The Network Time Foundation's NTP Project recently patched a proof-of-concept exploit for a vulnerability in the...
NTP daemon that could crash a server with a single packet. How does this exploit work? What's the threat posed to enterprises, and how can they mitigate it?
There were multiple vulnerabilities recently discovered in the Network Time Protocol (NTP) daemon, along with a patch to remediate them. A patch for this specific vulnerability -- named NTP 4.2.8p9 -- was released by the Network Time Foundation Project (NTFP).
A researcher named Magnus Stubman discovered the vulnerability and, instead of going public, took the mature route and privately informed the community of his findings. The remediation was part of the NTP 4.2.8p9 release. Stubman has written that the vulnerability he discovered could allow unauthenticated users to crash NTPF with a single malformed UDP packet, which will cause a null point dereference (you can read more about the technical details of the exploit of the NTP daemon from Stubman on his personal website). This means that an attacker could be able to craft a UDP packet towards the service, resulting in an exception bypass that can cause the process to crash.
This denial-of-service (DoS) attack on the NTP daemon is dangerous because all systems rely on synchronizing their time within milliseconds of each other to properly operate, keep authentication protocols working smoothly, timestamp for compliance, correlate security logs and so on. Without the NTP daemon working properly in an environment, errors could cascade quickly throughout the network. The threat to the environment is real, and if it's not patched, an attacker could take advantage of this vulnerability.
This particular vulnerability is only affecting Windows at this time, and patching it should be a priority for anyone running the NTP daemon on a Windows systems. As mentioned previously, this particular DoS attack against NTP could incapacitate a time server and cause havoc in the network. The easiest fix is to apply the NTP patch 4.2.8p9, which also fixes multiple other issues with NTP, but there are other fixes as well.
The bug's release notes on the NTP Project website mention a few other techniques available to mitigate the exploit if patching the system isn't possible for some reason. These include only allowing mrulist query packets from hosts that the server trusts. This would be a configuration change on the server and would require a detailed understanding of the network. Implementation of antispoofing and network ingress filtering using BCP 38 to limit what can reach the server are good starting points. Lastly, the release notes mention monitoring the NTP daemon to determine if it has crashed, and to set it to automatically restart if it goes down.
These particular workarounds will keep NTP stable from the DoS attack Stubman found, but they won't mitigate the vulnerability. The best way to protect your systems against the vulnerability is to patch the application.
NTP is important to your network and patching and protecting it should be a priority. Determine which method is right for your organization and take action to defend against this vulnerability.
Ask the Expert:
Want to ask Matt Pascucci a question about security? Submit your question now via email. (All questions are anonymous.)
Read a chapter of Industrial Network Security from publisher Syngress
Learn more about modern network security threats
Find out whether DMZ networks still benefit enterprise security
Dig Deeper on IPv6 security and network protocols security
Related Q&A from Matthew Pascucci
While there are no set rules, there are some security recommendations when it comes to virtual machines running on one host. Learn the best practices...continue reading
Poisoned search results have spread the Zeus Panda banking Trojan throughout Google. Learn what this means, how search engine poisoning works and ...continue reading
A report from CrowdStrike highlights the growth of malware-less attacks using certain command-line tools. Learn how to handle these growing attacks ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.