oss-sec mailing list archives
Re: Potential issue in NTP -A option
From: Harlan Stenn <stenn () ntp org>
Date: Thu, 14 May 2015 18:50:10 +0000
cve-assign () mitre org writes:
> > the documentation seems to conflict slightly
>
> We do not feel that a CVE is required; however, Harlan can choose to have a CVE ID if the undocumented risky behavior is going to be announced as a vulnerability.
We're not going to announce this as a vulnerability. I'm with Kurt on this one - from our POV '-A' means "disable authentication checks" and I'd bet that Prof. Mills wrote the documentation that says ... "this is almost never a good idea."
> More specifically, it appears that mode 7 itself is, in some sense, deprecated (e.g., "mode7 ... Enables processing of NTP mode 7 implementation-specific requests which are used by the deprecated ntpdc program" on the http://www.eecis.udel.edu/~mills/ntp/html/miscopt.html page and "functionally deprecating ntpdc" on the http://support.ntp.org/bin/view/Main/SoftwareDownloads page). If so, then we do not feel that there is a requirement for the documentation to precisely specify the effect of a command-line option on a deprecated feature. The -A documentation doesn't directly make a false statement about authentication within mode 7; it simply does not discuss mode 7.
>
> If mode 7 itself isn't deprecated, and there is a supported use case in which the user may choose to enable both mode 7 and the -A option, then announcing the behavior/documentation mismatch as a vulnerability is probably more useful.
Mode 7 is for "vendor-specific" control operations, and there is no requirement in the protocol for any data structure in the packets. There is also no requirement for *any* use of mode 7. We noticed enough difficulties trying to use mode 7 that we shifted everything to mode 6 (ntpq).

To be clear, this issue (-A) is about a discrepancy between the documentation and the behavior of older, EOL'd versions of the reference implementation of NTP. I'll be looking to add clarifying language to our on-line set of documentation for older, EOL'd NTP releases, but that's all.

I haven't seen *any* other NTP implementation that provides either mode 6 or mode 7 support.

So I'm planning to make an announcement along the lines of "-A means 'disable authentication' and we've documented that this is almost never a good idea. If you have done X in an environment that allows Y, that will allow bad guys to do Z. That's a real problem and is an obvious case of why using -A is generally a Bad Idea."

Never put salt in your eyes: https://www.youtube.com/watch?v=_83MEuLoz9Y

--
Harlan Stenn <stenn () ntp org>
http://networktimefoundation.org - be a member!
Current thread:
- Potential issue in NTP -A option Kurt Seifried (May 14)
- Re: Potential issue in NTP -A option cve-assign (May 14)
- Re: Potential issue in NTP -A option Harlan Stenn (May 14)
- Re: Potential issue in NTP -A option cve-assign (May 14)