# ntpd contains multiple vulnerabilities

## freke

http://www.kb.cert.org/vuls/id/852879

Seems like only the newly released (not yet in portage) 4.2.8 is (partly) fixed...

----------

## khayyam

freke ... yes, there is a recent blog post on planet.gentoo (by hanno, aka, Hanno Böck) on the subject.

I tried both net-misc/tlsdate 0.0.6 (stable) and 0.0.12 (unstable) but had issues with tlsdate from both ... though tlsdated seems to function as expected. Note however that by default the config/tlsdate{,d} is set up to use Google which seems to me unnecessary, by default it's the Physikalisch-Technische Bundesanstalt.

best ... khay

----------

## Duncan Mac Leod

Yes, I just read the same in a German forum.

Seems we'll need 4.2.8 asap...

----------

## Nicias

what about openntpd?

----------

## Duncan Mac Leod

 *Nicias wrote:*   

> what about openntpd?

 

not vulnerable

http://article.gmane.org/gmane.os.openbsd.tech/40107/

----------

## ct85711

tried switching over to use openntpd, and the fetch failed due to openntpd_20080406p-6.debian.tar.gz not existing on the hosting servers anymore.

```
...
>>> Downloading 'http://ftp.nz.debian.org/debian/pool/main/o/openntpd/openntpd_20080406p-6.debian.tar.gz'
--2014-12-21 21:01:37--  http://ftp.nz.debian.org/debian/pool/main/o/openntpd/openntpd_20080406p-6.debian.tar.gz
Resolving ftp.nz.debian.org... 202.8.47.148
Connecting to ftp.nz.debian.org|202.8.47.148|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-12-21 21:01:40 ERROR 404: Not Found.
>>> Downloading 'http://ftp.se.debian.org/debian/pool/main/o/openntpd/openntpd_20080406p-6.debian.tar.gz'
--2014-12-21 21:01:40--  http://ftp.se.debian.org/debian/pool/main/o/openntpd/openntpd_20080406p-6.debian.tar.gz
Resolving ftp.se.debian.org... 130.239.18.173, 130.239.18.163, 130.239.18.165, ...
Connecting to ftp.se.debian.org|130.239.18.173|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://caesar.acc.umu.se/debian/pool/main/o/openntpd/openntpd_20080406p-6.debian.tar.gz [following]
--2014-12-21 21:01:40--  http://caesar.acc.umu.se/debian/pool/main/o/openntpd/openntpd_20080406p-6.debian.tar.gz
Resolving caesar.acc.umu.se... 130.239.18.142, 2001:6b0:e:2018::142
Connecting to caesar.acc.umu.se|130.239.18.142|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-12-21 21:01:41 ERROR 404: Not Found.
>>> Downloading 'http://ftp.gr.debian.org/debian/pool/main/o/openntpd/openntpd_20080406p-6.debian.tar.gz'
--2014-12-21 21:01:41--  http://ftp.gr.debian.org/debian/pool/main/o/openntpd/openntpd_20080406p-6.debian.tar.gz
Resolving ftp.gr.debian.org... 147.102.222.211
Connecting to ftp.gr.debian.org|147.102.222.211|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-12-21 21:01:45 ERROR 404: Not Found.
>>> Downloading 'http://ftp.cz.debian.org/debian/pool/main/o/openntpd/openntpd_20080406p-6.debian.tar.gz'
--2014-12-21 21:01:45--  http://ftp.cz.debian.org/debian/pool/main/o/openntpd/openntpd_20080406p-6.debian.tar.gz
Resolving ftp.cz.debian.org... 195.113.161.73, 2001:718:1:4::2
Connecting to ftp.cz.debian.org|195.113.161.73|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-12-21 21:01:46 ERROR 404: Not Found.
>>> Downloading 'http://ftp.ch.debian.org/debian/pool/main/o/openntpd/openntpd_20080406p-6.debian.tar.gz'
--2014-12-21 21:01:46--  http://ftp.ch.debian.org/debian/pool/main/o/openntpd/openntpd_20080406p-6.debian.tar.gz
Resolving ftp.ch.debian.org... 129.132.53.171, 2001:67c:10ec:3dd1::42
Connecting to ftp.ch.debian.org|129.132.53.171|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2014-12-21 21:01:48 ERROR 404: Not Found.
...
```

When I went to one of the servers listed to see what versions they have available, I got this list:

```
server: http://ftp2.fr.debian.org/debian/pool/main/o/openntpd/
[   ] openntpd_20080406p-4.debian.tar.gz              28-Jun-2012 05:35   11K
[   ] openntpd_20080406p-4.dsc                        28-Jun-2012 05:35  1.9K
[   ] openntpd_20080406p-4_amd64.deb                  28-Jun-2012 05:35   62K
[   ] openntpd_20080406p-4_armel.deb                  28-Jun-2012 06:21   62K
[   ] openntpd_20080406p-4_armhf.deb                  28-Jun-2012 06:21   59K
[   ] openntpd_20080406p-4_i386.deb                   28-Jun-2012 06:05   63K
[   ] openntpd_20080406p-4_ia64.deb                   28-Jun-2012 06:21   75K
[   ] openntpd_20080406p-4_kfreebsd-amd64.deb         28-Jun-2012 06:05   61K
[   ] openntpd_20080406p-4_kfreebsd-i386.deb          28-Jun-2012 23:34   60K
[   ] openntpd_20080406p-4_mips.deb                   28-Jun-2012 06:22   60K
[   ] openntpd_20080406p-4_mipsel.deb                 28-Jun-2012 06:34   60K
[   ] openntpd_20080406p-4_powerpc.deb                29-Jun-2012 15:25   62K
[   ] openntpd_20080406p-4_s390.deb                   28-Jun-2012 06:06   64K
[   ] openntpd_20080406p-4_s390x.deb                  28-Jun-2012 18:12   63K
[   ] openntpd_20080406p-4_sparc.deb                  28-Jun-2012 07:02   61K
[   ] openntpd_20080406p-7~bpo70+1.debian.tar.gz      17-Apr-2014 17:10   13K
[   ] openntpd_20080406p-7~bpo70+1.dsc                17-Apr-2014 17:10  1.9K
[   ] openntpd_20080406p-7~bpo70+1_amd64.deb          18-Apr-2014 11:34   63K
[   ] openntpd_20080406p-7~bpo70+1_armel.deb          18-Apr-2014 11:44   62K
[   ] openntpd_20080406p-7~bpo70+1_armhf.deb          18-Apr-2014 13:25   60K
[   ] openntpd_20080406p-7~bpo70+1_i386.deb           17-Apr-2014 17:10   63K
[   ] openntpd_20080406p-7~bpo70+1_ia64.deb           18-Apr-2014 12:14   76K
[   ] openntpd_20080406p-7~bpo70+1_kfreebsd-amd64.deb 18-Apr-2014 11:44   62K
[   ] openntpd_20080406p-7~bpo70+1_kfreebsd-i386.deb  18-Apr-2014 11:44   61K
[   ] openntpd_20080406p-7~bpo70+1_mips.deb           07-May-2014 10:12   61K
[   ] openntpd_20080406p-7~bpo70+1_mipsel.deb         18-Apr-2014 15:55   61K
[   ] openntpd_20080406p-7~bpo70+1_powerpc.deb        18-Apr-2014 11:44   62K
[   ] openntpd_20080406p-7~bpo70+1_s390.deb           18-Apr-2014 11:44   65K
[   ] openntpd_20080406p-7~bpo70+1_s390x.deb          18-Apr-2014 11:44   64K
[   ] openntpd_20080406p-7~bpo70+1_sparc.deb          18-Apr-2014 11:49   62K
[   ] openntpd_20080406p-10.debian.tar.xz             26-Aug-2014 09:37   13K
[   ] openntpd_20080406p-10.dsc                       26-Aug-2014 09:37  1.9K
[   ] openntpd_20080406p-10_amd64.deb                 26-Aug-2014 09:37   59K
[   ] openntpd_20080406p-10_arm64.deb                 26-Aug-2014 13:13   56K
[   ] openntpd_20080406p-10_armel.deb                 26-Aug-2014 11:27   58K
[   ] openntpd_20080406p-10_armhf.deb                 26-Aug-2014 11:27   57K
[   ] openntpd_20080406p-10_i386.deb                  26-Aug-2014 11:17   61K
[   ] openntpd_20080406p-10_kfreebsd-amd64.deb        26-Aug-2014 11:27   59K
[   ] openntpd_20080406p-10_kfreebsd-i386.deb         26-Aug-2014 11:27   60K
[   ] openntpd_20080406p-10_mips.deb                  26-Aug-2014 11:42   58K
[   ] openntpd_20080406p-10_mipsel.deb                26-Aug-2014 11:27   58K
[   ] openntpd_20080406p-10_powerpc.deb               26-Aug-2014 11:17   58K
[   ] openntpd_20080406p-10_ppc64el.deb               26-Aug-2014 18:25   58K
[   ] openntpd_20080406p-10_s390x.deb                 26-Aug-2014 11:27   59K
[   ] openntpd_20080406p-10_sparc.deb                 26-Aug-2014 11:32   58K
[   ] openntpd_20080406p-11.debian.tar.xz             03-Sep-2014 22:28   13K
[   ] openntpd_20080406p-11.dsc                       03-Sep-2014 22:28  1.9K
[   ] openntpd_20080406p-11_amd64.deb                 03-Sep-2014 22:28   60K
[   ] openntpd_20080406p-11_arm64.deb                 22-Oct-2014 23:28   57K
[   ] openntpd_20080406p-11_armel.deb                 04-Sep-2014 00:59   60K
[   ] openntpd_20080406p-11_armhf.deb                 04-Sep-2014 00:14   59K
[   ] openntpd_20080406p-11_i386.deb                  03-Sep-2014 23:59   62K
[   ] openntpd_20080406p-11_kfreebsd-amd64.deb        03-Sep-2014 23:59   60K
[   ] openntpd_20080406p-11_kfreebsd-i386.deb         04-Sep-2014 00:04   61K
[   ] openntpd_20080406p-11_mips.deb                  11-Oct-2014 13:42   61K
[   ] openntpd_20080406p-11_mipsel.deb                05-Sep-2014 20:31   60K
[   ] openntpd_20080406p-11_powerpc.deb               03-Sep-2014 23:49   59K
[   ] openntpd_20080406p-11_ppc64el.deb               06-Sep-2014 13:44   59K
[   ] openntpd_20080406p-11_s390x.deb                 03-Sep-2014 23:44   60K
[   ] openntpd_20080406p-11_sparc.deb                 04-Sep-2014 02:25   59K
[   ] openntpd_20080406p.orig.tar.gz                  08-Mar-2012 19:17  172K
```

So I suspect the ebuild needs to be updated to use the current patch set.

Note: I did fix my issue on not finding the necessary file, by manually downloading from a different server (found through Google search).

----------

## araxon

If I just stop the ntpd, am I safe until the patched version gets into the portage?

```
/etc/init.d/ntpd stop
```

----------

## charles17

 *araxon wrote:*   

> If I just stop the ntpd, am I safe until the patched version gets into the portage?
> 
> ```
> /etc/init.d/ntpd stop
> ```
> ...

If you really want to stop it, also make sure not to have it in a runlevel:

```
# rc-update del ntpd
```
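The two steps discussed above (stop the daemon, remove it from its runlevel), as an added example that is not part of any post in the thread: a shell audit that reports whether a host with a pre-4.2.8 ntpd is still running it, or has it stopped but still enabled. The function names, verdict labels and sample `rc-update show` output are constructed for illustration; the `--live` branch assumes `ntpd --version`, `pgrep` and `rc-update` are available.

```shell
#!/bin/sh
# Added example (not from the thread): audit an OpenRC host for the interim
# mitigation discussed above. 4.2.8 is the release the thread names as
# (partly) fixed; the sample input below is constructed.
FIXED=4.2.8

# Pull the first ntp-style version (4.2.6p5, 4.2.6_p5, 4.2.8) out of stdin.
extract_version() {
    grep -Eo '[0-9]+\.[0-9]+\.[0-9]+(_?p[0-9]+)?' | head -n 1
}

# ver_lt A B: succeed when A is older than B; a missing pN counts as p0,
# and an empty version compares as older (treated conservatively).
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, /[._p]+/); split(b, y, /[._p]+/)
        for (i = 1; i <= 4; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Read `rc-update show` output on stdin, print the runlevels of service $1.
runlevels_of() {
    awk -F'|' -v svc="$1" '{ gsub(/[ \t]/, "", $1) }
        $1 == svc { gsub(/^[ \t]+|[ \t]+$/, "", $2); print $2 }'
}

# verdict VERSION RUNNING(yes|no) RUNLEVELS
verdict() {
    if ! ver_lt "$1" "$FIXED"; then echo "at-or-above-$FIXED"
    elif [ "$2" = yes ]; then echo "exposed"
    elif [ -n "$3" ]; then echo "stopped-but-enabled"   # starts again at boot
    else echo "mitigated"
    fi
}

# Constructed sample of `rc-update show` output.
SAMPLE_RC='                 ntpd |      default
                 sshd |      default'

# Live check only with --live; otherwise run against the constructed sample.
if [ "${1:-}" = "--live" ]; then
    v=$(ntpd --version 2>&1 | extract_version)
    if pgrep -x ntpd >/dev/null; then running=yes; else running=no; fi
    verdict "$v" "$running" "$(rc-update show | runlevels_of ntpd)"
else
    verdict 4.2.6p5 no "$(printf '%s\n' "$SAMPLE_RC" | runlevels_of ntpd)"
fi
```
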

 

----------

## charles17

 *khayyam wrote:*   

> I tried both net-misc/tlsdate 0.0.6 (stable) and 0.0.12 (unstable) but had issues with tlsdate from both ... though tlsdated seems to function as expected. Note however that by default the config/tlsdate{,d} is set up to use Google which seems to me unnecessary, by default it's the Physikalisch-Technische Bundesanstalt.

 What about using Ntimed http://phk.freebsd.dk/time/20141221.html as an alternative? Bug 533292 already exists.

----------

## khayyam

 *charles17 wrote:*   

> What about using Ntimed http://phk.freebsd.dk/time/20141221.html as an alternative? Bug 533292 already exists.

 

charles ... I imagine this will come to be the replacement to ntpd, however, right now there is no official release (the first is expected in Q1 2015) and it's not suitable for production as yet. Also, as per the post made by Hanno (link above) there is still the issue that the NTP protocol is inherently insecure, there is no TLS/SSL or such, this means on-the-wire the packets can be tampered with via MitM and so while the tlsdate doesn't solve all the issues (i.e., who actually has the correct time) it does mitigate the primary problem with NTP.

best ... khay

----------

## e3k

Does anyone know if the busybox ntpd is also affected? I have been searching for that for the last 2 days but still no hit.

----------

