Connect with us

Hi, what are you looking for?



New NTP Vulnerabilities Put Networks at Risk

The Network Time Foundation’s NTP Project has released an update for the Network Time Protocol (NTP) to address a series of low and medium severity vulnerabilities reported by experts from Cisco, Red Hat, IDA, Boston University, and Tenable Networks.

The Network Time Foundation’s NTP Project has released an update for the Network Time Protocol (NTP) to address a series of low and medium severity vulnerabilities reported by experts from Cisco, Red Hat, IDA, Boston University, and Tenable Networks.

NTP is a protocol used to synchronize clocks between computer systems on a network. While NTP is highly useful, it’s also known to be plagued by various security flaws, and it has often been abused to amplify distributed denial-of-service (DDoS) attacks.

The latest update to NTP, ntp-4.2.8p4, patches a total of 13 flaws, including denial-of-service (DoS), directory traversal, memory corruption, authentication bypass, and file overwrite issues.

“NAK to the Future” Vulnerability

According to an advisory published by the NTP Project on Wednesday, the only generally exploitable bug, with a CVSS score of 6.4, is a crypto-NAK issue (CVE-2015-7871) uncovered by researchers at Cisco.

The vulnerability, which exists due to a logic error in the handling of certain crypto-NAK packets by the Network Time Protocol daemon (ntpd), can be exploited by an unauthenticated off-path attacker to force ntpd processes to peer with malicious time sources in an effort to make changes to the system time.

Once they manage to change system time, attackers can authenticate to services using expired passwords and accounts, they can bypass web security mechanisms such as HTTP STS and certificate pinning, they can cause TLS clients to accept revoked and expired certificates, damage systems, deny service to authentication systems and services that use time-limited authentication tickets, and cause a negative impact on system performance by forcing caching systems like content delivery networks (CDNs) and DNS to flush caches.

Advertisement. Scroll to continue reading.

“This vulnerability has been confirmed in ntp version 4.2.8p3. The vulnerable code path was introduced in ntp version 4.2.5p186 (late 2009). Therefore, all ntp-4 stable releases from 4.2.5p186 through 4.2.8p3 appear to be vulnerable. All ntp-4 development versions from 4.3.0 through, at least, 4.3.76 also appear to be vulnerable,” Cisco said.

The networking giant is currently trying to determine which of its products are affected by the vulnerabilities patched with the release of ntp-4.2.8p4. The company will then release software updates to patch the security holes.

New Attacks on NTP

After the NTP Project released the update addressing the vulnerabilities they discovered (CVE-2015-7704 and CVE-2015-7705), Boston University researchers published a paper detailing their findings.

The experts detailed a method an on-path attacker can use to hijack traffic to the NTP server and change the time on its clients. They also described a technique that an off-path attacker located anywhere on the targeted organization’s network can use to disable NTP synchronization via a low-rate denial-of-service attack.

According to Boston University researchers, an off-path attacker can also use IPv4 fragmentation to hijack the NTP connection between the client and server to alter time.

The impact of these vulnerabilities is generally similar to the attack scenarios described by Cisco. However, Boston University also described a scenario affecting the digital currency Bitcoin.

“Bitcoin is a digital currency that allows a decentralized network of node to arrive at a consensus on a distributed public ledger of transactions, aka ‘the blockchain’. The blockchain consists of timestamped ‘blocks’; bitcoin nodes use computational proofs-of-work to add blocks to the blockchain,” experts explained in their paper. “Because blocks should be added to the blockchain according to their validity interval (about 2 hours), an NTP attacker can trick a victim into rejecting a legitimate block, or into wasting computational power on proofs-of-work for a stale block.”

An NTP server fragmentation vulnerability testing tool made available by Boston University allows organizations to check their configuration simply by entering their IP address or domain name.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.