From owner-freebsd-security@FreeBSD.ORG Mon Dec 22 09:55:53 2014
From: Winfried Neessen
To: freebsd-security@freebsd.org
Date: Mon, 22 Dec 2014 10:50:28 +0100 (CET)
Subject: ntpd vulnerabilities
Message-ID: <252350272.1812596.1419241828431.JavaMail.zimbra@cleverbridge.com>

Hi everyone,

there has been a security advisory for several vulnerabilities in ntpd. Is FreeBSD
affected by this? According to http://www.kb.cert.org/vuls/id/852879 OpenBSD is
not affected, but I guess that's due to the fact that they have OpenNTPd. The
status for FreeBSD on that page is still "unknown".

See also:
http://support.ntp.org/bin/view/Main/SecurityNotice
https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01

Thanks
Winni

From owner-freebsd-security@FreeBSD.ORG Mon Dec 22 10:16:36 2014
From: Steve Clement
To: Winfried Neessen
Cc: freebsd-security@freebsd.org
Date: Mon, 22 Dec 2014 11:06:59 +0100
Subject: Re: ntpd vulnerabilities
In-Reply-To: <252350272.1812596.1419241828431.JavaMail.zimbra@cleverbridge.com>

Hej,

Currently on 10.0 I run:

FreeBSD tart 10.0-RELEASE-p14 FreeBSD 10.0-RELEASE-p14 #2 r265783M: Thu Dec 18 11:14:03 CET 2014     root@tart:/usr/obj/usr/src/sys/TART  i386

(ntpd -? | head -1)
ntpd - NTP daemon program - Ver. 4.2.4p8

If someone could share a diff between ntpd 4.2.7 and 4.2.8 would be a good start.

Some more technical info can be found here: http://circl.lu/pub/tr-29/

As soon as there is FreeBSD-relevant information we will include it.

cheers,
Steve

> On 22 Dec 2014, at 10:50, Winfried Neessen wrote:
>
> Hi everyone,
>
> there has been a security advisory for several vulnerabilities in ntpd. Is FreeBSD
> affected by this? According to http://www.kb.cert.org/vuls/id/852879 OpenBSD is
> not affected, but I guess that's due to the fact that they have OpenNTPd. The
> status for FreeBSD on that page is still "unknown".
From owner-freebsd-security@FreeBSD.ORG Mon Dec 22 10:25:25 2014
From: Steve Clement
To: Winfried Neessen
Cc: freebsd-security@freebsd.org
Date: Mon, 22 Dec 2014 11:25:22 +0100
Subject: Re: ntpd vulnerabilities
References: <252350272.1812596.1419241828431.JavaMail.zimbra@cleverbridge.com>

Chances are good it is vulnerable:

https://svnweb.freebsd.org/base/release/10.0.0/contrib/ntp/ntpd/ntpd.c?view=log

https://svnweb.freebsd.org/base/release/10.1.0/contrib/ntp/ntpd/ntpd.c?view=log

Regarding the diff:

  diff -ru ntp-dev-4.2.7p486-RC ntp-4.2.8 |wc -l
  7723

Cherry picking the patches is easier.

ntpd source trees:

http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-dev/
http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/

Luckily that is still up… atm ntp.org is down.
Here is the cached version of the notice:
http://webcache.googleusercontent.com/search?q=cache:support.ntp.org/bin/view/Main/SecurityNotice

--
Steve Clement
https://www.twitter.com/SteveClement
mailto:steve@localhost.lu
.lu: +352 20 333 55 65

> On 22 Dec 2014, at 11:06, Steve Clement wrote:
>
> If someone could share a diff between ntpd 4.2.7 and 4.2.8 would be a good start.
From owner-freebsd-security@FreeBSD.ORG Mon Dec 22 16:16:26 2014
From: Dag-Erling Smørgrav
To: Winfried Neessen
Cc: freebsd-security@freebsd.org
Date: Mon, 22 Dec 2014 17:16:15 +0100
Subject: Re: ntpd vulnerabilities
Message-ID: <86a92fzmls.fsf@nine.des.no>
In-Reply-To: <252350272.1812596.1419241828431.JavaMail.zimbra@cleverbridge.com> (Winfried Neessen's message of "Mon, 22 Dec 2014 10:50:28 +0100 (CET)")

Winfried Neessen writes:
> there has been a security advisory for several vulnerabilities in ntpd. Is FreeBSD
> affected by this? According to http://www.kb.cert.org/vuls/id/852879 OpenBSD is
> not affected, but I guess that's due to the fact that they have OpenNTPd. The
> status for FreeBSD on that page is still "unknown".

Yes, FreeBSD is vulnerable, and we have informed CERT of that fact, so I
don't know why they have us down as "unknown".  We are preparing an
advisory for tomorrow.  As was the case with BIND, this takes more work
than for many other operating systems since we maintain older versions
in older branches; for instance, 8.4 has 4.2.4.
DES
--
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Mon Dec 22 17:45:47 2014
From: Brett Glass
To: Steve Clement, Winfried Neessen
Cc: freebsd-security@freebsd.org
Date: Mon, 22 Dec 2014 10:39:54 -0700
Subject: Re: ntpd vulnerabilities
Message-Id: <201412221745.KAA28186@mail.lariat.net>
References: <252350272.1812596.1419241828431.JavaMail.zimbra@cleverbridge.com>

I'd like to propose that FreeBSD move to OpenNTPD, which appears to
have none of the fixed or unfixed (!) vulnerabilities that are present
in ntpd. There's already a port.

--Brett Glass

At 03:25 AM 12/22/2014, Steve Clement wrote:
>Chances are good it is vulnerable:
>
>https://svnweb.freebsd.org/base/release/10.0.0/contrib/ntp/ntpd/ntpd.c?view=log
>
>https://svnweb.freebsd.org/base/release/10.1.0/contrib/ntp/ntpd/ntpd.c?view=log
>
>
>Regarding the diff:
>
>  diff -ru ntp-dev-4.2.7p486-RC ntp-4.2.8 |wc -l
>  7723
>
>Cherry picking the patches is easier.
>
>ntpd source trees:
>
>http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-dev/
>
>http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/
>
>
>Luckily that is still up… atm ntp.org is down.
>Here is the cached version of the notice:
>http://webcache.googleusercontent.com/search?q=cache:support.ntp.org/bin/view/Main/SecurityNotice
>
>--
>Steve Clement
>https://www.twitter.com/SteveClement
>mailto:steve@localhost.lu
>.lu: +352 20 333 55 65
>
>> On 22 Dec 2014, at 11:06, Steve Clement wrote:
>>
>> If someone could share a diff between ntpd 4.2.7 and 4.2.8 would be a good start.
>

From owner-freebsd-security@FreeBSD.ORG Mon Dec 22 18:57:29 2014
From: Chris Nehren
To: freebsd-security@freebsd.org
Date: Mon, 22 Dec 2014 13:52:38 -0500
Subject: Re: ntpd vulnerabilities
Message-ID: <20141222185238.GA3308@behemoth.lan>
In-Reply-To: <201412221745.KAA28186@mail.lariat.net>
References: <252350272.1812596.1419241828431.JavaMail.zimbra@cleverbridge.com> <201412221745.KAA28186@mail.lariat.net>

On Mon, Dec 22, 2014 at 10:39:54 -0700, Brett Glass wrote:
> I'd like to propose that FreeBSD move to OpenNTPD, which appears to
> have none of the
> fixed or unfixed (!) vulnerabilities that are present in ntpd.
> There's already a port.

Heartbleed, more than any other vulnerability in recent memory, showed
us users on the outside of the Project just how much effort is involved
in patching the base system (thank you, again, DES, for being patient
and explaining all the details!). Because of this, I am reticent to
support more software going into the base system. It should be small
enough to build itself and bootstrap the ports tree, with very little
else. The more things are in base, the more things the developers need
to worry about patching across all the different supported versions of
FreeBSD. It's a lot faster to update a port to use a different version.

If you want fast security updates, use ports. Or hire developers to
patch software for you.

--
Chris Nehren

From owner-freebsd-security@FreeBSD.ORG Mon Dec 22 19:02:25 2014
From: Mark Felder
To: freebsd-security@freebsd.org
Date: Mon, 22 Dec 2014 13:02:18 -0600
Subject: Re: ntpd vulnerabilities
Message-Id: <1419274938.916478.205831685.0E7433EA@webmail.messagingengine.com>
In-Reply-To: <201412221745.KAA28186@mail.lariat.net>
References: <252350272.1812596.1419241828431.JavaMail.zimbra@cleverbridge.com> <201412221745.KAA28186@mail.lariat.net>

On Mon, Dec 22, 2014, at 11:39, Brett Glass wrote:
> I'd like to propose that FreeBSD move to OpenNTPD, which appears to
> have none of the
> fixed or unfixed (!) vulnerabilities that are present in ntpd.
> There's already a port.
>

Historically OpenNTPD has been dismissed as a candidate because of its
reduced accuracy and missing security features. For example, it doesn't
implement the NTPv4 functionality or authentication.

Quite literally the OpenNTPD is vulnerable to a MITM attack because of
the lack of authentication. Their stance has been that you should trust
your NTP servers and suggest using a VPN for the NTP traffic. Probably
not a bad idea, honestly.

I don't have a qualified opinion, but that should get you on the right
track if you want to research further.
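An added illustration of the point Mark makes above, written for this archive and not taken from the thread, from ntpd or from OpenNTPD: a simulated NTPv4 client runs the same acceptance checks on three constructed server replies, first as a client that cannot authenticate and then as one configured with an RFC 5905 symmetric key (key id followed by MD5 over key||header, the scheme ntpd's ntp.keys uses). The key, key id, timestamps and the use of a random transmit nonce are assumptions of the demo.

```python
import hashlib
import hmac
import os
import struct

# Constructed for the demo: a key as it would appear in ntp.keys ("1 M <key>").
DEMO_KEYS = {1: b"constructed-demo-key"}

NTP_UNIX_OFFSET = 2208988800           # seconds from 1900-01-01 to 1970-01-01
HEADER_FMT = ">BBBbIIIQQQQ"            # 48-byte NTPv4 header (RFC 5905 figure 8)
HEADER_LEN = struct.calcsize(HEADER_FMT)
MAC_LEN = 4 + 16                       # key id + MD5 digest
MODE_CLIENT, MODE_SERVER = 3, 4


def ntp_ts(unix_seconds):
    """Unix seconds -> 64-bit NTP timestamp (32-bit seconds, 32-bit fraction)."""
    return int((unix_seconds + NTP_UNIX_OFFSET) * (1 << 32))


def build_header(mode, origin=0, receive=0, transmit=0, stratum=2):
    """Pack an NTPv4 header; LI=0, VN=4, poll/precision/root fields are nominal."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    return struct.pack(HEADER_FMT, li_vn_mode, stratum, 6, -20, 0, 0, 0,
                       0, origin, receive, transmit)


def parse_header(pkt):
    f = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    return {"mode": f[0] & 7, "origin": f[8], "receive": f[9], "transmit": f[10]}


def append_mac(header, key_id, key):
    """Symmetric-key MAC as ntpd computes it: key id || MD5(key || header)."""
    return header + struct.pack(">I", key_id) + hashlib.md5(key + header).digest()


def mac_valid(pkt, keys):
    """True iff pkt ends in a MAC made with a key id we hold and a matching digest."""
    if len(pkt) != HEADER_LEN + MAC_LEN:
        return False
    header = pkt[:HEADER_LEN]
    key_id = struct.unpack(">I", pkt[HEADER_LEN:HEADER_LEN + 4])[0]
    key = keys.get(key_id)
    if key is None:
        return False
    expected = hashlib.md5(key + header).digest()
    return hmac.compare_digest(expected, pkt[HEADER_LEN + 4:])


def client_request():
    """Put an unpredictable value in the transmit field; a valid reply must
    echo it back in the origin field (the request itself carries no MAC here)."""
    nonce = int.from_bytes(os.urandom(8), "big")
    return build_header(MODE_CLIENT, transmit=nonce, stratum=0), nonce


def accept_reply(pkt, nonce, keys=None):
    """Client-side acceptance test.  keys=None models a client that cannot
    authenticate at all; keys={...} one configured with a shared key."""
    if len(pkt) < HEADER_LEN:
        return False, "short packet"
    h = parse_header(pkt)
    if h["mode"] != MODE_SERVER:
        return False, "not a server reply"
    if h["origin"] != nonce:
        return False, "origin does not echo our transmit nonce"
    if keys is not None and not mac_valid(pkt, keys):
        return False, "missing or invalid MAC"
    return True, "accepted"


def scenarios(now=1419274938.0):
    """Run the same client logic against three constructed replies and
    report which ones each client configuration accepts."""
    _req, nonce = client_request()
    t_rx, t_tx, t_false = ntp_ts(now), ntp_ts(now + 0.001), ntp_ts(now + 86400)
    genuine = append_mac(build_header(MODE_SERVER, nonce, t_rx, t_tx), 1, DEMO_KEYS[1])
    # A reply from a party that never saw the request has to guess the nonce.
    blind = build_header(MODE_SERVER, origin=ntp_ts(now), receive=t_rx, transmit=t_false)
    # A party on the path saw the request, so it can echo the nonce exactly...
    onpath = build_header(MODE_SERVER, nonce, t_rx, t_false)
    # ...but cannot recompute the MAC after altering the transmit timestamp.
    tampered = genuine[:40] + struct.pack(">Q", t_false) + genuine[48:]
    return {
        "genuine/no-auth": accept_reply(genuine, nonce)[0],
        "blind/no-auth": accept_reply(blind, nonce)[0],
        "onpath/no-auth": accept_reply(onpath, nonce)[0],
        "genuine/auth": accept_reply(genuine, nonce, DEMO_KEYS)[0],
        "onpath/auth": accept_reply(onpath, nonce, DEMO_KEYS)[0],
        "tampered/auth": accept_reply(tampered, nonce, DEMO_KEYS)[0],
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:16s} {'accepted' if ok else 'rejected'}")
```

The origin-timestamp check alone rejects only the reply from a party that never saw the request; the on-path reply with a false transmit time passes it and is accepted by the client without keys, which is the gap a shared key (or the VPN Mark mentions) closes.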
From owner-freebsd-security@FreeBSD.ORG Mon Dec 22 19:10:20 2014
From: jungle Boogie
To: Mark Felder
Cc: freebsd-security@freebsd.org
Date: Mon, 22 Dec 2014 11:10:19 -0800
Subject: Re: ntpd vulnerabilities
In-Reply-To: <1419274938.916478.205831685.0E7433EA@webmail.messagingengine.com>

Hi Mark,

On 22 December 2014 at 11:02, Mark Felder wrote:
> On Mon, Dec 22, 2014, at 11:39, Brett Glass wrote:
>> I'd like to propose that FreeBSD move to OpenNTPD, which appears to
>> have none of the
>> fixed or unfixed (!) vulnerabilities that are present in ntpd.
>> There's already a port.
>>
>
> Historically OpenNTPD has been dismissed as a candidate because of its
> reduced accuracy and missing security features. For example, it doesn't
> implement the NTPv4 functionality or authentication.
>
> Quite literally the OpenNTPD is vulnerable to a MITM attack because of
> the lack of authentication. Their stance has been that you should trust
> your NTP servers and suggest using a VPN for the NTP traffic. Probably
> not a bad idea, honestly.

Would you say a MITM attack is similar to a forged ntp reply?

If so, have you seen this:
http://quigon.bsws.de/papers/opencon04/ntpd/mgp00018.html

>
> I don't have a qualified opinion, but that should get you on the right
> track if you want to research further.
--
-------
inum: 883510009027723
sip: jungleboogie@sip2sip.info
xmpp: jungle-boogie@jit.si

From owner-freebsd-security@FreeBSD.ORG Mon Dec 22 19:12:40 2014
From: "Poul-Henning Kamp"
To: Mark Felder
Cc: freebsd-security@freebsd.org
Date: Mon, 22 Dec 2014 19:12:36 +0000
Subject: Re: ntpd vulnerabilities
Message-ID: <22925.1419275556@critter.freebsd.dk>
In-reply-to: <1419274938.916478.205831685.0E7433EA@webmail.messagingengine.com>

--------
In message <1419274938.916478.205831685.0E7433EA@webmail.messagingengine.com>, Mark Felder writes:
>On Mon, Dec 22, 2014, at 11:39, Brett Glass wrote:
>> I'd like to propose that FreeBSD move to OpenNTPD, which appears to
>> have none of the
>> fixed or unfixed (!) vulnerabilities that are present in ntpd.
>> There's already a port.
>
>Historically OpenNTPD has been dismissed as a candidate because of its
>reduced accuracy and missing security features. For example, it doesn't
>implement the NTPv4 functionality or authentication.

The entire question of authenticated time-protocols is very, very hairy.

The currently available protocols leave a lot to be desired, both in
terms of timekeeping, cryptography or (DoS) attack resistance.

Most people who need authenticated time run their own stratum-1 server,
typically with a GPS receiver, sometimes more elaborate than that.

My main objection to OpenNTPD is not the lack of crypto, but that its
timekeeping isn't good enough, and that it is an evolutionary dead end.

As you may have noticed I released a first preview of Ntimed yesterday.

My goals for the ntimed-client program can almost be summarized as
"Replacement for NTPD in FreeBSD's base system".

I don't think it makes sense to take the discussion if we should
import Ntimed into FreeBSD's source tree, until I have the first
production release ready.  There are good arguments both ways so
details will matter.

--
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
From owner-freebsd-security@FreeBSD.ORG Mon Dec 22 19:14:36 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 8673D407; Mon, 22 Dec 2014 19:14:36 +0000 (UTC) Received: from phk.freebsd.dk (phk.freebsd.dk [130.225.244.222]) by mx1.freebsd.org (Postfix) with ESMTP id 454C91D55; Mon, 22 Dec 2014 19:14:36 +0000 (UTC) Received: from critter.freebsd.dk (unknown [192.168.60.3]) by phk.freebsd.dk (Postfix) with ESMTP id 568903B9D8; Mon, 22 Dec 2014 19:14:35 +0000 (UTC) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.14.9/8.14.9) with ESMTP id sBMJEYT2022954; Mon, 22 Dec 2014 19:14:35 GMT (envelope-from phk@phk.freebsd.dk) To: jungle Boogie Subject: Re: ntpd vulnerabilities In-reply-to: From: "Poul-Henning Kamp" References: <252350272.1812596.1419241828431.JavaMail.zimbra@cleverbridge.com> <201412221745.KAA28186@mail.lariat.net> <1419274938.916478.205831685.0E7433EA@webmail.messagingengine.com> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-ID: <22952.1419275674.1@critter.freebsd.dk> Content-Transfer-Encoding: quoted-printable Date: Mon, 22 Dec 2014 19:14:34 +0000 Message-ID: <22953.1419275674@critter.freebsd.dk> Cc: freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 22 Dec 2014 19:14:36 -0000 -------- In message , jungle Boogie writes: >Would you say a MITM attack is similar to a forged ntp reply? 
>
>If so, have you seen this:
>http://quigon.bsws.de/papers/opencon04/ntpd/mgp00018.html

While that does make it harder to spoof NTP packets "blind", it does *nothing* for MITM resistance.

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.

From owner-freebsd-security@FreeBSD.ORG Mon Dec 22 21:12:23 2014
From: Dag-Erling Smørgrav
To: Chris Nehren
Cc: freebsd-security@freebsd.org
Subject: Re: ntpd vulnerabilities
Date: Mon, 22 Dec 2014 22:12:09 +0100
In-Reply-To: <20141222185238.GA3308@behemoth.lan> (Chris Nehren's message of "Mon, 22 Dec 2014 13:52:38 -0500")
Message-ID: <861tnrz8wm.fsf@nine.des.no>
Chris Nehren writes:
> Brett Glass writes:
> > I'd like to propose that FreeBSD move to OpenNTPD, which appears to
> > have none of the [...] vulnerabilities that are present in ntpd.
> [...] I am reticent to support more software going into the base
> system. It should be small enough to build itself and bootstrap the
> ports tree, with very little else.

I absolutely agree. If we replace the NTP suite, it will be with a minimal SNTP client, although no decision has been made.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Mon Dec 22 23:23:47 2014
From: Brett Glass
To: Chris Nehren, freebsd-security@freebsd.org
Subject: Re: ntpd vulnerabilities
Date: Mon, 22 Dec 2014 14:46:51 -0700
In-Reply-To: <20141222185238.GA3308@behemoth.lan>
Message-Id: <201412222323.QAA01574@mail.lariat.net>
At 11:52 AM 12/22/2014, Chris Nehren wrote:
>Heartbleed, more than any other vulnerability in recent memory,
>showed us users on the outside of the Project just how much
>effort is involved in patching the base system (thank you, again,
>DES, for being patient and explaining all the details!). Because
>of this, I am reticent to support more software going into the
>base system.

I understand your concern! Frankly, both ntpd and OpenNTPD have more functionality than ought to be in the base system. The daemon in the base system probably should only query trusted servers for the time, as securely as possible, rather than also being a server itself.

Within my own network, I have used cron and ntpdate (even though it's officially deprecated) on most of the clients, querying a couple of trusted local time servers. I've then armored those servers -- which do query the outside world -- as much as possible against abuse, with very restrictive security settings and stateful firewall rules for good measure. This is a super-lightweight approach from the clients' point of view; it takes up as little CPU and memory as possible on them. But it obviously has some drawbacks; in particular, it doesn't continuously correct the clocks but makes them jump at particular times of day.

Ultimately, I'd love to see the whole world go to PKI-based digital signatures on responses to time queries. With the crypto accelerators that are now being built into many CPUs, this will probably become practical... IF one can trust the hardware not to have security holes or backdoors. Which is, of course, a big "if."
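The cron-plus-ntpdate scheme Brett describes above, as an added example that is mine and not Brett's, Jamie's or FreeBSD's code: a wrapper a cron job could run instead of bare ntpdate. It asks ntpdate to slew rather than step (the -B option Jamie brings up later in the thread), parses the offset ntpdate reports, and exits non-zero when a trusted server reports a correction larger than a regularly slewed client should ever need, so cron mails the operator instead of the clock silently jumping. The server addresses are constructed RFC 5737 documentation addresses, the "adjust time server ... offset ... sec" wording is my assumption about ntpdate's report format, and the sample log line is constructed.

```python
"""Cron-friendly ntpdate wrapper: slew against trusted servers, sanity-check the offset.

Added illustration, not code from the thread. Assumes ntpdate reports its
correction as "<action> time server <host> offset <seconds> sec".
"""
import re
import subprocess
import sys
from typing import List, Optional

# Constructed: trusted internal time servers (RFC 5737 documentation addresses).
TRUSTED_SERVERS: List[str] = ["192.0.2.10", "192.0.2.11"]

# A client slewed a few times a day should never be this far off; a larger
# reported offset means either a bad local clock or a server not to be trusted.
MAX_SANE_OFFSET_SEC = 1.0

# Assumed output format of ntpdate (regex constructed from its usual log line).
_OFFSET_RE = re.compile(
    r"(?P<action>adjust|step|slew) time server (?P<server>\S+) "
    r"offset (?P<offset>-?\d+(?:\.\d+)?) sec"
)

# Constructed sample of what ntpdate prints on success.
SAMPLE_OUTPUT = "22 Dec 16:23:12 ntpdate[1574]: adjust time server 192.0.2.10 offset 0.012345 sec\n"


def build_command(servers: List[str], slew: bool = True) -> List[str]:
    """Command line for one run; -B forces slewing so the clock never jumps."""
    cmd = ["ntpdate"]
    if slew:
        cmd.append("-B")
    return cmd + list(servers)


def parse_ntpdate_output(text: str) -> Optional[dict]:
    """Extract action, server and offset (seconds) from ntpdate's report, or None."""
    match = _OFFSET_RE.search(text)
    if match is None:
        return None
    return {
        "action": match.group("action"),
        "server": match.group("server"),
        "offset": float(match.group("offset")),
    }


def offset_is_sane(offset_sec: float, limit: float = MAX_SANE_OFFSET_SEC) -> bool:
    """True when the correction is within what a regularly slewed client should need."""
    return abs(offset_sec) <= limit


def sync_once(servers: List[str] = TRUSTED_SERVERS) -> int:
    """Run ntpdate once; 0 on a sane correction, non-zero otherwise (cron mails the output)."""
    try:
        proc = subprocess.run(build_command(servers), capture_output=True, text=True)
    except FileNotFoundError:
        print("ntpdate binary not found", file=sys.stderr)
        return 2
    output = proc.stdout + proc.stderr
    report = parse_ntpdate_output(output)
    if proc.returncode != 0 or report is None:
        print("ntpdate failed or produced no usable report:", output.strip(), file=sys.stderr)
        return 2
    if not offset_is_sane(report["offset"]):
        print(f"WARNING: {report['server']} reported offset {report['offset']:+.6f} s; "
              "local clock or server needs attention", file=sys.stderr)
        return 1
    print(f"{report['action']} via {report['server']}: offset {report['offset']:+.6f} s")
    return 0


if __name__ == "__main__":
    # Constructed crontab line for two slews a day:
    #   17 3,15 * * * /usr/local/sbin/ntp-slew.py
    sys.exit(sync_once())
```

The threshold is the defender's check the thread hints at: a client that is slewed twice a day and suddenly needs a correction of seconds is telling you something about either its hardware clock or the server it trusts.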
--Brett Glass

From owner-freebsd-security@FreeBSD.ORG Mon Dec 22 23:46:53 2014
From: Robert Simmons
To: Dag-Erling Smørgrav
Subject: Re: ntpd vulnerabilities
Date: Mon, 22 Dec 2014 18:46:52 -0500
In-Reply-To: <86a92fzmls.fsf@nine.des.no>
Cc: freebsd-security@freebsd.org, Winfried Neessen

On Mon, Dec 22, 2014 at 11:16 AM, Dag-Erling Smørgrav wrote:
> Yes, FreeBSD is vulnerable, and we have informed CERT of that fact, so I
> don't know why they have us down as "unknown". We are preparing an
> advisory for tomorrow. As was the case with BIND, this takes more work
> than for many other operating systems since we maintain older versions
> in older branches; for instance, 8.4 has 4.2.4.

It looks like all supported FreeBSD versions use 4.2.4. At least CURRENT and 10.1 report that as the version:

Dec 22 23:35:56 ntpd[660]: ntpd 4.2.4p5-a (1)

Will 4.2.8 be pulled into CURRENT eventually, or is the plan to replace it entirely with ntimed?
From owner-freebsd-security@FreeBSD.ORG Tue Dec 23 00:20:53 2014
From: Dag-Erling Smørgrav
To: Robert Simmons
Cc: freebsd-security@freebsd.org, Winfried Neessen
Subject: Re: ntpd vulnerabilities
Date: Tue, 23 Dec 2014 01:20:39 +0100
In-Reply-To: (Robert Simmons's message of "Mon, 22 Dec 2014 18:46:52 -0500")
Message-ID: <86wq5jxlm0.fsf@nine.des.no>

Robert Simmons writes:
> Will 4.2.8 be pulled into CURRENT eventually, or is the plan to
> replace it entirely with ntimed?

We have two people working on 4.2.8.
DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Dec 23 00:26:13 2014
From: Joe Malcolm
To: Robert Simmons
Cc: Dag-Erling Smørgrav, Winfried Neessen, freebsd-security@freebsd.org
Subject: Re: ntpd vulnerabilities
Date: Tue, 23 Dec 2014 00:17:20 +0000

As a practical matter, is the default config vulnerable to the buffer overflow issues? The announcement:

http://lists.ntp.org/pipermail/announce/2014-December/000122.html

says that "restrict ... noquery" is sufficient mitigation for the 3 buffer overflow issues.
I'm no expert on ntp.conf, but this appears in my ntp.conf on one of my FreeBSD systems:

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

However, it also has these:

restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0

Joe

From owner-freebsd-security@FreeBSD.ORG Tue Dec 23 04:38:57 2014
From: Jamie Landeg-Jones
To: freebsd-security@freebsd.org, cnehren+freebsd-security@pobox.com, brett@lariat.org
Subject: Re: ntpd vulnerabilities
Date: Tue, 23 Dec 2014 04:38:50 +0000
In-Reply-To: <201412222323.QAA01574@mail.lariat.net>
Message-Id: <201412230438.sBN4coM8030741@dyslexicfish.net>
Brett Glass wrote:
> Within my own network, I have used cron and ntpdate (even though it's
> officially deprecated) on most of the clients, querying a couple of

I think ntpdate is only deprecated because its functionality is provided by 'ntpd -q'

> on them. But it obviously has some drawbacks; in particular, it doesn't
> continuously correct the clocks but makes them jump at particular
> times of day.

Until recently, I'd been using this too, however, using the '-B' option to ntpdate ('-x' to ntpd) to slew the clock instead. A couple of these a day in cron causes negligible drift, unless your clock ain't too good!

Cheers, Jamie

From owner-freebsd-security@FreeBSD.ORG Tue Dec 23 08:37:56 2014
From: Dag-Erling Smørgrav
To: Joe Malcolm
Subject: Re: ntpd vulnerabilities
Cc: freebsd-security@freebsd.org, Winfried Neessen, Robert Simmons
Date: Tue, 23 Dec 2014 09:37:40 +0100
In-Reply-To: <21656.46224.764659.252388@neoshoggoth.uraeus.com> (Joe Malcolm's message of "Tue, 23 Dec 2014 00:17:20 +0000")
Message-ID: <86sig6yd63.fsf@nine.des.no>

Joe Malcolm writes:
> I'm no expert on ntp.conf, but this appears in my ntp.conf on one of
> my FreeBSD systems:
>
> restrict default kod nomodify notrap nopeer noquery
> restrict -6 default kod nomodify notrap nopeer noquery
>
> However, it also has these:
>
> restrict 127.0.0.1
> restrict -6 ::1
> restrict 127.127.1.0

These work on a "last match" basis. The latter three lines lift all restrictions for localhost, so you can still "ntpq -pn" your own server, but nobody else can.
DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Dec 23 13:07:38 2014
From: Joe Malcolm
To: Dag-Erling Smørgrav
Subject: Re: ntpd vulnerabilities
Date: Tue, 23 Dec 2014 13:07:34 +0000
In-Reply-To: <86sig6yd63.fsf@nine.des.no>
Message-ID: <21657.26902.156000.609968@neoshoggoth.uraeus.com>
Cc: Joe Malcolm,
    freebsd-security@freebsd.org, Robert Simmons, Winfried Neessen

Dag-Erling Smørgrav writes:
>Joe Malcolm writes:
>> I'm no expert on ntp.conf, but this appears in my ntp.conf on one of
>> my FreeBSD systems:
>>
>> restrict default kod nomodify notrap nopeer noquery
>> restrict -6 default kod nomodify notrap nopeer noquery
>>
>> However, it also has these:
>>
>> restrict 127.0.0.1
>> restrict -6 ::1
>> restrict 127.127.1.0
>
>These work on a "last match" basis. The latter three lines lift all
>restrictions for localhost, so you can still "ntpq -pn" your own server,
>but nobody else can.

Thanks. So, if I understand correctly, the shipped config is vulnerable to local (same-host) attackers, not remote ones.

joe

From owner-freebsd-security@FreeBSD.ORG Tue Dec 23 13:18:44 2014
From: Dag-Erling Smørgrav
To: Joe Malcolm
Subject: Re: ntpd vulnerabilities
Cc: freebsd-security@freebsd.org, Robert Simmons, Winfried Neessen
Date: Tue, 23 Dec 2014 14:18:25 +0100
In-Reply-To: <21657.26902.156000.609968@neoshoggoth.uraeus.com> (Joe Malcolm's message of "Tue, 23 Dec 2014 13:07:34 +0000")
Message-ID: <86oaquy066.fsf@nine.des.no>

Joe Malcolm writes:
> Dag-Erling Smørgrav writes:
> > These work on a "last match" basis. The latter three lines lift all
> > restrictions for localhost, so you can still "ntpq -pn" your own
> > server, but nobody else can.
> Thanks. So, if I understand correctly, the shipped config is
> vulnerable to local (same-host) attackers, not remote ones.

Broadly, yes. Restricting requests from localhost makes it impossible to monitor your own server, because ntpdc and ntpq talk to ntpd over UDP to localhost rather than a Unix socket, which could be protected by file permissions. Implementing a Unix socket for ntpdc / ntpq is left as an exercise to the reader.
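Joe's ntp.conf lines and the explanation of how they combine, as an added example that is mine and not code from the thread or from ntpd: a small resolver that parses restrict directives and reports which flags apply to a given source address, so an administrator can check who is still able to send the mode 6/7 control queries that "noquery" blocks. It picks the most specific matching entry, with later entries winning ties, which yields the "last match" outcome described above; treating a family-less "restrict default" as covering both IPv4 and IPv6 is my assumption. The sample configuration is the quoted restrict lines plus one constructed server line, and the foreign addresses in the report are constructed documentation addresses.

```python
"""Resolve which ntp.conf 'restrict' flags apply to a source address.

Added illustration, not ntpd's own code. Approximation of ntpd's matching:
the most specific matching entry wins, later entries winning ties.
"""
import ipaddress
from typing import FrozenSet, Iterable, List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Rule = Tuple[Network, FrozenSet[str]]

# Constructed sample: the restrict lines quoted in the thread plus one server line.
SAMPLE_NTP_CONF = """\
server 0.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0
"""

_DEFAULTS = {4: ipaddress.ip_network("0.0.0.0/0"), 6: ipaddress.ip_network("::/0")}


def parse_restrict_lines(conf_text: str) -> List[Rule]:
    """Turn 'restrict [-4|-6] <addr|default> [mask M] [flags...]' lines into (network, flags)."""
    rules: List[Rule] = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if not tokens or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = None
        if tokens and tokens[0] in ("-4", "-6"):
            family = 4 if tokens.pop(0) == "-4" else 6
        if not tokens:
            raise ValueError(f"restrict line without an address: {raw!r}")
        target = tokens.pop(0)
        mask = None
        if len(tokens) >= 2 and tokens[0] == "mask":
            tokens.pop(0)
            mask = tokens.pop(0)
        flags = frozenset(tokens)
        if target == "default":
            # Assumption: a family-less "default" covers both address families.
            families = [family] if family else [4, 6]
            rules.extend((_DEFAULTS[f], flags) for f in families)
            continue
        addr = ipaddress.ip_address(target)
        prefix = mask if mask is not None else str(addr.max_prefixlen)  # bare host = /32 or /128
        rules.append((ipaddress.ip_network(f"{addr}/{prefix}", strict=False), flags))
    return rules


def effective_flags(rules: List[Rule], source: str) -> FrozenSet[str]:
    """Flags applied to packets from `source`; an empty set means unrestricted."""
    src = ipaddress.ip_address(source)
    best: Optional[Rule] = None
    for net, flags in rules:
        if net.version != src.version or src not in net:
            continue
        if best is None or net.prefixlen >= best[0].prefixlen:  # >= : later entry wins ties
            best = (net, flags)
    return best[1] if best is not None else frozenset()


def can_query(rules: List[Rule], source: str) -> bool:
    """Can `source` send mode 6/7 control queries (what ntpq and ntpdc use)?"""
    return not (effective_flags(rules, source) & {"ignore", "noquery"})


def can_get_time(rules: List[Rule], source: str) -> bool:
    """Can `source` get ordinary time service?"""
    return not (effective_flags(rules, source) & {"ignore", "noserve"})


def report(conf_text: str, sources: Iterable[str]) -> List[Tuple[str, bool, bool]]:
    """(source, time service allowed, control queries allowed) for each source."""
    rules = parse_restrict_lines(conf_text)
    return [(s, can_get_time(rules, s), can_query(rules, s)) for s in sources]


if __name__ == "__main__":
    # 192.0.2.10 and 2001:db8::1 are constructed documentation addresses.
    probes = ["127.0.0.1", "::1", "127.127.1.0", "192.0.2.10", "2001:db8::1"]
    for src, time_ok, query_ok in report(SAMPLE_NTP_CONF, probes):
        print(f"{src:>16}  time={'yes' if time_ok else 'no':<3}  control-query={'yes' if query_ok else 'no'}")
```

Run against the sample, the report shows exactly the split discussed in the thread: the two loopback addresses and the local refclock address get no flags at all, while any other address keeps "noquery" and the rest of the default flags, so time service works for everyone but control queries only from the host itself.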
DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Tue Dec 23 17:10:38 2014
From: Ollivier Robert
To: freebsd-security@freebsd.org
Subject: Re: ntpd vulnerabilities
Date: Tue, 23 Dec 2014 18:10:33 +0100
Message-ID: <20141223171033.GI14881@lonrach-2.local>

According to Robert Simmons:
> Will 4.2.8 be pulled into CURRENT eventually, or is the plan to
> replace it entirely with ntimed?
It is being worked on, import is already done in /vendor/ntp with two more patches (nothing to do with security, just compatibility). The usr.sbin bits are being worked on.

-- 
Ollivier ROBERT -=- FreeBSD: The Power to Serve! -=- roberto@keltia.freenix.fr
In memoriam to Ondine : http://ondine.keltia.net/

From owner-freebsd-security@FreeBSD.ORG Tue Dec 23 23:33:25 2014
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp
Reply-To: freebsd-security@freebsd.org
Date: Wed, 24 Dec 2014 00:33:09 +0100 (CET)
Message-Id: <20141223233310.098C54BB6@nine.des.no>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-14:31.ntp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in NTP suite

Category:       contrib
Module:         ntp
Announced:      2014-12-23
Affects:        All supported versions of FreeBSD.
Corrected:      2014-14-22 19:07:16 UTC (stable/10, 10.1-STABLE)
                2014-12-23 22:56:01 UTC (releng/10.1, 10.1-RELEASE-p3)
                2014-12-23 22:55:14 UTC (releng/10.0, 10.0-RELEASE-p15)
                2014-14-22 19:08:09 UTC (stable/9, 9.3-STABLE)
                2014-12-23 22:54:25 UTC (releng/9.3, 9.3-RELEASE-p7)
                2014-12-23 22:53:44 UTC (releng/9.2, 9.2-RELEASE-p17)
                2014-12-23 22:53:03 UTC (releng/9.1, 9.1-RELEASE-p24)
                2014-14-22 19:08:09 UTC (stable/8, 8.4-STABLE)
                2014-12-23 22:52:22 UTC (releng/8.4, 8.4-RELEASE-p21)
CVE Name:       CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) used to synchronize the time of a computer system to a reference time source.

II.  Problem Description

When no authentication key is set in the configuration file, ntpd(8) would generate a random key that uses a non-linear additive feedback random number generator seeded with very few bits of entropy. [CVE-2014-9293]

The ntp-keygen(8) utility is also affected by a similar issue. [CVE-2014-9294]

When Autokey Authentication is enabled, for example if ntp.conf(5) contains a 'crypto pw' directive, a remote attacker can send a carefully crafted packet that can overflow a stack buffer. [CVE-2014-9295]

In ntp_proto.c, the receive() function is missing a return statement in the case when an error is detected. [CVE-2014-9296]

III. Impact

The NTP protocol uses keys to implement authentication. The weak seeding of the pseudo-random number generator makes it easier for an attacker to brute-force keys, and thus may broadcast incorrect time stamps or masquerade as another time server.
[CVE-2014-9293, CVE-2014-9294]

An attacker may be able to utilize the buffer overflow to crash the ntpd(8) daemon or potentially run arbitrary code with the privileges of the ntpd(8) process, which is typically root. [CVE-2014-9295]

IV.  Workaround

No workaround is available, but systems not running ntpd(8) are not affected.

Because the issue may lead to remote root compromise, the FreeBSD Security Team recommends system administrators to firewall NTP ports, namely tcp/123 and udp/123 when it is not clear that all systems have been patched or have ntpd(8) stopped.

V.   Solution

NOTE WELL: It is advisable to regenerate all keys used for NTP authentication, if configured.

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-14:31/ntp.patch
# fetch https://security.FreeBSD.org/patches/SA-14:31/ntp.patch.asc
# gpg --verify ntp.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as described in .

Restart the ntpd(8) daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.
Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r276073
releng/8.4/                                                       r276154
stable/9/                                                         r276073
releng/9.1/                                                       r276155
releng/9.2/                                                       r276156
releng/9.3/                                                       r276157
stable/10/                                                        r276072
releng/10.0/                                                      r276158
releng/10.1/                                                      r276159
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJUmfSAAAoJEO1n7NZdz2rnV/IQAMeAuVbyKDMu3mec0ErpL5z8
OcSxVxKWH9udDJQkpiw6OaU4ks7PGOH/PgAad0mIhWPflXtpUlWMQtUa54Ds4s/t
NjknM2vS4sBMZLk0Poqsts0TohfwdxF+CT8OCZARA2i3t70Ov0Y9BeoCatL2rnS+
rPbhhlnQXrsAJDCKcjSrYw+37cDNEdcvk4UKhiKh76J6CXwn2cT6h1dXTMFyImWq
slTNlkJV6iFMNYn3oSA8nCVEJVMw2XQwVfg2qzkpZcuDGKE5fFpdvX3VcRP7b2cq
zwSClt29B7FF3EjrplRuEdgxDk8m9PjVbUz9tocLPIqV0RjhTA9j7MhNcWH5G3Dh
u6NQDsA0WzE8Ki2mrWpTEAFp21ZzSyXXtZ703XYiXbQKNG9lKEFv5Z8ffVHSrUT7
uB2BsP+LrnnWNNdjkRSSSxrfy4CvFLsdQ9FI1FNz+oofEio6yPO+W47pBH//Nbj0
wfeReW1OlbrtWF6NHZr4CfX+Lx9hu4CXXdXRWKdMDTYUywr0V6BiIsrNlN1z7XCy
90+43twFhGBsOSVD5PpcDmt9oEYfpwWKdXO6dXClCo+mxAki/fgf5Y24cTT9DTQn
CKuVZuyaMi+HZ0jf2sKITQ03S8+Nrn7cZEXkIGScfT5z1Y8pcN+7bRhB1DpaCs0q
IIw6TjJXQm8DTMuBIwf3
=oSCq
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Wed Dec 24 01:01:20 2014
0AF9438CE for ; Wed, 24 Dec 2014 01:01:19 +0000 (UTC) Received: from nine.des.no (smtp.des.no [194.63.250.102]) by smtp-int.des.no (Postfix) with ESMTP id D35609FF8 for ; Wed, 24 Dec 2014 01:01:15 +0000 (UTC) Received: by nine.des.no (Postfix, from userid 1001) id 837CE4BF4; Wed, 24 Dec 2014 02:01:07 +0100 (CET) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp References: <20141223233310.098C54BB6@nine.des.no> Date: Wed, 24 Dec 2014 02:01:07 +0100 In-Reply-To: <20141223233310.098C54BB6@nine.des.no> (FreeBSD Security Advisories's message of "Wed, 24 Dec 2014 00:33:09 +0100 (CET)") Message-ID: <86h9wln9nw.fsf@nine.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.4 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Dec 2014 01:01:20 -0000 FreeBSD Security Advisories writes: > Corrected: 2014-14-22 19:07:16 UTC (stable/10, 10.1-STABLE) > 2014-14-22 19:08:09 UTC (stable/9, 9.3-STABLE) > 2014-14-22 19:08:09 UTC (stable/8, 8.4-STABLE) Sorry about the bogus correction dates, these should of course be 2014-12-22. The dates for the releng branches are correct, and the version posted on the web site also has the correct dates. 
DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Wed Dec 24 01:06:36 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id A680CDC0 for ; Wed, 24 Dec 2014 01:06:36 +0000 (UTC) Received: from mx5.roble.com (mx5.roble.com [206.40.34.5]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "mx5.roble.com", Issuer "mx5.roble.com" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 98FD439F8 for ; Wed, 24 Dec 2014 01:06:36 +0000 (UTC) Date: Tue, 23 Dec 2014 17:06:30 -0800 (PST) From: Roger Marquis To: freebsd-security@freebsd.org Subject: Re: ntpd vulnerabilities User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 24 Dec 2014 01:06:36 -0000 Dag-Erling Sm??rgrav wrote: >I absolutely agree. If we replace the NTP suite, it will be with a >minimal SNTP client, although no decision has been made. For now openntpd is the recommended solution but a more minimal client might be preferable depending on implementation specifics. The only feature missing from openntpd that we could use is a way to set the egress interface. Openntpd's "listen on" directive only defines the ingress tcp adddress, outgoing queries still use the server's primary ip. 
Roger Marquis

From owner-freebsd-security@FreeBSD.ORG Wed Dec 24 01:03:54 2014
From: Kevin Oberman
To: freebsd-security@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-14:31.ntp
Date: Tue, 23 Dec 2014 17:03:53 -0800

What month is 2014-14-22?  I assume that you meant 2014-12-22.

On Dec 23, 2014 3:35 PM, "FreeBSD Security Advisories" <
security-advisories@freebsd.org> wrote:

> =============================================================================
> FreeBSD-SA-14:31.ntp                                        Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Multiple vulnerabilities in NTP suite
>
> Category:       contrib
> Module:         ntp
> Announced:      2014-12-23
> Affects:        All supported versions of FreeBSD.
> Corrected:      2014-14-22 19:07:16 UTC (stable/10, 10.1-STABLE)
>                 2014-12-23 22:56:01 UTC (releng/10.1, 10.1-RELEASE-p3)
>                 2014-12-23 22:55:14 UTC (releng/10.0, 10.0-RELEASE-p15)
>                 2014-14-22 19:08:09 UTC (stable/9, 9.3-STABLE)
>                 2014-12-23 22:54:25 UTC (releng/9.3, 9.3-RELEASE-p7)
>                 2014-12-23 22:53:44 UTC (releng/9.2, 9.2-RELEASE-p17)
>                 2014-12-23 22:53:03 UTC (releng/9.1, 9.1-RELEASE-p24)
>                 2014-14-22 19:08:09 UTC (stable/8, 8.4-STABLE)
>                 2014-12-23 22:52:22 UTC (releng/8.4, 8.4-RELEASE-p21)
> CVE Name:       CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296
>
> [...]

From owner-freebsd-security@FreeBSD.ORG Wed Dec 24 05:52:41 2014
From: Eugene Grosbein
To: Dag-Erling Smørgrav, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp
Date: Wed, 24 Dec 2014 12:52:18 +0700

On 24.12.2014 08:01, Dag-Erling Smørgrav wrote:
> FreeBSD Security Advisories writes:
>> Corrected:      2014-14-22 19:07:16 UTC (stable/10, 10.1-STABLE)
>>                 2014-14-22 19:08:09 UTC (stable/9, 9.3-STABLE)
>>                 2014-14-22 19:08:09 UTC (stable/8, 8.4-STABLE)
>
> Sorry about the bogus correction dates; these should of course be
> 2014-12-22.  The dates for the releng branches are correct, and the
> version posted on the web site also has the correct dates.

Why does it say "Recompile the operating system using buildworld and
installworld"?  The patch touches contrib/ntp only.  It should be enough
to rebuild ntpd only, shouldn't it?

Eugene Grosbein

From owner-freebsd-security@FreeBSD.ORG Wed Dec 24 12:49:18 2014
From: Dag-Erling Smørgrav
To: Eugene Grosbein
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp
Date: Wed, 24 Dec 2014 13:49:06 +0100
Eugene Grosbein writes:
> Why does it say "Recompile the operating system using buildworld and
> installworld"?

Because that's what the template says, and we rarely change it to
something more specific (in large part because that requires careful
testing of the exact instructions we publish).  "Rebuild, reinstall and
reboot" may be overkill, but it's never wrong.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Wed Dec 24 16:31:30 2014
From: Dag-Erling Smørgrav
To: Kevin Oberman
Cc: freebsd-security@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-14:31.ntp
Date: Wed, 24 Dec 2014 17:31:10 +0100

Kevin Oberman writes:
> What month is 2014-14-22?  I assume that you meant 2014-12-22.

Yes.  The online version has been corrected.

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Wed Dec 24 16:47:30 2014
From: Andrei
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp
Date: Wed, 24 Dec 2014 17:42:16 +0100

On Wed, 24 Dec 2014 00:33:09 +0100 (CET)
FreeBSD Security Advisories wrote:

> No workaround is available, but systems not running ntpd(8) are not
> affected.
> Because the issue may lead to remote root compromise, the
> FreeBSD Security Team recommends that system administrators firewall NTP
> ports, namely tcp/123 and udp/123, when it is not clear that all
> systems have been patched or have ntpd(8) stopped.

Why tcp/123?

Kind regards,
Andrei.

From owner-freebsd-security@FreeBSD.ORG Wed Dec 24 17:12:16 2014
From: Glen Barber
To: Andrei
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp
Date: Wed, 24 Dec 2014 17:12:04 +0000

On Wed, Dec 24, 2014 at 05:42:16PM +0100, Andrei wrote:
> On Wed, 24 Dec 2014 00:33:09 +0100 (CET)
> FreeBSD Security Advisories wrote:
>
> > No workaround is available, but systems not running ntpd(8) are not
> > affected.  Because the issue may lead to remote root compromise, the
> > FreeBSD Security Team recommends that system administrators firewall NTP
> > ports, namely tcp/123 and udp/123, when it is not clear that all
> > systems have been patched or have ntpd(8) stopped.
>
> Why tcp/123?
>

gjb@nucleus:~ % grep -i ^ntp /etc/services
ntp             123/tcp    #Network Time Protocol
ntp             123/udp    #Network Time Protocol

Glen

From owner-freebsd-security@FreeBSD.ORG Wed Dec 24 17:31:08 2014
From: Garrett Wollman
To: Glen Barber
Cc: freebsd-security@freebsd.org, Andrei
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp
Date: Wed, 24 Dec 2014 12:31:03 -0500

< said:
> On Wed, Dec 24, 2014 at 05:42:16PM +0100, Andrei wrote:
>> On Wed, 24 Dec 2014 00:33:09 +0100 (CET)
>> FreeBSD Security Advisories wrote:
>> > ports, namely tcp/123 and udp/123, when it is not clear that all
>> > systems have been patched or have ntpd(8) stopped.
>>
>> Why tcp/123?
>>
> gjb@nucleus:~ % grep -i ^ntp /etc/services
> ntp             123/tcp    #Network Time Protocol
> ntp             123/udp    #Network Time Protocol

It's IANA's policy to reserve the ports for both TCP and UDP.  NTP does
not use TCP, nor has it ever done so.  It's highly unlikely that it ever
will.  You might as well tell people to firewall 123/sctp as well; it
will have just as much effect.

-GAWollman

From owner-freebsd-security@FreeBSD.ORG Thu Dec 25 17:46:37 2014
From: Darren Pilgrim
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp
Date: Thu, 25 Dec 2014 09:46:25 -0800
On 12/23/2014 3:33 PM, FreeBSD Security Advisories wrote:
> IV.  Workaround
>
> No workaround is available,

This was fixed in ports/net/ntp on Dec 20, so a workaround exists in the
form of disabling the in-base version and installing the port.  In the
future, it would be helpful to mention such.

From owner-freebsd-security@FreeBSD.ORG Thu Dec 25 19:37:05 2014
From: Remko Lodder
To: Darren Pilgrim
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp
Date: Thu, 25 Dec 2014 20:36:41 +0100

> On 25 Dec 2014, at 18:46, Darren Pilgrim wrote:
>
> On 12/23/2014 3:33 PM, FreeBSD Security Advisories wrote:
>> IV.  Workaround
>>
>> No workaround is available,
>
> This was fixed in ports/net/ntp on Dec 20, so a workaround exists in
> the form of disabling the in-base version and installing the port.  In
> the future, it would be helpful to mention such.

We talk explicitly about the base system, not about ports.  We never
mentioned them and I do not see a reason to start doing so.

That is my personal opinion though; it could be that others think
differently and they are of course entitled to do so.
-- /"\ Best regards, | remko@FreeBSD.org \ / Remko Lodder | remko@EFnet X http://www.evilcoder.org/ | / \ ASCII Ribbon Campaign | Against HTML Mail and News --Apple-Mail=_BDDF00BD-9766-40A0-9437-4165EF019995 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP using GPGMail -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQIcBAEBAgAGBQJUnGdJAAoJEKjD27JZ84ywWXwP/0OfbBoasS4bH+kPpNzqLLR9 54eMW3SgzH3odIGreeagfCY2KbRsT8l9XNNhbj517vmR1SG/kqRR/myQOfKsZ9u0 eVznQ8fJeUJ5sS0aBkV/cRTHiLWa9P3T7jvqXH8xprgVPfecdyxwBv3377yYcaLU g/baVlEuNTDUrGc2pUrBo0P5bmXbJCMLuJ9UjT5Ul+QmwjDuPU9zvWpLo4hU3rYK TcUOkCXiGEsvgrKNKQRyHOcz89j8hwmMvU7MR+UyVgu5yNSlBXc+Z8QapoIaMKvh R6fvFHBHnUxwWmELx3UO2q1+qfYx94iatrSWVtkDrFPVw+3LKz6ipLwvXtXSF3k7 YpILitaBEPl5NWz32IM3KV52nmr18qLPMt2uu9oFZwkteqaSe7S/SzeFZqBbYZPL Q5wlplv4dpazyKRTW4zG0lb/GImsrQykP9lGTrN0Bw4Xno0QkQMoh32i0hdo0afg 7XGCzV4jctG9ugjwUZWWqi6M6k7ythzqXaVWhs8rSxWx/Iv6ie7mLS12d8th+D1u Yda+SK03Ifyv8W9+FcWjRQPSwVB6W7AbR9go1xzKpeV9T2gD3CA5Fwz0+SLLvyyc gkeMU1vDTY6EIulPH90kcxmnuIeOmXSoPobngkb1S3X+8eJiaBfuXp2XRpjIbGjB 7SvNUFUJzeIPY46zN/zE =dy3U -----END PGP SIGNATURE----- --Apple-Mail=_BDDF00BD-9766-40A0-9437-4165EF019995-- From owner-freebsd-security@FreeBSD.ORG Fri Dec 26 00:15:30 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 01E5948D for ; Fri, 26 Dec 2014 00:15:30 +0000 (UTC) Received: from keltia.net (aran.keltia.net [88.191.250.24]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id BA3493AE3 for ; Fri, 26 Dec 2014 00:15:28 +0000 (UTC) Received: from lonrach-2.local 
(foret.keltia.net [78.232.116.160]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) (Authenticated sender: roberto) by keltia.net (Postfix) with ESMTPSA id C1720529E for ; Fri, 26 Dec 2014 01:15:19 +0100 (CET) Date: Fri, 26 Dec 2014 01:15:14 +0100 From: Ollivier Robert To: freebsd-security@freebsd.org Subject: Re: ntpd vulnerabilities Message-ID: <20141226001513.GA85647@lonrach-2.local> References: <20141224010640.1BB77E80@hub.freebsd.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20141224010640.1BB77E80@hub.freebsd.org> X-Operating-System: MacOS X / MBP 4,1 - FreeBSD 8.0 / T3500-E5520 Nehalem User-Agent: Mutt/1.5.23 (2014-03-12) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 26 Dec 2014 00:15:30 -0000 According to Roger Marquis: > For now openntpd is the recommended solution but a more minimal client > might be preferable depending on implementation specifics. The only Last time I checked, it does not do NTP4 (the protocol), only NTP3. -- Ollivier ROBERT -=- FreeBSD: The Power to Serve! 
-=- roberto@keltia.freenix.fr
In memoriam to Ondine: http://ondine.keltia.net/

From owner-freebsd-security@FreeBSD.ORG Fri Dec 26 20:08:35 2014
From: Roger Marquis
To: freebsd-security@freebsd.org
Date: Fri, 26 Dec 2014 12:08:29 -0800 (PST)
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp
In-Reply-To: <868uhx43i5.fsf@nine.des.no>
References: <20141223233310.098C54BB6@nine.des.no> <86h9wln9nw.fsf@nine.des.no> <549A5492.6000503@grosbein.net> <868uhx43i5.fsf@nine.des.no>

Dag-Erling Smørgrav wrote:
> Eugene Grosbein wrote:
>> Why does it say "Recompile the operating system using buildworld and
>> installworld"?
>
> Because that's what the template says, and we rarely change it to
> something more specific (in large part because that requires careful
> testing of the exact instructions we publish). "Rebuild, reinstall and
> reboot" may be overkill, but it's never wrong.

This is most unfortunate as it creates a high bar for base security patches at many FreeBSD shops. Sites with a significant number of production hosts, jails and/or filesystem fingerprinting (integrit, tripwire) or those with constrained resources are never going to be able to make/build/installworld for something as simple as a single binary update.

I assume the root cause is insufficient resources within the FreeBSD security team. If that's the case, would there be a budget estimate associated with addressing this security advisory situation?

Since quick publication of advisories is critical, this also raises the question of what might be an effective way to subsequently publish more granular update instructions.

Roger Marquis

From owner-freebsd-security@FreeBSD.ORG Fri Dec 26 21:41:24 2014
From: Dag-Erling Smørgrav
To: Roger Marquis
Date: Fri, 26 Dec 2014 22:41:05 +0100
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp
Message-ID: <8661cy9jim.fsf@nine.des.no>
In-Reply-To: <20141226200838.DE83DACE@hub.freebsd.org> (Roger Marquis's message of "Fri, 26 Dec 2014 12:08:29 -0800 (PST)")
References: <20141223233310.098C54BB6@nine.des.no> <86h9wln9nw.fsf@nine.des.no> <549A5492.6000503@grosbein.net> <868uhx43i5.fsf@nine.des.no> <20141226200838.DE83DACE@hub.freebsd.org>
Cc: freebsd-security@freebsd.org

Roger Marquis writes:
> This is most unfortunate as it creates a high bar for base security
> patches at many FreeBSD shops. Sites with a significant number of
> production hosts, jails and/or filesystem fingerprinting (integrit,
> tripwire) or those with constrained resources are never going to be able
> to make/build/installworld for something as simple as a single binary
> update.

These sites would be better served using freebsd-update to download and apply binary patches. Since freebsd-update is based entirely on http and on package signatures rather than server certificates, you can easily set up a proxy for systems which do not have direct Internet access. If your network is air-gapped, you can set up a few VMs with different FreeBSD versions in a DMZ to run freebsd-update through a proxy, then manually copy the contents of the proxy's cache to an http server in your secure network.

> I assume the root cause is insufficient resources within the freebsd
> security team. If that's the case would there be a budget estimate
> associated with addressing this security advisory situation?

I would suggest discussing this with the FreeBSD Foundation. They have already taken an interest in the matter.
DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Fri Dec 26 22:35:51 2014
From: Darren Pilgrim
To: Remko Lodder
Cc: freebsd-security@freebsd.org
Date: Fri, 26 Dec 2014 14:35:32 -0800
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp
Message-ID: <549DE2B4.4080806@bluerosetech.com>
In-Reply-To: <25260C1A-8230-47BD-9FAF-585D2B560303@FreeBSD.org>
References: <20141223233310.098C54BB6@nine.des.no> <549C4D71.6030704@bluerosetech.com> <25260C1A-8230-47BD-9FAF-585D2B560303@FreeBSD.org>

On 12/25/2014 11:36 AM, Remko Lodder wrote:
>
>> On 25 Dec 2014, at 18:46, Darren Pilgrim wrote:
>>
>> On 12/23/2014 3:33 PM, FreeBSD Security Advisories wrote:
>>> IV. Workaround
>>>
>>> No workaround is available,
>>
>> This was fixed in ports/net/ntp on Dec 20, so a workaround exists
>> in the form of disabling the in-base version and installing the
>> port. In the future, it would be helpful to mention such.
>
> We talk explicitly about the base system, not about ports. We never
> mentioned them and I do not see a reason to start doing so.

I don't understand why you wouldn't. It's a legitimate way of mitigating non-technical problems with system administration. For example, many organizations make scheduling a reboot harder/slower than scheduling the restart of a single service. Temporarily switching to the port in such cases is a very useful band-aid.
From owner-freebsd-security@FreeBSD.ORG Sat Dec 27 00:21:22 2014
From: Dan Lukes
To: freebsd-security@freebsd.org
Date: Sat, 27 Dec 2014 01:06:20 +0100
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:31.ntp
Message-ID: <549DF7FC.10109@obluda.cz>
In-Reply-To: <549DE2B4.4080806@bluerosetech.com>
References: <20141223233310.098C54BB6@nine.des.no> <549C4D71.6030704@bluerosetech.com> <25260C1A-8230-47BD-9FAF-585D2B560303@FreeBSD.org> <549DE2B4.4080806@bluerosetech.com>

On 12/26/14 23:35, Darren Pilgrim:
>>>> IV. Workaround
>>>> No workaround is available,
>> We talk explicitly about the base system, not about ports. We never
>> mentioned them and I do not see a reason to start doing so.
> I don't understand why you wouldn't.

Hm ...

We can turn off the vulnerable service. We can replace the vulnerable software with other, non-vulnerable software. We can leave the vulnerable service running but block access to it.

A security advisory is advisory. An administrator should make their own decisions based on it. I'm pretty sure system administrators recognize those obvious things even though they are not mentioned explicitly. It requires only basic skills.

I disagree that obvious things should be enumerated in an SA. The SA should be short and readable.

In addition, the Security Officer should not recommend other software as a secure replacement unless he considers it secure. Such analysis takes a lot of time and would cause an unacceptable delay of the SA.

Just my $0.02

Dan
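The three mitigation paths Dan lists (turn the service off, replace it, or leave it running but block access to it), together with Darren's earlier suggestion of running the port's ntpd instead of the base binary, written out as configuration fragments. This is an added example for the thread, not configuration posted by anyone on the list. Assumptions: the port installs its binary as /usr/local/sbin/ntpd, the base /etc/rc.d/ntpd script is driven by rc.subr(8) (whose ${name}_program variable overrides the script's command path), the external interface is em0, and the upstream server addresses are constructed values from the 192.0.2.0/24 documentation range.

```conf
# /etc/rc.conf -- option 1: turn the vulnerable base ntpd off entirely.
ntpd_enable="NO"

# /etc/rc.conf -- option 2: keep the service, but run the patched port
# build. ntpd_program is the rc.subr(8) ${name}_program override; the base
# rc script still passes "-c /etc/ntp.conf", so the same config is used.
# (Assumption: net/ntp installs /usr/local/sbin/ntpd.)
ntpd_enable="YES"
ntpd_program="/usr/local/sbin/ntpd"

# /etc/ntp.conf -- option 3a: leave ntpd running but accept nothing except
# time replies from the servers we chose. "default ignore" drops every
# packet (including ntpq/ntpdc control queries) from any address not
# matched by a more specific restrict line.
restrict default ignore
restrict -6 default ignore
restrict 127.0.0.1
restrict -6 ::1
# Constructed upstream addresses (RFC 5737 documentation range); each
# server gets a restrict line that allows time packets but still refuses
# runtime modification, traps, unsolicited peering and control queries.
server 192.0.2.10 iburst
restrict 192.0.2.10 nomodify notrap nopeer noquery
server 192.0.2.11 iburst
restrict 192.0.2.11 nomodify notrap nopeer noquery

# /etc/pf.conf -- option 3b: the same policy one layer down, so the daemon
# never sees unsolicited packets at all. Replies to our own queries match
# the state created by the "pass out" rule and are therefore not affected
# by the inbound block (pf consults the state table before the ruleset).
ext_if = "em0"
table <ntp_servers> { 192.0.2.10, 192.0.2.11 }
block in quick on $ext_if proto udp to ($ext_if) port 123
pass out on $ext_if proto udp to <ntp_servers> port 123 keep state
```

Options 1 and 2 take effect with `service ntpd restart` and need no reboot, which is the point Darren makes about sites where a reboot is harder to schedule than a service restart. Option 3 is worth keeping even after the base ntpd has been patched: a client-only host has no reason to answer NTP requests or control queries from anyone, and both layers are independent of which ntpd binary is running.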