Remotely Exploitable NTP Vulnerabilities Put Industrial and Critical Infrastructure Systems at Risk
Security researchers Neel Mehta and Stephen Roettger of Google’s Security Team recently discovered vulnerabilities in the Network Time Protocol (NTP), a service that helps synchronize system times over a network, including some flaws that could enable an attacker to take control of or crash a system.
According to the disclosures, several vulnerabilities exist, including buffer overflow vulnerabilities (CVE-2014-9295) that could allow a remote attacker to send a specially crafted request packet that could crash the NTP daemon (ntpd) or execute arbitrary code with the privileges of the NTP user.
The biggest concern is that the vulnerabilities can be exploited remotely by a low-skilled attacker, and exploit code is already publicly available.
Mehta, who also discovered the infamous Heartbleed vulnerability, and Roettger coordinated the disclosure of NTP vulnerabilities with CERT/CC, which published a vulnerability note on Friday.
NTP has released an update that addresses several, but not all of the newly-discovered vulnerabilities in the Network Time Protocol daemon. The two most serious issues and four less serious issues were fixed with the release of ntp-4.2.8, which was made available on Dec. 18. The NTP Project said that it expects to fix two less significant vulnerabilities within the next month.
Products using NTP Version 4 releases prior to ntp-4.2.8 are affected, and because the ntp.org reference implementation (ntpd) is open source and embedded in a wide range of products, many technology vendors will have exposed products to patch.
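A practical first step for an asset owner is to find out which ntpd version a host is actually running. The `ntpq -c rv` command prints the daemon's system variables, including a `version="ntpd 4.2.6p5@..."` string. The following Python is an added example, not code from the article or the NTP Project, that parses that string and compares it against the ntp-4.2.8 fixed release named above. The sample output is constructed in the format `ntpq -c rv` prints, not captured from a real host, and the function names are this example's own.

```python
import re

# The first fixed release named in the article: ntp-4.2.8 (Dec. 18, 2014).
FIXED_VERSION = (4, 2, 8)

# Constructed sample in the format `ntpq -c rv` prints; not captured from a real host.
SAMPLE_RV_OUTPUT = '''associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync,
version="ntpd 4.2.6p5@1.2349-o Sat Nov 23 18:13:20 UTC 2013 (1)",
processor="x86_64", system="Linux/3.13.0-24-generic", leap=00, stratum=3,
'''

# Matches the leading "major.minor.patch" and an optional "pN" patch level (e.g. 4.2.6p5).
_VERSION_RE = re.compile(r'version="ntpd\s+(\d+)\.(\d+)\.(\d+)(?:p(\d+))?')


def parse_ntpd_version(rv_output):
    """Return (major, minor, patch, p) parsed from `ntpq -c rv` output.

    The trailing 'p' level is 0 when absent. Returns None when no ntp.org
    version string is present (for example, a host running a different daemon).
    """
    m = _VERSION_RE.search(rv_output)
    if not m:
        return None
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def is_pre_4_2_8(version):
    """True when the version predates ntp-4.2.8.

    Only the (major, minor, patch) triple is compared: 4.2.8p1 is not pre-4.2.8,
    while development snapshots such as 4.2.7p465 are, since 4.2.7 < 4.2.8.
    """
    return version[:3] < FIXED_VERSION


def assess(rv_output):
    """Summarise a host's `ntpq -c rv` output as a one-line finding."""
    v = parse_ntpd_version(rv_output)
    if v is None:
        return "unknown: no ntp.org ntpd version string found"
    ver_str = "%d.%d.%d" % v[:3] + ("p%d" % v[3] if v[3] else "")
    if is_pre_4_2_8(v):
        return "ntpd %s: prior to 4.2.8, affected (CVE-2014-9295 and related); update" % ver_str
    return "ntpd %s: 4.2.8 or later" % ver_str


if __name__ == "__main__":
    # In practice feed this the captured output of `ntpq -c rv` from each host.
    print(assess(SAMPLE_RV_OUTPUT))
```

Run it against the captured `ntpq -c rv` output of each NTP server and client in an inventory. A host that returns no version string is not necessarily safe; it may simply be running a daemon other than ntp.org ntpd, or have mode 6 queries restricted, and needs to be checked by other means.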
Industrial Control Systems at Risk
The DHS’ Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) also issued an advisory to warn operators of industrial control systems to ensure they are protected against the dangerous flaws.
“As NTP is widely used within operational Industrial Control Systems deployments, NCCIC/ICS-CERT is providing this information for US Critical Infrastructure asset owners and operators for awareness and to identify mitigations for affected devices,” ICS-CERT noted in its advisory.
“NTP is indeed a vital component of ICS and SCADA networks,” Bill Rios, an ICS security expert and founder of security startup Laconicly, told SecurityWeek. “Timing is really important and synchronizing components in SCADA networks is extremely important.”
Impact to individual organizations depends on many factors that are unique to each organization, ICS-CERT said, and recommends that organizations evaluate the impact of the vulnerabilities based on their operational environment, architecture, and product implementation.
“I’m certain that many portions of our nation’s critical infrastructure depend on the integrity of timing services like NTP,” Rios said.
ICS-CERT strongly encourages Critical Infrastructure and Key Resources (CIKR) users to backup current operational ICS configurations, and thoroughly test the updated software for system compatibility on a test system before attempting deployment on operational systems.
NTP was one of the first open source projects selected to receive support from the Linux Foundation’s Core Infrastructure Initiative, an effort backed by a group of tech industry heavyweights including Microsoft, Google, Intel, and Cisco to fund open source projects that make up critical elements of global information infrastructure. The initiative was formed primarily as the industry’s response to the Heartbleed crisis, and the OpenSSL library and NTP were its first projects to receive support.
The latest NTP releases can be found online from the NTP project website.
OpenBSD is not affected, as its OpenNTPD is a separate implementation that does not use ntp.org code.
You can expect many other vendors to release updates in the days and weeks ahead to address these vulnerabilities in products that leverage NTP.