ntpd vulnerabilities
jungle Boogie
jungleboogie0 at gmail.com
Mon Dec 22 19:10:21 UTC 2014
Hi Mark,
On 22 December 2014 at 11:02, Mark Felder <feld at freebsd.org> wrote:
> On Mon, Dec 22, 2014, at 11:39, Brett Glass wrote:
>> I'd like to propose that FreeBSD move to OpenNTPD, which appears to
>> have none of the
>> fixed or unfixed (!) vulnerabilities that are present in ntpd.
>> There's already a port.
>>
>
> Historically OpenNTPD has been dismissed as a candidate because of its
> reduced accuracy and missing security features. For example, it doesn't
> implement the NTPv4 functionality or authentication.
>
> Quite literally the OpenNTPD is vulnerable to a MITM attack because of
> the lack of authentication. Their stance has been that you should trust
> your NTP servers and suggest using a VPN for the NTP traffic. Probably
> not a bad idea, honestly.
Would you say a MITM attack is similar to a forged ntp reply?
If so, have you seen this:
http://quigon.bsws.de/papers/opencon04/ntpd/mgp00018.html
>
> I don't have a qualified opinion, but that should get you on the right
> track if you want to research further.
--
-------
inum: 883510009027723
sip: jungleboogie at sip2sip.info
xmpp: jungle-boogie at jit.si
More information about the freebsd-security
mailing list