setting the wrong time

      PCI auditors, or at least the ones we've spoken to, make a really big deal about NTP servers.

  2. Christian Berger

    Luckily you can run your own time infrastructure

    Running your own NTP-server is not particularly hard. Essentially you buy a box with an antenna which then acts as an NTP-server without any connection to the Internet. It can get its time from various sources like GPS/GLONASS or your local long wave time transmitter. You can even patch some of them into your local time infrastructure.

  3. Anonymous Coward

    Conclusion

    Please correct me if I'm wrong here.

    Most of these vulnerabilities require ntpd's authentication scheme(s) to be configured, which are horribly fragile by themselves and practically never used outside self-hopping minefields.

    That leaves the Xleave problem, although having multiple server associations might protect a little.

    Well, auto-update should take care of most of our servers. Only the custom ntpd on a Raspberry Pi w/ GPS needs recompiling.

    1. Smooth Newt Silver badge
      FAIL

      Re: Conclusion

      How can something so simple be so broken?


Biting the hand that feeds IT © 1998–2020