Date: Fri, 21 Mar 2014 18:13:10 -0600
From: Brett Glass <brett@lariat.org>
To: Remko Lodder <remko@freebsd.org>, "Ronald F. Guilmette" <rfg@tristatelogic.com>
Cc: "freebsd-security@freebsd.org" <freebsd-security@freebsd.org>
Subject: Re: NTP security hole CVE-2013-5211?
Message-ID: <201403220013.SAA15675@mail.lariat.net>
In-Reply-To: <8F3083F1-3A20-4FEC-9969-F9968D87569E@FreeBSD.org>
References: <51381.1395429637@server1.tristatelogic.com> <8F3083F1-3A20-4FEC-9969-F9968D87569E@FreeBSD.org>
At 03:28 PM 3/21/2014, Remko Lodder wrote:

>Of course the software should be well protected as well, and secteam@ did his
>best to offer the best solution possible. Though as mentioned by Brett for
>example we just cannot force the update of ntpd.conf on user machines because
>every admin could have legitimate reasons for having a configuration in place
>they decided to have. It's risky to change those things and especially enforce
>them on running machines. Most of his ideas were in the advisory already
>except for the 'disable monitor' part, which might be reason to discuss
>whether that makes sense or not.

I've suggested one other thing, and still think it would be a good idea to thwart attacks: that we compile ntpd to source outgoing queries from randomly selected ephemeral UDP ports rather than UDP port 123. (This was, in fact, done in earlier releases of FreeBSD and I'm unsure why it was changed.) This makes stateful firewalling less necessary and improves its performance if it is done.

--Brett Glass
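As an added illustration (not text from either poster or from the FreeBSD advisory), here is an ntp.conf fragment showing the permissive shape that leaves mode 7 monlist queries answerable to anyone, beside a hardened form that combines the usual restrict lines with the 'disable monitor' knob discussed above. The 192.0.2.x addresses are documentation placeholders, not real servers.

```conf
# ---- Permissive (constructed example) ----------------------------------
# No restrict lines at all: every host may send ntpq/ntpdc control queries,
# and the MRU ("monitor") list is on by default, so a spoofed monlist
# request is answered with a response many times larger than the query.
server 192.0.2.10 iburst        # placeholder upstream server
server 192.0.2.11 iburst        # placeholder upstream server

# ---- Hardened (constructed example) ------------------------------------
# Deny control/modification traffic from everyone by default.
#   noquery  - refuse ntpq/ntpdc queries (monlist is one of them)
#   nomodify - refuse runtime configuration changes
#   notrap   - refuse trap service
#   nopeer   - refuse unconfigured symmetric associations
#   kod      - send Kiss-o'-Death packets to abusive clients
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Local management from the host itself is still permitted.
restrict 127.0.0.1
restrict -6 ::1

# Configured upstream servers: their replies to our own queries are still
# accepted under the default restrictions; nothing extra is needed here.
server 192.0.2.10 iburst        # placeholder upstream server
server 192.0.2.11 iburst        # placeholder upstream server

# Stop maintaining the MRU list at all, so that even a query which slips
# past the restrict lines has no monlist data to return.
disable monitor
```

The restrict lines alone close the hole described in the advisory; 'disable monitor' is defence in depth for hosts where an admin-maintained restrict set might later be loosened.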