OConnorStP

Q: NTP vulnerability on versions prior to 4.2.8 -- we OK?

Just saw this post about an unpatched vulnerability in NTP and wasn't sure what version a Mavericks server would be running.  Here's the link:

    http://www.zdnet.com/article/major-ntp-security-holes-appears-and-are-being-exploited/

There are lots of resource links within the post, but I got stuck on the basics -- trying to figure out what version of NTP is running on my server.  Can anybody point me in the right direction?  From what I can gather, the version of NTP on an Apple server may be different than the vulnerable one, but it's hard to tell.

Posted on Dec 20, 2014 4:46 PM

  • by JohnDCCIU, Level 1 (15 points), Dec 23, 2014 7:49 AM in response to Denisism

    Denisism wrote:

    DPr0f wrote: if you're still running an internet server on 10.6.x, you're used to fending for yourself.

    By this, can I take it to mean that 10.6.x is only vulnerable to the current NTP exploit if one is running a server on the machine?  In other words, if I'm not running any public web servers, FTP servers, etc. on a Snow Leopard machine, I should be relatively safe from the NTP vulnerability?  Or can I get hacked via the NTP vulnerability by simply connecting my Snow Leopard machine to the Internet or WiFi hotspot and/or going to a website?

    There are a lot of unknowns with this vulnerability, but IMO Apple's global (and extremely fast) release of the patch for all OS X machines (client and server) speaks to the universal nature of the vulnerability:  if you're running ntp and your OS X machine (OS X Client or Server) is connected to the Internet, you should assume that the machine is vulnerable.

    The only real way to really protect it is to not run ntp, which you can accomplish by unchecking the checkbox for "Set date and time automatically" in the Date & Time prefpane and if you're running OS X Server, going into Server Admin-->Settings-->Date & Time (tab)-->Date & Time (sub-tab) and unchecking the same checkbox there (they seem to work independently, so uncheck them both to be sure).

    When you're done, you can check to see if ntp is not running in the Terminal with "ps ax | grep ntp".  If you only see a line ending with "grep ntp" and nothing else, then ntp is not running and you're good to go.  If you see anything else, check your settings.

    After this, you'll need to periodically check to see if your date and time is correct, which in many cases is no biggie, but in cases of OpenDirectory and other servers could well be critical to proper operation.  Also, if it's a desktop machine of that vintage, might be time to stick a new PRAM battery in it (the little battery on the mainboard), as that's what maintains the date and time when the machine is powered down.
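
A small POSIX shell script, added here as an example and not posted by anyone in the thread, that answers the two practical questions raised so far: what version the local ntpd reports and whether it is older than the 4.2.8 fix line (the original question), and whether an ntpd process is currently running (the "ps ax | grep ntp" check above). It assumes that "ntpd --version" prints a line beginning "ntpd 4.2.4p4@..."; the sample line inside the script is constructed, not captured from a real machine. The version parser also accepts the "4.2.6.p5@1.2349-o", "4.2.8p1-beta1" and "4.2.4p8+dfsg-1ubuntu2.2" spellings that appear later in this thread, so it goes a little beyond the single 4.2.4p4 case.

```shell
#!/bin/sh
# Added example, not from the thread: classify a local ntpd against the 4.2.8
# fix line and check whether the daemon is running.
# Assumption: "ntpd --version" prints a line like "ntpd 4.2.4p4@1.1520-o ...".

# Extract the version token (e.g. "4.2.4p4@1.1520-o") from an ntpd --version line.
ntpd_version_token() {
    printf '%s\n' "$1" | awk '/^ntpd /{print $2; exit}'
}

# Normalise an ntpd version into four numeric fields: major minor patch plevel.
# Accepts 4.2.4p4, 4.2.6.p5@1.2349-o, 4.2.8p1-beta1, 4.2.4p8+dfsg-1ubuntu2.2.
ntp_version_fields() {
    v=$1
    v=${v%%@*}; v=${v%%-*}; v=${v%%+*}              # drop build/distro tags
    case $v in *.p*) v=$(printf '%s' "$v" | sed 's/\.p/p/');; esac
    base=${v%%p*}                                    # 4.2.4
    pl=${v#"$base"}; pl=${pl#p}                      # 4 (empty if no p-level)
    oldIFS=$IFS; IFS=.; set -- $base; IFS=$oldIFS
    printf '%s %s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}" "${pl:-0}"
}

# True (exit 0) when version $1 is strictly older than version $2.
ntp_version_lt() {
    set -- $(ntp_version_fields "$1") $(ntp_version_fields "$2")
    for _ in 1 2 3 4; do                             # compare field by field
        [ "$1" -lt "$5" ] && return 0
        [ "$1" -gt "$5" ] && return 1
        shift
    done
    return 1                                         # equal versions
}

# Print "vulnerable" for anything before 4.2.8, "patched" otherwise.
ntp_version_status() {
    if ntp_version_lt "$1" 4.2.8; then echo vulnerable; else echo patched; fi
}

# True when an ntpd process exists. The bracketed pattern cannot match the
# grep command line itself, so there is no "grep ntp" line to discount.
ntpd_running() {
    ps ax 2>/dev/null | grep -q '[n]tpd'
}

# Constructed sample standing in for real "ntpd --version" output.
SAMPLE_VERSION_LINE='ntpd 4.2.4p4@1.1520-o Sun Aug  8 01:17:03 UTC 2010 (1)'
tok=$(ntpd_version_token "$SAMPLE_VERSION_LINE")
echo "constructed sample: $tok -> $(ntp_version_status "$tok")"

# Only query the real daemon binary when one is installed.
if command -v ntpd >/dev/null 2>&1; then
    real=$(ntpd_version_token "$(ntpd --version 2>&1)")
    if [ -n "$real" ]; then
        echo "this machine: $real -> $(ntp_version_status "$real")"
    else
        echo "this machine: could not parse ntpd --version output"
    fi
fi
if ntpd_running; then echo "ntpd is running"; else echo "ntpd is not running"; fi
```

Run it as a plain script on the machine in question. If the status comes back "vulnerable" and the daemon is running, the post above describes the two checkboxes that stop it; after unchecking them, ntpd_running should report "ntpd is not running".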

  • by Long Lane, Level 1 (74 points), Dec 23, 2014 8:13 AM in response to JohnDCCIU

    JohnDCCIU wrote:

    Wellll.....might be time to upgrade that bad boy.  10.6.8 is pushing 7 years old and isn't being updated by Apple for security issues like this one, so it's probably time to move on.  You can get an updated Mac Mini on eBay that will run 10.8 for under $200:  it's time.

    Very true, but then I don't like to throw a working machine away.

    The machine is purely used as a web server. If somebody hacks into it or breaks it, it will be replaced, but not much information is being lost.

    In order to make things easy, I run the client version of 10.6.8. I fixed the bash vulnerability as well. So might look around for just recompiling NTP on the machine. For now, NTP is off and I will probably turn it on occasionally to make sure times are synched.

    Cheers

    LL

  • by Long Lane, Level 1 (74 points), Dec 23, 2014 8:14 AM in response to DPr0f

    DPr0f wrote:

    Long Lane wrote:

    Any suggestions as to how to patch 10.6.8? It shows 4.2.4p4, so is vulnerable.

    Well, the good news is that Apple didn't introduce its benighted "pacemaker" dæmon until 10.9.x; previous to that, their ntpd was the stock version from ntp.org. So "all" you need to do is download, compile and install ntpd 4.2.8, and you should be good to go.

    When I did this (on 10.9.x and 10.10.x), I needed to apply this patch to get it to compile. This is a known bug in 4.2.8. Presumably, it will be fixed in the next release.

    Thanks. I will give it a go and report back!

    LL

  • by DPr0f, Level 1 (10 points), Dec 23, 2014 9:38 AM in response to JohnDCCIU

    [I]f you're running ntp and your OS X machine (OS X Client or Server) is connected to the Internet, you should assume that the machine is vulnerable.

    If I recall correctly (I don't have access to any Snow Leopard Machines), Apple only tightened up its restriction to the "client" NTP configuration in response to this bug in NTP. Previous to that (i.e., in Snow Leopard), anyone could send a control packet to your running ntpd. So those older ntpd's are way more vulnerable than the ones in recent versions of MacOSX (which are susceptible to forged control packets with 127.0.0.1 as the source address, but are otherwise immune).

    The only real way to really protect it is to not run ntp ...

    Correct.

    (Unless, of course, you are handy enough at the commandline to compile your own replacement for ntpd and, while you're at it, a replacement for bash (to counter the Shellshock bug), etc.)

  • by Farhanible, Level 1 (0 points), Dec 23, 2014 10:58 AM in response to JohnDCCIU

    So looks like this was automatically deployed on all Macs in our environment.

    Thanks Apple!

  • by DPr0f, Level 1 (10 points), Dec 23, 2014 12:44 PM in response to Farhanible

    So looks like this was automatically deployed on all Macs in our environment.

    I have seen reports on the web of this Security Update auto-installing itself, regardless of the user's Software Update settings. If so, that's a pretty drastic step for Apple to take (an indication of the severity of the problem).

    If they're not going to issue patches for pre-10.8 systems, they really should warn users to turn off Network Time resolution. Wouldn't look good for a slew of old Macs to get pwned.

  • by Farhanible, Level 1 (0 points), Dec 23, 2014 1:56 PM in response to DPr0f

    I agree. I wonder if commenting out the (lack of) restrictions for 127.0.0.1 in ntp-restrict.conf has any adverse effects. Does an ntp client even need to listen for connections??

  • by Long Lane, Level 1 (74 points), Dec 23, 2014 2:28 PM in response to Farhanible

    FWIW, my Raspberry Pis just got an update of their ntpd to 4.2.6p5 and 4.2.6.p5@1.2349-o

    LL

  • by DPr0f, Level 1 (10 points), Dec 23, 2014 4:30 PM in response to Farhanible

    Not likely a good idea. That's how other processes (e.g. the pacemaker daemon) communicate with ntpd.
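
To make the exchange about ntp-restrict.conf concrete, here is an added shell example (mine, not posted in the thread and not Apple's code) that audits the "restrict" lines of an ntpd configuration: it reports whether the default policy carries the noquery and nomodify flags, which are what keep remote query and control packets away from the daemon, and which addresses are exempt from that policy. Both configuration files it reads are constructed samples: the hardened one follows the usual layout of such a restrict file, the weak one has no default policy at all. The real contents of Apple's ntp-restrict.conf are not reproduced here.

```shell
#!/bin/sh
# Added example, not from the thread: audit the "restrict" lines of an ntpd
# configuration file given as $1. Sample files below are constructed.

# Print the flags on the IPv4 "restrict default" line, e.g.
# "kod nomodify notrap nopeer noquery"; prints nothing if there is no such line.
ntp_default_restrict_flags() {
    awk '$1=="restrict" && $2=="default" {sub(/^restrict +default +/, ""); print; exit}' "$1"
}

# True (exit 0) when the default policy refuses both remote queries (noquery)
# and runtime changes (nomodify); anything less leaves control packets open.
ntp_default_is_hardened() {
    flags=$(ntp_default_restrict_flags "$1")
    case " $flags " in
        *" noquery "*) case " $flags " in *" nomodify "*) return 0;; esac;;
    esac
    return 1
}

# List addresses whose restrict line carries no flags at all, i.e. hosts that
# are fully exempt from the default policy. Localhost is the expected entry.
ntp_unrestricted_hosts() {
    awk '$1=="restrict" && $2!="default" && $2!="-6" && NF==2 {print $2}
         $1=="restrict" && $2=="-6" && $3!="default" && NF==3 {print $3}' "$1"
}

# Human-readable summary of one configuration file.
ntp_restrict_report() {
    echo "== $1"
    if ntp_default_is_hardened "$1"; then
        echo "default policy: hardened (noquery + nomodify)"
    else
        echo "default policy: OPEN - remote query/control packets are accepted"
    fi
    echo "hosts exempt from the default policy: $(ntp_unrestricted_hosts "$1" | tr '\n' ' ')"
}

# Constructed sample 1: default policy locked down, loopback exempt so local
# processes can still talk to ntpd (the point made in the reply above).
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
# constructed sample, modelled on a typical ntp restrict file
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
EOF

# Constructed sample 2: no default restriction line at all.
WEAK_CONF=$(mktemp)
cat >"$WEAK_CONF" <<'EOF'
# constructed sample with no default policy
restrict 127.0.0.1
EOF
trap 'rm -f "$SAMPLE_CONF" "$WEAK_CONF"' EXIT

ntp_restrict_report "$SAMPLE_CONF"
ntp_restrict_report "$WEAK_CONF"
```

Point it at a real file with ntp_restrict_report /path/to/ntp-restrict.conf. Removing the bare "restrict 127.0.0.1" line would put loopback under the default policy, which is the side effect the reply above warns about: anything on the same machine that reaches ntpd over loopback (the pacemaker daemon is the example given) would be refused. The remedy for the 2014 bugs is the updated daemon, not dropping that exemption.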

  • by Zingelbert Bembledack, Level 1 (0 points), Dec 23, 2014 6:57 PM in response to Long Lane

    For 10.6.8 I've created a patch based on 4.2.4p8+dfsg-1ubuntu2.2:

    https://dl.dropboxusercontent.com/u/71275879/CVE-2014-9293-9294-9295.patch.zip

    Just add it to the patches in http://www.opensource.apple.com/source/ntp/ntp-45.1/patches (don't forget to edit the Makefile).

    Cheers

  • by DPr0f, Level 1 (10 points), Dec 23, 2014 10:51 PM in response to Zingelbert Bembledack

    NTP 4.2.8p1-beta1 is out, fixing the compilation problems on MacOSX, FreeBSD and other platforms.

  • by Denisism, Level 1 (0 points), Dec 24, 2014 8:40 AM in response to Zingelbert Bembledack

    Thank you for sharing the patch for 10.6.8.  I downloaded the zip file, decompressed it and I now have a patch file.  How do I apply the patch to my system?

  • by cpragman, Level 2 (464 points), Servers Enterprise, Dec 25, 2014 7:46 AM in response to JohnDCCIU

    Topher Kessler has posted instructions on how to manually patch older systems (ex., 10.5, 10.6, 10.7) at his site -> http://www.macissues.com/2014/12/24/how-to-manually-patch-ntp-for-os-x-10-6-and-10-7/

    I'm patching my first 10.6 system now.

  • by ApplePoet, Level 1 (0 points), Dec 26, 2014 10:26 AM in response to cpragman

    I'm on Snow Leopard and want to use Topher's method. He says first I have to install Xcode 3.2.

    There are several options in the installer. Is the "Essentials" option good enough or do I have to install all the options?

    Thanks

  • by cpragman, Level 2 (464 points), Servers Enterprise, Dec 26, 2014 11:46 AM in response to ApplePoet

    Essentials ought to be enough. You are just installing Xcode to get the command line tools and compiler.
