NTP The Latest Open Source Security Problem
Written by Harry Fairhead   
Tuesday, 23 December 2014

NTP - Network Time Protocol (or SNTP - Simple Network Time Protocol) is one of the un-sung heros of the Internet. Put simply, it provides the time and data for servers and clients so that they know when something happened. Now we have another security problem to deal with in the Linux NTP code.

The problem was discovered by the Google Security Team which seems to be responsible recently for more than its fair share of vulnerabilities detected. Some of the vulnerabilities are in older versions of the NTP code and have been fixed. So as long as you have been keeping up-to-date there is nothing to worry about. 

ntflogo

Three problems were found in the current code and to remove these you need to upgrade to version 4.2.8. Two of the problems are classical buffer overflows and should prompt the response "will we never learn?" Not as long as we make use of languages that don't protect us from such things or use tools that test for such things.

Three stack buffer overflows have been identified in three different routines. As the security advisory says:

"A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process."

It is often the case that the NTP daemon runs with root access because of the need for it to up-date the system clock. This usually isn't necessary as NTP can run as a non-root user.

The final problem is a missing return statement which causes processing to continue after an error. Currently it isn't clear if this problem can be exploited in any way - given the ingenuity brought to bear on such matters it probably can be. 

The NTP protocol is fine, it is just the implementation that needs some attention. Similarly other implementations not derived directly from the Linux implementation are probably fine - BSD's openntdp is not vulnerable.  Indeed Theo De Raadt of BSD makes the following observations:

"openntpd is a modern piece of code <5000 lines long written using best known practices of the time, whereas ntp.org's codebase is reportedly 100,000 lines of unknown or largely unused code, poorly smithed in the past when these kinds of programming mistakes were not a significant consideration."

 

In the early days of open source and Linux things were not so critical as there were not as many black hats waiting to exploit vulnerabilities for so many commercial purposes. This isn't an excuse; more a nostalgic reminder that programming used to be slightly more fun and relaxed than it is today. 

NTPlogo

If you would like to know more about the NTP protocol and how to work with it, see: SNTP Time Class.

Banner


Eclipse Releases Jakarta EE 8 Spec
16/09/2019

The Eclipse Foundation has released the Jakarta EE 8 Full Platform and Web Profile specifications and related Technology Compatibility Kits. Eclipse says this release provides a new baseline for the e [ ... ]



Microsoft Open Sources C++ Standard Library
20/09/2019

The C++ Standard Library (STL) which ships as part of the MSVC toolset and the Visual Studio IDE is being released as open source by Microsoft. The Microsoft Visual C++ compiler and libraries toolset  [ ... ]


More News

 

graphics

 



 

Comments




or email your comment to: comments@i-programmer.info

Last Updated ( Tuesday, 23 December 2014 )