More NTP Holes Fixed

Wednesday, October 28, 2015 @ 01:10 PM gHale

An update has been released for the Network Time Protocol (NTP) to address a series of low- and medium-severity vulnerabilities reported by researchers from Cisco, Red Hat, IDA, Boston University, and Tenable Networks.

NTP is a protocol used to synchronize clocks between computer systems on a network. While NTP is highly useful, it also has had a series of security flaws, and it has often been the victim of distributed denial-of-service (DDoS) attacks.


The latest update to NTP, ntp-4.2.8p4, patches 13 flaws, including denial-of-service (DoS), directory traversal, memory corruption, authentication bypass, and file overwrite issues.

The only generally exploitable bug, with a CVSS score of 6.4, is a crypto-NAK issue (CVE-2015-7871) uncovered by researchers at Cisco, according to an advisory published by the NTP Project.

The vulnerability, which stems from a logic error in how the Network Time Protocol daemon (ntpd) handles certain crypto-NAK packets, can be exploited by an unauthenticated off-path attacker to force ntpd processes to peer with malicious time sources and thereby change the system time.

Once they manage to change the system time, attackers can authenticate to services using expired passwords and accounts; bypass web security mechanisms such as HTTP STS and certificate pinning; cause TLS clients to accept revoked and expired certificates; damage systems; deny service to authentication systems and services that rely on time-limited authentication tickets; and degrade system performance by forcing caching systems such as content delivery networks (CDNs) and DNS to flush their caches.

“This vulnerability has been confirmed in ntp version 4.2.8p3. The vulnerable code path was introduced in ntp version 4.2.5p186 (late 2009). Therefore, all ntp-4 stable releases from 4.2.5p186 through 4.2.8p3 appear to be vulnerable. All ntp-4 development versions from 4.3.0 through, at least, 4.3.76 also appear to be vulnerable,” Cisco said.

The networking giant is figuring out which of its products suffer from the vulnerabilities patched with the release of ntp-4.2.8p4. The company will then release software updates to patch the security holes.
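As an added example (not from the article, Cisco, or the NTP Project), the version ranges Cisco lists above can be turned into a quick inventory check. It assumes the input is either a bare release number or the `ntpd 4.2.8p3@...` style line that ntpd prints, and it takes the advisory's "at least 4.3.76" literally by reporting later development builds as unknown rather than safe:

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, point, patch)

# Pulls "4.2.8p3" out of a bare version or an "ntpd 4.2.8p3@1.3265-o" line (assumed format).
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Return the first NTP version found in text as a comparable tuple, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, point, patch = m.groups()
    return (int(major), int(minor), int(point), int(patch or 0))


# Ranges exactly as quoted from Cisco's advisory on this page.
STABLE_FIRST = parse_version("4.2.5p186")   # vulnerable code path introduced here
STABLE_LAST = parse_version("4.2.8p3")      # last vulnerable stable release
FIXED_STABLE = parse_version("4.2.8p4")     # the release that patches the 13 flaws
DEV_FIRST = parse_version("4.3.0")
DEV_LAST = parse_version("4.3.76")          # advisory says "at least" 4.3.76


def assess(text: str) -> str:
    """Classify an ntpd version string against the ranges Cisco published."""
    v = parse_version(text)
    if v is None:
        return "unparseable"
    if v[:2] == (4, 2):
        if STABLE_FIRST <= v <= STABLE_LAST:
            return "vulnerable"
        return "patched" if v >= FIXED_STABLE else "not in listed range"
    if v[:2] == (4, 3):
        if DEV_FIRST <= v <= DEV_LAST:
            return "vulnerable"
        # Newer development builds were not enumerated by the advisory.
        return "unknown"
    return "not in listed range"


if __name__ == "__main__":
    for sample in ("ntpd 4.2.8p3@1.3265-o", "4.2.8p4", "4.3.50", "4.3.80"):
        print(f"{sample:25s} -> {assess(sample)}")
```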

After the NTP Project released the update addressing the vulnerabilities discovered by Boston University researchers (CVE-2015-7704 and CVE-2015-7705), the researchers published a paper detailing their findings.

The researchers detailed a method an on-path attacker can use to hijack traffic to the NTP server and change the time on its clients. They also described a technique an off-path attacker located anywhere on the targeted organization’s network can use to disable NTP synchronization via a low-rate denial-of-service attack.

According to Boston University researchers, an off-path attacker can also use IPv4 fragmentation to hijack the NTP connection between the client and server to alter time.

The impact of these vulnerabilities is generally similar to the attack scenarios described by Cisco. However, Boston University also described a scenario affecting the digital currency Bitcoin.

“Bitcoin is a digital currency that allows a decentralized network of nodes to arrive at a consensus on a distributed public ledger of transactions, aka ‘the blockchain’. The blockchain consists of timestamped ‘blocks’; bitcoin nodes use computational proofs-of-work to add blocks to the blockchain,” the researchers said in their paper. “Because blocks should be added to the blockchain according to their validity interval (about 2 hours), an NTP attacker can trick a victim into rejecting a legitimate block, or into wasting computational power on proofs-of-work for a stale block.”

An NTP server fragmentation vulnerability testing tool made available by Boston University allows organizations to check their configuration simply by entering their IP address or domain name.
