
AlBlue’s Blog

Macs, Modularity and More

OSX and NTPD security update

2014, osx, security

Apple have recently released a slew of updates for the NTP daemon for 10.10, 10.9 and 10.8 versions of the operating system. It’s worth installing, but also to understand what the issue is.

What is NTP?

NTP stands for Network Time Protocol, and it’s a way of synchronizing your computer’s system clock with others on the internet. Most computers have a built-in clock with a battery backup to keep the time when the power is off (though the Raspberry Pi is an example of a computer which does not have a battery backed clock – which explains why it’s always 1970 when it boots).

NTP provides a way of determining how far out the local computer’s time is from a known good time (provided by, e.g. time.euro.apple.com). It’s not enough just to ask ‘What is the time?’ since by the time (aha) you get the response back, the clock will have moved on by some indeterminate number of milliseconds. In the same way that you wouldn’t post a letter to someone to ask what day it is, simply asking a remote server what it thinks the time is gives an answer that is already out-of-date; NTP therefore times the round trip and corrects for it.

On OSX, when the ‘Set date and time automatically’ checkbox is checked, the operating system will run a program called ntpd as root to keep the local computer’s time in sync.

What's the problem?

According to Apple, there is a remote exploit possibility due to a remote buffer overrun in the ntpd program. It’s been given CVE-2014-9295 as a designator, and it is listed as network exploitable. That’s because ntpd is a two-way program; it sends a request and then listens for responses. Since network messages go via UDP, it’s possible for a remote attacker to send a message even if ntpd isn’t expecting a response. It’s this that makes it globally targetable.

The CVE lists that it can be used as a redirect for DDoS attacks, but Apple has also listed it as remotely exploitable, so it may be more dangerous than it would seem at first glance.

In essence, if you are running an open ntpd on your network via a publicly routable device, it’s going to have problems.
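To make the two points above concrete (why the client must time the round trip, and why a UDP listener must be ready for packets it never asked for), here is a small NTP client as an added example; it is not code from the original post or from Apple’s ntpd. It builds a mode 3 request, parses the 48-byte reply, rejects any reply whose origin timestamp does not echo the request it sent, and computes the clock offset and round-trip delay from the four timestamps. The constructed_reply helper produces synthetic server packets for offline testing; the hostname in query is the one from the post.

```python
import socket
import struct
import time

NTP_EPOCH = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
FMT = "!BBBb11I"        # 48-byte NTP header: flags, stratum, poll, precision, 3 words, 4 timestamps

def to_ntp(ts):
    """Unix float seconds -> (seconds, fraction) 64-bit NTP timestamp."""
    secs = int(ts)
    return secs + NTP_EPOCH, int((ts - secs) * (1 << 32))

def from_ntp(secs, frac):
    return secs - NTP_EPOCH + frac / (1 << 32)

def build_request(t1):
    """Client (VN 3, mode 3) request carrying t1 in the transmit timestamp field."""
    s, f = to_ntp(t1)
    return struct.pack(FMT, 0x1B, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, s, f)

def parse_response(data, t1, t4):
    """Validate a reply against the request we sent; return offset/delay in seconds."""
    if len(data) < 48:
        raise ValueError("short packet")
    v = struct.unpack(FMT, data[:48])
    if v[0] & 0x07 != 4:
        raise ValueError("not a server reply (mode != 4)")
    if v[1] == 0:
        raise ValueError("kiss-o'-death / unsynchronised server (stratum 0)")
    # A genuine reply echoes our transmit timestamp in its origin field. An unsolicited
    # UDP packet (the exposure the post describes) will not match, so it is dropped.
    if (v[9], v[10]) != to_ntp(t1):
        raise ValueError("origin timestamp does not match our request; dropping")
    t2 = from_ntp(v[11], v[12])  # server receive time
    t3 = from_ntp(v[13], v[14])  # server transmit time
    offset = ((t2 - t1) + (t3 - t4)) / 2   # how far our clock lags the server
    delay = (t4 - t1) - (t3 - t2)          # round trip minus server processing time
    return {"offset": offset, "delay": delay, "stratum": v[1]}

def constructed_reply(t1, t2, t3):
    """Server (VN 3, mode 4, stratum 2) reply for tests; constructed data, not a capture."""
    o, r, x = to_ntp(t1), to_ntp(t2), to_ntp(t3)
    return struct.pack(FMT, 0x1C, 2, 0, -20, 0, 0, 0, 0, 0, *o, *r, *x)

def query(host="time.euro.apple.com", timeout=2.0):
    """One live exchange against an NTP server on UDP port 123."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t1 = time.time()
        s.sendto(build_request(t1), (host, 123))
        data, _ = s.recvfrom(48)
        return parse_response(data, t1, time.time())
```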

Applying the update

If you’re running on 10.10, 10.9 or 10.8 then running sudo softwareupdate -i -a, or installing the update through Software Update, should work. If you’re running on older versions, you’re out of luck.

Older versions of OSX

If you’re running an older version, Apple hasn’t backported the fixes. In addition, it’s not clear that the source dumps at http://opensource.apple.com have been updated to take advantage of the fixes. So you can’t even build the version.

You could try building a version of ntpd from the upstream distribution at www.ntp.org, but there may be problems with it.

Alternatively, stop running ntpd on vulnerable Macs. This is easy to stop; go to System Preferences, then Date and Time, and uncheck the ‘Set the time automatically’ checkbox from the Date and Time tab. At least you won’t be hit whilst that isn’t running, but your time will drift.

To set the time, it’s possible to run ntpdate as root via a periodic script, using the NTP server hostname shown in the dialog box. Whilst the time is being set you may be vulnerable to responses, but at least it won’t be a 24h exposure. Running sudo crontab -e and adding

Setting the time via cron

@daily /usr/sbin/ntpdate time.euro.apple.com

would be enough to reset the time on a daily basis to ensure that it doesn’t drift too far.

For the really paranoid, you can run:

@daily /usr/bin/sandbox-exec -f /usr/share/sandbox/ntpd.sb /usr/sbin/ntpdate `dig +short time.euro.apple.com`

This will run the date setting under a sandbox profile that allows the time to be set, but not any other operations. This is why the host lookup needs to be done in backticks: the sandbox profile doesn’t allow DNS lookups, so the name must be resolved outside the sandbox before ntpdate runs.

Summary

Install the NTP security fix as soon as possible on computers that are supported. For those that aren’t, turn off the automatic date and time updates and instead use a crontab to periodically kick off the network requests, optionally running under a sandbox profile to prevent any (non-network) related issues from occurring.