technion
Posts: 238
Joined: Sun Dec 02, 2012 9:49 am

PSA - NTP vulnerability

Fri Dec 19, 2014 11:46 pm

Hey guys,

I know a number of us (like me!) are using Raspberry Pis as NTP servers - so I just wanted to bring this alert to your attention:

Vulnerability Note VU#852879
Network Time Protocol daemon (ntpd) contains multiple vulnerabilities
http://www.kb.cert.org/vuls/id/852879

I originally had to build with a development release so that I could get PPS support, but I'm testing 4.2.8stable now. One issue with the Pi is how long it takes to compile these things.

at2oo1
Posts: 28
Joined: Sun Jul 13, 2014 1:10 pm

Re: PSA - NTP vulnerability

Sun Dec 21, 2014 8:48 pm

What was the result of your test? Is there any information about Raspbian is affected in default configuration?
Meine Projekte auf http://raspberry.tips/

User avatar
rpdom
Posts: 20889
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: PSA - NTP vulnerability

Sun Dec 21, 2014 9:24 pm

The version in Raspbian is vulnerable at present.

There is an open bug report in the Debian bug tracker for this to be fixed.

technion
Posts: 238
Joined: Sun Dec 02, 2012 9:49 am

Re: PSA - NTP vulnerability

Mon Dec 22, 2014 6:06 am

I've been running 24 hours now on version 4.2.8 stable and things are looking good. Only catch is the default install path changed from /usr/local/bin to /usr/local/sbin between -dev and stable, so watch out for init scripts that start the old version on boot!

The Rapsbian distributed edition never supported GPS clocks, so I doubt many of us are running it.

It's being exploited in the wild and if you are running a public NTP server and haven't upgraded yet, it may be time to consider wiping the card.

User avatar
DougieLawson
Posts: 42301
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: PSA - NTP vulnerability

Tue Dec 23, 2014 9:28 am

My Ubuntu system got two NTP security fixes yesterday. I'm hoping they'll percolate to DebIan (and on to Raspbian) in the next couple of days.
Languages using left-hand whitespace for syntax are ridiculous

DMs sent on https://twitter.com/DougieLawson or LinkedIn will be answered next month.
Fake doctors - are all on my foes list.

The use of crystal balls and mind reading is prohibited.

User avatar
rpdom
Posts: 20889
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: PSA - NTP vulnerability

Tue Dec 23, 2014 9:46 am

It's reported as fixed in version 1:4.2.6.p5+dfsg-2+deb7u1 available now in Raspbian Wheezy via the usual apt-get update, apt-get upgrade dance.

Gogolathome
Posts: 6
Joined: Tue Dec 23, 2014 11:21 am

Re: PSA - NTP vulnerability

Tue Dec 23, 2014 12:09 pm

technion wrote:I've been running 24 hours now on version 4.2.8 stable and things are looking good. Only catch is the default install path changed from /usr/local/bin to /usr/local/sbin between -dev and stable, so watch out for init scripts that start the old version on boot!

The Rapsbian distributed edition never supported GPS clocks, so I doubt many of us are running it.
Can you tell how you did the compile?
With the default ./configure, make, make install I get this error in syslog:

Code: Select all

refclock_params: time_pps_kcbind: Operation not supported
GPS_NMEA(0) set PPSAPI params fails
my ntp.conf has this:

Code: Select all

#generic NMEA driver
server 127.127.20.0 mode 17 prefer minpoll 4 maxpoll 4
fudge 127.127.20.0 flag1 1 flag3 1 refid PPS
PPS is working:

Code: Select all

# sudo ppstest /dev/pps0
trying PPS source "/dev/pps0"
found PPS source "/dev/pps0"
ok, found 1 source(s), now start fetching data...
NMEA working also:

Code: Select all

# cat /dev/ttyAMA0 
$GPRMC,120259.00,A,XXX.02996,N,00XXX.85399,E,0.021,,231214,,,A*76
Even latest ntp4-4.2.8-bug2650 does not work

krusher
Posts: 34
Joined: Thu Oct 10, 2013 1:55 am

Re: PSA - NTP vulnerability

Wed Dec 24, 2014 4:16 am

Hello, another forum member suggested I check out this thread, since I too have a Pi NTP server with ntpd 4.2.7 and need the 1PPS support upgrade to 4.2.8. I built the "open collector" NTP server, modified to all fit inside the original Adafruit box with an external GPS antenna. http://open.konspyre.org/blog/2012/10/1 ... me-server/

I'm getting from your discussion above that I can't just update ntpd from the repository as that would kill my 1PPS. So any tips you might have on compiling it would be helpful for me too. :)

Thanks!

technion
Posts: 238
Joined: Sun Dec 02, 2012 9:49 am

Re: PSA - NTP vulnerability

Fri Dec 26, 2014 10:47 am

Gogolathome wrote:Can you tell how you did the compile?
With the default ./configure, make, make install I get this error in syslog:
By default, nothing we need is compiled. This is also why the package distributed with the OS is useless.

$ ./configure --enable-linuxcaps --enable-all-clocks --enable-parse-clocks --enable-SHM --enable-debugging --with-sntp=no --without-ntpsnmpd --enable-pps

Should sort you out.

technion
Posts: 238
Joined: Sun Dec 02, 2012 9:49 am

Re: PSA - NTP vulnerability

Fri Dec 26, 2014 10:49 am

krusher wrote: I built the "open collector" NTP server, modified to all fit inside the original Adafruit box with an external GPS antenna. http://open.konspyre.org/blog/2012/10/1 ... me-server/
That site you linked provides exactly the process you download the source and compile it with all the correct options. I can only assume you managed that once before. Now download the current version and do it again.

Gogolathome
Posts: 6
Joined: Tue Dec 23, 2014 11:21 am

Re: PSA - NTP vulnerability

Fri Dec 26, 2014 12:26 pm

technion wrote:
Gogolathome wrote:Can you tell how you did the compile?
With the default ./configure, make, make install I get this error in syslog:
By default, nothing we need is compiled. This is also why the package distributed with the OS is useless.

$ ./configure --enable-linuxcaps --enable-all-clocks --enable-parse-clocks --enable-SHM --enable-debugging --with-sntp=no --without-ntpsnmpd --enable-pps
When you issue the command: # ./configure --help
you will see that "--enable-parse-clocks" is system specific, "--with-sntp=no" doesn't exist but is probably the same as "--without-sntp" and "--enable-pps" doesn't exist too.

So I can try to compile with "--enable-parse-clocks". I am on the latest kernel 3.12.35+ which has pps support, but as I showed with "flag 3 1" in the NMEA ref clock driver ntpd doesn't use the PPSAPI, while the version (compiled with ATOM) 4.2.6p5 did.

I am going to try again.

Edit: that didn't work also. No PPSAPI (kernel time discipline)

technion
Posts: 238
Joined: Sun Dec 02, 2012 9:49 am

Re: PSA - NTP vulnerability

Sun Dec 28, 2014 5:31 am

I can only suggest the help file is not up to date or something.

Code: Select all

pi@raspberrypi ~/ntp-4.2.8 $ more config.log
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.

It was created by ntp4 configure 4.2.8, which was
generated by GNU Autoconf 2.68.  Invocation command line was

  $ ./configure --enable-linuxcaps --enable-all-clocks --enable-parse-clocks --enable-SHM --enable-debugging --with-sntp=no --without-ntpsnmpd --enable-pps
You can see my version of NTP and the configure script I used. And my PPS is definitely working.

Gogolathome
Posts: 6
Joined: Tue Dec 23, 2014 11:21 am

Re: PSA - NTP vulnerability

Sun Dec 28, 2014 9:51 am

technion wrote:You can see my version of NTP and the configure script I used. And my PPS is definitely working.
Yes I believe you, do you use "fudge flag3 1" and can you show me the output of "ntptime"
This is mine:

Code: Select all

$ ntptime
ntp_gettime() returns code 0 (OK)
  time d84a4fe1.5fdfc19c  Sun, Dec 28 2014 10:46:09.374, (.374508920),
  maximum error 6000 us, estimated error 1 us, TAI offset 0
ntp_adjtime() returns code 0 (OK)
  modes 0x0 (),
  offset -0.335 us, frequency -131.747 ppm, interval 1 s,
  maximum error 6000 us, estimated error 1 us,
  status 0x2001 (PLL,NANO),
  time constant 4, precision 0.001 us, tolerance 500 ppm,
Status should show: status 0x2107 (PLL,PPSFREQ,PPSTIME,PPSSIGNAL,NANO)

Gogolathome
Posts: 6
Joined: Tue Dec 23, 2014 11:21 am

Re: PSA - NTP vulnerability

Sun Dec 28, 2014 11:02 am

Never mind, I tried your suggestion at last, but I never get a working kernel time discipline.
I guess I have to revert to the latest ntp_4.2.6.p5+dfsg-2+deb7u1, which I compiled with PPS following these instructions:
https://support.ntp.org/bin/view/Sandbo ... senSandbox and worked fine with my ntp.conf, to get a working kernel time discipline.

Gogolathome
Posts: 6
Joined: Tue Dec 23, 2014 11:21 am

Re: PSA - NTP vulnerability

Sun Dec 28, 2014 4:07 pm

After spending a lot of hours on searching I came across this bug which was recently solved:
http://bugs.ntp.org/show_bug.cgi?id=2314
There is explained that on a Raspberry Pi "fudge flag3 1" will be ignored.
After compiling ntp-4.2.8 I got an these errors I reported above and I used "fudge flag3 0" in the meanwhile.
After compiling ntp4-4.2.8-bug2650 I got an error but "fudge flag3 1" could be used but was ignored and effectively was "fudge flag3 0".

Too bad. :(

krusher
Posts: 34
Joined: Thu Oct 10, 2013 1:55 am

Re: PSA - NTP vulnerability

Mon Dec 29, 2014 3:19 am

technion wrote:
krusher wrote: I built the "open collector" NTP server, modified to all fit inside the original Adafruit box with an external GPS antenna. http://open.konspyre.org/blog/2012/10/1 ... me-server/
That site you linked provides exactly the process you download the source and compile it with all the correct options. I can only assume you managed that once before. Now download the current version and do it again.
Thanks technion; it's probably easier than I think then and I'll look into it later this week.

technion
Posts: 238
Joined: Sun Dec 02, 2012 9:49 am

Re: PSA - NTP vulnerability

Mon Dec 29, 2014 5:04 am

My config looks like this:

Code: Select all

server 127.127.20.0 mode 17 minpoll 3 iburst true prefer
fudge 127.127.20.0 flag1 1 time2 0.20
I'm unsure where you're getting "flag3" from, it wasn't shown in any of the references I used.

I'm not familiar with ntptime, the output I've looked for is this one:

Code: Select all

$ ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
oGPS_NMEA(0)     .GPS.            0 l    5    8  377    0.000  -20.690  23.026
The offset is quite high because I restarted it a few seconds ago. All you need to look for is the o at the start, which indicates it's using PPS.

Gogolathome
Posts: 6
Joined: Tue Dec 23, 2014 11:21 am

Re: PSA - NTP vulnerability

Thu Jan 08, 2015 1:34 pm

Ok, I got ntpd 4.2.8 working with an older kernel 3.12.22 and used the old instructions to compile a kernel.
https://support.ntp.org/bin/view/Sandbo ... senSandbox
Now I have the PPSAPI:

Code: Select all

 $ ntptime
ntp_gettime() returns code 0 (OK)
  time d859015f.3cf9e388  Thu, Jan  8 2015 14:15:11.238, (.238188515),
  maximum error 4000 us, estimated error 1 us, TAI offset 0
ntp_adjtime() returns code 0 (OK)
  modes 0x0 (),
  offset 0.000 us, frequency -132.031 ppm, interval 256 s,
  maximum error 4000 us, estimated error 1 us,
  status 0x2107 (PLL,PPSFREQ,PPSTIME,PPSSIGNAL,NANO),
  time constant 4, precision 0.001 us, tolerance 500 ppm,
  pps frequency -132.031 ppm, stability 0.012 ppm, jitter 4.200 us,
  intervals 576, jitter exceeded 200, stability exceeded 1, errors 0.
There is definitely a difference with a DIY patched kernel and the latest Raspbian kernel (2.12.35) with "PPS support".

"Flag3 1" in reference clock drivers means use kernel time discipline and gives a line with "PLL,PPSFREQ,PPSTIME,PPSSIGNAL,NANO" and letting ntpd doing this (flag3 0) which only gives "PLL NANO" in the latest Raspbian kernel.
http://www.ntp.org/ntpfaq/NTP-s-algo-kernel.htm

Fact is that I have much better results: -1 us < offset < 1 us
Attachments
time-ntp-offset-day.png
time-ntp-offset-day.png (23.52 KiB) Viewed 5983 times

Return to “Networking and servers”