From owner-freebsd-security@FreeBSD.ORG Sat Mar 22 00:13:31 2014
From: Brett Glass
To: Remko Lodder, "Ronald F. Guilmette"
Cc: freebsd-security@freebsd.org
Date: Fri, 21 Mar 2014 18:13:10 -0600
Subject: Re: NTP security hole CVE-2013-5211?
Message-Id: <201403220013.SAA15675@mail.lariat.net>
In-Reply-To: <8F3083F1-3A20-4FEC-9969-F9968D87569E@FreeBSD.org>
References: <51381.1395429637@server1.tristatelogic.com> <8F3083F1-3A20-4FEC-9969-F9968D87569E@FreeBSD.org>

At 03:28 PM 3/21/2014, Remko Lodder wrote:
>Of course the software should be well protected as well, and secteam@ did his
>best to offer the best solution possible. Though as mentioned by Brett for
>example we just cannot force the update of ntpd.conf on user machines because
>every admin could have legitimate reasons for having a configuration in place
>they decided to have. It's risky to change those things and especially enforce
>them on running machines. Most of his ideas were in the advisory already
>except for the 'disable monitor' part, which might be reason to discuss
>whether that makes sense or not.

I've suggested one other thing, and still think it would be a good idea to thwart attacks: that we compile ntpd to source outgoing queries from randomly selected ephemeral UDP ports rather than UDP port 123. (This was, in fact, done in earlier releases of FreeBSD and I'm unsure why it was changed.) This makes stateful firewalling less necessary and improves its performance if it is done.

--Brett Glass
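An added example, not from this thread or from FreeBSD: since the advisory's fix is an ntp.conf change that admins must apply themselves, this sh script audits an ntp.conf for the two standard ntpd directives that close the CVE-2013-5211 monlist path, `disable monitor` (the option Brett mentions) and `noquery` on the default restrict line, run over constructed weak and corrected configs.

```shell
#!/bin/sh
# Added example (not from the thread). Audits an ntp.conf read on stdin for:
#   - "disable monitor"                    : turns off the mode-7 monlist responder
#   - "noquery" on the default restrict    : refuses mode 6/7 queries from the world
# Returns 0 when both are present, 1 otherwise, printing what is missing.
audit_ntp_conf() {
    conf=$(cat)
    rc=0
    # "disable" may carry several flags on one line, e.g. "disable auth monitor".
    if ! printf '%s\n' "$conf" | grep -Eq \
        '^[[:space:]]*disable([[:space:]]+[^[:space:]]+)*[[:space:]]+monitor([[:space:]]|$)'; then
        echo "missing: disable monitor"
        rc=1
    fi
    # Accept "restrict default", "restrict -4 default" and "restrict -6 default".
    if ! printf '%s\n' "$conf" | grep -Eq \
        '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]+[^[:space:]]+)*[[:space:]]+noquery([[:space:]]|$)'; then
        echo "missing: noquery on the default restrict line"
        rc=1
    fi
    return $rc
}

# Constructed sample: the weak configuration (monitor on, queries open to all).
WEAK_CONF='server 0.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1'

# Constructed sample: only half the fix applied (monitor off, queries still open).
PARTIAL_CONF='server 0.freebsd.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1'

# Constructed sample: the corrected configuration.
HARDENED_CONF='server 0.freebsd.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1'

# Stand-alone run: report each sample.
for name in WEAK_CONF PARTIAL_CONF HARDENED_CONF; do
    eval "sample=\$$name"
    printf '== %s ==\n' "$name"
    printf '%s\n' "$sample" | audit_ntp_conf && echo "hardened"
done
```

On a real host, run it as `audit_ntp_conf < /etc/ntp.conf`; it only reads the file and changes nothing.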