Archive for the ‘Open Source’ Category

Understanding Open Source Agility – Watching revenue upside in SD-WAN, UCaaS services.

Thursday, July 13th, 2017
“A penny saved is a penny earned” –Wise Anonymous person’s words that I heard from my mother growing up.
ROI should be an initial checkpoint and a major focus of any technological investment. What is the solution solving? I can’t stop adding items to the list. I found the article below rather interesting – the service and cloud scene is popping right now.
–Aaron

Mellanox Adds Cumulus Linux Support for Ethernet Switches

Tuesday, March 8th, 2016

SUNNYVALE, Calif. & YOKNEAM, Israel–(BUSINESS WIRE)–Mellanox® Technologies, Ltd. (NASDAQ:MLNX), a leading supplier of high-performance, end-to-end interconnect solutions for data center servers and storage systems, today announced it has added Cumulus® Linux® support for the Spectrum line of 10/25, 40/50, and 100 Gb/s Ethernet switches.

The addition of Cumulus Linux provides customers a best-in-class Network Operating System (NOS) with the highest-performance and most predictable Ethernet switch platform. The availability of third-party NOS solutions is the cornerstone of the Open Ethernet initiative and provides customers with freedom of choice.

“The addition of Cumulus Linux means we now give our customers the option to choose the leading Linux NOS on the market,” said Amit Katz, vice president Ethernet switch sales, Mellanox Technologies. “We are confident our Ethernet switch platforms will continue to deliver unmatched predictability, packet performance and the ability to achieve Web-Scale IT efficiencies.”

In order to achieve more agile innovation and to avoid vendor lock-in, many of the largest and most advanced web-scale businesses have rejected closed, proprietary, black-box switches.

Taking a page from these hyperscale data centers, more modestly sized businesses are emulating these architectures and adopting open, disaggregated switches – which separate the choice of hardware and software components. These open networking platforms enable customers to choose best-of-breed components in order to optimize and automate their data centers to meet their business needs. The fully integrated and tested combination of Spectrum switches and Cumulus Linux is the ideal way to achieve this agility, with an open networking platform that frees enterprises to extend and improve the pace of innovation, efficiency, and automation of their data center infrastructure.

Mellanox is helping to accelerate the adoption of open networking and the transformation of businesses to achieve web-scale IT efficiencies.

The partnership between Mellanox and Cumulus Networks is a realization of the Open-Ethernet initiative and furthers both companies’ long-standing commitment to open networking, as demonstrated by their contributions to the Open Compute Project (OCP), Switch Abstraction Interface (SAI), Linux Switchdev, and Open Network Install Environment (ONIE). In addition, Mellanox has made multiple contributions of 10/25, 40/50, & 100 Gb/s Ethernet switch and OCP adapter designs.

“Mellanox is uniquely positioned to capitalize on a big opportunity as the industry continues to move towards open solutions,” said JR Rivers, CEO and co-founder, Cumulus Networks. “With Mellanox’s performance-focused value proposition, Open Ethernet initiative, and large base of clients, Cumulus can expand into new markets and help accelerate customers’ move to Web IT. Open is becoming the industry standard at every level in modern infrastructure builds. As ecosystems open up, customers win; all due to selecting the best technology under the best terms.”

“At Cloudalize, we offer the GPU Desktop as a Service (GDaaS) Platform to a wide range of partners for the cloud solutions they deliver to their customers, so we demand performance, predictability, and industrial-grade control of our networking equipment,” said Benny Willen, CEO Cloudalize. “Cloudalize’s requirements for high performance networking, that could be provisioned as easily as servers, led us to look at an Open solution in the form of Cumulus Linux running on top of Mellanox’s Ethernet Switches. With Cumulus Linux, we could leverage many of our server tools to automate our network orchestration and monitoring activities. With Mellanox Ethernet Switches, we get the predictable performance we need, without worrying about packet loss.”

Come see how to transform your data center and achieve web-scale IT efficiency with Cumulus Linux running on the Spectrum switch at the Mellanox booth #B4 at the OCP Summit taking place March 9-10 at the San Jose Convention Center.

Source: Mellanox Adds Cumulus Linux Support for Ethernet Switches | Business Wire

Why has SQL Server come to Linux? Windows-only cloud makes no sense | ZDNet

Tuesday, March 8th, 2016

Some people are asking why. After all, with MySQL, MariaDB, PostgreSQL, and Oracle Database 12c on Linux, there’s no shortage of RDBMS servers on Linux.

Part of the reason is simple enough. Scott Guthrie, head of Microsoft’s Cloud & Enterprise business, said “This will enable SQL Server to deliver a consistent data platform across Windows Server and Linux, as well as on-premises and cloud.”

The more complex answer is that Microsoft’s fortune is no longer based on Windows. True, SQL Server will be available on Red Hat Enterprise Linux (RHEL) and Canonical’s Ubuntu Linux as a standalone server application, but that’s not where it’s meant to run. As Ed Bott recently uncovered, Microsoft’s new cash cows are Azure and server applications. In particular, “Microsoft Azure is growing rapidly and is reported in the same group as traditional server products (SQL Server is up, Windows Server is down). Collectively, that pair is at the top of the list.”

And what operating systems run on Azure? Mark Russinovich, CTO of Microsoft Azure, Microsoft’s cloud program, said last fall that open source and Linux make great financial and technical sense for Microsoft. “It’s obvious, if we don’t support Linux, we’ll be Windows only and that’s not practical.” Then, one in four Azure operating system instances were Linux. And that number has only been increasing.

For Microsoft to continue to grow as a cloud and services company it must become a Linux company. And, in particular, Microsoft wants to be a Linux cloud power. Today, Azure is certainly the primary way Microsoft monetizes Linux, so it’s only logical that SQL Server would be added to Linux.

Al Gillen, IDC’s group vice president, sees this. “By taking this key product to Linux, Microsoft is proving its commitment to being a cross platform solution provider. This gives customers choice and reduces the concerns for lock-in. We would expect this will also accelerate the overall adoption of SQL Server.”

Source: Why has SQL Server come to Linux? Windows-only cloud makes no sense | ZDNet

Password hash cracking on a Juniper ScreenOS device

Monday, January 4th, 2016

So the Juniper Netscreen/SSG ScreenOS password hash is a bit of a hidden mystery. I had in my hand the config of a Netscreen device and I wanted to perform a reverse of the password hashes to see if they were weak.

In this case here’s the line from the config:

set admin user "admin" password "nAePB0rfAm+Nc4YO3s0JwPHtRXIHdn" privilege "all"

John the Ripper has supported Netscreen passwords since back in 2008 when Samuel Moñux released this patch. Unfortunately John was too slow for my needs as I was up against a deadline, so I looked at the faster approach of using the GPU to perform the cracking. Hashcat is the best tool for the job but unfortunately Hashcat didn’t support this hashing algorithm. :-(

After looking through the jar source code I found this Python script which can generate a Netscreen hash, getting warmer. Here’s a shortened version of the code to show just the function we’re interested in (line numbers are kept because the explanation below refers to them):

 1  def makepass(user, password):
 2      middle = "Administration Tools"
 3      s = "%s:%s:%s" % (user, middle, password)
 4      print s
 5      m = hashlib.md5(s).digest()
 6      narray = []
 7
 8      for i in range(8):
 9          n1 = ord(m[2*i])
10          n2 = ord(m[2*i+1])
11          narray.append( (n1<<8 & 0xff00) | (n2 & 0xff) )
12
13      res = ""
14      for i in narray:
15          p1 = i >> 12 & 0xf
16          p2 = i >> 6  & 0x3f
17          p3 = i       & 0x3f
18          res += b64[p1] + b64[p2] + b64[p3]
19
20      for c, n in zip("nrcstn", [0, 6, 12, 17, 23, 29]):
21          res = res[:n] + c + res[n:]
22      return res

After looking through the code it is clear that there is a fixed salt of "Administration Tools" and a salt of the username (lines 2 and 3).
The code then takes each pair of bytes from the MD5 digest and combines them into one 16-bit value (lines 8-11).
From each 16-bit value it creates 3 characters (lines 14-18).
And finally it scatters the letters n, r, c, s, t & n onto the hash in specific places (lines 20 and 21).
It’s worth noting that the letters nrcstn are actually NeTSCReeN in reverse without the e’s :-)

Using this code it was possible to write some new code that works backwards through the steps in order to go from a Netscreen hash back to the raw MD5 hash. Here’s the function for this:

import binascii

# Alphabet used for the 3-character blocks: the standard base64 table
# (the sample hash below decodes to the expected MD5 with it).
b64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

def reversetomd5(knownhash):
    # strip out nrcstn fixed characters
    clean = ""
    for i in [1,2,3,4,5,7,8,9,10,11,13,14,15,16,18,19,20,21,22,24,25,26,27,28]:
        clean += knownhash[i]

    # create blocks: every 3 characters carry one 16-bit value (4 + 6 + 6 bits)
    block = []
    for i in xrange(2,24,3):
        p1 = b64.index(clean[i-2])
        p2 = b64.index(clean[i-1])
        p3 = b64.index(clean[i])
        block.append(p1 << 12 | p2 << 6 | p3)

    # split each block into two bytes and rebuild the raw digest
    md5hash = ""
    for i in block:
        n1 = i >> 8
        n2 = i & 0xff
        md5hash += chr(n1) + chr(n2)
    return binascii.hexlify(md5hash)

Using this function you are able to give it a Netscreen hash and you’ll get back the raw MD5.

Known hash of nAePB0rfAm+Nc4YO3s0JwPHtRXIHdn has MD5 hash of 078f1d1f09bede18edf49c0f745781dd

Now, using the power of GPU cracking and my favourite tool Hashcat, it is possible to crack the hash. We need to put the hash in a format that hashcat can understand, so we create a file called netscreen.txt and put the hash in the following format (note the trailing colon after the fixed salt):

[hash]:[user]:Administration Tools:
078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools:
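The hash-to-MD5 reversal above and the hashcat input format, rewritten as a Python 3 module (added example, not the post’s own code). It assumes the standard base64 alphabet for the 3-character blocks (the post’s sample hash decodes to the MD5 it quotes with that table) and adds the forward direction, so a config-file hash can be verified against a candidate password locally as well as handed to hashcat.

```python
"""ScreenOS admin password hash: encode, decode and verify (Python 3 rewrite)."""
import hashlib
import hmac

# Assumed to be the standard base64 alphabet: the 24 data characters of the
# sample hash decode to the MD5 given in the post with this table.
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FIXED_SALT = "Administration Tools"
# The letters of "NeTSCReeN" (minus the e's, reversed) are spliced into the
# 24-character body at these offsets, giving the final 30-character hash.
MARKERS = tuple(zip("nrcstn", (0, 6, 12, 17, 23, 29)))
MARKER_OFFSETS = frozenset(pos for _, pos in MARKERS)

# Sample values taken from the post (used as constructed input by main()).
KNOWN_HASH = "nAePB0rfAm+Nc4YO3s0JwPHtRXIHdn"
KNOWN_USER = "admin"


def digest_to_hash(digest: bytes) -> str:
    """Encode a 16-byte MD5 digest the way ScreenOS stores it in the config."""
    if len(digest) != 16:
        raise ValueError("expected a 16-byte MD5 digest")
    body = ""
    for i in range(8):
        word = (digest[2 * i] << 8) | digest[2 * i + 1]  # big-endian 16-bit word
        body += B64[word >> 12 & 0xF] + B64[word >> 6 & 0x3F] + B64[word & 0x3F]
    for ch, pos in MARKERS:  # offsets are ascending, so insert in this order
        body = body[:pos] + ch + body[pos:]
    return body


def make_hash(user: str, password: str) -> str:
    """ScreenOS hash of a password: MD5 over 'user:Administration Tools:password'."""
    salted = f"{user}:{FIXED_SALT}:{password}".encode()
    return digest_to_hash(hashlib.md5(salted).digest())


def hash_to_digest(screenos_hash: str) -> bytes:
    """Invert digest_to_hash: recover the raw MD5 digest from a config-file hash."""
    if len(screenos_hash) != 30:
        raise ValueError("ScreenOS hashes are exactly 30 characters")
    for ch, pos in MARKERS:
        if screenos_hash[pos] != ch:
            raise ValueError(f"expected marker {ch!r} at offset {pos}")
    body = "".join(c for i, c in enumerate(screenos_hash) if i not in MARKER_OFFSETS)
    digest = bytearray()
    for i in range(0, 24, 3):
        try:
            p1, p2, p3 = (B64.index(c) for c in body[i:i + 3])
        except ValueError:
            raise ValueError(f"non-alphabet character in block {i // 3}") from None
        if p1 > 0xF:  # the first symbol of a block carries only 4 bits
            raise ValueError(f"block {i // 3} is not a valid ScreenOS triplet")
        word = p1 << 12 | p2 << 6 | p3
        digest += bytes((word >> 8, word & 0xFF))
    return bytes(digest)


def hashcat_line(user: str, screenos_hash: str) -> str:
    """Line for hashcat mode 20, md5($salt.$pass): the salt is 'user:Administration Tools:'."""
    return f"{hash_to_digest(screenos_hash).hex()}:{user}:{FIXED_SALT}:"


def verify_password(user: str, password: str, screenos_hash: str) -> bool:
    """Check one candidate password against a stored hash (constant-time compare)."""
    return hmac.compare_digest(make_hash(user, password), screenos_hash)


if __name__ == "__main__":
    print("raw MD5 :", hash_to_digest(KNOWN_HASH).hex())
    print("hashcat :", hashcat_line(KNOWN_USER, KNOWN_HASH))
    # The same check hashcat runs per wordlist entry, here for two candidates.
    for candidate in ("password", "MySecretPassword"):
        print(f"{candidate:18} ->", verify_password(KNOWN_USER, candidate, KNOWN_HASH))
```

Because the username is part of the salt, a hash copied from one device only verifies (or cracks) against the admin name it was set for.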

We then use hashcat’s mode 20 which is md5($salt.$pass) to crack the hash:

C:\cudaHashcat64.exe -m 20 netscreen.txt rockyou.txt
cudaHashcat v1.01 starting…
Hashes: 1 total, 1 unique salts, 1 unique digests
Bitmaps: 8 bits, 256 entries, 0x000000ff mask, 1024 bytes
Watchdog: Temperature abort trigger set to 90c
Watchdog: Temperature retain trigger set to 80c
Device #1: GeForce GTX 660M, 2048MB, 950Mhz, 2MCU
Device #1: Kernel ./kernels/4318/m0020_a0.sm_30.64.ptx
Device #1: Kernel ./kernels/4318/bzero.64.ptx
Generated dictionary stats for rockyou.txt: 139921541 bytes, 14344395 words, 14343300 keyspace

078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools::MySecretPassword

Session.Name…: cudaHashcat
Status………: Cracked
Input.Mode…..: File (rockyou.txt)
Hash.Target….: 078f1d1f09bede18edf49c0f745781dd:admin:Administration Tools:
Hash.Type……: md5($salt.$pass)
Time.Started…: Fri Jan 10 15:03:24 2014 (5 secs)
Speed.GPU.#1…:  4886.1 kH/s
Recovered……: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress…….: 11109723/14343300 (77.46%)
Rejected…….: 1371/11109723 (0.01%)
HWMon.GPU.#1…:  0% Util, 41c Temp, N/A Fan

Started: Fri Jan 10 15:03:24 2014
Stopped: Fri Jan 10 15:03:32 2014

Bingo, it’s cracked the hash with the password MySecretPassword.

As this algorithm uses more than just a fixed salt to create the hash I’ll speak to Atom (the creator of hashcat) to see if he wants to implement it in a future release, but until then this code should help you in cracking Netscreen passwords.

Update: Atom has added this hash type to oclHashcat as of version 1.20 https://hashcat.net/hashcat/ (Feature request here: https://hashcat.net/trac/ticket/235)

 

This article’s Original Author:

https://www.phillips321.co.uk/2014/01/10/cracking-a-juniper-netscreen-screenos-password-hash/

Tech and religion intersect at ‘Code for the Kingdom’ hackathon

Wednesday, October 7th, 2015
Aaron Stockton, whose team built a gaming app last year that won $2500 for best original code, works in the Impact Hub spaces (Will Mari / Geekwire).

All over the world technologists are increasingly using the hackathon model to solve societal problems. Whether it’s to fight government corruption or to help feed the homeless or to enhance education, hackathons for a higher purpose are going strong.

Here in the Northwest, a group of faith-motivated programmers echoed that idea. They assembled for the second time at Pioneer Square’s Impact Hub for Code for the Kingdom Seattle, part of a network of religious hackathons happening across the globe in the U.S., Canada, Indonesia, the United Kingdom, Kenya and Ethiopia.

The event, now in its second year, was sponsored by the Deaf Bible Society, the Leadership Network and World Vision. The latter is a huge international NGO based in Federal Way that routinely partners with the Gates Foundation. Other sponsors included Seattle startup TheoTech and Bellingham-based Faithlife.

Over this past weekend about 80 people, many of whom work by day as developers and engineers for local tech giants (or tech giants with local offices), including Amazon, Google and Microsoft, coded through Friday night, Saturday and in some cases Saturday night. They focused on issues such as mental illness, strengthening families, human trafficking, helping the deaf community and connecting NGOs to their supporters. Others worked on Android versions of apps that debuted last year, including one that’s designed to connect one’s prayer life online.

The winners

VisionCaster, the runner-up for best new code, included World Vision staff and volunteers. Inspired by an app built by the UN to increase awareness of what’s going on in Syria (via Samsung’s Milk VR video service), it uses Google Cardboard to immerse viewers in the NGO’s field projects. The idea is to replicate experiences in the field, like seeing clean water access at work or ongoing disaster response efforts.


In addition to solving problems during the hackathon, World Vision was eager to connect with potential future hires, according to Leslie Annis, who recruits tech staff for the NGO.

“We want to get in front of technologists and let them know that we’re here in this area and we need them to join us in the work that we do,” she said. “It was really fun to see that many technologists together in a room creating really cool things for purposeful, missional work.”

Steadfast, an app to encourage spouses to concretize their support for each other, won the people’s choice and best new code awards. The app reminds people to do kind things for their spouse, like sending flowers or notes of encouragement.

StudyChurch won for best existing code. An online e-learning platform, it’s intended for use by weekly “small groups” that meet in homes and coffee shops, allowing collaboration and conversation over a shared text and eventually through video and audio content.

A common motive

Although more than $1,200 in prizes was on the line, the chance to sit down and write code with others for a good cause was the primary draw for many of the participants.

“There’s no limitations, really, any idea can be the best idea,” said Allen Wong, a graduate student at Northeastern and a contractor at Google. Wong, who works on the Google Maps team, was filming a vodcast from the hackathon.

Wong’s passion is creating vodcasts and podcasts that talk about the intersection between faith and technology in applied ways. “To actually see people take a shot at these things – you don’t see that often.”

A team that did not place among the prize-winners but was still regarded as important was Seattle Against Slavery (SAS)’s pilot project. SAS, an anti-human-trafficking nonprofit, has collected data on people, mostly men, who seek sex online. Their goal is to intervene early in the process and keep buyers from connecting with sex workers, who are often underage, migrants or otherwise exploited. By working with former users and survivors of trafficking, and with support for ad buys from Google, SAS is revising its messages to make them more effective and empathetic.

By finding more about the typical user in King County, and targeting them with ads that persuade them to think twice, the idea is to reduce the supply and thus the demand, said Robert Beiser, SAS’ executive director. SAS participated for the first time in a hackathon specifically to get help from software engineers like Kirsten Stark.

“I wanted to be in a place where there’s a stronger connection between my work and my faith,” said Stark, an engineer at Midfin Systems in Redmond.

“We love Jesus and other people and want to help them. Helping the users and offering them alternatives by showing that others care for their underlying needs is a ‘very Christian approach’ to intervention,” she said.

Sarah Williams, whose team won a $2,500 prize last year for best original code at the inaugural event in Seattle, was back this year as a mentor and volunteer.

Calvin Freitas, a senior front-end engineer at Amazon, works on Ceaseless, at the second-annual Code for the Kingdom Seattle (Will Mari / Geekwire).

Now a manager at Amazon, she’s valued the colleagues and connections that came from last year and continue into the present.

“Now more people know about it… and know what I’m talking about,” she said, of sharing the event with her network.

A common community

Event organizers hope that the hackathon’s participants can continue to meet monthly to code and collaborate. To that end, they maintain an active Meetup.com group and Facebook page and invite interested Seattle-area coders to join. An upcoming conference in November will also tackle faith and tech from a more academic perspective.

Meeting together for a common cause – and creating and sustaining community – is part of the ongoing legacy of niche hackathons.

Wendy Stevens, a health specialist at a small Tumwater-based company, N2N and Associates, was at the hackathon on Saturday working on an online-based system for crisis management.

To her, the fact that programmers from rival companies were working together was part of what made the event inspiring.

Their faith was a “point of reference,” she said.


Major flaw could let lone-wolf hacker bring down huge swaths of Internet | Ars Technica

Tuesday, August 4th, 2015

A recently disclosed vulnerability in Bind, the most widely used software for translating human-friendly domain names into IP addresses used by servers, makes it possible for lone-wolf attackers to bring down huge swaths of the Internet, a security researcher has warned.

The flaw, which involves the way that Bind handles some queries related to transaction key records, resides in all major versions of the software from 9.1.0 to 9.8.x, 9.9.0 to 9.9.7-P1, and 9.10.0 to 9.10.2-P2. Attackers can exploit it by sending vulnerable servers a malformed packet that’s trivial to create. Vulnerable servers, in turn, will promptly crash. There are no indications that the vulnerability is being actively exploited in the wild, and the bug wasn’t disclosed until a fix was in place. Still, the critical vulnerability underscores the fragility of Bind, which despite its three decades in use and unwieldy code remains the staple for the Internet’s domain name system.

Rob Graham, CEO of penetration testing firm Errata Security, reviewed some of the Bind source code and the advisory that Bind developers issued earlier this week and made this sobering assessment:

BIND9 is the oldest and most popular DNS server. Today, a DoS vulnerability was announced that would crash the server with a simply crafted query. I could use my “masscan” tool to blanket the Internet with those packets and crash all publicly facing BIND9 DNS servers in about an hour. A single vuln doesn’t mean much, but if you look at the recent BIND9 vulns, you see a pattern forming. BIND9 has lots of problems—problems that critical infrastructure software should not have. Its biggest problem is that it has too many features. It attempts to implement every possible DNS feature known to man, few of which are needed on publicly facing servers. Today’s bug was in the rarely used “TKEY” feature, for example. DNS servers exposed to the public should have the minimum number of features—the server priding itself on having the maximum number of features is automatically disqualified.

Normally, denial-of-service bugs receive low-severity ratings, but when they’re present in servers that form the Internet’s very core, the risks are much higher. Graham regularly scans almost the entire Internet to get an estimate of how many servers remain affected by the Heartbleed vulnerability in OpenSSL and other major software weaknesses. He said Bind’s code base still isn’t as bloated as that of OpenSSL, but it’s much slower than it should be despite being written using C and C++. The result: Bind has all the security weaknesses that come with those programming languages without the speed that often justifies their use anyway.

Graham concluded:

The point I’m trying to make here is that BIND9 should not be exposed to the public. It has code problems that should be unacceptable in this day and age of cybersecurity. Even if it were written perfectly, it has far too many features to be trustworthy. Its feature-richness makes it a great hidden master, it’s just all those features get in the way of it being a simple authoritative slave server, or a simple resolver. They shouldn’t rewrite it from scratch, but if they did, they should choose a safe language and not use C/C++.

Source: Major flaw could let lone-wolf hacker bring down huge swaths of Internet | Ars Technica

ALERT! – Qualys Security Advisory CVE-2015-0235 – GHOST: glibc gethostbyname buffer overflow

Wednesday, January 28th, 2015

During a code audit performed internally at Qualys, we discovered a buffer overflow in the __nss_hostname_digits_dots() function of the GNU C Library (glibc). This bug is reachable both locally and remotely via the gethostbyname*() functions, so we decided to analyze it — and its impact — thoroughly, and named this vulnerability “GHOST”. Our main conclusions are:

– Via gethostbyname() or gethostbyname2(), the overflowed buffer is located in the heap. Via gethostbyname_r() or gethostbyname2_r(), the overflowed buffer is caller-supplied (and may therefore be located in the heap, stack, .data, .bss, etc; however, we have seen no such call in practice).

– At most sizeof(char *) bytes can be overwritten (i.e., 4 bytes on 32-bit machines, and 8 bytes on 64-bit machines). Bytes can be overwritten only with digits (‘0’…’9’), dots (‘.’), and a terminating null character (‘\0’).

– Despite these limitations, arbitrary code execution can be achieved. As a proof of concept, we developed a full-fledged remote exploit against the Exim mail server, bypassing all existing protections (ASLR, PIE, and NX) on both 32-bit and 64-bit machines. We will publish our exploit as a Metasploit module in the near future.

– The first vulnerable version of the GNU C Library is glibc-2.2, released on November 10, 2000.

– We identified a number of factors that mitigate the impact of this bug. In particular, we discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example.

via oss-security – Qualys Security Advisory CVE-2015-0235 – GHOST: glibc gethostbyname buffer overflow.

Google discloses three severe vulnerabilities in Apple OS X – CNET

Friday, January 23rd, 2015

Google’s Project Zero security team revealed the existence this week of three vulnerabilities with high severity that have yet to be fixed in Apple’s OS X operating system.

Although each of the flaws requires an attacker to have access to a targeted Mac, they could all contribute to a successful attempt to elevate privilege levels and take over a machine.

The first flaw, “OS X networkd “effective_audit_token” XPC type confusion sandbox escape,” involves circumvention of commands in the network system and may be mitigated in OS X Yosemite, but there is no clear explanation of whether this is the case. The second vulnerability documents “OS X IOKit kernel code execution due to NULL pointer dereference in IntelAccelerator.” The third one, “OS X IOKit kernel memory corruption due to bad bzero in IOBluetoothDevice.” includes an exploit related to OS X’s kernel structure.

Each vulnerability, as with any disclosed by the Project Zero team, includes a proof-of-concept exploit.

The vulnerabilities were reported to Apple back in October but the flaws have not been fixed. After 90 days, details of vulnerabilities found by Project Zero are automatically released to the public — which is what happened this week.

Project Zero, which Google officially launched in mid-2014, tasks researchers with uncovering any software flaws that have the potential of leading to targeted attacks on people’s computers.

On Apple’s product security page, the company states: “For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.”

This isn’t the first time Google’s Project Zero has published vulnerabilities that are yet to be fixed. In the past several weeks, the tech giant’s security team has published information about three separate, unpatched security flaws in Microsoft’s Windows operating system.

via Google discloses three severe vulnerabilities in Apple OS X – CNET.

Information Regarding Server Issues for VyprVPN Customers in China | Golden Frog

Friday, January 23rd, 2015

We are aware of recent network issues affecting our VyprVPN customers in China. If you are in China and are having trouble connecting to several different VPN server locations, including US and Australia servers, please use the following locations:

Netherlands

Hong Kong

Connections to these locations have been successful, but may not have a 100% success rate. In the event one of those locations fails, please try another.

Thank you for your patience in this matter. We are investigating the issue and will provide you with an update once we have additional information.

via Information Regarding Server Issues for VyprVPN Customers in China | Golden Frog.

InfoSec Alert!!! Critical #NTP Vulnerability in ntpd prior to 4.2.8

Tuesday, December 23rd, 2014

The Google security team discovered several vulnerabilities in current NTP implementations, one of which can lead to arbitrary code execution [1][2]. NTP servers prior to version 4.2.8 are affected.

There are some rumors about active exploitation of at least some of the vulnerabilities Google discovered.

Make sure to patch all publicly reachable NTP implementations as fast as possible.

Mitigating Circumstances:

Try to block inbound connections to NTP servers that do not have to be publicly reachable. However, be aware that simple stateful firewalls may not track UDP connections correctly and will allow access to internal NTP servers from any external IP if the NTP server recently established an outbound connection.

ntpd typically does not have to run as root. Most Unix/Linux versions will configure NTP to run as a lower-privileged user.

According to the advisory at ntp.org, you can also:

Disable Autokey Authentication by removing, or commenting out, all configuration directives beginning with the crypto keyword in your ntp.conf file.

A few Ubuntu and CentOS systems I tested, as well as OS X systems, do not seem to use autokey.

[1] http://www.kb.cert.org/vuls/id/852879

[2] http://support.ntp.org/bin/view/Main/SecurityNotice

CVE – Impact – Details

CVE-2014-9293 – authentication – ntp will create a weak key if none is provided in the configuration file.

CVE-2014-9294 – authentication – ntp-keygen uses a weak seed to create random keys.

CVE-2014-9295 – remote code execution – A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process.

CVE-2014-9296 – missing error message – In the NTP code, a section of code is missing a return, and the resulting error indicates processing did not stop.

via InfoSec Handlers Diary Blog – Critical #NTP Vulnerability in ntpd prior to 4.2.8.