back to article It's time: Patch Network Time Protocol before it loses track of time

The maintainers of the Network Time Protocol daemon (ntpd) have pushed out a patch for ten security vulnerabilities. Leading the fixfest is a trap-crash turned up by Cisco's Matthew Van Gundy. If ntpd is configured with the trap service enabled, a malformed packet causes a null pointer dereference and crash it. A Windows bug …

  1. Lee D Silver badge

    Only affects Windows, and looks like you have to have yet another of those "if you opened up your NTPd to allow remote people to do things they shouldn't be doing" options - mrulist.

    At this point, if you haven't bothered to "restrict" and "noquery" the options on ntpd as suggested in all the documentation, you probably shouldn't be operating servers in the first place.

    1. Anonymous Coward
      Anonymous Coward

      "Only affects Windows..."

      Following the links leads to 'Vendor Information for VU#633847', almost all of which are marked as affected = "Unknown" (so far).

      So how do you know?

    2. SImon Hobson Bronze badge

      Read the list again, SOME of the vulnerabilities are Windows only, and SOME of the vulnerabilities are configuration dependent. Between them, they account for most of the list - but there's one or two that stand out as more likely to be vulnerable on "normally configured" systems.

  2. Anonymous Coward
    Anonymous Coward

    What no fancy makeup?

    I hope the vulnerability ensemble gets named "Kronos, God of Management Time"

  3. sitta_europea Silver badge

    My servers are running chrony anyway.

  4. Alister

    pretty much any 'net-facing server is running it

    Really?

    Pretty much none of mine do, unless they really need to sync time between themselves. I have a few specific ntp servers which fetch time from pool.ntp.org but the firewalls don't allow inbound connections to them.

    1. Steve the Cynic

      Firewalls? You have firewalls?

      Heretic.

  5. Anonymous Coward
    Anonymous Coward

    Quick tip, if you're going to configure NTP to use a server like uk.pool.ntp.org, it helps enormously if you also specify a DNS server.

    Yeah, I felt pretty stupid when I worked out why a bunch of wireless access points all thought it was 2012.

    doh!

  6. Steve the Cynic

    'Course NTP is important. Especially if...

    Well, like one place I worked around 2000. For ... reasons(1) ... we used SourceSafe. (Yeah, I know, Mistake Number One)

    As you may or may not know, a SourceSafe repository is just a bunch of files on a network share somewhere. Events in the history, therefore, have timestamps based on the only possible time standard: client workstation clocks.

    And, of course, the placement of a label is strictly 100% based on timestamps.

    OK, we're almost there.

    A spate of weird build failures (specifically, that official builds didn't pick up new code commits) was eventually traced to a time sync discrepancy between client workstations where we did our commits and the build-launcher machine that would create a label for the build. Relative to (some of) the client workstations, the build machine was about five minutes in the past, so it inserted the label "earlier" than the commits even though in wallclock time, the commits were made first.

    We installed NTP software (Tardis on Win2000/WinXP) on all the machines, and this problem went away.

    (1) All I'll say here is "reasons". I'm specifically denying that they were good reasons.

  7. EJ

    Link for PoC is 404

    The link for the PoC code is fubar'ed - the URL appears to have been doubled.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like