NTP The Latest Open Source Security Problem
Written by Harry Fairhead   
Tuesday, 23 December 2014

NTP - Network Time Protocol (or SNTP - Simple Network Time Protocol) is one of the un-sung heros of the Internet. Put simply, it provides the time and data for servers and clients so that they know when something happened. Now we have another security problem to deal with in the Linux NTP code.

The problem was discovered by the Google Security Team which seems to be responsible recently for more than its fair share of vulnerabilities detected. Some of the vulnerabilities are in older versions of the NTP code and have been fixed. So as long as you have been keeping up-to-date there is nothing to worry about. 

ntflogo

Three problems were found in the current code and to remove these you need to upgrade to version 4.2.8. Two of the problems are classical buffer overflows and should prompt the response "will we never learn?" Not as long as we make use of languages that don't protect us from such things or use tools that test for such things.

Three stack buffer overflows have been identified in three different routines. As the security advisory says:

"A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process."

It is often the case that the NTP daemon runs with root access because of the need for it to up-date the system clock. This usually isn't necessary as NTP can run as a non-root user.

The final problem is a missing return statement which causes processing to continue after an error. Currently it isn't clear if this problem can be exploited in any way - given the ingenuity brought to bear on such matters it probably can be. 

The NTP protocol is fine, it is just the implementation that needs some attention. Similarly other implementations not derived directly from the Linux implementation are probably fine - BSD's openntdp is not vulnerable.  Indeed Theo De Raadt of BSD makes the following observations:

"openntpd is a modern piece of code <5000 lines long written using best known practices of the time, whereas ntp.org's codebase is reportedly 100,000 lines of unknown or largely unused code, poorly smithed in the past when these kinds of programming mistakes were not a significant consideration."

 

In the early days of open source and Linux things were not so critical as there were not as many black hats waiting to exploit vulnerabilities for so many commercial purposes. This isn't an excuse; more a nostalgic reminder that programming used to be slightly more fun and relaxed than it is today. 

NTPlogo

If you would like to know more about the NTP protocol and how to work with it, see: SNTP Time Class.

Banner


OpenSilver Adds XAML Designer For Visual Studio Code
12/12/2024

OpenSilver 3.1 has been released. This version adds a drag-and-drop XAML designer for Visual Studio Code (VS Code), a new modern UI theme, and expanded support for WPF features. The open-source altern [ ... ]



Windows 11 Adoption Takes A Downturn
11/12/2024

With Windows 10 End of Life only ten months away, Microsoft is stepping up its campaign to get Windows users to upgrade to Windows 11. But while Windows 11 had been gaining users at a steady rate at t [ ... ]


More News

 

espbook

 

Comments




or email your comment to: comments@i-programmer.info

Last Updated ( Friday, 26 January 2024 )