Network Time Protocol Vulnerabilities

Monday, December 22, 2014 @ 01:12 PM gHale

There are multiple vulnerabilities with the Network Time Protocol (NTP), according to a report on ICS-CERT.

Since NTP is used within operational Industrial Control Systems deployments, ICS-CERT issued a release to make asset owners and operators aware of the issues and to identify mitigations for possibly affected devices. Google Security Team researchers Neel Mehta and Stephen Roettger have coordinated multiple vulnerabilities with CERT/CC.

These remotely exploitable vulnerabilities are publicly available. Products using an NTP service prior to NTP-4.2.8 are affected. No specific vendor is named because this is an open source protocol.

Exploitation of these vulnerabilities could allow an attacker to execute arbitrary code with the privileges of the ntpd process.

NTP, described in RFC 958, is an open source collaboration and is used to synchronize system time over a network.

If no authentication key is set in the configuration file, ntpd will generate a weak random key with insufficient entropy.

This vulnerability was resolved in NTP-dev4.2.7p11 on January 28, 2010.

CVE-2014-9293 is the case number assigned by CERT/CC to this vulnerability, which has a CVSS v2 base score of 7.3.

Prior to NTP-4.2.7p230, ntp-keygen used a weak seed to prepare its random number generator. The random numbers it produced were then used to generate symmetric keys.

This vulnerability was resolved in NTP-dev4.2.7p230 on November 1, 2010.

CVE-2014-9294 is the case number assigned by CERT/CC to this vulnerability, which has a CVSS v2 base score of 7.3.

A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to execute with the privilege level of the ntpd process. All NTP4 releases before 4.2.8 are vulnerable.

This vulnerability was resolved in NTP-stable4.2.8 on December 19, 2014.

CVE-2014-9295 is the case number assigned by CERT/CC to this vulnerability, which has a CVSS v2 base score of 7.3.

A section of the NTP code is missing a return, so processing does not stop when a specific, rare error occurs. This does not appear to affect system integrity. All NTP Version 4 releases before Version 4.2.8 are vulnerable.

This vulnerability was resolved in NTP-stable 4.2.8 on December 19, 2014.

CVE-2014-9296 is the case number assigned by CERT/CC to this vulnerability, which has a CVSS v2 base score of 5.0.

An attacker with low skill would be able to exploit these vulnerabilities.

All NTP Version 4 releases prior to Version 4.2.8 are vulnerable and need to be updated to Version 4.2.8.

ICS-CERT strongly encourages CIKR users to back up current operational ICS configurations, and thoroughly test the updated software for system compatibility on a test system before attempting deployment on operational systems.
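
The fix releases listed above can be turned into an inventory check that reports which of the four CVEs a given ntpd version still predates. This is an added example, not code from ICS-CERT or the NTP project; the function names are hypothetical and the hostnames and version banners are constructed.

```python
import re

# Fix releases as stated in the article: (major, minor, micro, patch level).
FIXED_IN = {
    "CVE-2014-9293": (4, 2, 7, 11),   # weak generated key: NTP-dev4.2.7p11
    "CVE-2014-9294": (4, 2, 7, 230),  # weak ntp-keygen seed: NTP-dev4.2.7p230
    "CVE-2014-9295": (4, 2, 8, 0),    # stack buffer overflow: NTP-stable4.2.8
    "CVE-2014-9296": (4, 2, 8, 0),    # missing return: NTP-stable4.2.8
}
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

def parse_ntp_version(banner):
    """Return (major, minor, micro, patch) from a version banner, or None."""
    m = VERSION_RE.search(banner)
    return tuple(int(g or 0) for g in m.groups()) if m else None

def open_cves(banner):
    """List the CVEs from the article whose fix release this version predates."""
    version = parse_ntp_version(banner)
    if version is None or version[0] != 4:
        raise ValueError("no NTP Version 4 release found in %r" % banner)
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)

# Constructed inventory: hostnames and banners are made up for this example.
SAMPLE_INVENTORY = {
    "hmi-01": "ntpd 4.2.6p5@1.2349-o Fri Apr 13 12:52:27 UTC 2012 (1)",
    "plc-gw": "ntpd 4.2.7p26",
    "hist-02": "ntpd 4.2.7p404",
    "eng-ws": "ntpd 4.2.8@1.3265-o",
    "rtu-07": "version string unavailable",
}

def triage(inventory):
    """Map each host to its open CVEs, or None when the version is unreadable."""
    report = {}
    for host, banner in inventory.items():
        try:
            report[host] = open_cves(banner)
        except ValueError:
            report[host] = None  # needs manual follow-up, not "clean"
    return report

if __name__ == "__main__":
    for host, cves in triage(SAMPLE_INVENTORY).items():
        status = "UNKNOWN" if cves is None else (", ".join(cves) or "no listed CVE open")
        print(f"{host}: {status}")
```

Vendor or distribution packages may carry backported fixes without changing the reported version, so a flagged host should be confirmed against the supplier's own advisory.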

CERT/CC has published a Vulnerability Note on these vulnerabilities.
