NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38.
ntp-4.2.8p15 was released on 23 June 2020. It addresses 1 medium-severity security issue in ntpd, and provides 13 non-security bugfixes over 4.2.8p13.
Are you using Autokey in production? If so, please contact Harlan - he's got some questions for you.
Definition of a Security Issue
- In the extreme, a security bug is one that allows an outside party to execute arbitrary code as the NTP user or gain access to the system.
Rob Austein suggests:
- a bug in security code (eg, an acl mechanism that doesn't do what it claims to do).
- a bug that can cause a server to fall over and die, or otherwise gives an attacker leverage by which to dos the server.
- a bug that allows an attacker to take control of the server or the host on which it's running.
- probably others that don't leap to mind as quickly.
Harlan asked: Would it be a security bug if you could cause the service to abort?
Steve thinks not.
any bug an attacker can use to force the service to behave badly would
be a security bug, so assuming i understand the question, yes, i'd
consider that a security bug.
but some security bugs are more equal than others. it's probably best
to think in terms of risk management rather than absolutes.