Hi,
There was an security problem (ntpd internal overflow CERT vu#584606) with setting dates on an NTP client, when the difference between the client and server is more than 34 years. ntpdate used to set time wrongly on the client side; the problem is solved with NTPv4 version of ntpdate.
Now, ntpd 'usually' quits if the time difference is more than 1000 seconds (roughly 20 minutes); however, if ntpd
is started with the -g option, even that sets time wrongly on the client side!(?) Ideally, the user should run ntpdate before running ntpd, but we believe there *is* a problem for ntpd as well (even with the latest 4.2.0 release).
We have tested this on linux/tru64 implementations. Please confirm whether this is seen as a potential security issue and whether this problem is already acknowledged by ntp.org and being worked upon?
Thanks & Regards,
Vishal
|
|
0
|
|
|
|
Reply
|
 Vishal
|
5/13/2004 6:15:58 AM |
|
Vishal Agarwal wrote:
> Hi,
>
> There was an security problem (ntpd internal overflow CERT vu#584606) with setting dates on an NTP client, when the difference between the client and server is more than 34 years. ntpdate used to set time wrongly on the client side; the problem is solved with NTPv4 version of ntpdate.
>
> Now, ntpd 'usually' quits if the time difference is more than 1000 seconds (roughly 20 minutes); however, if ntpd
> is started with the -g option, even that sets time wrongly on the client side!(?) Ideally, the user should run ntpdate before running ntpd, but we believe there *is* a problem for ntpd as well (even with the latest 4.2.0 release).
>
> We have tested this on linux/tru64 implementations. Please confirm whether this is seen as a potential security issue and whether this problem is already acknowledged by ntp.org and being worked upon?
>
> Thanks & Regards,
> Vishal
>
That is correct and known and as designed. However, when using the '-g'
option, you should not run ntpdate first. That is the purpose of the -g,
to eliminate the need to run ntpdate first. And as you noted, ntpdate has
the same overflow problem. This is not a problem with these programs, it
is the limitation in the protocol itself. To quote the docs at ntp.org:
....it is necessary to set the system clock within 34 years of the current UTC
time before the protocol is started.
--
blu
It is bafflingly paradoxical that the United States is by far the world's
leading scientific nation while simultaneously housing the most scientifically
illiterate populace outside the Third World. - Richard Dawkins
--------------------------------------------------------------------------------
Brian Utterback - OP/N1 Revenue Product Engineering, Sun Microsystems, Inc.
Ph/VM: 781-442-1343, Em:brian.utterback-at-ess-you-enn-dot-kom
|
|
|
0
|
|
|
|
Reply
|
Brian
|
5/13/2004 3:20:57 PM
|
|
Vishal,
I take it you have carefully read the CERT advisory, which I submitted.
See the NTP project page and the two pages NTP timescale calculations
and NTP era and era numbering. That should answer all your concerns.
Be advised the 34-year issue is not a problem, but an inherent factor in
the design specific to the NTP timestamp calculations. As described in
the timestamp calculation page, the most recent ntpd has been modified
so that the non-ambiguity window has been extended from 34 years to 68
years. This is not a generic solution and results only from the fact
that ntpd does almost all calcuations in floating-double.
That has not been done for xntpd or ntpdate. The hazard continutes for
those programs, which I consider obsolete. It's even more serious with
xntpd, as I have pointed out before.
The bottom line is that users must insure the system clock is set within
34 years of the actual time with xntpd and ntpdate and within 68 years
with ntpd.
Dave
Vishal Agarwal wrote:
>
> Hi,
>
> There was an security problem (ntpd internal overflow CERT vu#584606) with setting dates on an NTP client, when the difference between the client and server is more than 34 years. ntpdate used to set time wrongly on the client side; the problem is solved with NTPv4 version of ntpdate.
>
> Now, ntpd 'usually' quits if the time difference is more than 1000 seconds (roughly 20 minutes); however, if ntpd
> is started with the -g option, even that sets time wrongly on the client side!(?) Ideally, the user should run ntpdate before running ntpd, but we believe there *is* a problem for ntpd as well (even with the latest 4.2.0 release).
>
> We have tested this on linux/tru64 implementations. Please confirm whether this is seen as a potential security issue and whether this problem is already acknowledged by ntp.org and being worked upon?
>
> Thanks & Regards,
> Vishal
|
|
|
0
|
|
|
|
Reply
|
David
|
5/13/2004 3:29:22 PM
|
|
I believe Dave Mills has stated that a functional requirement of ntp is
that the time be correct to within 34 years before starting ntpd.
ntpdate is worse than suboptimal and its use should be phased out.
H
--
In article <mailman.210.1084448885.1757.questions@ntp.org>,
Vishal Agarwal <avishal@india.hp.com> wrote:
>Hi,
>
>
>There was an security problem (ntpd internal overflow CERT vu#584606)
>with setting dates on an NTP client, when the difference between the
>client and server is more than 34 years. ntpdate used to set time
>wrongly on the client side; the problem is solved with NTPv4 version of
>ntpdate.
>
>
>Now, ntpd 'usually' quits if the time difference is more than 1000
>seconds (roughly 20 minutes); however, if ntpd
>is started with the -g option, even that sets time wrongly on the client
>side!(?) Ideally, the user should run ntpdate before running ntpd, but
>we believe there *is* a problem for ntpd as well (even with the latest
>4.2.0 release).
>
>
>We have tested this on linux/tru64 implementations. Please confirm
>whether this is seen as a potential security issue and whether this
>problem is already acknowledged by ntp.org and being worked upon?
>
>
>Thanks & Regards,
>Vishal
>
|
|
|
0
|
|
|
|
Reply
|
stenn
|
5/13/2004 7:18:03 PM
|
|
On Thu, 13 May 2004 19:18:03 +0000 (UTC), stenn@maccarony.ntp.org
(Harlan Stenn) wrote:
>I believe Dave Mills has stated that a functional requirement of ntp is
>that the time be correct to within 34 years before starting ntpd.
>
>ntpdate is worse than suboptimal and its use should be phased out.
>
>H
Hi Harlan -
I've read that the current NTPD can be a functional replacement for
NTPDATE, by setting certain flags so that it converges quickly and
then quits (after sync).
Would it be possible to create a new, small NTPDATE program for v4.2
(or 4.3) that simply invokes the NTPD module with the appropriate
flags, so users with existing NTPDATE calls in their scripts would
continue to function correctly, without using the old, deprecated
NTPDATE or having to make changes to the rest of their systems?
- Eric
|
|
|
0
|
|
|
|
Reply
|
Eric
|
5/14/2004 1:08:55 PM
|
|
The short script is:
#! /bin/sh
ntpd -q
(As I understand it).
It gets more difficult if somebody wants to handle all of the other options.
A volunteer would be appreciated, and it is probably better to simply
fix the startup scrupts.
H
--
In article <c0h9a0td7ogp818otigdlhvctgb3uu45mu@4ax.com>,
Eric <ejensen@spamcop.net> wrote:
>Would it be possible to create a new, small NTPDATE program for v4.2
>(or 4.3) that simply invokes the NTPD module with the appropriate
>flags, so users with existing NTPDATE calls in their scripts would
>continue to function correctly, without using the old, deprecated
>NTPDATE or having to make changes to the rest of their systems?
|
|
|
0
|
|
|
|
Reply
|
stenn
|
5/15/2004 12:26:47 AM
|
|
Eric <ejensen@spamcop.net> wrote in message news:<c0h9a0td7ogp818otigdlhvctgb3uu45mu@4ax.com>...
> On Thu, 13 May 2004 19:18:03 +0000 (UTC), stenn@maccarony.ntp.org
> (Harlan Stenn) wrote:
>
> >I believe Dave Mills has stated that a functional requirement of ntp is
> >that the time be correct to within 34 years before starting ntpd.
> >
> >ntpdate is worse than suboptimal and its use should be phased out.
> >
> >H
> Hi Harlan -
>
> I've read that the current NTPD can be a functional replacement for
> NTPDATE, by setting certain flags so that it converges quickly and
> then quits (after sync).
>
> Would it be possible to create a new, small NTPDATE program for v4.2
> (or 4.3) that simply invokes the NTPD module with the appropriate
> flags, so users with existing NTPDATE calls in their scripts would
> continue to function correctly, without using the old, deprecated
> NTPDATE or having to make changes to the rest of their systems?
>
> - Eric
No. There is no need for it. If people don't want to take it out of
their scripts then they can always use an old version. There will be
no support for this. with the advent of ntpd -g there is no reason
at all to have ntpdate in the scripts.
Danny
|
|
|
0
|
|
|
|
Reply
|
mayer
|
5/17/2004 5:52:48 PM
|
|
Vishal Agarwal <avishal@india.hp.com> wrote in message news:<mailman.210.1084448885.1757.questions@ntp.org>...
> Hi,
>
> There was an security problem (ntpd internal overflow CERT vu#584606) with setting dates on an NTP client, when the difference between the client and server is more than 34 years. ntpdate used to set time wrongly on the client side; the problem is solved with NTPv4 version of ntpdate.
>
> Now, ntpd 'usually' quits if the time difference is more than 1000 seconds (roughly 20 minutes); however, if ntpd
> is started with the -g option, even that sets time wrongly on the client side!(?) Ideally, the user should run ntpdate before running ntpd, but we believe there *is* a problem for ntpd as well (even with the latest 4.2.0 release).
>
> We have tested this on linux/tru64 implementations. Please confirm whether this is seen as a potential security issue and whether this problem is already acknowledged by ntp.org and being worked upon?
>
If you have any security issues please file a bug report in bugzilla.
This forum is not the place to address the issue. It can be discussed
here but
don't expect resolution here.
Danny
> Thanks & Regards,
> Vishal
|
|
|
0
|
|
|
|
Reply
|
mayer
|
5/18/2004 12:45:57 PM
|
|
Danny,
With due respect, wrong answer. I make no advice on sending to bugzy,
which is probably a good idea; but, if I am to see and help resolve
security issues, better copy the list or me at mills@udel.edu, since I
don't read bugzy. Another reason to post on this list is the archives.
Not everybody knows about bugzy and how to search its archives.
If somebody discovers a real security problem, like the stack hazard
awhile ago, they should follow CERT procedures. The case here is nothing
like that. It's really an operational limitation I should have predicted
and given advance notice. The fact the CERT was involved at all was
because I thought the best action to holler from the rooftops before
750,000 home routers plunged the century to chaos.
Dave
Danny Mayer wrote:
>
> Vishal Agarwal <avishal@india.hp.com> wrote in message news:<mailman.210.1084448885.1757.questions@ntp.org>...
> > Hi,
> >
> > There was an security problem (ntpd internal overflow CERT vu#584606) with setting dates on an NTP client, when the difference between the client and server is more than 34 years. ntpdate used to set time wrongly on the client side; the problem is solved with NTPv4 version of ntpdate.
> >
> > Now, ntpd 'usually' quits if the time difference is more than 1000 seconds (roughly 20 minutes); however, if ntpd
> > is started with the -g option, even that sets time wrongly on the client side!(?) Ideally, the user should run ntpdate before running ntpd, but we believe there *is* a problem for ntpd as well (even with the latest 4.2.0 release).
> >
> > We have tested this on linux/tru64 implementations. Please confirm whether this is seen as a potential security issue and whether this problem is already acknowledged by ntp.org and being worked upon?
> >
> If you have any security issues please file a bug report in bugzilla.
> This forum is not the place to address the issue. It can be discussed
> here but
> don't expect resolution here.
>
> Danny
>
>
> > Thanks & Regards,
> > Vishal
|
|
|
0
|
|
|
|
Reply
|
David
|
5/19/2004 1:42:58 AM
|
|
"David L. Mills" <mills@udel.edu> wrote in message news:<40AABBA2.FCD0A4C3@udel.edu>...
> Danny,
>
> With due respect, wrong answer. I make no advice on sending to bugzy,
> which is probably a good idea; but, if I am to see and help resolve
> security issues, better copy the list or me at mills@udel.edu, since I
> don't read bugzy. Another reason to post on this list is the archives.
I would always want you to be involved on any discussion and solution.
It's just not a good tracking mechanism to put it here.
> Not everybody knows about bugzy and how to search its archives.
>
> If somebody discovers a real security problem, like the stack hazard
> awhile ago, they should follow CERT procedures. The case here is nothing
> like that. It's really an operational limitation I should have predicted
> and given advance notice. The fact the CERT was involved at all was
> because I thought the best action to holler from the rooftops before
> 750,000 home routers plunged the century to chaos.
>
Agreed. CERT will always be certain to contact you for notification and
resolution. It's probably the best mechanism.
Danny
> Dave
>
|
|
|
0
|
|
|
|
Reply
|
mayer
|
5/20/2004 12:59:33 AM
|
|
|
9 Replies
107 Views
(page loaded in 0.14 seconds)
Similiar Articles: ntpd 4.2.0, polling interval, and loopstats - comp.protocols.time ...The Autokey provision has nothing to do with this issue, other than the fact the security protocol ... ntpd on embedded risc - comp.protocols.time.ntp ntpd 4.2.0, polling ... Bad File Descriptor - comp.protocols.time.ntpHello, I'm having an issue with ntp 4.2.0-a on FreeBSD 5.4-p4 system. It seems that ntpd is recording bad file ... believe this is because the security features require ... ntpd vs ntpq!!!!! - comp.protocols.time.ntphello everybody, i have a serious problem while running ntpd-4.2.4p4. while i type ntpd -D 3 it says wildcard interface #0 0.0.0.0 disabled.is this w... ntpd and 2 address - comp.protocols.time.ntpProblems ntpd 4.2.0? - comp.protocols.time.ntp... message: ntpd[17138]: init_socket_sig: ioctl(I_SETSIG, S_INPUT) failed: Bad address ... bugs] [Bug 717] ntpd 4.2.3p51 ... Local clock - sync issue - comp.protocols.time.ntp10 l 9 64 377 0.000 0.000 0.001 The issue with this is that once ... there has been anything fixed which might affect your issue I > don't know. > > ntpd 4.2 ... Help -- pps clock stoped working in 4.2.0 ! - comp.protocols.time ...... when I try to start the daemon (ntpd -U nobody): daemon.notice ntpd[467]: ntpd 4.2.0 ... etc/ntp/drift Simply remove the old file -- ntpd will create new, whatever problem ... Problem with Trimble Placer 450 - gpsd - ntpd - comp.protocols ...... passes that information to ntpd (4.2 ... pps clock stoped working in 4.2.0 ... whorked fine with ntpd 4.1 ... remove the old file -- ntpd will create new, whatever problem is. ... NTPd looses sync regularly / 12 hour intervals. - comp.protocols ...... 05:36:41 sn ntpd[11721]: synchronized to 10.7.100.28, stratum 2 It appears to have an issue ... found >Oct 20 15:37:12 srv3 ntpd[20655]: kernel time sync ... ntpd 4.2.0 ... Help with building NTP-4.2.0 - comp.protocols.time.ntpntpd and 2 address - comp.protocols.time.ntp regards Martin Korous ntp-4.2.0-i486-1 ... Problems ntpd 4.2.0? - comp.protocols.time.ntp... message: ntpd[17138]: init_socket ... Solaris 8 xntpd vs ntpd? - comp.protocols.time.ntp... will have both xntpd 3.5.9e and ntpd 4.2.5 co ... that Solaris 8 will have no new security ... slewing - comp.protocols.time.ntp What problem are you trying to solve? ntpd ... FreeBSD-SA-01:31.ntpd... Security Advisory FreeBSD, Inc. Topic: ntpd contains potential ... FreeBSD 3.5.1 and 4.2, and versions of the ntpd port prior to ntp-4.0.99k_2 contain this problem. 0001466: ntpd avc denied errors after update to ntp-4.2.0.a ...0001466: ntpd avc denied errors after update to ntp-4.2.0.a.20040617-4.EL4.1 ... com, but only found one ntpd avc issue ... 52:34 kern.info www kernel: security: 3 users, 4 ... 7/17/2012 6:08:47 PM
|
Search |
Post Question |
Groups |
Stream |
About |
Register
2 followers. 