[Secure-testing-team] Bug#791534: openntpd: constraint certificate verification turned off

Vincent Lefevre vincent at vinc17.net
Sun Jul 5 21:45:50 UTC 2015


Package: openntpd
Version: 1:5.7p4-1
Severity: important
Tags: security

In the logs, I get:

Jul 03 14:17:59 zira systemd[1]: Starting OpenNTPd Network Time Protocol...
Jul 03 14:17:59 zira ntpd[820]: constraint certificate verification turned off

which is really bad from a security point of view, as it defeats
the security requirement configured by the user (I have installed
openntpd specifically for this, as my laptop is often on an untrusted
network, where at least SLAAC attacks occur from time to time). Let's
recall what the ntpd.conf(5) man page says:

CONSTRAINTS
  ntpd(8) can be configured to query the ‘Date’ from trusted HTTPS
  servers via TLS.  This time information is not used for precision but
  acts as an authenticated constraint, thereby reducing the impact of
  unauthenticated NTP ‘Man-In-The-Middle’ attacks.  Received NTP packets
  with time information falling outside of a range near the constraint
  will be discarded and such NTP servers will be marked as invalid.

But in case of a man-in-the-middle attack, the attacker can provide his
own server instead of the one expected from the config file. And if
the certificate is not checked, this will remain unnoticed, and the
constraint would be absolutely useless.

-- System Information:
Debian Release: stretch/sid
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages openntpd depends on:
ii  adduser              3.113+nmu3
ii  init-system-helpers  1.23
ii  libc6                2.19-18
ii  netbase              5.3

openntpd recommends no packages.

Versions of packages openntpd suggests:
pn  apparmor  <none>

-- Configuration Files:
/etc/openntpd/ntpd.conf changed:
servers 0.debian.pool.ntp.org
servers 1.debian.pool.ntp.org
servers 2.debian.pool.ntp.org
servers 3.debian.pool.ntp.org
constraint from www.vinc17.net


-- no debconf information
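The constraint mechanism quoted from ntpd.conf(5) above, as an added illustration that is not openntpd's code: fetch the `Date` header from an HTTPS server over a TLS context that does verify the certificate and hostname (the behaviour the report asks for), then use that time as a window around which NTP samples are accepted or discarded. The 15-minute margin, the host name, the log-style server names and the sample NTP replies are constructed assumptions for this example, not values from the report or from openntpd.

```python
"""Illustration (not openntpd's code) of an HTTPS 'Date' constraint on NTP samples.

Example code added for this report; margin, hosts and samples are assumptions.
"""
import http.client
import ssl
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Window around the constraint inside which NTP samples are accepted.
# Assumed value for this example, not openntpd's own setting.
CONSTRAINT_MARGIN = timedelta(minutes=15)


def parse_http_date(header_value):
    """Parse an HTTP 'Date' header (RFC 7231 format) into an aware UTC datetime."""
    dt = parsedate_to_datetime(header_value)
    if dt.tzinfo is None:  # header should say GMT, but stay defensive
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def verifying_context():
    """TLS context that verifies the server certificate chain and hostname.

    Without this (CERT_NONE / no hostname check) a man-in-the-middle can
    answer for the constraint host and hand out any Date it likes, which is
    exactly the weakness the log line in the report describes.
    """
    ctx = ssl.create_default_context()
    # create_default_context() already sets these; make the intent explicit.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def context_verifies_peer(ctx):
    """True if the context will reject an unverified or mis-named certificate."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def fetch_constraint_date(host, ctx=None, timeout=5):
    """HEAD request over TLS; return the server's Date as a UTC datetime.

    Network call, kept separate so the offline checks below never hit it.
    """
    conn = http.client.HTTPSConnection(host, context=ctx or verifying_context(), timeout=timeout)
    try:
        conn.request("HEAD", "/")
        date_header = conn.getresponse().getheader("Date")
    finally:
        conn.close()
    if date_header is None:
        raise ValueError("no Date header received from %s" % host)
    return parse_http_date(date_header)


def ntp_sample_is_valid(ntp_time, constraint_time, margin=CONSTRAINT_MARGIN):
    """Accept an NTP sample only if it lies within +/- margin of the constraint."""
    return abs(ntp_time - constraint_time) <= margin


def filter_ntp_samples(samples, constraint_time, margin=CONSTRAINT_MARGIN):
    """Split (server, time) pairs into accepted and rejected (marked invalid) lists."""
    accepted, rejected = [], []
    for server, t in samples:
        bucket = accepted if ntp_sample_is_valid(t, constraint_time, margin) else rejected
        bucket.append((server, t))
    return accepted, rejected


# Constructed sample input: one captured Date header and three NTP replies,
# the last one far off (a rogue answer a MITM on the local network might inject).
SAMPLE_DATE_HEADER = "Sun, 05 Jul 2015 21:45:50 GMT"
_BASE = datetime(2015, 7, 5, 21, 45, 50, tzinfo=timezone.utc)
SAMPLE_NTP_REPLIES = [
    ("0.debian.pool.ntp.org", _BASE + timedelta(seconds=2)),
    ("1.debian.pool.ntp.org", _BASE - timedelta(seconds=30)),
    ("rogue-responder", _BASE + timedelta(hours=3)),
]


def run_offline_example():
    """Apply the constraint to the constructed samples; returns (accepted, rejected) names."""
    constraint = parse_http_date(SAMPLE_DATE_HEADER)
    accepted, rejected = filter_ntp_samples(SAMPLE_NTP_REPLIES, constraint)
    return [s for s, _ in accepted], [s for s, _ in rejected]


if __name__ == "__main__":
    ok, bad = run_offline_example()
    print("accepted:", ok)
    print("marked invalid:", bad)
    # To use a live constraint host instead of the captured header:
    # print(fetch_constraint_date("www.example.org", verifying_context()))
```

The only protection the constraint gives is the TLS verification step: `verifying_context()` is the setting under which a substituted constraint server is rejected, and `filter_ntp_samples()` then discards any NTP reply outside the window, which is the behaviour the man page excerpt describes.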
