Severe Remote Code Execution Flaws Spotted in NTP Protocol

Researchers at Google have unearthed a number of serious vulnerabilities within the Network Time Protocol (NTP) and security researchers have reason to believe exploits are publicly available across the web.

Versions of NTP prior to their latest 4.2.8 release have been identified as vulnerable to a number of exploits including severe buffer overflow attacks that are remotely exploitable. The Network Time Protocol is a networking protocol widely used across the web for clock synchronization or to synchronize time on servers across networks. The protocol has been abused maliciously countless times to launch massive scale distributed denial of service (DDoS) attacks over the recent years. Attackers have levered several weaknesses and vulnerabilities within the protocol to launch amplified DDoS attacks.

The vulnerabilities disclosed in NTP are far more worrisome than experts have expressed concern for in the past. The recent set of vulnerabilities put older servers running the older version of the protocol at risk to a remote code execution attack.

“Google Security Team researchers Neel Mehta and Stephen Roettger have coordinated multiple vulnerabilities with CERT/CC concerning the Network Time Protocol (NTP). As NTP is widely used within operational Industrial Control Systems deployments, NCCIC/ICS-CERT is providing this information for US Critical Infrastructure asset owners and operators for awareness and to identify mitigations for affected devices,” an advisory from the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) read. “These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available.”

The publicly posted security advisory from NTP.org claims a single packet is enough to trigger any of the buffer overflow vulnerabilities (CVE-2014-9295) recently discovered within the networking protocol.

“A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process,” the advisory said.

The United States Computer Emergency Readiness Team (US-CERT) noted the exploitation of these vulnerabilities (VU#852879) may allow a remote attacker to execute malicious code on the server or systems if running vulnerable versions of NTP.

The US-CERT urges all users and administrators to upgrade their systems and networks to the latest version of NTP 4.2.8.

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *

One Comment