Several Vulnerabilities Patched in NTP Daemon

A new version of the Network Time Protocol daemon (ntpd) released this week by the NTP Project patches several low and medium severity vulnerabilities.

The NTP Project’s advisory describes a total of nine new vulnerabilities reported by researchers at Cisco and Chinese antivirus company Qihoo 360. Seven of these flaws have been patched with the release of ntp-4.2.8p7. The remaining two will be fully resolved in an upcoming release, but mitigations have been made available.

Cisco found five of the new ntpd vulnerabilities as part of its contribution to the Linux Foundation’s Core Infrastructure Initiative. According to the company, the issues reported by its researchers can be leveraged to cause a denial-of-service (DoS) condition or alter the time via specially crafted UDP packets.

One of the vulnerabilities reported by Cisco, CVE-2016-1550, is an authentication issue that allows an attacker to send spoofed NTP packets that are accepted as valid by the recipient.

Another flaw, tracked as CVE-2016-1551, is related to the fact that ntpd implicitly trusts reference clock NTP traffic from an IP address in the 127.127.0.0/16 range. This allows an attacker to send spoofed packets apparently coming from this range, establish themselves as a trusted peer, and alter the time on the targeted system.
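A detection-side sketch for CVE-2016-1551, added here as an example and not code from the NTP Project, Cisco or this article: reference clock addresses are driver pseudo-addresses inside ntpd, so a UDP/123 datagram seen on the wire with a 127.127.0.0/16 source is not legitimate traffic. The function names, the 192.0.2.10 destination and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

REFCLOCK_NET = ipaddress.ip_network("127.127.0.0/16")  # range named in the article
NTP_PORT = 123
NTP_MODES = {1: "symmetric-active", 2: "symmetric-passive", 3: "client",
             4: "server", 5: "broadcast", 6: "control", 7: "private"}

def inspect_ipv4(packet: bytes):
    """Return a finding for an NTP datagram whose source claims to be a
    reference clock; return None for anything else or for malformed input."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                                   # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 8 or packet[9] != 17:
        return None                                   # bad IHL, no UDP header, or not UDP
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                                   # later fragment: no UDP header here
    src = ipaddress.ip_address(packet[12:16])
    dport = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    if dport != NTP_PORT or src not in REFCLOCK_NET:
        return None
    payload = packet[ihl + 8:]
    mode = NTP_MODES.get(payload[0] & 0x07, "reserved") if payload else "empty"
    return {"src": str(src), "ntp_mode": mode}

def build_sample(src: str, dport: int, mode: int) -> bytes:
    """Constructed test input: IPv4/UDP datagram with a 48-byte NTP body
    (version 4, checksums left at zero). Never sent anywhere."""
    ntp = bytes([(4 << 3) | mode]) + bytes(47)
    udp = struct.pack("!HHHH", NTP_PORT, dport, 8 + len(ntp), 0) + ntp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src).packed,
                     ipaddress.ip_address("192.0.2.10").packed)  # documentation address
    return ip + udp

def scan(packets):
    """Inspect an iterable of raw IPv4 packets and return all findings."""
    return [f for f in map(inspect_ipv4, packets) if f]

if __name__ == "__main__":
    capture = [build_sample("127.127.1.0", 123, 1),   # spoofed refclock source
               build_sample("198.51.100.7", 123, 3),  # ordinary client request
               build_sample("127.127.1.0", 53, 1)]    # right source, not NTP
    for finding in scan(capture):
        print(finding)
```

The same source-range test can be expressed as an ingress filter rule at the network edge, which drops such packets before they reach ntpd.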

CVE-2016-1549 has been described by Cisco as an NTP ephemeral association sybil vulnerability that can also be leveraged to alter the time. The flaw can be used in combination with CVE-2016-1550.

Cisco researchers also discovered a flaw, identified as CVE-2016-1547, that can be leveraged for DoS attacks by sending spoofed crypto-NAK packets apparently coming from a legitimate peer in an effort to interrupt the association of peer ntpd systems.

Finally, Cisco experts identified a security hole, tracked as CVE-2016-1548, that allows an attacker to set an arbitrary time on a targeted client by sending a specially crafted packet that forces the client to switch from basic client-server mode to interleaved mode. This and the sybil vulnerability will be fully patched in an upcoming release.

The other new vulnerabilities patched this week have the following CVE identifiers: CVE-2016-2516, CVE-2016-2517, CVE-2016-2518 and CVE-2016-2519.

A couple of the issues patched with the release of ntp-4.2.8p7 were partially fixed in mid-January in version ntp-4.2.8p6.

Malicious actors have abused NTP over the past years for DDoS attack reflection and amplification. Arbor Networks’ latest Annual Worldwide Infrastructure Security Report shows that NTP is the second most commonly used protocol for reflection/amplification, after DNS.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
