On 2014-12-22 01:42, Felix wrote:
Hi
See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=773576
There's as of yet no update from Apple applicable to those relays running on Mac OS X.
In the interim, I've reconfigured ntpd on the Macs to deny queries (steps below). This may prevent their default-listening ntp.org/UDel ntpd from seeing and being affected by the potential single packet exploits.
In the medium term, I'll be switching to something like 'sudo port install openntpd' and trying to kill off the bundled UDel ntpd on Mac OS X in favor of the replacement. (That service replacement might succeed, but if so it will probably require defeating the ghost of Steve Jobs along the way...)
More info on the bugs:
http://bugs.ntp.org/show_bug.cgi?id=2668
http://www.kb.cert.org/vuls/id/852879
https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01
https://access.redhat.com/security/cve/CVE-2014-9295
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9293
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9294
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9295
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9296
Richard
-------
1) Confirm ntpd listener on by default and responding to other hosts (such as one running the nmap scanner):

$ sudo nmap -sU -pU:123 -sV -Pn -n --script=ntp-monlist,ntp-info ${IPA}
...
PORT    STATE SERVICE VERSION
123/udp open  ntp     NTP v4
| ntp-info:
|_  receive time stamp: Sat Dec 20 00:49:36 2014
2) Edit ntp config:
-------8<------- --- /private/etc/ntp-restrict.conf.old +++ /private/etc/ntp-restrict.conf @@ -2,8 +2,8 @@ # http://support.ntp.org/bin/view/Support/AccessRestrictions # Limit network machines to time queries only
-restrict default kod nomodify notrap nopeer noquery -restrict -6 default kod nomodify notrap nopeer noquery +restrict default kod nomodify notrap nopeer noquery ignore +restrict -6 default kod nomodify notrap nopeer noquery ignore
# localhost is unrestricted restrict 127.0.0.1 -------8<-------
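Review bot: adding `ignore` to both `restrict default` lines discards every packet from non-localhost sources, including ordinary client time requests, not only the mode 6/7 control queries that the existing `noquery` already refused, so after this change the host stops serving time to any remote client; if that is the intent, the comment just above the lines ("Limit network machines to time queries only") now contradicts them and should be updated, and the `kod nomodify notrap nopeer noquery` flags on the same lines become redundant (harmless, but misleading) once `ignore` is in effect. The unrestricted `restrict 127.0.0.1` line is left intact, so local `ntpq` still works, which is worth stating in the change description.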
3) Send a HUP to reload the config:
$ sudo killall -HUP ntpd
4) Confirm ntpd still running after HUP:
$ ps -axw | grep ntpd | grep -v grep
51928 ??  0:00.02 /usr/sbin/ntpd -c /private/etc/ntp-restrict.conf ...
5) Confirm ntpd listener now off [1] by default:
$ sudo nmap -sU -pU:123 -sV -Pn -n --script=ntp-monlist,ntp-info ${IPA}
...
PORT    STATE         SERVICE
123/udp open|filtered ntp
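As an added example (not part of the mail above), the following script parses ntp.conf-style `restrict` lines and reports, per address family, whether the default policy still answers control queries, serves time only, or drops everything, using the before/after lines from the diff as constructed sample input; it treats an unqualified `restrict default` as applying to both IPv4 and IPv6, which is an assumption about the ntpd version in use.

```python
"""Classify the 'restrict default' policy in an ntpd configuration.

Added example, not from the original mail or from ntpd itself. It shows
why the diff's 'ignore' flag is a bigger step than 'noquery': 'noquery'
refuses mode 6/7 control queries but still serves time, while 'ignore'
drops all packets from matching sources (hence nmap's open|filtered).
"""

# Constructed samples, taken from the diff in the mail.
OLD_CONF = """\
# Limit network machines to time queries only
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# localhost is unrestricted
restrict 127.0.0.1
"""
NEW_CONF = OLD_CONF.replace("noquery\n", "noquery ignore\n")


def parse_restricts(text):
    """Return (address, families, flags) for each 'restrict' line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blanks
        if not line.startswith("restrict"):
            continue
        toks = line.split()[1:]
        families = ("ipv4", "ipv6")  # assumption: unqualified applies to both
        if toks and toks[0] in ("-4", "-6"):
            families = ("ipv6",) if toks[0] == "-6" else ("ipv4",)
            toks = toks[1:]
        if toks:
            entries.append((toks[0], families, frozenset(toks[1:])))
    return entries


def default_exposure(text):
    """Map family -> 'open' | 'queries-only' | 'ignored'.

    open         : no 'noquery'/'ignore' on the default line (control
                   queries such as monlist are answered to anyone)
    queries-only : 'noquery' present; time requests served, mode 6/7 refused
    ignored      : 'ignore' present; nothing answered (the mail's mitigation)
    """
    state = {"ipv4": "open", "ipv6": "open"}
    for addr, families, flags in parse_restricts(text):
        if addr != "default":
            continue
        level = "ignored" if "ignore" in flags else (
            "queries-only" if "noquery" in flags else "open")
        for fam in families:
            state[fam] = level
    return state
```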