Date: Thu, 14 May 2015 18:50:10 +0000
From: Harlan Stenn <stenn@....org>
To: cve-assign@...re.org
cc: kseifried@...hat.com, oss-security@...ts.openwall.com, stenn@....org, sgraves@...ime.org
Subject: Re: Potential issue in NTP -A option

cve-assign@...re.org writes:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > the documentation seems to conflict slightly
>
> We do not feel that a CVE is required; however, Harlan can choose to
> have a CVE ID if the undocumented risky behavior is going to be
> announced as a vulnerability.

We're not going to announce this as a vulnerability.

I'm with Kurt on this one - from our POV '-A' means "disable authentication checks" and I'd bet that Prof. Mills wrote the documentation that says ... "this is almost never a good idea."

> More specifically, it appears that mode 7 itself is, in some sense,
> deprecated (e.g., "mode7 ... Enables processing of NTP mode 7
> implementation-specific requests which are used by the deprecated
> ntpdc program" on the
> http://www.eecis.udel.edu/~mills/ntp/html/miscopt.html page and
> "functionally deprecating ntpdc" on the
> http://support.ntp.org/bin/view/Main/SoftwareDownloads page). If so,
> then we do not feel that there is a requirement for the documentation
> to precisely specify the effect of a command-line option on a
> deprecated feature. The -A documentation doesn't directly make a false
> statement about authentication within mode 7; it simply does not
> discuss mode 7.
>
> If mode 7 itself isn't deprecated, and there is a supported use case
> in which the user may choose to enable both mode 7 and the -A option,
> then announcing the behavior/documentation mismatch as a vulnerability
> is probably more useful.

Mode 7 is for "vendor-specific" control operations, and there is no requirement in the protocol for any data structure in the packets. There is also no requirement for *any* use of mode 7.

We noticed enough difficulties trying to use mode 7 that we shifted everything to mode 6 (ntpq).

To be clear, this issue (-A) is about a discrepancy between the documentation and the behavior of older, EOL'd versions of the reference implementation of NTP. I'll be looking to add clarifying language to our on-line set of documentation for older, EOL'd NTP releases, but that's all.

I haven't seen *any* other NTP implementation that provides either mode 6 or mode 7 support.

So I'm planning to make an announcement along the lines of "-A means 'disable authentication' and we've documented that this is almost never a good idea. If you have done X in an environment that allows Y, that will allow bad guys to do Z. That's a real problem and is an obvious case of why using -A is generally a Bad Idea."

Never put salt in your eyes: https://www.youtube.com/watch?v=_83MEuLoz9Y
-- 
Harlan Stenn <stenn@....org>
http://networktimefoundation.org - be a member!
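The thread's point is that `-A` ("disable authentication checks") becomes a real problem when combined with mode 7 being enabled. As an added example that is not part of the mailing-list thread or the NTP project's own code, here is a small audit helper that inspects an ntpd command line and an ntp.conf for that combination. The `-A` flag and the `enable`/`disable` directives with the `mode7` and `auth` keywords are real ntpd options; the sample command line and configuration are constructed inputs.

```python
"""Audit an ntpd deployment for the risky "-A plus mode 7" combination.

Added example, not code from the NTP project or the thread. The ntpd -A flag
and the ntp.conf `enable mode7` / `disable auth` directives are real; the
sample inputs below are constructed for illustration.
"""
from __future__ import annotations

import shlex

# Constructed sample inputs (not captured from a real host).
SAMPLE_CMDLINE = "/usr/sbin/ntpd -A -g -u ntp:ntp -p /var/run/ntpd.pid"
SAMPLE_NTP_CONF = """\
# constructed ntp.conf for the example
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
server 0.pool.ntp.org iburst
enable mode7
keys /etc/ntp.keys
"""


def auth_disabled_on_cmdline(cmdline: str) -> bool:
    """True when ntpd was started with -A (authentication checks disabled)."""
    args = shlex.split(cmdline)
    return "-A" in args[1:]  # args[0] is the binary path


def conf_directives(conf_text: str):
    """Yield (keyword, args) pairs from ntp.conf, skipping comments and blanks."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        yield parts[0].lower(), [p.lower() for p in parts[1:]]


def _flag_state(conf_text: str, flag: str, default: bool) -> bool:
    """Resolve an enable/disable flag; the last matching directive wins."""
    state = default
    for kw, args in conf_directives(conf_text):
        if kw in ("enable", "disable") and flag in args:
            state = kw == "enable"
    return state


def mode7_enabled(conf_text: str) -> bool:
    """Mode 7 (deprecated ntpdc requests) is off unless explicitly enabled."""
    return _flag_state(conf_text, "mode7", default=False)


def auth_disabled_in_conf(conf_text: str) -> bool:
    """Authentication is on by default; `disable auth` turns it off."""
    return not _flag_state(conf_text, "auth", default=True)


def audit(cmdline: str, conf_text: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings: list[str] = []
    cmd_no_auth = auth_disabled_on_cmdline(cmdline)
    conf_no_auth = auth_disabled_in_conf(conf_text)
    if cmd_no_auth:
        findings.append("ntpd started with -A: authentication checks disabled")
    if conf_no_auth:
        findings.append("ntp.conf contains 'disable auth'")
    if mode7_enabled(conf_text):
        findings.append("ntp.conf enables mode 7 (deprecated ntpdc requests)")
        if cmd_no_auth or conf_no_auth:
            findings.append(
                "HIGH: mode 7 requests are accepted without authentication; "
                "drop -A / re-enable auth, or leave mode7 disabled"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CMDLINE, SAMPLE_NTP_CONF):
        print(finding)
```

On a live host the command line would come from the process table (for example `ps -o args= -C ntpd`) and the configuration from the path ntpd was started with; the helper deliberately takes both as strings so it can be run against captured evidence offline.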