A new version of the Network Time Protocol daemon (ntpd) released this week by the NTP Project patches several low and medium severity vulnerabilities.
The NTP Project’s advisory describes a total of nine new vulnerabilities reported by researchers at Cisco and Chinese antivirus company Qihoo 360. Seven of these flaws have been patched with the release of ntp-4.2.8p7. The remaining two will be fully resolved in an upcoming release, but mitigations have been made available.
Cisco found five of the new ntpd vulnerabilities as part of its contribution to the Linux Foundation’s Core Infrastructure Initiative. According to the company, the issues reported by its researchers can be leveraged to cause a denial-of-service (DoS) condition or alter the time via specially crafted UDP packets.
One of the vulnerabilities reported by Cisco, CVE-2016-1550, is an authentication issue that allows an attacker to send spoofed NTP packets that are accepted as valid by the recipient.
Another flaw, tracked as CVE-2016-1551, is related to the fact that ntpd implicitly trusts reference clock NTP traffic from an IP address in the 127.127.0.0/16 range. This allows an attacker to send spoofed packets apparently coming from this range, establish themselves as a trusted peer, and alter the time on the targeted system.
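As an added illustration of the CVE-2016-1551 trust problem (this is example code written here, not code from the article or the NTP Project), the check below scans captured UDP datagram records and flags NTP traffic that claims a 127.127.0.0/16 source but arrived on a non-loopback interface, something that should never happen for a genuine reference clock. The one-line record format and the sample records are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass

# Address block ntpd reserves for local reference clocks (the range the
# article says ntpd implicitly trusts). A real refclock never sends over
# the network, so a packet from this range on a physical interface is spoofed.
REFCLOCK_NET = ipaddress.ip_network("127.127.0.0/16")
NTP_PORT = 123


@dataclass
class Datagram:
    iface: str
    src: str
    dst: str
    dport: int


def is_spoofed_refclock(d: Datagram) -> bool:
    """True when an NTP datagram claims a refclock source but did not
    arrive on a loopback interface."""
    if d.dport != NTP_PORT:
        return False
    if d.iface.startswith("lo"):
        return False  # genuine refclock traffic stays on loopback
    return ipaddress.ip_address(d.src) in REFCLOCK_NET


def parse_line(line: str) -> Datagram:
    # Constructed record format (assumption): "<iface> <src>:<sport> > <dst>:<dport>"
    iface, src, _, dst = line.split()
    s_ip, _ = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Datagram(iface, s_ip, d_ip, int(d_port))


# Constructed sample capture: lines 1 and 4 are spoofed refclock packets,
# line 2 is legitimate loopback refclock traffic, line 3 is an ordinary peer.
SAMPLE = """eth0 127.127.1.0:123 > 192.0.2.10:123
lo 127.127.1.0:123 > 127.0.0.1:123
eth0 198.51.100.7:123 > 192.0.2.10:123
eth0 127.127.20.1:40000 > 192.0.2.10:123
"""


def find_spoofed(text: str) -> list[str]:
    """Return the raw records that look like spoofed refclock packets."""
    return [ln for ln in text.splitlines() if ln and is_spoofed_refclock(parse_line(ln))]
```

The same predicate can drive a firewall rule or an IDS signature: drop or alert on inbound port 123 traffic sourced from 127.127.0.0/16 on any interface other than loopback.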
CVE-2016-1549 has been described by Cisco as an NTP ephemeral association sybil vulnerability that can also be leveraged to alter the time. The flaw can be used in combination with CVE-2016-1550.
Cisco researchers also discovered a flaw, identified as CVE-2016-1547, that can be leveraged for DoS attacks by sending spoofed crypto-NAK packets apparently coming from a legitimate peer in an effort to interrupt the association of peer ntpd systems.
Finally, Cisco experts identified a security hole, tracked as CVE-2016-1548, that allows an attacker to set an arbitrary time on a targeted client by sending a specially crafted packet that forces the client to switch from basic client-server mode to interleaved mode. This and the sybil vulnerability will be fully patched in an upcoming release.
The other new vulnerabilities patched this week have the following CVE identifiers: CVE-2016-2516, CVE-2016-2517, CVE-2016-2518 and CVE-2016-2519.
A couple of the issues patched with the release of ntp-4.2.8p7 were partially fixed in mid-January in version ntp-4.2.8p6.
Malicious actors have abused NTP in recent years for DDoS reflection and amplification attacks. Arbor Networks’ latest Annual Worldwide Infrastructure Security Report shows that NTP is the second most commonly used protocol for reflection/amplification, after DNS.