NTP The Latest Open Source Security Problem
Written by Harry Fairhead   
Tuesday, 23 December 2014

NTP - Network Time Protocol (or SNTP - Simple Network Time Protocol) is one of the un-sung heros of the Internet. Put simply, it provides the time and data for servers and clients so that they know when something happened. Now we have another security problem to deal with in the Linux NTP code.

The problem was discovered by the Google Security Team which seems to be responsible recently for more than its fair share of vulnerabilities detected. Some of the vulnerabilities are in older versions of the NTP code and have been fixed. So as long as you have been keeping up-to-date there is nothing to worry about. 

ntflogo

Three problems were found in the current code and to remove these you need to upgrade to version 4.2.8. Two of the problems are classical buffer overflows and should prompt the response "will we never learn?" Not as long as we make use of languages that don't protect us from such things or use tools that test for such things.

Three stack buffer overflows have been identified in three different routines. As the security advisory says:

"A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process."

It is often the case that the NTP daemon runs with root access because of the need for it to up-date the system clock. This usually isn't necessary as NTP can run as a non-root user.

The final problem is a missing return statement which causes processing to continue after an error. Currently it isn't clear if this problem can be exploited in any way - given the ingenuity brought to bear on such matters it probably can be. 

The NTP protocol is fine, it is just the implementation that needs some attention. Similarly other implementations not derived directly from the Linux implementation are probably fine - BSD's openntdp is not vulnerable.  Indeed Theo De Raadt of BSD makes the following observations:

"openntpd is a modern piece of code <5000 lines long written using best known practices of the time, whereas ntp.org's codebase is reportedly 100,000 lines of unknown or largely unused code, poorly smithed in the past when these kinds of programming mistakes were not a significant consideration."

 

In the early days of open source and Linux things were not so critical as there were not as many black hats waiting to exploit vulnerabilities for so many commercial purposes. This isn't an excuse; more a nostalgic reminder that programming used to be slightly more fun and relaxed than it is today. 

NTPlogo

If you would like to know more about the NTP protocol and how to work with it, see: SNTP Time Class.

Banner


Co-founder of OSI Banned From Mailing Lists
11/03/2020

Eric S Raymond, one of the founders of the Open Source Initiative and its president for the first six years, has been banned from two OSI mailing lists following messages whose tone violated the code  [ ... ]



Visual Studio Roadmap Updated For Spring
16/03/2020

Microsoft has produced an updated roadmap for Visual Studio with details of what's planned up till June 2020. The team says it captures significant capabilities that they plan to add, but it’s not a [ ... ]


More News

 

graphics

 



 

Comments




or email your comment to: comments@i-programmer.info

Last Updated ( Tuesday, 23 December 2014 )