Disabling NTP on OS X Lion or older

Solution 1:

Is disabling “set date and time automatically” in Software Preferences enough to ensure that ntpd is not running?

Yes.

Here is the way to assure yourself of this. Open a Terminal or xterm window.

Run the following command:

ps ax | grep ntp

and notice that you have an ntpd process running.

Open System Preferences and turn off Set date and time automatically.

Check with the ps command above that you don't have any ntpd process running.
Don't remove the ntpd binary; this is not necessary and would deprive you of the chance to take advantage of a fix from Apple :).

When in doubt, I might use these instructions to limit the scope

No.

This recipe will leave you with a running ntpd and hence exposed to an attack.

Solution 2:

Instead of disabling ntpd, you should download the source for version 4.2.8 of ntp and compile it yourself. All you need is Xcode for Lion/SnowLeo. It should work on 10.6.x and 10.7.x just fine.

I have updated my 10.10 install immediately after the CVE was made public and source code released and I didn't wait on Apple to release the update.

To compile ntpd, download the source from ntp.org and apply the patch for OS X/FreeBSD. After applying this patch, you will be able to just run "./configure && make." Then you can copy the binaries to appropriate directories (/usr/sbin/ and /usr/bin/).

For Mac OS X 10.7 (Lion):

mkdir ntpd-fix
cd ntpd-fix
curl http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8.tar.gz | tar zxf -
cd ntp-4.2.8/ntpd
curl http://bugs.ntp.org/attachment.cgi?id=1165 | patch -p1
cd ..
./configure && make

Here's the list of files that will be built from the source above, and the folders they belong to. After compilation, all these files will be in various sub-folders.

/usr/bin/sntp
/usr/bin/ntp-keygen
/usr/bin/ntpq
/usr/sbin/ntpdc
/usr/sbin/ntpdate
/usr/sbin/ntpd

Rename old ones using something like:

sudo mv /usr/sbin/ntpd /usr/sbin/ntpd.old

and then move the new one in. Make sure to chown the files after moving them in place:

sudo chown root:wheel /usr/sbin/ntpd

Note: I did not use sudo make install because I didn't trust the Makefile (I wasn't sure it would place files in the same folders that Apple originally placed them in, and I wanted to be sure they're still in the same spot as the old ones). Manually moving 6 files is not a big issue. The rest of the files (man pages, HTML pages, etc.) are the same, so you don't have to bother moving those.
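The two checks that Solution 1 (is ntpd still running?) and Solution 2 (is the ntpd in place at least 4.2.8?) rely on, as an added script that is not from either answer. It assumes that `ntpd --version` prints "ntpd <version> ..." as ntp's autogen-built binaries do, and it avoids the classic `ps ax | grep ntp` pitfall of matching the grep itself.

```shell
#!/bin/sh
# Added example, not code from the original answers: is this host exposed?
# (1) look for a running ntpd in `ps ax` output without matching the grep
# itself, (2) compare ntpd's reported version with the 4.2.8 fix level
# that Solution 2 builds from source.

# Read `ps ax` output on stdin; return 0 if some process's COMMAND (field 5
# on both OS X and Linux) is ntpd. Testing only that field avoids counting
# "grep ntp" or ntpdate as a running daemon.
ntpd_in_ps() {
    awk '$5 ~ /(^|\/)ntpd$/ { found = 1 } END { exit !found }'
}

# Split "4.2.6p5" or "4.2.8@1.3265-o ..." into "major minor patch plevel";
# a missing "pN" suffix becomes plevel 0. Prints nothing if unparseable.
ntp_version_parts() {
    printf '%s\n' "$1" \
      | sed -n 's/^\([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)p*\([0-9]*\).*/\1 \2 \3 \4/p' \
      | awk '{ printf "%d %d %d %d\n", $1, $2, $3, $4 }'
}

# Return 0 if version $1 is 4.2.8 or newer, 1 if older, 2 if unparseable.
ntp_version_fixed() {
    set -- $(ntp_version_parts "$1")
    [ "$#" -eq 4 ] || return 2
    for want in 4 2 8 0; do
        [ "$1" -gt "$want" ] && return 0
        [ "$1" -lt "$want" ] && return 1
        shift
    done
    return 0
}

# Live check for the current machine. Assumes `ntpd --version` prints
# "ntpd <version> ..." as ntp's autogen-built binary does. Returns 0 when not
# exposed (no ntpd, or ntpd at 4.2.8+); an unknown version counts as exposed.
ntp_exposure_check() {
    if ! ps ax | ntpd_in_ps; then
        echo "ntpd is not running: not exposed through ntpd"
        return 0
    fi
    ver=$(ntpd --version 2>&1 | sed -n 's/^ntpd \([0-9][^ ]*\).*/\1/p' | head -n 1)
    if ntp_version_fixed "$ver"; then
        echo "ntpd $ver is running and is at least 4.2.8: fixed build"
        return 0
    fi
    echo "ntpd ${ver:-<unknown version>} is running and is older than 4.2.8: exposed"
    return 1
}
case "${1:-}" in --run) ntp_exposure_check ;; esac
```

Save it as ntp-check.sh and run `sh ntp-check.sh --run` before and after toggling the preference (or swapping the binary) to confirm the state actually changed.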

Solution 3:

  1. I've not dug into the documentation of the breach in detail. Normally ntp makes periodic queries to servers to get a correction. Once the drift of the local clock is established these queries aren't frequent.

  2. Most firewalls are configured to ignore request packets from the outside. Ntp I think uses UDP which is nominally stateless. Typically a firewall will let a UDP packet back in for a small window of time after a UDP packet has gone out. The return packet has to be from the right IP, and have the correct port. A black hat would have to either subvert your DNS server or subvert your NTP server.

So would someone explain how this threat is actually put into play, assuming that the person doesn't specify pool.ntp.org as his ntp server?


Ways around this:

  1. Build from source -- above.
  2. Use mac ports. This makes the installation fairly painless, although the initial build will take substantial time and a fair chunk of space. More information https://www.macports.org/

You can also use Fink or Homebrew this way, but MacPorts seems to be less dependent on Apple OS, so in the long run for an older system I suspect there will be less pain.

  3. Configure a non-vulnerable machine to be a local ntp server. Point vulnerable machines to the ntp server. At your firewall block both outbound and inbound for ntp for all but the ntpserver machine. When I ran a local school network, I had one machine (freebsd) that ran a bunch of network services, including ntp. It would then broadcast a single ntp packet every 64 seconds.