Network Time Protocol DoS Attacks

Friday, April 10, 2015 @ 04:04 PM gHale

Two since-patched vulnerabilities in ntpd, the open-source Network Time Protocol reference implementation, let an attacker on the network slip unauthenticated packets past symmetric-key authentication or stop two peers from synchronizing their clocks.

Red Hat security researcher Miroslav Lichvar reported the two holes: an ntpd configured with a symmetric key accepted packets that carried no message authentication code (MAC) at all, skipping verification instead of rejecting them (CVE-2015-1798), and a denial of service (DoS) condition arises when spoofed packets are sent between synchronized hosts (CVE-2015-1799).


The latter flaw affects installations that use symmetric-key authentication, from xntp3.3wy through ntp-4.2.8p1, and involves sending spoofed packets between two peering hosts that contain mismatched originate and transmit timestamps. The receiving host rejects such a packet, but it has already updated its state variables for that peer, so the peer's next genuine packet fails the timestamp checks too.

“An attacker who periodically sends such packets to both hosts can prevent synchronization,” the Carnegie Mellon University Computer Emergency Response Team said in a blog post. “An unauthenticated attacker with network access may be able to inject packets or prevent peer synchronization among symmetrically authenticated hosts.”
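As an added illustration (not code from ntpd, from the article, or from CERT/CC), the following Python models the two checks described above between a pair of symmetric-key peers. It is a deliberate simplification of ntpd's receive logic, not a reproduction of it: the peer state is a small subset of the RFC 5905 peer variables, the check order is chosen to expose each flaw, and the shared key, timestamps and attacker packets are constructed sample data. The packet layout and the legacy MD5 MAC (digest over key + 48-byte header) do follow RFC 5905.

```python
"""Simplified model of symmetric-key packet checks between two NTP peers.

Added example, not ntpd's code. It shows two flaw patterns from the text:
  * CVE-2015-1798 pattern: a MAC is verified only if one is present.
  * CVE-2015-1799 pattern: peer state is updated before the packet has been
    authenticated, so a rejected spoof still poisons the association.
Layout per RFC 5905: 48-byte header, then optionally key ID (4) + MD5 (16).
"""
import hashlib
import hmac
import struct

HEADER_LEN = 48
MAC_LEN = 4 + 16          # key ID + MD5 digest


def md5_mac(key: bytes, header: bytes) -> bytes:
    """Legacy NTP MD5 MAC: digest over the key followed by the header."""
    return hashlib.md5(key + header).digest()


def build_packet(org: int, xmt: int, key_id: int = 0, key: bytes = b"") -> bytes:
    """Mode-1 (symmetric active) packet; timestamps are raw 64-bit NTP values."""
    # li=0, vn=4, mode=1; stratum 2; poll 6; precision -20; root delay/disp/refid 0
    header = struct.pack("!BBBbIII", (4 << 3) | 1, 2, 6, -20, 0, 0, 0)
    header += struct.pack("!QQQQ", 0, org, 0, xmt)  # reference, originate, receive, transmit
    if not key:
        return header                                # unauthenticated: no MAC field at all
    return header + struct.pack("!I", key_id) + md5_mac(key, header)


class Peer:
    """What one host remembers about a symmetric peer it shares a key with."""

    def __init__(self, key_id: int, key: bytes, fixed: bool):
        self.key_id, self.key, self.fixed = key_id, key, fixed
        self.xmt = 0        # transmit timestamp of the last packet we sent to this peer
        self.org = 0        # transmit timestamp of the last packet we took from this peer

    def send(self, now: int) -> bytes:
        """Send to the peer; a genuine reply must echo `now` in its originate field."""
        self.xmt = now
        return build_packet(org=self.org, xmt=now, key_id=self.key_id, key=self.key)

    def mac_ok(self, header: bytes, trailer: bytes) -> bool:
        if not trailer:
            # Vulnerable: nothing to verify, so the packet passes (CVE-2015-1798).
            # Fixed: a key is configured for this peer, so a missing MAC is a failure.
            return not self.fixed
        if len(trailer) != MAC_LEN or struct.unpack("!I", trailer[:4])[0] != self.key_id:
            return False
        return hmac.compare_digest(trailer[4:], md5_mac(self.key, header))

    def receive(self, pkt: bytes) -> bool:
        header, trailer = pkt[:HEADER_LEN], pkt[HEADER_LEN:]
        p_org = struct.unpack_from("!Q", header, 24)[0]
        p_xmt = struct.unpack_from("!Q", header, 40)[0]
        if p_xmt <= self.org:
            return False                # old or duplicate: the peer's clock must move forward
        if not self.fixed:
            # Vulnerable: record the transmit timestamp before authenticating,
            # so even a rejected spoof moves self.org (CVE-2015-1799).
            self.org = p_xmt
        if not self.mac_ok(header, trailer):
            return False
        if p_org != self.xmt:
            return False                # bogus: does not echo the timestamp we last sent
        self.org = p_xmt                # fixed code updates state only after all checks
        return True


def simulate(fixed: bool) -> dict:
    """Host A peers with host B; an attacker who can reach A injects spoofed packets."""
    key = b"shared-symmetric-key"      # constructed sample key

    def honest_pair():
        a, b = Peer(1, key, fixed), Peer(1, key, fixed)
        b.receive(a.send(now=1000))     # one honest exchange so both sides hold
        a.receive(b.send(now=1001))     # each other's timestamps
        return a, b

    # 1) On-path forgery: the attacker reads A's plaintext transmit timestamp off the
    #    wire, echoes it as originate, and simply omits the MAC.
    a, _ = honest_pair()
    a.send(now=2000)                    # observed by the attacker, never reaches B
    forged_accepted = a.receive(build_packet(org=2000, xmt=7777))   # no key -> no MAC

    # 2) Blind spoof: random originate, far-future transmit, MAC under the wrong key.
    #    It is rejected either way; the question is whether B's genuine reply survives.
    a, b = honest_pair()
    b.receive(a.send(now=2000))
    spoof = build_packet(org=123456, xmt=2**63, key_id=1, key=b"wrong-key")
    spoof_accepted = a.receive(spoof)
    peer_reply_accepted = a.receive(b.send(now=2001))

    return {"forged_accepted": forged_accepted,
            "spoof_accepted": spoof_accepted,
            "peer_reply_accepted": peer_reply_accepted}


if __name__ == "__main__":
    print("vulnerable model:", simulate(fixed=False))
    print("fixed model:     ", simulate(fixed=True))
```

In the vulnerable model the no-MAC forgery is accepted outright, and although the blind spoof is rejected, it leaves `org` pointing into the far future so the real peer's reply is discarded as stale, which is the "periodically sends such packets" DoS described above. In the fixed model a configured key makes a MAC mandatory and state changes only after every check passes, so the forgery fails and the spoof leaves no trace.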

Sysadmins should update ntpd to ntp-4.2.8p2, or to their distribution's backported fix, and confirm the running build afterwards (`ntpd --version`, or the version string in the output of `ntpq -c rv`). Both bugs apply only to associations configured with symmetric keys (a `keys` file, `trustedkey`, and a `key` on the `peer` or `server` line); an association without a key had no authentication to bypass, but it also has none protecting it.

NTP synchronizes computer clocks across the Internet, and it is also a favorite of denial-of-service attackers, who bounce traffic off openly reachable servers to amplify it. That reflection abuse is unrelated to the two bugs above: it relies on monitoring queries such as `monlist`, which current ntpd releases disable by default and which `restrict default noquery` shuts off on older ones.
