This week a new attack on the Network Time Protocol daemon (ntpd) was demonstrated; see this paper. This could potentially wreak havoc with my HTTPS website or other time-sensitive services I am running.
According to the article, to remain safe, clients and servers alike should run at least NTP version 4.2.8p4.
Running ntpd --version on my Ubuntu Server 14.04.3 LTS machine gives me ntpd 4.2.6p5, which is still vulnerable. This is even after running apt-get update, apt-get upgrade and apt-get dist-upgrade.
Apparently I can download the latest version from ntp.org myself, but I am unsure whether this will conflict with my existing ntpd install done via apt-get. Also, they only offer the download via HTTP, and their method of ensuring authenticity is an MD5 checksum... I am looking forward to my NSA-backdoored patch. I really wish people would use GPG signatures.
Does Ubuntu plan to release a security patch to upgrade ntpd to 4.2.8p4 any time soon? What will be needed to get the fix?
If I read the code and assume that the 4.2.8p4 version available for download on the ntp.org website is trustworthy, how can I install it without conflicts?
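Ubuntu's security updates normally backport a fix into the upstream version the release already ships rather than moving to a newer upstream release, so the number printed by ntpd --version by itself does not show whether a particular fix is present; the Ubuntu package version (apt-cache policy ntp) and its changelog (apt-get changelog ntp) do. The script below is an added example, not code from the question, from Ubuntu or from ntp.org: it parses both outputs, compares the upstream version against the 4.2.8p4 minimum named above, and reports whether apt already has a newer package waiting. The sample outputs it embeds are constructed, and the package revision numbers in them are made up for illustration.

```python
# Added example (not from the question, Ubuntu or ntp.org): decide whether an
# Ubuntu ntpd build needs attention by looking at BOTH the upstream version that
# `ntpd --version` reports and the installed/candidate package versions that
# `apt-cache policy ntp` reports.  Sample outputs below are constructed; the
# package revision numbers in them are invented.
import re
import subprocess

REQUIRED_UPSTREAM = "4.2.8p4"  # minimum version named in the question

# Matches "4.2.6p5" (ntpd --version) and "4.2.6.p5" (Debian package version).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.?p(\d+))?")


def parse_ntp_version(text):
    """Return (major, minor, patch, plevel) for the first NTP-style version in text.

    A missing 'pN' suffix counts as p0, so 4.2.8 sorts below 4.2.8p1.
    Returns None when no version is found.
    """
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def meets_minimum(version_text, required=REQUIRED_UPSTREAM):
    """True when the upstream version found in version_text is >= required."""
    found = parse_ntp_version(version_text)
    return found is not None and found >= parse_ntp_version(required)


def parse_apt_policy(text):
    """Return (installed, candidate) from `apt-cache policy <pkg>` output."""
    installed = candidate = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Installed:"):
            installed = line.split(":", 1)[1].strip()
        elif line.startswith("Candidate:"):
            candidate = line.split(":", 1)[1].strip()
    return installed, candidate


def assess(ntpd_version_output, apt_policy_output, required=REQUIRED_UPSTREAM):
    """Combine both views into a verdict dictionary.

    upstream_ok    - the ntpd binary reports at least `required`
    update_pending - apt has a candidate that differs from what is installed
    advice         - what to do next
    """
    installed, candidate = parse_apt_policy(apt_policy_output)
    upstream_ok = meets_minimum(ntpd_version_output, required)
    update_pending = (installed is not None and candidate is not None
                      and installed != candidate)
    if upstream_ok:
        advice = "upstream version is at or above %s" % required
    elif update_pending:
        advice = ("a different ntp package (%s) is available; install it, then read "
                  "'apt-get changelog ntp' to see which fixes it carries" % candidate)
    else:
        advice = ("ntpd reports a version below %s and apt has no newer candidate; "
                  "Ubuntu backports fixes without changing the upstream version, so "
                  "read 'apt-get changelog ntp' before deciding to build from source"
                  % required)
    return {"installed": installed, "candidate": candidate,
            "upstream_ok": upstream_ok, "update_pending": update_pending,
            "advice": advice}


def _run(cmd):
    """Run a command and return its combined stdout/stderr, or None if it fails."""
    try:
        out = subprocess.check_output(cmd, stderr=subprocess.STDOUT)
        return out.decode("utf-8", "replace")
    except (OSError, subprocess.CalledProcessError):
        return None


# Constructed sample outputs shaped like the real commands' output; the
# package revisions are invented for the example.
SAMPLE_NTPD_VERSION = "ntpd 4.2.6p5@1.2349-o Thu Oct 22 10:00:00 UTC 2015 (1)"
SAMPLE_APT_POLICY = """ntp:
  Installed: 1:4.2.6.p5+dfsg-3ubuntu2.14.04.5
  Candidate: 1:4.2.6.p5+dfsg-3ubuntu2.14.04.6
  Version table:
 *** 1:4.2.6.p5+dfsg-3ubuntu2.14.04.5 0
        100 /var/lib/dpkg/status
"""

if __name__ == "__main__":
    # On a real host use the live commands; fall back to the samples elsewhere.
    ntpd_out = _run(["ntpd", "--version"]) or SAMPLE_NTPD_VERSION
    policy_out = _run(["apt-cache", "policy", "ntp"]) or SAMPLE_APT_POLICY
    for key, value in assess(ntpd_out, policy_out).items():
        print("%s: %s" % (key, value))
```

Run it on the server itself and it uses the live command output; anywhere else it falls back to the constructed samples. The verdict deliberately does not claim a host is safe or vulnerable from the package version string alone: when the upstream number is below the minimum and no newer candidate exists, the only reliable answer is the package changelog, which is where Ubuntu records which upstream fixes a revision carries.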