touch-packages team mailing list archive
Message #27579
[Bug 1039420] Re: NTP security vulnerability because not using authentication by default
So, any updates on this issue now that it has become clear it can be
severely abused?
See:
https://www.blackhat.com/docs/eu-14/materials/eu-14-Selvi-Bypassing-HTTP-Strict-Transport-Security-wp.pdf
At least crank up the importance a bit...
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ntp in Ubuntu.
https://bugs.launchpad.net/bugs/1039420
Title:
NTP security vulnerability because not using authentication by default
Status in "ntp" package in Ubuntu:
Confirmed
Bug description:
Ubuntu implements so much security one way or another. So many
defenses against network level man in the middle or malicious proxies
or wifi hotspots. Cryptographic verification generally works well but
there is one big drawback: it requires correct date/time.
NTP in Ubuntu does not use any authentication by default, although it
is supported by NTP.
I conclude that almost no one is using authenticated NTP, because
there are no instructions in a forum or blog how to enable NTP
authentication. Therefore almost everyone uses standard configuration
and is at risk.
An adversary can tamper with the unauthenticated NTP replies and put
the user's time several years back, especially, but not limited to, if the
BIOS battery or hardware clock is defective. That issue becomes more
relevant with new devices like RP, which do not even have a hardware
clock.
Putting the clock several years back allows an adversary to use
already revoked, broken, expired certificates; replay old, broken,
outdated, known vulnerable updates etc.
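The following is an added example, not part of the original bug report or of the ntp package: it shows how NTP's symmetric-key MAC (a key ID followed by a digest over the shared key and the 48-byte header) lets a client reject a reply whose timestamp was changed in transit, and why a reply without a MAC gives no such protection. The key, key ID, timestamps and all function names are constructed for illustration, and SHA-1 is assumed as the digest.

```python
import hashlib
import hmac
import struct

NTP_UNIX_DELTA = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
HEADER_LEN, DIGEST_LEN = 48, 20  # NTP header; SHA-1 digest

def build_reply(unix_time):
    """Constructed server reply (LI=0, VN=4, mode=4, stratum 2), no MAC."""
    head = struct.pack("!BBbbII4s", (4 << 3) | 4, 2, 6, -20, 0, 0, b"\x7f\x00\x00\x01")
    stamp = struct.pack("!II", unix_time + NTP_UNIX_DELTA, 0)
    return head + stamp * 4  # reference, origin, receive, transmit

def sign(packet, key_id, key):
    """Append key ID and digest(key || header), the symmetric-key MAC layout."""
    return packet + struct.pack("!I", key_id) + hashlib.sha1(key + packet).digest()

def transmit_time(data):
    """Unix seconds from the transmit timestamp (bytes 40..43)."""
    return struct.unpack("!I", data[40:44])[0] - NTP_UNIX_DELTA

def rewrite_transmit(data, unix_time):
    """Model an in-transit change to the transmit timestamp."""
    return data[:40] + struct.pack("!I", unix_time + NTP_UNIX_DELTA) + data[44:]

def verify(data, keys):
    """True only if the reply carries a MAC that matches a trusted key."""
    if len(data) != HEADER_LEN + 4 + DIGEST_LEN:
        return False  # no MAC (the default setup in the report) or malformed
    key = keys.get(struct.unpack("!I", data[48:52])[0])
    if key is None:
        return False  # key ID not in the trusted set
    expected = hashlib.sha1(key + data[:HEADER_LEN]).digest()
    return hmac.compare_digest(expected, data[52:])

def accept_time(data, keys):
    """Return the server time if the reply authenticates, else None."""
    return transmit_time(data) if verify(data, keys) else None

if __name__ == "__main__":
    keys = {1: b"constructed-shared-secret"}  # constructed key, ID 1
    good = sign(build_reply(1420070400), 1, keys[1])   # 2015-01-01 UTC
    bad = rewrite_transmit(good, 1262304000)           # 2010-01-01 UTC
    for name, pkt in (("genuine", good), ("modified", bad), ("no MAC", good[:48])):
        print(name, transmit_time(pkt), accept_time(pkt, keys))
```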