[pkg-ntp-maintainers] Bug#687166: ntp: NTP security vulnerability because not using authentication by default

none anotst01 at fastmail.fm
Mon Sep 10 13:35:29 UTC 2012


Package: ntp
Version: 1:4.2.6.p3+dfsg-1ubuntu3.1
Severity: normal
Tags: security

Debian implements so much security one way or another. So many defenses against
network-level man in the middle or malicious proxies or wifi hotspots.
Cryptographic verification generally works well but there is one big drawback:
it requires correct date/time.

NTP in Debian does not use any authentication by default, although it is
supported by NTP.

I conclude that almost no one is using authenticated NTP, because there are no
instructions in a forum or blog on how to enable NTP authentication. Therefore
almost everyone uses the standard configuration and is at risk.

An adversary can tamper with the unauthenticated NTP replies and put the user's
time several years back, especially, but not limited to, if the BIOS battery or
hardware clock is defective. That issue becomes more relevant with new devices
like RP, which do not even have a hardware clock.

Putting the clock several years back allows an adversary to use already
revoked, broken, expired certificates; replay old, broken, outdated, known
vulnerable updates etc.

Suggested solutions:
- NTP supports public and private keys:
  http://doc.ntp.org/4.1.0/genkeys.htm
  Use it.
- Write easy documentation how to host an authenticated NTP server.
- Write easy documentation how to use an authenticated NTP server.
- Add GUI options for using authenticated NTP.
- Debian could run their own authenticated NTP server.
- Debian has importance. You could officially ask the NTP pool if they could
add authentication.
- Debian could publicize the problem and ask the community for help.
- I am sure some NTP server volunteers would like to add authentication, if you
can provide clear instructions for them.
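
An added illustration of the default described in this report (not part of the original bug report or of the ntp package): a small Python audit that reads ntp.conf text and lists time sources configured without a `key` or `autokey` option, plus symmetric keys that are referenced but not usable because they are missing from `trustedkey` or no `keys` file is set. The sample configuration and the `example.org` hosts are constructed, and the function name `audit_ntp_conf` is hypothetical.

```python
# Constructed sample in the style of a distribution ntp.conf (not taken from the report).
SAMPLE_CONF = """\
driftfile /var/lib/ntp/ntp.drift
keys /etc/ntp.keys
trustedkey 1
server 0.debian.pool.ntp.org iburst
server time.example.org iburst key 1      # hypothetical keyed server
server time2.example.org key 7            # key 7 is not in trustedkey
restrict -4 default kod notrap nomodify nopeer noquery
"""

def audit_ntp_conf(text):
    """Report which configured time sources would be accepted without authentication."""
    keys_file, trusted, sources = None, set(), []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if not fields:
            continue
        word, args = fields[0], fields[1:]
        if word == "keys" and args:
            keys_file = args[0]
        elif word == "trustedkey":
            trusted.update(int(a) for a in args if a.isdigit())
        elif word in ("server", "peer", "pool") and args:
            opts, auth = args[1:], None
            if "autokey" in opts:                # public-key (Autokey) association
                auth = "autokey"
            elif "key" in opts[:-1]:             # symmetric key: "key <id>"
                key_id = opts[opts.index("key") + 1]
                auth = int(key_id) if key_id.isdigit() else None
            sources.append((args[0], auth))
    report = {"unauthenticated": [], "untrusted_key": [], "keys_file": keys_file}
    for host, auth in sources:
        if auth is None:
            report["unauthenticated"].append(host)
        elif auth != "autokey" and (keys_file is None or auth not in trusted):
            # A key id that is not trusted, or has no keys file, cannot authenticate replies.
            report["untrusted_key"].append((host, auth))
    return report

if __name__ == "__main__":
    for name, value in audit_ntp_conf(SAMPLE_CONF).items():
        print(name, value)
```

Passing the contents of the installed ntp.conf to `audit_ntp_conf` shows at a glance whether any source is authenticated at all.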


