Linux distros patch serious leak in ntp

Several Linux distributions have released updates in recent days for vulnerabilities in the network time protocol daemon. Red Hat, Ubuntu and Debian, among others, have closed the leaks.

Last weekend, the details of four vulnerabilities in network time protocol daemon were disclosed by US-Cert. The leaks were found by Google’s security team and included the random number generator. In particular, the ability to cause buffer overflows created a serious vulnerability: it could allow attackers to execute code on affected systems.

All previous versions of ntp4 are vulnerable and on December 19, version 4.2.8 was released which addressed the issues. Apple released an automatic update to that version on Tuesday to fix the vulnerability in OS X, but before that, several Linux distros released all their patches.

For example, Canonical Monday released Security Notice USN-2449-1 which updates Ubuntu 14.10, Ubuntu 14.04 LTS, Ubuntu 12.04 LTS and Ubuntu 10.04 LTS. Debian released DSA-3108 last weekend to address the issues and Red Hat was also quick to act with its RHSA-2014:2025-1-security update for ntp. The full list of potentially affected software can be found at Cert’s Vulnerability Notes Database.

OpenBSD is not vulnerable, notes Theo de Raadt, founder of the OS, because the software uses openntpd. “That was written 10 years ago at my request because the source code of ntpd scared us,” says De Raadt. It would have contained a lot of redundant code and the development team would have shown little interest in improving it. “When will software vendors wake up?” he wonders.