From owner-freebsd-security@FreeBSD.ORG  Tue Dec 23 13:07:38 2014
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id CCF33FA8
 for <freebsd-security@freebsd.org>; Tue, 23 Dec 2014 13:07:38 +0000 (UTC)
Received: from neoshoggoth.uraeus.com (neoshoggoth.uraeus.com [208.72.84.117])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
 bits))
 (Client CN "mail-relay.uraeus.com", Issuer "URAEUS" (not verified))
 by mx1.freebsd.org (Postfix) with ESMTPS id 9E6216486B
 for <freebsd-security@freebsd.org>; Tue, 23 Dec 2014 13:07:38 +0000 (UTC)
Received: from neoshoggoth.uraeus.com (localhost [127.0.0.1])
 by neoshoggoth.uraeus.com (Postfix) with ESMTP id CBA7A109BE0E;
 Tue, 23 Dec 2014 13:07:35 +0000 (UTC)
X-Amavis-Alert: BAD HEADER SECTION, Non-encoded 8-bit data (char C3 hex): To:
 Dag-Erling Sm\303\270rgrav <des@des.no>
Received: from neoshoggoth.uraeus.com ([127.0.0.1])
 by neoshoggoth.uraeus.com (neoshoggoth.uraeus.com [127.0.0.1]) (amavisd-new,
 port 10024)
 with LMTP id wNYF7tftIh2X; Tue, 23 Dec 2014 13:07:34 +0000 (UTC)
Received: by neoshoggoth.uraeus.com (Postfix, from userid 1013)
 id 7193C109BE0C; Tue, 23 Dec 2014 13:07:34 +0000 (UTC)
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
Message-ID: <21657.26902.156000.609968@neoshoggoth.uraeus.com>
Date: Tue, 23 Dec 2014 13:07:34 +0000
From: Joe Malcolm <jmalcolm@uraeus.com>
To: Dag-Erling Smørgrav <des@des.no>
Subject: Re: ntpd vulnerabilities
In-Reply-To: <86sig6yd63.fsf@nine.des.no>
References: <252350272.1812596.1419241828431.JavaMail.zimbra@cleverbridge.com>
 <86a92fzmls.fsf@nine.des.no>
 <CA+QLa9Du5dZbF-FzEX6Z5cA4m=rTo+ZiEgzuKN5f8xquVExwXg@mail.gmail.com>
 <21656.46224.764659.252388@neoshoggoth.uraeus.com>
 <86sig6yd63.fsf@nine.des.no>
X-Mailer: VM 8.1.1 under 21.4 (patch 22) "Instant Classic" XEmacs Lucid
 (amd64--freebsd)
Cc: Joe Malcolm <jmalcolm@uraeus.com>, freebsd-security@freebsd.org,
 Robert Simmons <rsimmons0@gmail.com>,
 Winfried Neessen <neessen@cleverbridge.com>
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.18-1
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security/>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Dec 2014 13:07:38 -0000

Dag-Erling Sm=C3=B8rgrav writes:
>Joe Malcolm <jmalcolm@uraeus.com> writes:
>> I'm no expert on ntp.conf, but this appears in my ntp.conf on one of=

>> my FreeBSD systems:
>>
>> restrict default kod nomodify notrap nopeer noquery
>> restrict -6 default kod nomodify notrap nopeer noquery
>>
>> However, it also has these:
>>
>> restrict 127.0.0.1
>> restrict -6 ::1
>> restrict 127.127.1.0
>
>These work on a "last match" basis.  The latter three lines lift all
>restrictions for localhost, so you can still "ntpq -pn" your own serve=
r,
>but nobody else can.

Thanks. So, if I understand correctly, the shipped config is
vulnerable to local (same-host) attackers, not remote ones.

joe