back to article Dangerous NTP hole ruins your Chrissy lunch

Critical holes have been reported in the implementation of the network time protocol (NTP) that could allow unsophisticated attackers root access on servers. System administrators may need to forego the Christmas beers and roasted beasts until they've updated NTP daemons running versions 4.2.8 and below. The grinch bug was …

  1. Destroy All Monsters Silver badge

    "Exploitation of these vulnerabilities could allow an attacker to execute arbitrary code with the privileges of the ntpd process"

    So not root, but some lousy service user.

    Right? RIGHT?

    1. Christian Berger Silver badge

      That depends on your installation

      ntpd is usually heavily guarded, at least on Debian, it can't do very much. I think it needs to be root as it needs to adjust the clock.

      If you are running an actual stratum 0 server, you may in fact even have turned off those additional limitations so your ntpd can talk to your PPS input.

      1. Stuart 22

        Re: That depends on your installation

        " I think it needs to be root as it needs to adjust the clock."

        Yep - its the setup for the attack of the Time Lords in the Christmas Day Dr Who special .. but does that set an inpenetrable time barrier of 1970?

        1. Destroy All Monsters Silver badge
  2. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Am I the only one who thought that was a guy?

  3. NogginTheNog

    about the hottie in the elf hat that you used in the story picture

    She looks rather like Linda McCartney to me? No sausage jokes please...

  4. linicks

    Another knee jerk reaction?

    I don't see how this is an issue. Most (99%) of ntpd servers are on local network, and already the noquery ... restrict commands are default. This is an issue for stratum 0/1 folks, and they are on the ball anyway - and it's not like you have 1000's of ntpd daemons running is it?

    Lastly, I will have my chrissy (WTF is that?) lunch - I just updated both my Slack servers to the latest code building from source in about 30 minutes - it is so easy.

    1. LDS Silver badge

      Re: Another knee jerk reaction?

      You all still believe all attacks come from outside only - that's not true, and also if an attacker has a foothold inside your systems it can try to attack more other sytems exploiting vulnerabilities you may not patch "because this system is not accessible externally". Today you can no longer think "systems on the LAN are secure as long as they are not directly accessible from outside".

      But I see the attitude to dismiss any *nix big bug persists... had it been on a Windows DC (which are not usually accessible from outside as well...) you will be crying loud how Windows systems are unsecure...

  5. Adam 1 Silver badge

    Alternate attack vectors?

    A lot of focus here on pwning the server itself. Fair enough, but these machines are also fully trusted by other machines to set/reset their clocks. Could this not also make it possible to trick clients into accepting expired certs used to sign malware?

    1. Paul Crawford Silver badge

      Re: Alternate attack vectors?

      Theoretically, yes, you could force machine's clocks back/forward to get round some time-related checks.

      In practice it is harder as any sensible NTP system will be using 4 or more time sources to allow the rejection of bad sources (AKA 'false tickers'). Of course, if you p0wn all of the sources as all are on the LAN and no one considered an "inside job" for attack (as LDS pointed out above), then you are free to do so...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019