The CERT Coordination Center and the Network Time Foundation announced on Monday the availability of NTP 4.2.8p9, which includes nearly 40 security patches, bug fixes and improvements.
The latest version of the Network Time Protocol daemon (ntpd) addresses a total of ten security holes. The most serious of them, tracked as CVE-2016-9312 and rated “high severity,” has been described as an oversized UDP packet denial-of-service (DoS) issue that only affects Windows.
“If a vulnerable instance of ntpd on Windows receives a crafted malicious packet that is ‘too big’, ntpd will stop working,” CERT and NTF wrote in their advisories.
NTP 4.2.8p9 also patches two medium, two medium-low, and five low severity vulnerabilities. One of the medium severity flaws (CVE-2016-9310) affects the control mode (mode 6) functionality of ntpd and it can be exploited by a remote, unauthenticated attacker.
“If, against long-standing BCP recommendations, ‘restrict default noquery’ is not specified, a specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, disabling legitimate monitoring,” reads a description of the vulnerability.
The second medium severity flaw (CVE-2016-7431) is related to a regression in the handling of some Zero Origin timestamp checks.
Matthew Van Gundy of Cisco, Magnus Stubman, Miroslav Lichvar of Red Hat, Brian Utterback of Oracle, Robert Pajak of ABB, and Sharon Goldberg and Aanchal Malhotra of Boston University have been credited for reporting these issues.
While NTP is a widely used protocol, the project, primarily maintained by Harlan Stenn, has been having some financial problems. The Network Time Foundation has asked people to make donations and support the project as much as possible.
“We would have preferred to give much more notice to our members and CERT, however, NTF’s NTP project remains severely under-funded. Google was unable to sponsor us this year and, currently, the Linux Foundation’s Core Internet Initiative only supports Harlan for about 25% of his hours per week and is restricted to NTP development only,” the organization stated.
Earlier this year, researchers from China-based security firm Qihoo 360 warned that attackers can remotely change the time on NTP servers over long distances using inexpensive devices.
UPDATE. Stubman has published a proof-of-concept (PoC) exploit for the low-severity issue he discovered.
Related: Severe Vulnerabilities Found in Meinberg NTP Servers