NTP security hole CVE-2013-5211? (Gary Palmer)
Garrett Wollman
wollman at bimajority.org
Wed Mar 26 06:33:20 UTC 2014
<<On Wed, 26 Mar 2014 07:08:57 +0200, Kimmo Paasiala <kpaasial at icloud.com> said:
> I believe Gary was talking about changing the control/status port
> and not the actual service port (UDP 123). That should be doable
> without breaking compatibility with existing NTP tools.
NTP does not have a separate "control/status port"; all NTP operations
that could be called "control" and "status" use the NTP protocol and
the NTP port. If you configure your NTP server correctly (or start
from a good default configuration), these operations will be
restricted using NTP's built-in authentication and access-control
mechanisms. In NTP-speak, the relevant packets are known as "mode 6"
and "mode 7" messages. ntpq and ntpdc, since they run as non-root,
will obviously use an ephemeral source port.
Historically (not sure if it's still true), ntpd would generate a
random key on startup and then fork a process to read the
configuration file and handle DNS resolution; the child process would
then use mode 7 messages to add associations in the main server
process as each host name was resolved.
-GAWollman
More information about the freebsd-security
mailing list