Today the DHS ICS-CERT updated their
advisory for the previously
reported set of vulnerabilities in the Network Time Protocol Daemon. It is
a rather unusual update in that the previous version reported that there were
publicly available exploits and the new version claims that there are no known
publicly available exploits. The CERT-CC
notice also currently says that there are no known exploits available (I
didn’t save a copy of their original report so I can’t tell if it changed).
The NTP advisory
does not address the issue at all.

BTW #1: I missed it last week, but the NTP web site is (has
been) reporting that two of these vulnerabilities were fixed quite some time
ago (2010 for the weak default key, and 2011 for the weak random number
generator). I guess you just fix some things without knowing that they need
fixing.

BTW #2: The NTP web site is (has been) reporting that there
are two other, as of yet unspecified vulnerabilities in the NTP that have yet
to be fixed. They expect to fix them within the next month.