Newly discovered ntp vulnerability, please advise

Status
Not open for further replies.

bitsandnumbers

Dabbler
Joined
Apr 8, 2013
Messages
39
Hi,

I wonder what we, as users, can do to fix the newly discovered NTP vulnerability (as seen here, for instance: http://arstechnica.com/security/201...l-bugs-in-net-time-sync-puts-servers-at-risk/).

To sum this up, the vulnerability adds one more way to escalate to root privileges for hackers, even beginners.

So since FreeNAS has a non-persistent changes policy on its system (i.e., as I understand, if I update ntp manually, the changes will not stick upon reboot), what is the best way to patch this vulnerability? Thx


 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Your FreeNAS shouldn't be directly exposed to the Internet and so this shouldn't be a critical problem. You can wait for the patch to be released.
 

rogerh

Guru
Joined
Apr 18, 2014
Messages
1,111
Should be fairly safe if you don't allow any outside access to ntp on the FreeNAS server. And perhaps only allow it to access a local (patched) ntp server.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
Looks like I'm updating my router.

This has been quite a year... I must've joked that the only thing that didn't have a vulnerability discovered this year was NTP, and look where we are...
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
Well, I hate to say it, there were problems with NTP earlier this year too... massive DDoS vulnerability.

obDisclosure: I work with the NTP project too.
 

bitsandnumbers

Dabbler
Joined
Apr 8, 2013
Messages
39
Well, I sometimes open the SSH port to the internet for remote maintenance; I don't know if it will expose NTP in that case.

Anyway, I will wait for an update from FreeNAS, as suggested.

Thanks for all your answers.
 