SUMMARY: security hole in xntpd

From: Bob Vickers <bobv_at_cs.rhul.ac.uk>
Date: Mon, 09 Apr 2001 13:41:52 +0100 (BST)

Dear Tru64 Managers,

Thanks to the many people who replied. Points made included:

(1) You can use a cronned ntpdate instead of xntpd while xntpd's status is
    unclear.
(2) You can use access rules to protect yourself. I am steering clear
    of this because discussion on the Bugtraq list has demonstrated
    various pitfalls. Also people can spoof UDP messages so the extra
    security is limited. However, here is a suggestion from Arrigo
    Triulzi:
    restrict default ignore
    restrict 195.89.178.226 nomodify
    restrict 195.89.178.230 nomodify
    restrict 127.0.0.1
    server 195.89.178.226 version 3
    server 195.89.178.230 version 3

(3) The published exploit generates core dumps on IRIX and Solaris but
    not Tru64.
(4) Tru64 uses a version of xntpd written at the U of Toronto whereas
    the vulnerable one was written at the U of Delaware.
(5) There is a suggestion that the hole (in those versions that have
    it) is not as serious as first feared and does not lead to a root
    compromise. I won't attempt to pass judgement on this.

More information about the general problem can be found in the Bugtraq
archives at www.securityfocus.com . But it seems likely that Tru64 is
not vulnerable, and here is a comment from "an anonymous but usually
reliable source within Compaq who can not speak officially for Compaq
on such a matter":

"Our security response team is investigating this, and their conclusion
so far is that the Tru64 UNIX implementation is NOT susceptible to the
attack. They are doing further investigation to see if they can find
a similar attack that will work, and expect to have more data around
the middle of next week. A formal statement is likely to come out by
the end of next week, I'd guess, but that's only a guess."

This was written on Saturday so I think next week means this week! He
promises that the statement will be sent to this list.

Bob
-- 
==============================================================
Bob Vickers                     R.Vickers_at_cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW:    http://www.cs.rhul.ac.uk/home/bobv
Phone:  +44 1784 443691
Received on Mon Apr 09 2001 - 12:43:35 NZST
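
An added example, not part of the original message or of Arrigo Triulzi's suggestion: a small Python check that reads an ntp.conf and reports where it departs from the access-rule layout quoted in point (2). The function names are hypothetical, and it assumes addresses are written literally, as they are in the quoted lines.

```python
# Added example: static check of an ntp.conf against the layout in point (2).
# SAMPLE_CONF reproduces the lines quoted in the message.
SAMPLE_CONF = """\
restrict default ignore
restrict 195.89.178.226 nomodify
restrict 195.89.178.230 nomodify
restrict 127.0.0.1
server 195.89.178.226 version 3
server 195.89.178.230 version 3
"""

LOOPBACK = {"127.0.0.1", "::1"}


def parse(conf_text):
    """Return ({address: set of restrict flags}, [server/peer addresses])."""
    restricts, servers = {}, []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop comments
        if len(fields) < 2:
            continue
        keyword, addr, rest = fields[0].lower(), fields[1], fields[2:]
        if keyword == "restrict":
            if "mask" in rest:  # "mask a.b.c.d" is an address part, not a flag
                i = rest.index("mask")
                del rest[i:i + 2]
            restricts[addr] = set(rest)
        elif keyword in ("server", "peer"):
            servers.append(addr)
    return restricts, servers


def audit(conf_text):
    """Return a list of findings; an empty list means the layout matches."""
    restricts, servers = parse(conf_text)
    findings = []
    if "ignore" not in restricts.get("default", set()):
        findings.append("no 'restrict default ignore'")
    for addr in servers:
        # Literal match only: a masked network entry covering addr is not seen.
        if addr not in restricts:
            findings.append(f"server {addr} has no restrict entry")
    for addr, flags in restricts.items():
        if addr == "default" or addr in LOOPBACK:
            continue
        if not flags & {"ignore", "nomodify"}:
            findings.append(f"{addr} lacks nomodify")
    return findings


if __name__ == "__main__":
    print(audit(SAMPLE_CONF) or "layout matches")
```

With a default of ignore, a server that has no restrict entry of its own has its replies dropped, which is why the check flags it.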
