setting the wrong time
Can't imagine this being a huge source of income for cybercriminals
Cisco has turned over a bunch of Network Time Protocol daemon (ntpd) vulnerabilities to the Linux Foundation's Core Infrastructure Initiative. The vulnerabilities, discovered during its ongoing ntpd evaluation, “allow attackers to craft UDP packets to either cause a denial of service condition or to prevent the correct time …
This is a problem for things like Kerberos where authentication is based on time - so you can make general authentication failures which will then result in a service outage
Secondly, clocks are used for things like logging data time stamps,so this could be part of a larger attack, since evidence in event logs can't be relied on as part of any court action, it would make prosecution more difficult
As a general stance, if there is a bug, then patch and move on.Its good that developers are reviewing code and resolving issues.
Running your own NTP-server is not particularly hard. Essentially you buy a box with an antenna which then acts as an NTP-server without any connection to the Internet. It can get it's time from various sources like GPS/Glonas or your local long wave time transmitter. You can even patch some of them into your local time infrastructure.
Please correct me if I'm wrong here.
Most of these vulnerabilities require ntpd's authentication scheme(s) to be configured, which are horribly fragile by themselves and practically never used outside self-hopping minefields.
That leaves the Xleave problem, although having multiple server associations might protect a little.
Well, auto-update should take care of most of our servers. Only the custom ntpd on a Raspberry Pi w/ GPS needs recompiling.
Biting the hand that feeds IT © 1998–2020