[LWN.net]
Date: Thu, 12 Apr 2001 12:10:38 -0600
From: Evelyn Mitchell <efm-krudannounce@tummy.com>
To: krudannounce@lists.tummy.com
Subject: [KRUD-Announce]Tummy.com Security Announcement -- NTP Root Exploit

Tummy.com Security Announcement -- NTP Root Exploit
2001-04-11

Sean Reifschneider, tummy.com, ltd.
<jafo-securityannounce@tummy.com>
===================================

Nobody is surprised when there's an exploit found in Sendmail.  The BIND DNS
server is starting to get a similar reputation.  However, this is the first
instance I know of where the Network Time Protocol (NTP) daemon has been
found to be vulnerable.

NTP (the Network Time Protocol) is implemented by a daemon, ntpd (xntpd in
older releases), which periodically checks with a collection of outside
time servers (including some run by the National Institute of Standards and
Technology and the US Naval Observatory) and keeps the clocks on your
systems synchronized.

NTP is a valuable service because it saves you from periodically having to
reset the time on your machines, and from a security standpoint it lets you
correlate logged events across multiple machines (those in your control and
others) because their timestamps agree.

Recently, a vulnerability (a buffer overflow in ntpd) which allows remote
users to execute arbitrary commands as root via the NTP daemon has been
announced.  RedHat, Debian and Mandrake have all announced patches (though
beware that Debian later had to announce a second update to fix a denial of
service issue introduced in the initial patch -- be sure to update if you
have the early patches).

NTP scans haven't been very prevalent, but expect them to become more
popular now that this exploit has been found.  This sort of exploit is what
the black-hats dream about...

Strong packet filters will reduce your exposure, but an NTP client sends
its queries from, and receives replies on, the same UDP port (123) that the
NTP server listens on, so you cannot simply block port 123 and keep your
own clocks synchronized.  Instead, write a specific allow rule for each of
the time servers you contact (UDP port 123 from that server's address) and
drop everything else addressed to port 123.
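The filter described above, as an added example that is not part of the original announcement or of any distribution's packaging: a small script that generates iptables rules allowing UDP/123 only from the servers you actually sync with. The server addresses are placeholders (assumed for illustration), the iptables syntax is the standard netfilter one, and the rules are printed rather than applied unless NTP_FILTER_APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not part of the original announcement: generate iptables
# rules that let this host talk NTP only to the servers it is configured to
# use.  Server addresses passed in are placeholders (assumptions).
# Set NTP_FILTER_APPLY=1 to execute the rules instead of printing them.

# emit: print a rule, or run it when NTP_FILTER_APPLY=1
emit() {
    if [ "${NTP_FILTER_APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi
}

# ntp_filter_rules "server1 server2 ...": one allow rule per upstream server.
# ntpd sends its queries from UDP/123 and the replies come back to UDP/123,
# so the rule has to match on the peer's source address, not on a port alone.
ntp_filter_rules() {
    for srv in $1; do
        emit iptables -A INPUT -p udp -s "$srv" --sport 123 --dport 123 -j ACCEPT
    done
    # local ntpq/ntpdc queries over loopback keep working
    emit iptables -A INPUT -i lo -p udp --dport 123 -j ACCEPT
    # anything else aimed at ntpd, control messages included, is dropped
    emit iptables -A INPUT -p udp --dport 123 -j DROP
}

# rule_count "server list": number of rules produced, handy for sanity checks
rule_count() { ntp_filter_rules "$1" | wc -l | tr -d ' '; }

# constructed server list, not real time servers
ntp_filter_rules "192.0.2.10 192.0.2.11"
```

Because NTP is UDP, a source-address rule can be defeated by a spoofed packet from a "trusted" server address, so treat this as exposure reduction while you install the fixed package, not as a replacement for it.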

HOW TO TELL IF YOU'RE VULNERABLE
   All versions of RedHat, Mandrake, and Debian available as of April 9,
   2001 are vulnerable.  KRUD versions prior to 2001-05-01 are vulnerable.

   KRUD/RedHat 7.0:

      "rpm -qa | grep ntp-4" reports a version PRIOR to 4.0.99k-15

   KRUD/RedHat 6.2 and older:

      "rpm -qa | grep xntp" reports a version PRIOR to xntp3-5.93-15
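   The two checks above, as an added example that is not part of the
   original announcement: a script that takes the NAME-VERSION-RELEASE
   string "rpm -q" prints and compares it with the fixed builds named above
   (ntp-4.0.99k-15 and xntp3-5.93-15). The comparison is a deliberate
   simplification of rpm's own version ordering and only knows these two
   packages; the sample package string used when rpm is absent is
   constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example, not part of the original announcement: decide whether an
# installed KRUD/RedHat NTP package predates the fixed build.  Input is the
# NAME-VERSION-RELEASE string from "rpm -q", e.g. "ntp-4.0.99k-12" or
# "xntp3-5.93-14".  Only the release number is compared, so this is a
# simplification of rpm's version comparison, limited to these packages.

pkg_name()    { echo "$1" | sed 's/-[^-]*-[^-]*$//'; }
pkg_version() { echo "$1" | sed 's/.*-\([^-]*\)-[^-]*$/\1/'; }
pkg_release() { echo "$1" | sed 's/.*-//'; }

# ntp_status NAME-VERSION-RELEASE: prints vulnerable, fixed, or unknown
ntp_status() {
    name=$(pkg_name "$1"); ver=$(pkg_version "$1"); rel=$(pkg_release "$1")
    case "$name" in
        ntp)   fixed_ver=4.0.99k; fixed_rel=15 ;;   # KRUD/RedHat 7.0
        xntp3) fixed_ver=5.93;    fixed_rel=15 ;;   # KRUD/RedHat 6.2 and older
        *)     echo unknown; return 0 ;;
    esac
    # A different upstream version (a rebuilt 4.1.x, say) is outside what the
    # announcement lists and needs a manual check against the vendor advisory.
    if [ "$ver" != "$fixed_ver" ]; then echo unknown; return 0; fi
    # numeric compare on the leading integer of the release ("15", "15.1")
    if [ "${rel%%.*}" -lt "$fixed_rel" ]; then echo vulnerable; else echo fixed; fi
}

# check_installed: ask rpm for the packages the announcement names, or fall
# back to a constructed sample string when rpm is not available here.
check_installed() {
    if command -v rpm >/dev/null 2>&1; then
        pkgs=$(rpm -qa 2>/dev/null | grep -E '^(ntp|xntp3)-[0-9]' || true)
    else
        pkgs="ntp-4.0.99k-12"   # constructed sample, not a real system
    fi
    for p in $pkgs; do echo "$p: $(ntp_status "$p")"; done
}

check_installed
```

   Anything the script reports as "unknown" (a package name or upstream
   version it does not recognize) still has to be checked by hand against
   your vendor's advisory; do not read "unknown" as "fixed".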

UPDATES
   Updates for these packages are available on ftp://updates.redhat.com/

      ftp://updates.redhat.com/7.0/en/os/i386/ntp-4.0.99k-15.i386.rpm

FOR HELP

If you would like tummy.com to check your systems for vulnerability
to this exploit, please reply to this email, and we'll arrange
an appointment to look at it.




_______________________________________________
KRUDAnnounce mailing list
KRUDAnnounce@lists.tummy.com
http://lists.tummy.com/mailman/listinfo/krudannounce