ICS-CERT in NTP Flaw Alert

The Network Time Protocol (NTP) is under the microscope again after the US ICS-CERT announced the discovery of several major remotely exploitable vulnerabilities.

The Department of Homeland Security-sponsored organization said in an advisory that it was notified about the holes by Google security researchers.

“Exploits that target these vulnerabilities are publicly available,” it said.

It added that products using the open source protocol version 4.2.8 are affected.

The advisory claimed:

“Exploitation of these vulnerabilities could allow an attacker to execute arbitrary code with the privileges of the ntpd process.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.”

The US government-backed body revealed details of four major vulnerabilities it said should be patched.

The first, CVE-2014-9293, was patched on 28 January 2010 and has a CVSS base score of 7.3.

“If the authentication key is not set in the configuration file, ntpd will generate a weak random key with insufficient entropy,” the ICS advisory said.

The second vulnerability, CVE-2014-9294, resolved in November 2010, is an encryption-related flaw.

The final two, fixed on 19 December, relate to a stack-based buffer overflow and a “missing return on error” vulnerability.

ICS-CERT claimed that an attacker with “low skill” could exploit the flaws, exploits for which are said to be publicly available.

NTP servers were widely targeted in 2014 by DDoS-ers who exploited a flaw to carry out denial of service attacks.

However, as servers were patched, incidents of related DDoS amplification attacks dwindled towards the end of the year.

Vulnerable NTP servers dropped from around 432,000 in December 2013 to just 17,600 in May, according to DDoS prevention firm NSFOCUS.

NTP is used by machines connected to the internet to set their clocks accurately.
