Apple have recently released a slew of updates for the NTP daemon for 10.10, 10.9 and 10.8 versions of the operating system. It’s worth installing, but also to understand what the issue is.
What is NTP?
NTP stands for Network Time Protocol, and it’s a way of synchronizing your computer’s system clock with others on the internet. Most computers have a built-in clock with a battery backup to keep the time when the power is off (though the Raspberry Pi is an example of a computer which does not have a battery backed clock – which explains why it’s always 1970 when it boots).
NTP provides a way of determining how far out the local computer’s time with a known good time (provided by, e.g. time.euro.apple.com). It’s not enough just to say ‘What is the time?’ since by the time (aha) you get the response back, the time will have moved on some indeterminate number of milliseconds. In the same way you wouldn’t post a letter to someone to ask what day it is, simply asking a remote server what it thinks the time is is already going to be out-of-date.
On OSX, when the
‘Set date and time automatically’
is checked, the operating system will kick off a program
ntpd as root to
keep the local computer’s time in sync.
What's the problem?
According to Apple, there
is a remote exploit possibility due to a remote buffer overrun in the
program. It’s been given CVE-2014-9295
as a designator, and lists that it’s network exploitable. That’s because the
ntpd is a two-way program; it sends a request and then listens for responses.
Since network messages go via UDP,
it’s possible for a remote attacker to send a message even if the ntpd isn’t
expecting a response. It’s this that makes it globally targetable.
The CVE lists that it can be used to play a redirect for DDoS attacks, but Apple has listed it as remotely exploitable as well; so it may be more dangerous than it would seem at first glance.
In essence, if you are running an open
ntpd on your network via a publicly
routable device, it’s going to have problems.
Applying the update
If you’re running on 10.10, 10.9 or 10.8 then a
sudo softwareupdate -i -a
or using the update should work. If you’re running on older versions, you’re
out of luck.
Older versions of OSX
If you’re running an older version, Apple hasn’t backported the fixes. In addition, it’s not clear that the source dumps at http://opensource.apple.com have been updated to take advantage of the fixes. So you can’t even build the version.
You could try building a version of ntpd from the upstream distribution at www.ntp.org, but there may be problems with it.
Alternatively, stop running
ntpd on vulnerable Macs. This is easy to stop;
go to System Preferences, then Date and Time, and uncheck the ‘Set the time
automatically’ checkbox from the Date and Time tab. At least you won’t be
hit whilst that isn’t running, but your time will drift.
To set the time, it’s possible to run
ntpdate as root via a periodic
script, using the name of the ntp hostname in the dialog box. Whilst the time
is being set you may be vulnerable to responses, but at least it won’t be
a 24h exposure. Running
sudo crontab -e and adding
would be enough to reset the time on a daily basis to ensure that it doesn’t drift too far.
For the really paranoid, you can run:
This will run the date seting under a sandbox profile that allows the time to be set, but not to do any other operations. This is why the host lookup needs to be done in backticks; because the sandbox profile doesn’t allow for DNS lookups.
Install the NTP security fix as soon as possible on computers that are supported. For those that aren’t, turn off the automatic date and time updates and instead use a crontab to periodically kick off the network requests, optionally running under a sandbox profile to prevent any (non-network) related issues from occuring.