NTP security hole CVE-2013-5211?
Julian Elischer
julian at elischer.org
Fri Mar 21 23:19:01 UTC 2014
On 3/20/14, 9:20 PM, Brett Glass wrote:
> At 03:37 PM 3/20/2014, Ronald F. Guilmette wrote:
>
>> Starting from these lines in my /etc/ntp.conf file:
>>
>> server 0.freebsd.pool.ntp.org iburst
>> server 1.freebsd.pool.ntp.org iburst
>> server 2.freebsd.pool.ntp.org iburst
>>
>> I resolved each of those three host names to _all_ of its associated
>> IPv4 addresses. This yielded me the following list:
>>
>> 50.116.38.157
>> 69.50.219.51
>> 69.55.54.17
>> 69.167.160.102
>> 108.61.73.244
>> 129.250.35.251
>> 149.20.68.17
>> 169.229.70.183
>> 192.241.167.38
>> 199.7.177.206
>> 209.114.111.1
>> 209.118.204.201
You can't use this list because the members of the pool change over time.
you need the following rules placed in the correct places in your ruleset.
check-state
and
allow udp from me to any 123 out via ${oif} keep-state.
unless a udp packet first exits via the second rule, the first will
not match
and will continue on to further rules (which should throw it away one
hopes).
Once an outgoing udp packet to 123 has been seen on the second rule,
any response will be allowed for the next N seconds. (it's some small
integer from memory)
any copy o fhtat packet that comes after the timeout will be dropped
again.
>
> [Snip]
>
> All of this is good. However, remember that anyone who can spoof IPs
> will know
> that the above addresses are the defaults for any FreeBSD machine
> and can
> take advantage of these "holes" in your firewall.
>
> --Brett Glass
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to
> "freebsd-security-unsubscribe at freebsd.org"
More information about the freebsd-security
mailing list