NTP - Network Time Protocol (or SNTP - Simple Network Time Protocol) is one of the un-sung heros of the Internet. Put simply, it provides the time and data for servers and clients so that they know when something happened. Now we have another security problem to deal with in the Linux NTP code.

The problem was discovered by the Google Security Team which seems to be responsible recently for more than its fair share of vulnerabilities detected. Some of the vulnerabilities are in older versions of the NTP code and have been fixed. So as long as you have been keeping up-to-date there is nothing to worry about. 

Three problems were found in the current code and to remove these you need to upgrade to version 4.2.8. Two of the problems are classical buffer overflows and should prompt the response "will we never learn?" Not as long as we make use of languages that don't protect us from such things or use tools that test for such things.

Three stack buffer overflows have been identified in three different routines. As the security advisory says:

"A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process."

It is often the case that the NTP daemon runs with root access because of the need for it to up-date the system clock. This usually isn't necessary as NTP can run as a non-root user.

The final problem is a missing return statement which causes processing to continue after an error. Currently it isn't clear if this problem can be exploited in any way - given the ingenuity brought to bear on such matters it probably can be. 

The NTP protocol is fine, it is just the implementation that needs some attention. Similarly other implementations not derived directly from the Linux implementation are probably fine - BSD's openntdp is not vulnerable.  Indeed Theo De Raadt of BSD makes the following observations:

"openntpd is a modern piece of code <5000 lines long written using best known practices of the time, whereas ntp.org's codebase is reportedly 100,000 lines of unknown or largely unused code, poorly smithed in the past when these kinds of programming mistakes were not a significant consideration."

In the early days of open source and Linux things were not so critical as there were not as many black hats waiting to exploit vulnerabilities for so many commercial purposes. This isn't an excuse; more a nostalgic reminder that programming used to be slightly more fun and relaxed than it is today. 

If you would like to know more about the NTP protocol and how to work with it, see: SNTP Time Class.

Comments

Make a Comment or View Existing Comments Using Disqus

or email your comment to: comments@i-programmer.info