From owner-freebsd-security@FreeBSD.ORG Thu Mar 20 17:19:32 2014
Message-Id: <201403201719.LAA29331@mail.lariat.net>
Date: Thu, 20 Mar 2014 11:19:17 -0600
From: Brett Glass
To: "Ronald F. Guilmette", freebsd-security@freebsd.org
Subject: Re: NTP security hole CVE-2013-5211?
List-Id: "Security issues [members-only posting]"

At 09:56 PM 3/17/2014, Ronald F. Guilmette wrote:

> (It was explained to me at the time that NTP operates a bit like DNS...
> with which I am more familiar... i.e. that all outbound requests originate
> on high numbered ports, well and truly away from all low numbered ports,
> including, in particular, 123. I am just re-verifying that my understanding
> in this regard is correct, and that my current blanket firewall rule is
> fine as it stands.)

Different implementations do different things in this regard. Alas, newer versions of ntpd seem to use UDP port 123 as the originating port when synchronizing with outside servers, while older versions did it right and used high, ephemeral ports.
This means that stateful firewalling is required for security, and even with it, spoofing is still possible if the attacker can guess which servers you query. (The ones in the default FreeBSD ntp.conf file are likely to work most of the time.) We should definitely patch the ntpd that's shipped with FreeBSD to issue queries on randomly chosen ephemeral ports, as well as changing the default ntp.conf file to prevent relaying. As we've seen with DNS, UDP-based services are so ripe for attacks (due to the lack of a 3-way handshake) that they need to be protected in every way possible.

--Brett Glass
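The argument in the post above (a stateless "port 123 to port 123" rule admits anything, a stateful rule only admits replies to recorded queries, and a fixed source port of 123 makes even the stateful check guessable once the server IP is known) can be modelled in a few lines. The following is an added illustration written for this archive page; it is not code from the post, from ntpd or from FreeBSD. The addresses are constructed from the RFC 5737 documentation ranges, and the ephemeral port range is an illustrative assumption, not the FreeBSD default.

```python
"""
Model of a stateless and a stateful UDP firewall in front of an NTP client.

Added example, not from the mailing-list post or from ntpd/FreeBSD. It shows
why a client that queries from fixed source port 123 is exposed to forged
replies even behind a stateful firewall, while a random ephemeral source
port forces a forger to also guess the port. All addresses, ports and
packets below are constructed sample data.
"""
import random
from dataclasses import dataclass

NTP_PORT = 123
# Assumed range for the example only; the real ephemeral range is an OS
# tunable and is not taken from the post.
EPHEMERAL_RANGE = (10000, 65535)

CLIENT_IP = "192.0.2.10"      # constructed: the host running ntpd
SERVER_IP = "198.51.100.5"    # constructed: a server listed in ntp.conf
OTHER_IP = "203.0.113.77"     # constructed: a host not in ntp.conf


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reply_tuple(self) -> "UdpPacket":
        """The 4-tuple a genuine answer to this packet would carry."""
        return UdpPacket(self.dst_ip, self.dst_port, self.src_ip, self.src_port)


def stateless_allowed(pkt: UdpPacket) -> bool:
    """A rule like 'pass in udp from any port 123 to me port 123'.

    It has no memory of what the client sent, so any datagram sourced from
    port 123 and aimed at the client's port 123 gets through.
    """
    return (pkt.src_port == NTP_PORT and pkt.dst_port == NTP_PORT
            and pkt.dst_ip == CLIENT_IP)


class StatefulFirewall:
    """Admits an inbound datagram only if it answers a recorded outbound one."""

    def __init__(self) -> None:
        self._expected = set()

    def record_outbound(self, pkt: UdpPacket) -> None:
        # Remember the exact reply tuple we are willing to accept.
        self._expected.add(pkt.reply_tuple())

    def inbound_allowed(self, pkt: UdpPacket) -> bool:
        return pkt in self._expected


def send_query(fw: StatefulFirewall, fixed_source_port: bool,
               rng: random.Random) -> UdpPacket:
    """The client queries SERVER_IP; the source port depends on the ntpd build."""
    sport = NTP_PORT if fixed_source_port else rng.randint(*EPHEMERAL_RANGE)
    query = UdpPacket(CLIENT_IP, sport, SERVER_IP, NTP_PORT)
    fw.record_outbound(query)
    return query


def genuine_reply_accepted(fixed_source_port: bool, seed: int = 7) -> bool:
    """Sanity check: the real server's answer always passes the stateful rule."""
    rng = random.Random(seed)
    fw = StatefulFirewall()
    query = send_query(fw, fixed_source_port, rng)
    return fw.inbound_allowed(query.reply_tuple())


def forged_reply_accepted(fixed_source_port: bool, forged_src_ip: str,
                          forged_dst_port: int, seed: int = 7) -> bool:
    """Does a forged 'reply' from forged_src_ip:123 to CLIENT_IP:forged_dst_port
    pass the stateful firewall after one outstanding query?"""
    rng = random.Random(seed)
    fw = StatefulFirewall()
    send_query(fw, fixed_source_port, rng)
    forged = UdpPacket(forged_src_ip, NTP_PORT, CLIENT_IP, forged_dst_port)
    return fw.inbound_allowed(forged)


def ports_to_guess(fixed_source_port: bool) -> int:
    """Size of the client-port search space once the server IP is known."""
    if fixed_source_port:
        return 1
    lo, hi = EPHEMERAL_RANGE
    return hi - lo + 1


if __name__ == "__main__":
    print("stateless rule admits packet from unknown host:",
          stateless_allowed(UdpPacket(OTHER_IP, NTP_PORT, CLIENT_IP, NTP_PORT)))
    print("stateful, fixed port 123, known server IP, forged accepted:",
          forged_reply_accepted(True, SERVER_IP, NTP_PORT))
    print("stateful, ephemeral port, known server IP, forged to 123 accepted:",
          forged_reply_accepted(False, SERVER_IP, NTP_PORT))
    print("client ports a forger must cover:", ports_to_guess(True),
          "vs", ports_to_guess(False))
```

The two things to take from the model are that the stateful table does not help against a forged answer when both the server IP (guessable from a default ntp.conf) and the client port (always 123) are known, and that moving the client to a random ephemeral port multiplies the forger's search space by the size of that range without changing anything about the firewall itself.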