From owner-freebsd-security@FreeBSD.ORG Thu Mar 20 21:04:42 2014
Subject: Re: NTP security hole CVE-2013-5211?
From: Charles Swiger
To: "Ronald F. Guilmette"
Cc: freebsd-security@freebsd.org
Date: Thu, 20 Mar 2014 13:04:35 -0700
Message-id: <742A1A10-15BF-433A-8693-CA2DD1DE0501@mac.com>
In-reply-to: <44680.1395343983@server1.tristatelogic.com>
References: <44680.1395343983@server1.tristatelogic.com>
List-Id: "Security issues [members-only posting]"

Hi--

On Mar 20, 2014, at 12:33 PM, Ronald F. Guilmette wrote:
> Here is what I am seeing now in response to an ntpdc "peers" query. I am
> not really all that familiar with this stuff, so if anybody else here can
> tell me if this looks messed up or not, I'd sure appreciate it.
>
>      remote           local      st poll reach  delay   offset    disp
> =======================================================================
> =nist.netservice 69.62.255.118  16 1024    0  0.00000 0.000000 3.99217
> =rook.slash31.co 69.62.255.118  16 1024    0  0.00000 0.000000 3.99217
> =96.44.142.5     69.62.255.118  16 1024    0  0.00000 0.000000 3.99217

Reachability score of 0 means you've blocked the communications.
> Of course, if this *is* messed up, then I guess that I'll have to remove
> my firewall rule, and diddle my /etc/ntp.conf file at the same time, in
> order to make sure that the Evil Ones don't come back and use & abuse me
> again.

OK, although you're making this more complicated than it needs to be.

If you don't want to provide NTP service to the outside world, leave your existing deny rule in place but add permit rules to allow UDP traffic to and from the NTP servers which you want to sync time from.

Regards,
--
-Chuck
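The firewall arrangement Chuck describes, as an added example that is not part of the thread: FreeBSD ipfw rules that keep the blanket deny on inbound NTP but permit UDP/123 to and from a fixed list of upstream servers, so ntpd can sync again. The server addresses (192.0.2.10, 198.51.100.20) and rule numbers are placeholders chosen here; by default the script only prints the rules, and IPFW=/sbin/ipfw applies them.

```shell
#!/bin/sh
# Added example, not from the thread: FreeBSD ipfw rules that keep the
# blanket deny on inbound NTP (UDP/123) but permit the exchange with a
# fixed list of upstream servers, so ntpd keeps syncing (reach > 0).
# Addresses are TEST-NET placeholders; replace with your real servers.
NTP_SERVERS="${NTP_SERVERS:-192.0.2.10 198.51.100.20}"
# Dry run by default: the rules are printed. Set IPFW=/sbin/ipfw to apply.
IPFW="${IPFW:-echo ipfw}"

ntp_rules() {
    # ipfw evaluates rules in ascending number order, so the per-server
    # permits (1000 upwards) must come before the catch-all deny at 1100.
    n=1000
    for srv in $NTP_SERVERS; do
        # outbound query to the server, then the inbound reply from it
        $IPFW add $n allow udp from me to "$srv" 123 out
        n=$((n + 1))
        $IPFW add $n allow udp from "$srv" 123 to me in
        n=$((n + 1))
    done
    # Everything else aimed at our NTP port is dropped, so outside
    # monlist queries (the CVE-2013-5211 amplification vector) never
    # reach ntpd. Setting "restrict default noquery" in /etc/ntp.conf
    # closes the same vector inside ntpd, independent of the firewall.
    $IPFW add 1100 deny udp from any to me 123 in
}

ntp_rules
```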