Update to NTP Vulnerabilities

Thursday, February 5, 2015 @ 07:02 PM gHale

There is an update to the Network Time Protocol (NTP) vulnerabilities ICS-CERT reported in December.

As NTP sees use within operational industrial control systems deployments, ICS-CERT is providing this information for U.S. critical infrastructure asset owners and operators for awareness and to identify mitigations for affected devices.

RELATED STORIES
Ruggedcom Vulnerabilities Fixed
Siemens Fixes SCALANCE Hole
HART DTM Vulnerability a Small Risk
Honeywell Updates HART DTM Vulnerability

Google Security Team researchers Neel Mehta and Stephen Roettger have coordinated multiple remotely exploitable vulnerabilities with CERT/CC concerning the NTP.

Products using NTP service prior to ntp-4.2.8p1 suffer from the issue. This is an open source protocol.

ICS-CERT sent out a query to vendors to develop a list of products that would feel the impact of the vulnerability. Over 20 vendors responded with information regarding if their products suffered from this NTP vulnerability. There is a supplemental report containing affected product information.

Exploitation of these vulnerabilities could allow an attacker to execute arbitrary code with the privileges of the ntpd process.

NTP is described in RFC 958, 1305, and 5905; IETF Standards documents that describe the protocol and algorithms used to synchronize time over a network. The reference implementation of these Standards comes from the open source project via the University of Delaware and Network Time Foundation, and is in wide use.

If the authentication key is not set in the configuration file, ntpd will generate a weak random key with insufficient entropy.

This vulnerability ended up resolved with NTP-dev4.2.7p11 on January 28, 2010.

CVE-2014-9293 is the case number assigned by CERT/CC to this vulnerability, which has a CVSS v2 base score of 7.3.

Prior to NTP-4.2.7p230, ntp-keygen used a weak seed to prepare a random number generator. The random numbers produced then generated symmetric keys.

This vulnerability ended up fixed with NTP-dev4.2.7p230 on November 1, 2010.

CVE-2014-9294 is the case number assigned by CERT/CC to this vulnerability, which has a CVSS v2 base score of 7.3.

In addition, a remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to execute with the privilege level of the ntpd process. All NTP4 releases before 4.2.8 are vulnerable.

This vulnerability ended up resolved with NTP-stable4.2.8 on December 19, 2014.

CVE-2014-9295 is the case number assigned by CERT/CC to this vulnerability, which has a CVSS v2 base score of 7.5.

In the NTP code, a section of code is missing a return, and the resulting error indicates processing did not stop. This indicated a specific rare error occurred, which does not appear to affect system integrity. All NTP Version 4 releases before Version 4.2.8 are vulnerable.

This vulnerability ended up fixed with NTP-stable4.2.8 on December 19, 2014.

CVE-2014-9296 is the case number assigned by CERT/CC to this vulnerability, which has a CVSS v2 base score of 5.0.

The IPv6 address ::1 can end up spoofed, allowing an attacker to bypass access control lists (ACLs) based on ::1. All NTP4 releases before 4.2.8 are vulnerable. Linux and slightly older Mac OSX kernels are vulnerable, but other tested OSes are not vulnerable to the ::1 spoofing. Proper firewall rulings can mitigate this problem. As this issue may be a kernel issue, rather than NTPD, source-IP based ACLs may be vulnerable as well.

This vulnerability ended up resolved with NTP-stable4.2.8p1 on February 04.

CVE-2014-9297 is the case number assigned by CERT/CC to this vulnerability, which has a CVSS v2 base score of 9.0.

The length value in extension field pointers is not properly validated, allowing information leaks. All NTP Version 4 releases before Version 4.2.8 are vulnerable.

This vulnerability ended up fixed with NTP-stable4.2.8p1 on February 04.

CVE-2014-9298 is the case number assigned by CERT/CC to this vulnerability, which has a CVSS v2 base score of 7.5.

No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill and an exploit script would be able to exploit these vulnerabilities. A higher-level of skill would be necessary to craft usable exploit scripts.

All NTP Version 4 releases, prior to Version 4.2.8p1, are vulnerable and users should update to Version 4.2.8p1.

ICS-CERT strongly encourages CIKR users to backup current operational ICS configurations, and thoroughly test the updated software for system compatibility on a test system before attempting deployment on operational systems.

Click here for view the CERT/CC Vulnerability Note.

The NTP project recommends updating firewall rules to disallow ::1 packets from incoming physical Ethernet ports (mitigation for CVE-2014-9297).

Additional mitigation guidance and recommended practices are publicly available in the following two publications:
• Best Practices for Improved Robustness of Time and Frequency Source in Fixed Locations, that is available for download from the ICS-CERT web site.
• ICS CERT Technical Information Paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.



Leave a Reply

You must be logged in to post a comment.