Security Experts:

New NTP Vulnerabilities Put Networks at Risk

The Network Time Foundation’s NTP Project has released an update for the Network Time Protocol (NTP) to address a series of low and medium severity vulnerabilities reported by experts from Cisco, Red Hat, IDA, Boston University, and Tenable Networks.

NTP is a protocol used to synchronize clocks between computer systems on a network. While NTP is highly useful, it’s also known to be plagued by various security flaws, and it has often been abused to amplify distributed denial-of-service (DDoS) attacks.

The latest update to NTP, ntp-4.2.8p4, patches a total of 13 flaws, including denial-of-service (DoS), directory traversal, memory corruption, authentication bypass, and file overwrite issues.

“NAK to the Future” Vulnerability

According to an advisory published by the NTP Project on Wednesday, the only generally exploitable bug, with a CVSS score of 6.4, is a crypto-NAK issue (CVE-2015-7871) uncovered by researchers at Cisco.

The vulnerability, which exists due to a logic error in the handling of certain crypto-NAK packets by the Network Time Protocol daemon (ntpd), can be exploited by an unauthenticated off-path attacker to force ntpd processes to peer with malicious time sources in an effort to make changes to the system time.

Once they manage to change system time, attackers can authenticate to services using expired passwords and accounts, they can bypass web security mechanisms such as HTTP STS and certificate pinning, they can cause TLS clients to accept revoked and expired certificates, damage systems, deny service to authentication systems and services that use time-limited authentication tickets, and cause a negative impact on system performance by forcing caching systems like content delivery networks (CDNs) and DNS to flush caches.

“This vulnerability has been confirmed in ntp version 4.2.8p3. The vulnerable code path was introduced in ntp version 4.2.5p186 (late 2009). Therefore, all ntp-4 stable releases from 4.2.5p186 through 4.2.8p3 appear to be vulnerable. All ntp-4 development versions from 4.3.0 through, at least, 4.3.76 also appear to be vulnerable,” Cisco said.

The networking giant is currently trying to determine which of its products are affected by the vulnerabilities patched with the release of ntp-4.2.8p4. The company will then release software updates to patch the security holes.

New Attacks on NTP

After the NTP Project released the update addressing the vulnerabilities they discovered (CVE-2015-7704 and CVE-2015-7705), Boston University researchers published a paper detailing their findings.

The experts detailed a method an on-path attacker can use to hijack traffic to the NTP server and change the time on its clients. They also described a technique that an off-path attacker located anywhere on the targeted organization’s network can use to disable NTP synchronization via a low-rate denial-of-service attack.

According to Boston University researchers, an off-path attacker can also use IPv4 fragmentation to hijack the NTP connection between the client and server to alter time.

The impact of these vulnerabilities is generally similar to the attack scenarios described by Cisco. However, Boston University also described a scenario affecting the digital currency Bitcoin.

“Bitcoin is a digital currency that allows a decentralized network of node to arrive at a consensus on a distributed public ledger of transactions, aka ‘the blockchain’. The blockchain consists of timestamped ‘blocks’; bitcoin nodes use computational proofs-of-work to add blocks to the blockchain,” experts explained in their paper. “Because blocks should be added to the blockchain according to their validity interval (about 2 hours), an NTP attacker can trick a victim into rejecting a legitimate block, or into wasting computational power on proofs-of-work for a stale block.”

An NTP server fragmentation vulnerability testing tool made available by Boston University allows organizations to check their configuration simply by entering their IP address or domain name.

view counter
Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.