NTP package upgrade to 2.4.8p9



  • Hi,

    I'm a newbie to pfSense (and this is my first post), however I have been using it as a virtual router for separate networks in my env.
    I'm using: 2.3.2-RELEASE on a VM image.
    My WAN IP gets scanned and I got a report that the NTP version is subject to: "NTP server is affected by a denial of service vulnerability".

    So I looked around a lot in different forums/sites etc to try and update the NTP server on my system (ntpd 4.2.8p8@1.3265) to 4.2.8p9. I have downloaded the 4.2.8p9.gz file but not sure how to install it (and whether I need to MAKE it). Not very savvy in that area either.

    I even modified the repos (mentioned in other PfSense links) to temporarily enable FreeBSD to see if I can update it from there but no luck when I try to run pkg update or pkg install ntp.
    I tried the pkg_add command but it is not found.

    Can someone help me with this?

    Thanks,
    Bharath


  • LAYER 8 Global Moderator

    You should be able to manually add it from the freebsd packages
    http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/ntp-4.2.8p9_1.txz

    I will try doing it on my install.. Post back the instruction..

    edit:  Ok not going to recommend you do this..  Best solution would be to request that pfsense add this to their repo..

    So you can grab the above, and seems you also need
    http://pkg.freebsd.org/freebsd:10:x86:64/latest/All/libwww-5.4.0_6.txz

    so use fetch with the above urls - then install with

    pkg install ntp-4.2.8p9_1.txz
    pkg install libwww-5.4.0_6.txz

    then you will see that your ntp is updated

    [2.3.2-RELEASE][root@pfsense.local.lan]/tmp: ntpd --help
    ntpd - NTP daemon program - Ver. 4.2.8p9
    Usage:  ntpd [ - <flag>[<val>] | --<name>[{=| }<val>] ]...
                    [ <server1>... <servern>]

    Again do this at your own risk, normally bad idea to install packages on your own..

    What I highly suggest if you're going to do it, since you're on a VM, take a snapshot!!!  Then if update of the "libmd5.so.0" breaks anything you can just rollback

    edit: my links are to 64bit, if for some odd reason you're on 32bit do not use those links.


  • Banned

    To state the obvious, you should NOT open NTP on your WAN in the first place.


  • LAYER 8 Global Moderator

    ^ agreed!!  Unless you fully know what you're doing ;)  I wouldn't host ntp to the public internet off my firewall for example.. But I do serve up ntp to ntp pool from stratum 1 ntp server I run inside..

    But maybe pfsense is internal to his network, and wan on his pfsense is not really "public"

    "been using it as a virtual router for separate networks in my env. "

    Maybe he has some internal security process that is scanning their internal devices and giving him grief.. If this is an internal ntp server I really don't see the issues with p8 being a problem..



  • Note that 2.3.3-DEVELOPMENT and 2.4-BETA have p9:

    [2.3.3-DEVELOPMENT][root@pfSense.localdomain]/root: ntpd --version
    ntpd 4.2.8p9@1.3265-o Mon Jan  2 18:58:30 UTC 2017 (1)
    
    
    [2.4.0-BETA][root@pfSense.localdomain]/root: ntpd --version
    ntpd 4.2.8p9@1.3265-o Mon Jan  2 18:55:14 UTC 2017 (1)
    
    

    Of course that is not much help if you are not in a position to update to a DEV/BETA.



  • Thank you guys. Yes, both comments are valid:

    To state the obvious, you should NOT open NTP on your WAN in the first place.

    But maybe pfsense is internal to his network, and wan on his pfsense is not really "public"

    Yes, the WAN is not public, however IT Nessus scans can see it as the machine is 'public' to them. I've modified the NTP settings and have enabled NTP only on the LAN interface and after rescanning the system the scan doesn't show the security hole anymore.

    The reason I wanted to patch it myself is to understand how it can be done and moreover actually plug the hole.
    I have already taken a snapshot of the PfSense VM so I will try with the URL mentioned to install 4.2.8p9.

    Thanks again
    Bharath



  • @ johnpoz

    Thank you for the steps to download/install the patch. It worked perfectly! I didn't know of that URL to fetch the FreeBSD packages although I came across similar ones.

    Bharath
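
An added example (not part of any post in this thread and not pfSense tooling): a POSIX shell check that reads an ntpd version line in either format shown above and reports whether it is at or above 4.2.8p9. The function names are hypothetical and the sample lines are constructed from the output quoted in the thread.

```sh
#!/bin/sh
# Added example: compare an ntpd version string against a minimum release.

# Extract the first "X.Y.Z" or "X.Y.ZpN" token from a line of ntpd/pkg output.
ntp_version_of() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+(p[0-9]+)?' | head -n 1
}

# ntp_at_least <found> <minimum>: exit 0 if found >= minimum.
# Fields are compared numerically; a missing pN counts as patch level 0.
ntp_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, /[.p]/); split(b, y, /[.p]/)
        for (i = 1; i <= 4; i++) {
            xi = x[i] + 0; yi = y[i] + 0
            if (xi != yi) exit (xi > yi ? 0 : 1)
        }
        exit 0
    }'
}

# check_ntpd "<version line>" [minimum]
# Returns 0 if up to date, 1 if outdated, 2 if no version was found.
check_ntpd() {
    found=$(ntp_version_of "$1")
    min=${2:-4.2.8p9}
    if [ -z "$found" ]; then
        echo "UNKNOWN: no version in: $1"
        return 2
    fi
    if ntp_at_least "$found" "$min"; then
        echo "OK: ntpd $found >= $min"
    else
        echo "OUTDATED: ntpd $found < $min"
        return 1
    fi
}

# Constructed sample input, using the version lines quoted in this thread.
# On a live system: check_ntpd "$(ntpd --version 2>&1 | head -n 1)"
while IFS= read -r line; do
    check_ntpd "$line" || true
done <<'EOF'
ntpd 4.2.8p8@1.3265
ntpd - NTP daemon program - Ver. 4.2.8p9
ntpd 4.2.8p9@1.3265-o Mon Jan  2 18:58:30 UTC 2017 (1)
EOF
```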

