Researchers have uncovered several vulnerabilities in the Network Time Protocol (NTP), used to synchronize time across computers and servers around the world. The flaws represent an opportunity for attackers to potentially compromise a wide array of vulnerable systems.
Neel Mehta and Stephen Roettger, both members of Google Inc.'s security team, reported a total of eight NTP security flaws to the Network Time Foundation, overseers of the research-focused NTP Project, including multiple problems with weak keys being generated by the protocol.
Among the most serious of the vulnerabilities is CVE-2014-9295, a buffer-overflow flaw that an NTP Project advisory noted could be triggered remotely by a single, carefully crafted packet. A successful exploit of CVE-2014-9295 could allow an attacker to execute malicious code at the same privilege level as the ntpd process.
The NTP Project added in its advisory that the two most serious vulnerabilities have already been addressed with last week's release of NTP version 4.2.8, and another patch is planned within a month to resolve the lingering issues.
A separate warning from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) cautioned that NTP is widely used within ICS deployments and that an attacker with minimal skills could exploit the NTP vulnerabilities. ICS-CERT also warned that exploits targeting the flaws are already being circulated, though no information on the exploits was immediately available.
Enterprise impact: 'Numerous systems' run NTP
As for how to respond to these NTP vulnerabilities, Rob VandenBrink, senior consulting engineer for Toronto-based solution provider Metafore Technologies Inc., said on the SANS Institute's Internet Storm Center blog that organizations should be aware of the numerous systems on a network running NTP that wouldn't typically be associated with the project. That could include routers, switches, VoIP gateways, mail servers and more.
According to VandenBrink, his attempt to scan servers for the NTP security vulnerabilities produced immediate results.
"In these days of auto-updates, you would think that most NTP servers would be patched against the vulnerabilities found by the Google team," said VandenBrink. "However, it only took until the second host checked to find a very out of date server. Unfortunately, it's the main NTP server of a large Canadian ISP (Oops)."
NTP already made headlines earlier this year when a reflection-driven DDoS attack made use of the protocol and its huge amplification factor to commit one of the largest DDoS attacks ever recorded. As a result, enterprises have begun paying more attention to NTP amplification, though holes are obviously still present.