Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Critical #NTP Vulnerability in ntpd prior to 4.2.8 SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Critical #NTP Vulnerability in ntpd prior to 4.2.8

The Google security team discovered several vulnerabilities in current NTP implementations, one of which can lead to arbitrary code execution [1][2]. NTP servers prior to version 4.2.8 are affected. 

There are some rumors about active exploitation of at least some of the vulnerabilities Google discovered.

Make sure to patch all publicly reachable NTP implementations as fast as possible. 

Mitigating Circumstances: 

Try to block inbound connections to ntp servers who do not have to be publicly reachable. However, be aware that simple statefull firewalls may not track UDP connections correctly and will allow access to internal NTP servers from any external IP if the NTP server recently established an outbound connection.

ntpd typically does not have to run as root. Most Unix/Linux versions will configure NTP using a lower privileged users.

According to the advisory at ntp.org, you can also:

Disable Autokey Authentication by removing, or commenting out, all configuration directives beginning with the crypto keyword in your ntp.conf file.

A few Ubuntu and CentOS systems I tested, as well as OS X systems, do not seem to use autokey. 

[1] http://www.kb.cert.org/vuls/id/852879
[2] http://support.ntp.org/bin/view/Main/SecurityNotice

CVE Impact Details
CVE-2014-9293 authentication ntp will create a weak key if none is provided in the configuration file.
CVE-2014-9294 authentication ntp-keygen uses a weak seed to create random keys
CVE-2014-9295 remote code execution A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process.
CVE-2014-9296 missing error message In the NTP code, a section of code is missing a return, and the resulting error indicates processing did not stop.

 

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn

I will be teaching next: Defending Web Applications Security Essentials - SANS San Francisco Spring 2020

 Johannes

3693 Posts
ISC Handler
Subscribe Dec 20th 2014
4 years ago
Did they ever fix the silent crash bug in 4.2.7? I'm still on 4.2.6. Good thing I stopped letting the public access my NTP server... The 200,000 connection packet floods were getting excessive.
 Anonymous
Quote Dec 20th 2014
4 years ago

Sign Up for Free or Log In to start participating in the conversation!