Six NTP Daemon Holes Patched

Wednesday, May 4, 2016 @ 01:05 PM gHale

Cisco handed over Network Time Protocol daemon (ntpd) vulnerabilities to the Linux Foundation’s Core Infrastructure Initiative.

The vulnerabilities, discovered during Cisco’s ongoing ntpd evaluation, “allow attackers to craft UDP packets to either cause a denial of service condition or to prevent the correct time being set”, Cisco’s Talos Security Intelligence and Research Group said in a post.

Microsoft Patches Office 365
New Malware Goes Modular
New Ransomware Steals Bitcoin, Passwords
Website Ransomware Not Viable – Yet

First on the list is CVE-2016-1550, which is an NTP authentication potential timing vulnerability. In this case, a successful attack on a 128 bit key shared between co-ordinating systems would let the attacker spoof NTP packets (and therefore set the target system to the wrong time.

CVE-2016-1551, an NTP refclock impersonation vulnerability, is less serious. The vulnerability means packet spoofing would let the attacker alter the target’s time, if the packets originate from the address range as trusted.

However, the range should filter out by operating systems or routers, and should rarely end up encountered by the daemon.

CVE-2016-1549 is an NTP ephemeral association sybil vulnerability. The protocol supports the creation of peer associations for systems to agree on a common reference time.

The problem is there is no limit to how many peers can share the same key, and that means if an attacker can discover the key, they can set up malicious peers. With enough malicious peers sharing the wrong time, they can “drown out” the correct time.

CVE-2016-1547, “demobilization of preemptible associations”, is a denial-of-service vulnerability. The attacker can spoof the address of a machine in a crypto-NAK packet, and that breaks the association between peers in the system.

CVE-2016-1548 is the “Xleave pivot: NTP basic mode to interleaved.” The attacker can use this vulnerability to break the association between client and server, and impersonate the server to set the wrong time at the client.

The vulnerabilities ended up fixed in NTP version 4.2.8p7.