From owner-freebsd-security@FreeBSD.ORG Sat Mar 15 03:43:57 2014
Delivered-To: freebsd-security@freebsd.org
Message-Id: <201403150343.VAA27172@mail.lariat.net>
Date: Fri, 14 Mar 2014 21:43:37 -0600
To: d@delphij.net, Fabian Wenk, freebsd-security@freebsd.org
From: Brett Glass
Subject: Re: NTP security hole CVE-2013-5211?
In-Reply-To: <5323AF47.9080107@delphij.net>
References: <52CEAD69.6090000@grosbein.net> <81785015-5083-451C-AC0B-4333CE766618@FreeBSD.org> <52CF82C0.9040708@delphij.net> <86d2jud85v.fsf@nine.des.no> <52D7A944.70604@wenks.ch> <201403141700.LAA21140@mail.lariat.net> <5323AF47.9080107@delphij.net>
Cc: Ollivier Robert, hackers@lists.ntp.org
List-Id: "Security issues [members-only posting]"

At 07:39 PM 3/14/2014, Xin Li wrote:

>FreeBSD 10.0-RELEASE ships with new default NTP settings, are you
>talking about an earlier RC (before RC4 as r259975), or are you saying
>10.0-RELEASE ships with a ntp.conf with wrong defaults?

The latter. The ntp.conf shipped with 10.0-RELEASE still allows relaying
of attacks, even with an ntpd that is patched to prevent amplification.

>We sure can do this as a new advisory but it's not guaranteed to work
>because end user may have to do manual merge and may choose not to
>accept these.

True. Perhaps, if freebsd-update finds that ntp.conf is not the default
that was shipped with the release, a warning should be given that a
manual merge is needed.

>Note that like I stated before, for attackers it would be efficient to
>just deliver the packets themselves,

Attackers have an interest in obfuscating the sources of attacks, since
this makes them more difficult to block. We have several patched servers
which malicious parties are attempting to use as relays even though they
cannot use them to amplify the volume of data sent. Once we altered
ntp.conf, we were able to put a stop to this.

--Brett Glass
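An added example, not part of Brett Glass's message and not FreeBSD or ntp.org code: a small POSIX shell check that reads an ntp.conf and reports whether every global "restrict default" line (plain, -4 or -6 form) carries the noquery flag, which is what stops ntpd from answering mode 6/7 control queries for arbitrary source addresses. The restrict directive syntax is ntpd's own; the three sample configurations embedded in the script are constructed for illustration, and the function name check_ntp_conf is an assumption of this example. The second sample shows the edge case an administrator doing a manual merge can easily miss: the IPv4 default locked down while the IPv6 default is left queryable.

```shell
#!/bin/sh
# Added example, not from the thread: audit an ntp.conf for "restrict default"
# lines that omit noquery. ntpd's restrict syntax is real; the sample configs
# below are constructed for illustration.

# check_ntp_conf reads an ntp.conf on stdin. Returns 0 when every global
# default restriction (restrict default / -4 default / -6 default) carries
# noquery, 1 when one is missing it or no default line exists at all.
check_ntp_conf() {
    # Drop comments, then keep only the global default restriction lines.
    defaults=$(sed 's/#.*//' | grep -E '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default([[:space:]]|$)' || true)
    if [ -z "$defaults" ]; then
        echo "weak: no 'restrict default' line; ntpd answers control queries from anyone"
        return 1
    fi
    # Any default restriction lacking noquery still answers mode 6/7 queries
    # for arbitrary source addresses, so the host remains usable as a relay.
    if printf '%s\n' "$defaults" | grep -vqw noquery; then
        echo "weak: a 'restrict default' line lacks noquery"
        return 1
    fi
    echo "ok: all default restrictions include noquery"
    return 0
}

# Constructed sample 1: time sources only, no restrict lines at all.
WEAK_CONF='server 0.freebsd.pool.ntp.org iburst
driftfile /var/db/ntpd.drift'

# Constructed sample 2: IPv4 default locked down, IPv6 default left queryable.
HALF_CONF='server 0.freebsd.pool.ntp.org iburst
driftfile /var/db/ntpd.drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer'

# Constructed sample 3: both address families restricted, loopback exempt.
HARDENED_CONF='server 0.freebsd.pool.ntp.org iburst
driftfile /var/db/ntpd.drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1'

# Run the check over each constructed sample; the verdict is printed per config.
for c in "$WEAK_CONF" "$HALF_CONF" "$HARDENED_CONF"; do
    printf '%s\n' "$c" | check_ntp_conf || :
done
```

To audit a live host, feed the installed file to the function instead of a sample, e.g. check_ntp_conf < /etc/ntp.conf. The check deliberately only looks at the global default restrictions, since per-address restrict lines such as the loopback exemptions in the third sample are expected to be more permissive.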