← Back to team overview

touch-packages team mailing list archive

[Bug 1039420] Re: NTP security vulnerability because not using authentication by default

 

So, any updates on this issue now that it has become clear it can be
severely abused?

See:
https://www.blackhat.com/docs/eu-14/materials/eu-14-Selvi-Bypassing-HTTP-Strict-Transport-Security-wp.pdf

At least crank up the importance a bit...

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1039420

Title:
  NTP security vulnerability because not using authentication by default

Status in “ntp” package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu implements so much security one way or another. So much
  defenses against network level man in the middle or malicious proxies
  or wifi hotspots. Cryptographic verification generally works well but
  there is one big drawback: it requires correct date/time.

  NTP in Ubuntu does not use any authentication by default, although it
  is supported by NTP.

  I conclude, that almost no one is using authenticated NTP, because
  there are no instructions in a forum or blog how to enable NTP
  authentication. Therefore almost everyone uses standard configuration
  and is at risk.

  An adversary can tamper with the unauthenticated NTP replies and put
  the users time several years back, especially, but not limited, if the
  bios battery or hardware clock is defect. That issue becomes more
  relevant with new devices like RP, which do not even have a hardware
  clock.

  Putting the clock several years back allows an adversary to use
  already revoked, broken, expired certificates; replay old, broken,
  outdated, known vulnerable updates etc.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1039420/+subscriptions