From owner-freebsd-security@FreeBSD.ORG Sat Mar 22 00:14:46 2014
Delivered-To: freebsd-security@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 98D3BCB2 for ; Sat, 22 Mar 2014 00:14:46 +0000 (UTC)
Received: from gw.catspoiler.org (gw.catspoiler.org [75.1.14.242]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 79B206B6 for ; Sat, 22 Mar 2014 00:14:46 +0000 (UTC)
Received: from FreeBSD.org (mousie.catspoiler.org [192.168.101.2]) by gw.catspoiler.org (8.13.3/8.13.3) with ESMTP id s2M0EVRZ094760; Fri, 21 Mar 2014 16:14:35 -0800 (PST) (envelope-from truckman@FreeBSD.org)
Message-Id: <201403220014.s2M0EVRZ094760@gw.catspoiler.org>
Date: Fri, 21 Mar 2014 17:14:31 -0700 (PDT)
From: Don Lewis
Subject: Re: NTP security hole CVE-2013-5211?
To: brett@lariat.org
In-Reply-To: <201403202028.OAA01351@mail.lariat.net>
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Cc: freebsd-security@FreeBSD.org, rfg@tristatelogic.com
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Sat, 22 Mar 2014 00:14:46 -0000

On 20 Mar, Brett Glass wrote:

> IMHO, you should diddle /etc/ntp.conf as I mentioned in my earlier message
> AND use stateful firewall rules (IPFW works fine for this) to ensure that
> you only accept incoming NTP packets which are answers to your own queries.
> And, as you state above, outbound queries should use randomized ephemeral
> source ports as with DNS. This involves a patch to the ntpd that's shipped
> with FreeBSD, because it is currently compiled to use source port 123.
> (Back in the days of FreeBSD 5.x and 6.x, it used ephemeral source ports,
> but not now.)

So far as I know, ntpd on FreeBSD has never used ephemeral source ports for
queries. Neither does ntpdate, unless it is run as non-root or with the -u
option. If you use symmetric mode (with the peer keyword instead of server in
ntp.conf) then the protocol requires port 123 on both ends.

In addition to locking down the outside interface of my firewall box with ipfw,
I also lock down the inside interface. I greatly restrict the UDP packets
between the firewall and inside network. For NTP, I constrain it to only using
port 123 on the firewall and port 123 on the inside hosts. I've been using that
configuration since the 4.x days and both ntpd and ntpdate have functioned
without issue. I can't query ntpd on the firewall from the inside network with
ntpq, which uses a high-numbered port. I actually have to log on to the
firewall and run ntpq there.
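The thread above is about two controls: a stateful firewall rule that only lets in NTP packets which answer the host's own queries, and the source port those queries go out from (port 123 for ntpd and root ntpdate, an ephemeral port for ntpdate -u). The firewall can only match the address/port tuple it saw the query leave with; what makes a reply actually "an answer to your own query" is the NTP Origin Timestamp, which the server must echo from the client's Transmit Timestamp. The following Python is an added example written for this page, not code from the thread, from FreeBSD or from the ntp.org distribution. It builds an NTPv4 client query, checks a reply the way a careful client should (source tuple, mode 4 only, Origin Timestamp echo, kiss-o'-death and unsynchronised strata), and computes the clock offset. No network traffic is sent: build_reply is a constructed stand-in for a real server's datagram, 192.0.2.10 is a documentation address, and the timestamp values in the reply are made up.

```python
import os
import struct
import time

NTP_EPOCH_OFFSET = 2208988800          # seconds from the NTP epoch (1900) to the Unix epoch (1970)
NTP_PORT = 123
HEADER_FMT = "!BBBb11I"                # 48-byte NTPv4 header, RFC 5905 section 7.3
HEADER_LEN = struct.calcsize(HEADER_FMT)
MODE_CLIENT, MODE_SERVER = 3, 4
MASK32 = 0xFFFFFFFF


def split_ts(ts):
    """64-bit NTP timestamp -> (seconds, fraction) 32-bit halves."""
    return (ts >> 32) & MASK32, ts & MASK32


def ntp_timestamp_now():
    """Current time as a 64-bit NTP timestamp.  The fraction is filled with
    random bits so the value also serves as a nonce: a genuine reply must echo
    it verbatim in its Origin Timestamp field."""
    secs = (int(time.time()) + NTP_EPOCH_OFFSET) & MASK32
    frac = int.from_bytes(os.urandom(4), "big")
    return (secs << 32) | frac


def build_query(xmt):
    """Client request: LI=0, VN=4, Mode=3, only the Transmit Timestamp set."""
    li_vn_mode = (0 << 6) | (4 << 3) | MODE_CLIENT
    return struct.pack(HEADER_FMT, li_vn_mode, 0, 0, 0,
                       0, 0, 0,                # root delay, root dispersion, reference id
                       0, 0, 0, 0, 0, 0,       # reference, origin, receive timestamps
                       *split_ts(xmt))


def parse_header(pkt):
    f = struct.unpack(HEADER_FMT, pkt[:HEADER_LEN])
    ts = lambda i: (f[i] << 32) | f[i + 1]
    return {"leap": f[0] >> 6, "version": (f[0] >> 3) & 7, "mode": f[0] & 7,
            "stratum": f[1], "ref": ts(7), "org": ts(9), "rec": ts(11), "xmt": ts(13)}


def validate_reply(pkt, src, server, sent_xmt):
    """Accept a datagram only if it is the queried server's answer to the query
    we sent.  Returns (ok, reason).  A stateful firewall rule can only match
    the (addr, port) tuple; everything after that check is up to the client."""
    if src != server:
        return False, "source address/port is not the server we queried"
    if len(pkt) < HEADER_LEN:
        return False, "short packet"
    h = parse_header(pkt)
    if h["version"] not in (3, 4):
        return False, "unexpected NTP version"
    if h["mode"] != MODE_SERVER:
        # mode 6 (control) and mode 7 (private, e.g. monlist) are not time replies
        return False, "mode %d is not a server reply" % h["mode"]
    if h["org"] != sent_xmt:
        return False, "origin timestamp does not echo our transmit timestamp"
    if h["stratum"] == 0:
        return False, "kiss-o'-death packet (stratum 0)"
    if h["stratum"] > 15:
        return False, "server unsynchronised (stratum %d)" % h["stratum"]
    if h["rec"] == 0 or h["xmt"] == 0:
        return False, "zero receive/transmit timestamp"
    return True, "ok"


def clock_offset(h, dst):
    """theta = ((T2 - T1) + (T3 - T4)) / 2 from RFC 5905 section 8, computed in
    64-bit fixed point and returned as float seconds.  dst is our receive time."""
    return ((h["rec"] - h["org"]) + (h["xmt"] - dst)) / 2 ** 33


def build_reply(query, stratum=2, mode=MODE_SERVER):
    """Constructed server reply for offline use: echoes the query's Transmit
    Timestamp into Origin Timestamp, as a real ntpd does.  Timestamps are
    made up (receive = query + 0.5 s, transmit = receive + ~1 ms)."""
    q = parse_header(query)
    rec = q["xmt"] + (1 << 31)
    xmt = rec + (1 << 22)
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    return struct.pack(HEADER_FMT, li_vn_mode, stratum, 6, -20,
                       0x00000400, 0x00000400, 0xC0000201,   # ~15 ms delay/disp, refid 192.0.2.1 (made up)
                       *split_ts(rec), *split_ts(q["xmt"]), *split_ts(rec), *split_ts(xmt))


def open_client_socket():
    """Bind to port 0 so the kernel picks a random ephemeral source port, the
    behaviour of ntpdate -u; ntpd itself sends from port 123."""
    import socket
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("0.0.0.0", 0))
    return s


if __name__ == "__main__":
    server = ("192.0.2.10", NTP_PORT)        # documentation address, not a real server
    xmt = ntp_timestamp_now()
    query = build_query(xmt)
    reply = build_reply(query)               # stand-in for sock.recvfrom()
    print(validate_reply(reply, server, server, xmt))
    print(validate_reply(build_reply(build_query(xmt ^ 1)), server, server, xmt))   # not ours
    print(validate_reply(build_reply(query, mode=7), server, server, xmt))          # mode 7 noise
```

The point of the Origin Timestamp check is that a stateful rule, once the UDP "connection" is open, will pass anything the server (or anyone spoofing it) sends to that tuple; the echo check is what ties a packet to a specific outstanding query. With a port-123-to-port-123 rule as described in the message, the tuple is fixed and guessable, so the nonce in the transmit timestamp carries more of the load than it does with a random ephemeral port.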