NTP Is The Latest Project Struck By Security Issues


  • #1

    Phoronix: NTP Is The Latest Project Struck By Security Issues

    The latest open-source project being exposed to a number of security vulnerabilities is NTP, the Network Time Protocol...

    http://www.phoronix.com/vr.php?view=MTg3MDY

  • #2
    To me only one of those looks remotely serious.
    Note that most of these were fixed in prior versions but are just found now (I guess).


    just to drop this here, for comparison
    http://seclists.org/oss-sec/2014/q4/592
    Last edited by gens; 22 December 2014, 11:10 AM.



    • #3
      These vulnerabilities could lead to arbitrary code execution with the same privileges as the NTP daemon.
      So why does NTP need to run as a privileged process?



      • #4
        It seems almost impossible for anyone (except Daniel J. Bernstein) to write secure code in C.

        All our critical system components such as OpenSSL, X.Org, NTP, etc., are full of security holes.

        Then you have state agencies which poured millions into development of static code analysis tools, and buying exploits which they sit and hoard.
        We patch one security vulnerability, and there are still dozens of others.

        Maybe C is still the way to go for the kernel.
        But maybe we need to replace C for system software and daemons with something else, like Rust?



        • #5
          Originally posted by The Walking Glitch View Post
          So why does NTP need to run as a privileged process?
          Who spoke about privileged access?
          ## VGA ##
          AMD: X1950XTX, HD3870, HD5870
          Intel: GMA45, HD3000 (Core i5 2500K)



          • #6
            NTP? NTP what? The server? The client? Which client(s)? There are multiple implementations here.



            • #7
              Originally posted by uid313 View Post
              It seems almost impossible for anyone (except Daniel J. Bernstein) to write secure code in C.

              All our critical system components such as OpenSSL, X.Org, NTP, etc., are full of security holes.

              Then you have state agencies which poured millions into development of static code analysis tools, and buying exploits which they sit and hoard.
              We patch one security vulnerability, and there are still dozens of others.
              NTP is good enough security wise http://www.cvedetails.com/product/36...vendor_id=2153
              especially considering that it is by far the most advanced NTP server/client

              Writing more or less bug-free code is possible, but very time consuming:
              http://www.fastcompany.com/28121/they-write-right-stuff



              • #8
                Ntimed from PHK

                PHK (Poul-Henning Kamp) is currently in the process of making Ntimed.
                The aim is to replace ntpd.
                You can read about it here https://translate.google.com/transla...-text=&act=url as PHK just wrote a blog post today about his project.
                It will become a series of programs. Currently there is ntimed-client, which is a preview release of the client program; thereafter there will be a slave program for stratum 2...14 servers and a master program for stratum 1 servers.

                PHK writes that his work is funded by the Linux Foundation.
                Source: https://github.com/bsdphk/Ntimed
                Project blog: http://phk.freebsd.dk/time/



                • #9
                  Originally posted by The Walking Glitch View Post
                  So why does NTP need to run as a privileged process?
                  To adjust the system clock - we can't let just any user do that. Most systems have a way for NTP to do that after dropping from root to a lesser-privileged user (e.g. /dev/clockctl on NetBSD).

                  Also, to open the privileged (low-numbered) port 123; but it can drop its privileges after doing that. Debian/Ubuntu normally configures it to do that; NetBSD can optionally do that, and restrict it to a chroot also; OpenBSD has entirely its own ntpd, less featureful but more likely secure.

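The bind-then-drop sequence described in #9, as an added C example (not ntpd's code and not posted in the thread): the UDP socket on port 123 is bound while the process is still root, then the process switches to an unprivileged uid/gid in an order that cannot be reversed. The uid/gid 65534 ("nobody" on many systems) and binding to all interfaces are assumptions made for the example.

```c
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <grp.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define NTP_PORT 123          /* privileged port: needs root to bind */
#define UNPRIV_UID 65534      /* assumed: "nobody" on many systems */
#define UNPRIV_GID 65534

/* Bind a UDP socket on all interfaces; returns the fd, or -1 on error.
 * Port 0 lets the kernel pick an ephemeral port, which never needs root. */
int bind_udp(uint16_t port) {
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_ANY);
    sa.sin_port = htons(port);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) { close(fd); return -1; }
    return fd;
}

/* Permanently switch to uid/gid. Order matters: supplementary groups and
 * the gid must be changed while still root, because setuid() discards the
 * privilege that setgid() needs. Returns 0 on success, -1 on failure. */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) < 0) return -1;  /* root only */
    if (setgid(gid) < 0) return -1;
    if (setuid(uid) < 0) return -1;
    /* A real drop is one-way: if we can still become root, it failed. */
    if (uid != 0 && setuid(0) == 0) return -1;
    return 0;
}

int main(void) {
    int fd = bind_udp(NTP_PORT);
    if (fd < 0) { perror("bind port 123"); return 1; }
    if (drop_privileges(UNPRIV_UID, UNPRIV_GID) < 0) { perror("drop"); return 1; }
    printf("port %d open, now running as uid %u\n", NTP_PORT, (unsigned)getuid());
    close(fd);          /* the already-bound socket stays usable after the drop */
    return 0;
}
```

Run as root to see the full sequence; as an ordinary user the bind on port 123 fails, which is exactly the privilege the daemon needs at startup and nothing more.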


                  • #10
                    "NTP Is The Latest Project Struck By Security Issues"

                    what the post really means

                    "NTP Is The Latest Project With Revealed Security Issues"

                    pfft journalism FTW
