Date: Thu, 14 May 2015 18:50:10 +0000
From: Harlan Stenn <stenn@....org>
To: cve-assign@...re.org
cc: kseifried@...hat.com, oss-security@...ts.openwall.com, stenn@....org,
    sgraves@...ime.org
Subject: Re: Potential issue in NTP -A option

cve-assign@...re.org writes:
> > the documentation seems to conflict slightly
> 
> We do not feel that a CVE is required; however, Harlan can choose to
> have a CVE ID if the undocumented risky behavior is going to be
> announced as a vulnerability.

We're not going to announce this as a vulnerability.

I'm with Kurt on this one - from our POV '-A' means "disable
authentication checks" and I'd bet that Prof. Mills wrote the
documentation that says ... "this is almost never a good idea."

> More specifically, it appears that mode 7 itself is, in some sense,
> deprecated (e.g., "mode7 ... Enables processing of NTP mode 7
> implementation-specific requests which are used by the deprecated
> ntpdc program" on the
> http://www.eecis.udel.edu/~mills/ntp/html/miscopt.html page and
> "functionally deprecating ntpdc" on the
> http://support.ntp.org/bin/view/Main/SoftwareDownloads page). If so,
> then we do not feel that there is a requirement for the documentation
> to precisely specify the effect of a command-line option on a
> deprecated feature. The -A documentation doesn't directly make a false
> statement about authentication within mode 7; it simply does not
> discuss mode 7.
> 
> If mode 7 itself isn't deprecated, and there is a supported use case
> in which the user may choose to enable both mode 7 and the -A option,
> then announcing the behavior/documentation mismatch as a vulnerability
> is probably more useful.

Mode 7 is for "vendor-specific" control operations, and there is no
requirement in the protocol for any data structure in the packets.
There is also no requirement for *any* use of mode 7.  We noticed enough
difficulties trying to use mode 7 that we shifted everything to mode 6
(ntpq).

To be clear, this issue (-A) is about a discrepancy between the
documentation and the behavior of older, EOL'd versions of the reference
implementation of NTP.  I'll be looking to add clarifying language to
our on-line set of documentation for older, EOL'd NTP releases, but
that's all.

I haven't seen *any* other NTP implementation that provides either mode
6 or mode 7 support.

So I'm planning to make an announcement along the lines of "-A means
'disable authentication' and we've documented that this is almost never
a good idea.  If you have done X in an environment that allows Y, that
will allow bad guys to do Z.  That's a real problem and is an obvious
case of why using -A is generally a Bad Idea."

Never put salt in your eyes: https://www.youtube.com/watch?v=_83MEuLoz9Y

-- 
Harlan Stenn <stenn@....org>
http://networktimefoundation.org - be a member!
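A defender-side configuration audit for the combination discussed in this thread, added here as an example (not code from the post or from the NTP project): it checks an ntpd command line for -A ("disable authentication checks") and an ntp.conf for an explicit enable/disable mode7 line, and rates the result. Both sample inputs are constructed; when no mode7 line is present the setting is reported as unset rather than guessed, since the built-in default differs between ntpd versions.

```python
import re
import shlex

# Constructed sample inputs (not taken from the post): an ntpd command line
# started with -A, and an ntp.conf fragment that explicitly enables mode 7.
SAMPLE_CMDLINE = "/usr/sbin/ntpd -g -A -c /etc/ntp.conf -p /var/run/ntpd.pid"
SAMPLE_NTP_CONF = """\
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
# vendor-specific control requests (ntpdc), deprecated per the thread
enable mode7
restrict default kod nomodify notrap nopeer noquery
"""

_SHORT_FLAGS = re.compile(r"^-[A-Za-z]+$")  # a single flag like -A or a bundle like -gA


def auth_checks_disabled(cmdline):
    """True if the ntpd invocation carries -A ("disable authentication checks")."""
    for tok in shlex.split(cmdline)[1:]:
        if _SHORT_FLAGS.match(tok) and "A" in tok[1:]:
            return True
    return False


def mode7_setting(ntp_conf):
    """Return 'enabled', 'disabled' or 'unset' from the last enable/disable mode7 line.

    'unset' is reported as is: the built-in default differs between ntpd versions.
    """
    state = "unset"
    for raw in ntp_conf.splitlines():
        words = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(words) >= 2 and words[0] in ("enable", "disable") and "mode7" in words[1:]:
            state = words[0] + "d"
    return state


def audit_ntpd(cmdline, ntp_conf):
    """Rate the -A / mode 7 combination discussed in the thread."""
    no_auth = auth_checks_disabled(cmdline)
    mode7 = mode7_setting(ntp_conf)
    if no_auth and mode7 == "enabled":
        risk = "high"    # unauthenticated vendor-specific control requests accepted
    elif no_auth:
        risk = "medium"  # -A alone is documented as almost never a good idea
    else:
        risk = "low"
    return {"auth_disabled": no_auth, "mode7": mode7, "risk": risk}


if __name__ == "__main__":
    print(audit_ntpd(SAMPLE_CMDLINE, SAMPLE_NTP_CONF))
```

On a live host, feed it the ntpd line from the process list and the contents of the ntp.conf named by -c.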