mumblemumble"idiots who quote exploit code three times"mumblemumble.

NTP

Exploit code for NTP was released publicly here; all the stratum one time servers were taken off until the problem was fixed.

From Ron Ogle:

There is only a patch for the NTP software from http://phk.freebsd.dk/patch/ntpd.patch. We are going to wait for a fully released and tested version of NTP to be released from http://www.ntp.org/. Until that time, we are blocking NTP access from the Internet (for those of us who use Internet stratum 1 servers) for the NTP protocol. This should be a very low risk situation because our internal, stratum 2, server will keep time close enough to "real" time for at least the next several days. I suggest that other people in the same situation do the same until a proper fix is made.

My .02
Ron Ogle

And from Durval Menezes:

Tried here against stock xntpd 3.5f (from xntpd-3.5f-3.i386.rpm) on a Redhat Linux 3.0.3 w/ kernel 2.0.36, and the exploit didn't have ANY effect: no root shell was spawned, and the daemon stayed up. An "strace" of the running xntpd process confirmed this: no exec syscalls were attempted.

Same thing on SPARC Solaris 2.5.1 also running xntpd 3.5f: no shell, and the xntpd daemon stayed up with no exec syscalls showing on "truss".

Another vindication for those (like me) that don't like to run the "latest and greatest" versions of any code (I only upgrade my machines when forced to, either because of security bugs, or because of desperately needed new functionality, and even then only after running it for awhile on a test system INSIDE my firewall, and preferably doing an audit on the code myself).

Best regards,
-- Durval Menezes (durval AT tmp DOT com DOT br, http://www.tmp.com.br/)

So it looks like only 4.x is vulnerable, which is somewhat good news.

Kurt Seifried, seifried@securityportal.com
Securityportal - your focal point for security on the 'net