r2 - 2009-10-06 - 04:51:51 - HarlanStenn

Definition of a Security Issue

Steve suggested:

  • In the extreme, a security bug is one that allows an outside party to execute arbitrary code as the NTP user or gain access to the system.

Rob Austein suggests:

  1. a bug in security code (e.g., an acl mechanism that doesn't do what it claims to do).
  2. a bug that can cause a server to fall over and die, or otherwise gives an attacker leverage by which to DoS the server.
  3. a bug that allows an attacker to take control of the server or the host on which it's running.
  4. probably others that don't leap to mind as quickly.

Harlan asked: Would it be a security bug if you could cause the service to abort?

Steve thinks not.

Rob says:

any bug an attacker can use to force the service to behave badly would be a security bug, so assuming i understand the question, yes, i'd consider that a security bug.

but some security bugs are more equal than others. it's probably best to think in terms of risk management rather than absolutes.
