Date: Thu, 12 Apr 2001 12:10:38 -0600
From: Evelyn Mitchell <efm-krudannounce@tummy.com>
To: krudannounce@lists.tummy.com
Subject: [KRUD-Announce] Tummy.com Security Announcement -- NTP Root Exploit

Tummy.com Security Announcement -- NTP Root Exploit
2001-04-11
Sean Reifschneider, tummy.com, ltd. <jafo-securityannounce@tummy.com>
===================================

Nobody is surprised when there's an exploit found in Sendmail. The BIND DNS server is starting to get a similar reputation. However, this is the first instance I know of where the Network Time Protocol (NTP) daemon has been found to be vulnerable.

NTP is a daemon which checks with a collection of outside time services (including some time servers run by the National Institute of Standards and Technology and the US Naval Observatory) and keeps the time on your systems synchronized. NTP is a valuable service because it saves you from periodically having to correct the clock on each machine by hand, and from a security standpoint it lets you correlate activity (log entries, for instance) across multiple machines, both those under your control and those belonging to others.

Recently, a vulnerability which allows remote users to execute arbitrary commands as root via the NTP daemon has been announced. RedHat, Debian and Mandrake have all announced patches (though beware that Debian later had to announce a second update to fix a denial of service issue introduced in the initial patch -- be sure to update if you have the early patches).

NTP scans haven't been very prevalent, but expect them to become more popular now that this exploit has been found. This sort of exploit is what the black-hats dream about: a remote root hole in a daemon that runs, largely forgotten, on a great many hosts.

Strong packet filters will reduce your exposure, but they are not a substitute for the update. ntpd sends its own queries to other servers from UDP port 123, and their replies come back to UDP port 123 from UDP port 123, so a filter that admits NTP by port alone admits a stranger's query as readily as the replies you asked for. You need a specific allow rule for each server you contact, matching on that server's address, followed by a rule that drops everything else destined for port 123. A stateless filter can still be fooled by a packet that forges a permitted server's address, which is why the filter is a stopgap and the updated package is the fix.

HOW TO TELL IF YOU'RE VULNERABLE

All versions of RedHat, Mandrake, and Debian available as of April 9, 2001 are vulnerable. KRUD versions prior to 2001-05-01 are vulnerable.

KRUD/RedHat 7.0:
    "rpm -qa | grep ntp-4" reports a version PRIOR to 4.0.99k-15

KRUD/RedHat 6.2 and older:
    "rpm -qa | grep xntp" reports a version PRIOR to xntp3-5.93-15

Compare the release number numerically rather than as a string: 4.0.99k-9 is older than 4.0.99k-15 even though "9" sorts after "1" in a plain text comparison.

UPDATES

Updates for these packages are available on ftp://updates.redhat.com/

    ftp://updates.redhat.com/7.0/en/os/i386/ntp-4.0.99k-15.i386.rpm

FOR HELP

If you would like tummy.com to check your systems for vulnerability to this exploit, please reply to this email, and we'll arrange an appointment to look at it.

_______________________________________________
KRUDAnnounce mailing list
KRUDAnnounce@lists.tummy.com
http://lists.tummy.com/mailman/listinfo/krudannounce
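The version check from the announcement as a script that can be run across a batch of hosts, added here as an example and not part of the tummy.com announcement. It reads rpm -qa output, picks out the ntp and xntp3 packages, and compares their version-release against the fixed versions with an rpm-style comparison (a simplified rpmvercmp written in awk: digit runs compare numerically, letter runs lexically, digits beat letters; the real rpm algorithm has further rules that these package versions do not exercise). The package list it runs on offline is constructed for the demonstration, not captured from a real host.

```shell
#!/bin/sh
# Check `rpm -qa` output for NTP packages older than the fixed versions
# named in the advisory.  Usage:  rpm -qa | ntp_check   (run as-is for an
# offline demonstration on a constructed package list).

NTP4_FIXED="4.0.99k-15"     # RedHat/KRUD 7.0 package: ntp
XNTP3_FIXED="5.93-15"       # RedHat/KRUD 6.2 and older: xntp3

# rpm_vercmp A B: print -1, 0 or 1 as A is older than, equal to or newer
# than B.  Simplified rpmvercmp: split into runs of digits and runs of
# letters, compare digit runs numerically and letter runs lexically, a
# digit run beats a letter run, and the string with more segments wins a tie.
rpm_vercmp() {
    awk -v a="$1" -v b="$2" '
    function split_segs(s, out,    n) {
        n = 0
        while (s != "") {
            if (match(s, /^[0-9]+/) || match(s, /^[A-Za-z]+/)) {
                out[++n] = substr(s, RSTART, RLENGTH)
                s = substr(s, RLENGTH + 1)
            } else {
                s = substr(s, 2)        # skip a separator such as . or -
            }
        }
        return n
    }
    function isnum(x) { return x ~ /^[0-9]+$/ }
    BEGIN {
        na = split_segs(a, sa); nb = split_segs(b, sb)
        n = (na < nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = sa[i]; y = sb[i]
            if (isnum(x) && isnum(y)) {
                if (x + 0 < y + 0) { print "-1"; exit }
                if (x + 0 > y + 0) { print "1"; exit }
            } else if (isnum(x)) { print "1"; exit }
            else if (isnum(y)) { print "-1"; exit }
            else if (x < y) { print "-1"; exit }
            else if (x > y) { print "1"; exit }
        }
        if (na < nb) print "-1"; else if (na > nb) print "1"; else print "0"
    }'
}

# ntp_check: read `rpm -qa` lines on stdin, report each NTP package, and
# return 1 if any of them is older than the fixed version.
ntp_check() {
    status=0
    while IFS= read -r pkg; do
        case "$pkg" in
            ntp-[0-9]*)   fixed="$NTP4_FIXED";  ver="${pkg#ntp-}" ;;
            xntp3-[0-9]*) fixed="$XNTP3_FIXED"; ver="${pkg#xntp3-}" ;;
            *)            continue ;;
        esac
        # newer rpm appends .arch to -qa output; drop it if present
        case "$ver" in
            *.i?86|*.x86_64|*.noarch|*.alpha|*.sparc) ver="${ver%.*}" ;;
        esac
        if [ "$(rpm_vercmp "$ver" "$fixed")" -lt 0 ]; then
            printf '%-11s %s  (fixed in %s)\n' VULNERABLE "$pkg" "$fixed"
            status=1
        else
            printf '%-11s %s\n' OK "$pkg"
        fi
    done
    return $status
}

# Constructed sample of `rpm -qa` output, not captured from a real host,
# so the script runs offline.  On a real host:  rpm -qa | ntp_check
SAMPLE_RPM_QA='bash-2.04-21
ntp-4.0.99k-12
xntp3-5.93-15'

printf '%s\n' "$SAMPLE_RPM_QA" | ntp_check \
    || echo "At least one NTP package needs the update."
```

The exit status is 1 when anything needs updating, so the same pipeline can be run from cron or over ssh against a list of machines and the failures collected.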
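Rules for the packet-filter point made above, added here as an example and not part of the announcement: the script pulls the server and peer addresses out of an ntp.conf and emits one allow rule per server followed by a drop for everything else aimed at UDP port 123. iptables syntax for Linux 2.4 is assumed (2.2 kernels running ipchains need the same per-server rules in ipchains syntax), and the ntp.conf excerpt is constructed for the demonstration rather than taken from a real host.

```shell
#!/bin/sh
# Generate packet-filter rules that admit NTP only from the servers this
# host polls.  iptables (Linux 2.4) syntax is assumed.  Run the output as
# root after reviewing it:
#     ntp_filter_rules $(ntp_peers < /etc/ntp.conf) | sh

# ntp_peers: print the address of every server/peer line in an ntp.conf
# read on stdin.  Comments, driftfile and restrict lines are ignored, and
# so are 127.127.x.x entries, which are reference-clock pseudo-addresses
# rather than network peers.
ntp_peers() {
    sed 's/#.*//' \
    | awk '($1 == "server" || $1 == "peer") && $2 !~ /^127\.127\./ { print $2 }'
}

# ntp_filter_rules ADDR...: one ACCEPT per server, then DROP the rest.
# A rule on the port alone ("--dport 123") is the weak setting: ntpd sends
# its queries from UDP/123 and receives the replies on UDP/123, the same
# port a stranger's query arrives on, so the peer address has to match too.
ntp_filter_rules() {
    for srv in "$@"; do
        echo "iptables -A INPUT -p udp -s $srv --sport 123 --dport 123 -j ACCEPT"
    done
    echo "iptables -A INPUT -p udp --dport 123 -j DROP"
}

# Constructed ntp.conf excerpt, not a real configuration, for an offline run.
SAMPLE_NTP_CONF='driftfile /etc/ntp/drift
server 192.0.2.10
server 127.127.1.0       # local clock fallback, not a network peer
server 198.51.100.7      # secondary
restrict default nomodify notrap
'

ntp_filter_rules $(printf '%s' "$SAMPLE_NTP_CONF" | ntp_peers)
```

Hostnames in ntp.conf are resolved by iptables when the rule is inserted, so the rule holds whatever address the name had at that moment. And because this is a stateless filter, a packet forging a permitted server's source address still gets through; the rules narrow who can reach ntpd, the updated package is what removes the hole.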