NTP The Latest Open Source Security Problem
Written by Harry Fairhead   
Tuesday, 23 December 2014

NTP - Network Time Protocol (or SNTP - Simple Network Time Protocol) is one of the un-sung heros of the Internet. Put simply, it provides the time and data for servers and clients so that they know when something happened. Now we have another security problem to deal with in the Linux NTP code.

The problem was discovered by the Google Security Team which seems to be responsible recently for more than its fair share of vulnerabilities detected. Some of the vulnerabilities are in older versions of the NTP code and have been fixed. So as long as you have been keeping up-to-date there is nothing to worry about. 


Three problems were found in the current code and to remove these you need to upgrade to version 4.2.8. Two of the problems are classical buffer overflows and should prompt the response "will we never learn?" Not as long as we make use of languages that don't protect us from such things or use tools that test for such things.

Three stack buffer overflows have been identified in three different routines. As the security advisory says:

"A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process."

It is often the case that the NTP daemon runs with root access because of the need for it to up-date the system clock. This usually isn't necessary as NTP can run as a non-root user.

The final problem is a missing return statement which causes processing to continue after an error. Currently it isn't clear if this problem can be exploited in any way - given the ingenuity brought to bear on such matters it probably can be. 

The NTP protocol is fine, it is just the implementation that needs some attention. Similarly other implementations not derived directly from the Linux implementation are probably fine - BSD's openntdp is not vulnerable.  Indeed Theo De Raadt of BSD makes the following observations:

"openntpd is a modern piece of code <5000 lines long written using best known practices of the time, whereas ntp.org's codebase is reportedly 100,000 lines of unknown or largely unused code, poorly smithed in the past when these kinds of programming mistakes were not a significant consideration."


In the early days of open source and Linux things were not so critical as there were not as many black hats waiting to exploit vulnerabilities for so many commercial purposes. This isn't an excuse; more a nostalgic reminder that programming used to be slightly more fun and relaxed than it is today. 


If you would like to know more about the NTP protocol and how to work with it, see: SNTP Time Class.


WCF 1.0 Released With Microsoft Support

Version 1.0 of Windows Communication Foundation (WCF) has been released. WCF is the subset of  the .NET Framework given to the community by Microsoft back in 2019. The new release comes with supp [ ... ]

Gitpod And JetBrains Launch Remote Development Partnership

Gitpod and JetBrains have announced a partnership aimed at improving developers' facilities for remote development. The move adds the ability to use the automated, cloud-based developer environme [ ... ]

More News






or email your comment to: comments@i-programmer.info

Last Updated ( Tuesday, 23 December 2014 )