PCI Compliance NTP

marcus178
Posts: 2
Joined: 2012/01/15 23:05:37

PCI Compliance NTP

Post by marcus178 » 2012/01/15 23:10:46

I'm currently trying to get CentOS 5.7 PCI compliant but keep getting the following in regard to NTP:

Description: Possible vulnerability in ntpd
Severity: Potential Problem
CVE: CVE-2001-0414
Impact: If this vulnerability is present, a remote attacker could gain root access to an affected system.
Resolution: [url=http://www.ntp.org/downloads.html]NTP Software Downloads[/url] Upgrade to NTP 4.2.4p8 or higher, or upgrade as designated by Linux vendor

I'm currently on 4.2.2p1 and can't find any way to upgrade. Any suggestions would be welcome.
[Moderator edit: Fix URL.]

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: PCI Compliance NTP

Post by TrevorH » 2012/01/16 00:06:37

Generally the way to check is to run

[code]
rpm -q --changelog ntp | grep CVE-xxxx-xxxx
[/code]

but in this case it does not work because it seems that CVE is so old that it predates Red Hat adding CVE numbers to their changelog. However, there is an entry in the changelog:

[quote]
* Thu Apr 05 2001 Preston Brown
- security patch for ntpd
[/quote]

and since that's the day after CVE-2001-0414 is dated, I think it's a reasonable assumption that it is the fix. I'm also not quite sure of the recommendation to upgrade to 4.2.4 or higher: since 4.2.2 was released in 2006, I would really expect it to contain the fix for a security problem reported in 2001! The CVE itself says to upgrade to later than 4.0.99k to fix the problem, so this also means that 4.2.2 is OK. What [u]is[/u] fixed in 4.2.4p8 is CVE-2009-1252, and that does have an entry in the changelog for RHEL's 4.2.2.

Mods: the link in the OP's post leads nowhere because of a trailing "]"
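Added example, not from the thread and not code from the ntp, Red Hat or CentOS projects: a small Python script that performs the two checks TrevorH describes against `rpm -q --changelog` output. The first is the `grep CVE-xxxx-xxxx` check, done on whole CVE ids and case-insensitively so that `CVE-2009-125` cannot match `CVE-2009-1252`. The second is the fallback for CVEs older than CVE tagging in the changelog: look for entries dated shortly after the CVE that mention a security fix. The embedded changelog is constructed for the example; only the 2001 "security patch for ntpd" entry is the one quoted above, while the 2009 entry, its author and its version string are made up, and the 2001-04-04 date is inferred from the remark above that the entry is the day after the CVE is dated.

```python
import re
import sys
from datetime import date, datetime, timedelta

# Constructed sample of `rpm -q --changelog ntp` output.  The 2001 entry is
# the one quoted in the thread; the 2009 entry, its author and its version
# string are made up for this example and are NOT the real package changelog.
SAMPLE_CHANGELOG = """\
* Mon Jun 01 2009 Example Maintainer <maint@example.com> 4.2.2p1-9.el5.example
- fix stack overflow in the autokey code (CVE-2009-1252)

* Thu Apr 05 2001 Preston Brown
- security patch for ntpd
"""

# Date inferred from the thread: the changelog entry is "the day after
# CVE-2001-0414 is dated" (assumption, not taken from the CVE record).
CVE_2001_0414_PUBLISHED = date(2001, 4, 4)

# rpm prints one header per entry: "* <Dow> <Mon> <dd> <yyyy> <author ...>"
HEADER_RE = re.compile(r"^\* ([A-Za-z]{3} [A-Za-z]{3} \d{1,2} \d{4}) (.*)$")
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}", re.IGNORECASE)
SECURITY_WORDS = ("security", "vulnerab", "overflow", "exploit")


def parse_changelog(text):
    """Split rpm changelog text into entries: date, author, body lines, CVE ids."""
    entries = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            when = datetime.strptime(m.group(1), "%a %b %d %Y").date()
            entries.append({"date": when, "who": m.group(2).strip(),
                            "lines": [], "cves": set()})
        elif entries and raw.strip():
            line = raw.strip()
            entries[-1]["lines"].append(line)
            entries[-1]["cves"].update(c.upper() for c in CVE_RE.findall(line))
    return entries


def has_cve_fix(text, cve):
    """Whole-id, case-insensitive version of `rpm -q --changelog ntp | grep CVE-...`."""
    wanted = cve.upper()
    return any(wanted in e["cves"] for e in parse_changelog(text))


def security_entries_near(text, published, window_days=30):
    """Fallback for CVEs that predate CVE ids in changelogs: entries dated within
    window_days after `published` whose body mentions a security fix.
    A hit here is circumstantial evidence, not proof of the fix."""
    hits = []
    for e in parse_changelog(text):
        in_window = published <= e["date"] <= published + timedelta(days=window_days)
        mentions = any(w in l.lower() for l in e["lines"] for w in SECURITY_WORDS)
        if in_window and mentions:
            hits.append(e)
    return hits


def audit(text, cve, published=None):
    """Return 'fixed', 'probable' or 'unknown' for one CVE against one changelog."""
    if has_cve_fix(text, cve):
        return "fixed"
    if published is not None and security_entries_near(text, published):
        return "probable"
    return "unknown"


if __name__ == "__main__":
    # Usage: rpm -q --changelog ntp | python3 cve_changelog.py CVE-2009-1252 [YYYY-MM-DD]
    cve_id = sys.argv[1]
    pub = date.fromisoformat(sys.argv[2]) if len(sys.argv) > 2 else None
    changelog = SAMPLE_CHANGELOG if sys.stdin.isatty() else sys.stdin.read()
    print(cve_id, audit(changelog, cve_id, pub))
```

Run it against the real package with `rpm -q --changelog ntp | python3 cve_changelog.py CVE-2001-0414 2001-04-04`. A "probable" result only says that a security-related entry landed in the window; the authoritative confirmation is the vendor's own CVE page or errata, which is what the backporting policy linked in the next post points the scanner operator to.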

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America

PCI Compliance NTP

Post by pschaff » 2012/01/16 03:37:48

Seems like yet another case of the stupidity of PCI compliance checks that are more concerned with version numbers than actual security. Please point your PCI police to [url=http://wiki.centos.org/FAQ/General?highlight=%28TUV%29#head-d29a2b7e61ffc544973098f9dd49fe4663efba50]TUV[/url]'s policy of [url=http://www.redhat.com/security/updates/backporting/]Backporting of Security Fixes[/url].

marcus178
Posts: 2
Joined: 2012/01/15 23:05:37

Re: PCI Compliance NTP

Post by marcus178 » 2012/01/16 09:38:52

Thanks everyone for the advice. I will see how I get on.
