Solving Ntpd overflow
Don't know if this is the best place to post this, but recently we had an outside vendor do some vulnerability scanning of our internal network. One of these that was found was the Ntpd overflow. All of the googling I have done I have not found anything that refers to the Ntpd overflow in regards to Microsoft. Is this a false vulnerability? Is there a better place to post this message?
|
It does not ring a bell for me. I searched Microsoft's website and could find no reference for Ntpd overflow. Don't these vendors provide any additional information? Personally I would not use a vendor that can not also provide some solutions with references. Kind of like taking your car to the mechanic and he says it is broke but doesn't have a clue as to what is wrong with it or how to fix it.
--- Steve

"Jonathan Jesse" wrote in message news:pan.2004.10.14.22.51.51.32803@ftpb.com...
> Don't know if this is the best place to post this but recently we had an
> outside vendor do some vulnerability scanning of our internal network. One
> of these that was found was the Ntpd overflow. All of the googling I have
> done I have not found anything that refers to the Ntpd overflow in regards
> to Microsoft. Is this a false vulnerability? Is there a better place to
> post this message?
|
Just an idea, but could it be a typo? Could it be an NNTP overflow vulnerability?
Check this out and see if it matches up: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0574
Schlarg _____________
|
Well, after a phone call, and a disappointing conversation with someone who could "help me out", he said that I needed to disable Windows Time Services to prevent a buffer overflow. I still haven't seen anything on microsoft.com or anything like that to confirm there is a problem.
Now according to http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03mngd/26_s3wts.mspx I can configure windows time server through a Group Policy, but I don't want to do this, any help would be appreciated.
On Fri, 15 Oct 2004 04:25:08 +0000, Steven L Umbach wrote:
> It does not ring a bell for me. I searched Microsoft's website and could
> find no reference for Ntpd overflow. Don't these vendors provide any
> additional information? Personally I would not use a vendor that can not
> also provide some solutions with references. Kind of like taking your car to
> the mechanic and he says it is broke but doesn't have a clue as to what is
> wrong with it or how to fix it. --- Steve
>
> "Jonathan Jesse" wrote in message
> news:pan.2004.10.14.22.51.51.32803@ftpb.com...
>> Don't know if this is the best place to post this but recently we had an
>> outside vendor do some vulnerability scanning of our internal network. One
>> of these that was found was the Ntpd overflow. All of the googling I have
>> done I have not found anything that refers to the Ntpd overflow in regards
>> to Microsoft. Is this a false vulnerability? Is there a better place to
>> post this message?
|
I agree with you in that I have not seen any major problems with Windows Time Service. Just be sure your computers are up to date with critical updates after compatibility testing if need be. Windows Time service is a critical part of an Active Directory domain as Kerberos authentication is time sensitive with a five minute time skew as the default. Do they know that?? You could eventually have a lot of problems if you disable the Windows Time service on domain computers including failed logons, denied access to resources, downlevel [less secure] authentication methods, and problems with Active Directory replication. I would call him back and ask where you can find SPECIFIC documentation on the threat, including at Microsoft.com and in the future use someone who knows what they are doing that can provide specifics of vulnerabilities found, degree of threat, specific fixes, and any ramifications of.
--- Steve

"Jonathan Jesse" wrote in message news:pan.2004.10.15.19.52.47.991719@ftpb.com...
> Well after a phone call, and a disappointing conversation with someone who
> could "help me out", he said that I needed to disable Windows Time
> Services to prevent a buffer overflow. I still haven't seen anything on
> microsoft.com or anything like that to confirm there is a problem.
>
> Now according to
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03mngd/26_s3wts.mspx
> I can configure windows time server through a Group Policy, but I don't
> want to do this, any help would be appreciated.
>
> On Fri, 15 Oct 2004 04:25:08 +0000, Steven L Umbach wrote:
>
>> It does not ring a bell for me. I searched Microsoft's website and could
>> find no reference for Ntpd overflow. Don't these vendors provide any
>> additional information? Personally I would not use a vendor that can not
>> also provide some solutions with references. Kind of like taking your car
>> to the mechanic and he says it is broke but doesn't have a clue as to what
>> is wrong with it or how to fix it. --- Steve
>>
>> "Jonathan Jesse" wrote in message
>> news:pan.2004.10.14.22.51.51.32803@ftpb.com...
>>> Don't know if this is the best place to post this but recently we had an
>>> outside vendor do some vulnerability scanning of our internal network.
>>> One of these that was found was the Ntpd overflow. All of the googling I
>>> have done I have not found anything that refers to the Ntpd overflow in
>>> regards to Microsoft. Is this a false vulnerability? Is there a better
>>> place to post this message?
|
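Steve's reply above ties the Windows Time service to the Kerberos five-minute skew default. The following script is an added example, not code from any poster in this thread; it checks that W32Time is running and that the local clock is within that tolerance of a reference server. The host name `dc01.example.test` and the parameter names are placeholders.

```powershell
# Added example: verify W32Time is running and measure clock offset against
# a reference server before anyone acts on advice to disable the service.
# Assumptions: $Reference is a hypothetical host name; 300 s is the
# five-minute default Kerberos skew mentioned in the post above.
param(
    [string]$Reference = 'dc01.example.test',
    [int]$MaxSkewSeconds = 300
)

$svc = Get-Service -Name W32Time
if ($svc.Status -ne 'Running') {
    Write-Warning "W32Time is $($svc.Status); this host will drift from the domain clock."
}

# With /dataonly, each sample line looks like "12:00:01, +00.0123456s".
# Failed samples carry an error code instead and are skipped by the regex.
$lines = & w32tm /stripchart /computer:$Reference /samples:3 /dataonly

$offsets = @(foreach ($line in $lines) {
    if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') {
        [double]::Parse($Matches[1], [Globalization.CultureInfo]::InvariantCulture)
    }
})

if ($offsets.Count -eq 0) {
    Write-Warning "No offset samples from $Reference; check name resolution and UDP 123."
    exit 2
}

# Compare the worst absolute offset with the Kerberos tolerance.
$worst = ($offsets | ForEach-Object { [math]::Abs($_) } |
          Measure-Object -Maximum).Maximum

if ($worst -ge $MaxSkewSeconds) {
    Write-Warning ("Offset {0:N3}s exceeds the {1}s Kerberos tolerance." -f $worst, $MaxSkewSeconds)
    exit 1
}

"Worst offset against {0}: {1:N3}s (limit {2}s)" -f $Reference, $worst, $MaxSkewSeconds
```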
That's truly terrible advice from someone who knows little about Windows. This is not a person you can trust to scan your Windows systems for vulnerabilities or give you advice on what you should do. Scanners find and report all sorts of things and unless you want a whole report full of useless, un-actionable garbage that does you no good, you need someone who knows something about the technology in question and common ways to implement it securely so that they can accurately interpret the scan results, subtracting things that aren't important and adding things that aren't in the report by reading between the lines.
I'm not sure Windows has an "ntpd" service anywhere. There is a "Windows Time Service," but nowhere is it called ntpd. ntpd sounds more like the scanner found a false alarm and thinks it found a Linux or Unix vulnerability where there couldn't possibly be one. You won't know for sure unless they can tell you the CVE number or a URL hyperlink describing the problem. Ask them to give you a Mitre CVE number, a hyperlink, and/or the description of the problem and the fix from the scanner's most detailed report. Then ask them for your money back.
|
Thank you for backing up my opinion and view. Guess I will be spending part of my Monday morning on the phone trying to figure out what in the heck they are talking about. Also the posts will help me w/ ammunition when my boss looks at the reports and asks what the heck does this mean?
I'll let you all know how this resolves...
On Sat, 16 Oct 2004 00:05:40 +0000, Steven L Umbach wrote:
> I agree with you in that I have not seen any major problems with Windows
> Time Service. Just be sure your computers are up to date with critical
> update after compatibility testing if need be. Windows Time service is a
> critical part of an Active Directory domain as Kerberos authentication is
> time sensitive with a five minute time skew as the default. Do they know
> that?? You could eventually have a lot of problems if you disable the
> Windows Time service on domain computers including failed logons, denied
> access to resources, downlevel [less secure] authentication methods, and
> problems with Active Directory replication. I would call him back and ask
> where you can find SPECIFIC documentation on the threat, including at
> Microsoft.com and in the future use someone who knows what they are doing
> that can provide specifics of vulnerabilities found, degree of threat,
> specific fixes, and any ramifications of. --- Steve
>
> "Jonathan Jesse" wrote in message
> news:pan.2004.10.15.19.52.47.991719@ftpb.com...
>> Well after a phone call, and a disappointing conversation with someone who
>> could "help me out", he said that I needed to disable Windows Time
>> Services to prevent a buffer overflow. I still haven't seen anything on
>> microsoft.com or anything like that to confirm there is a problem.
>>
>> Now according to
>> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/ws03mngd/26_s3wts.mspx
>> I can configure windows time server through a Group Policy, but I don't
>> want to do this, any help would be appreciated.
>>
>> On Fri, 15 Oct 2004 04:25:08 +0000, Steven L Umbach wrote:
>>
>>> It does not ring a bell for me. I searched Microsoft's website and could
>>> find no reference for Ntpd overflow. Don't these vendors provide any
>>> additional information? Personally I would not use a vendor that can not
>>> also provide some solutions with references. Kind of like taking your car
>>> to the mechanic and he says it is broke but doesn't have a clue as to what
>>> is wrong with it or how to fix it. --- Steve
>>>
>>> "Jonathan Jesse" wrote in message
>>> news:pan.2004.10.14.22.51.51.32803@ftpb.com...
>>>> Don't know if this is the best place to post this but recently we had an
>>>> outside vendor do some vulnerability scanning of our internal network.
>>>> One of these that was found was the Ntpd overflow. All of the googling I
>>>> have done I have not found anything that refers to the Ntpd overflow in
>>>> regards to Microsoft. Is this a false vulnerability? Is there a better
>>>> place to post this message?