It’s that time of year and you’re probably getting ready for Christmas. Well, bad news: you’ve got another security hole to patch. Google has just uncovered several major vulnerabilities in NTP (the Network Time Protocol), and they are already being exploited.
For those who don’t know what NTP is, it’s the protocol computers use to synchronise their clocks with a time server, a bit like setting your watch to match Big Ben in London.
At present, NTP is being used to launch DDoS (distributed denial of service) attacks. In fact, DDoS attacks over the last several months have originated from NTP weaknesses. Gary Sockrider of Arbor Networks says attackers take advantage of these weaknesses because of the amplification factor.
“With NTP reflection attacks, you get 1000 times the amplification; 1000 times the size of the query is reflected back. There’s more cause for alarm with NTP attacks because attackers get a better response rate.” – Gary Sockrider
To make matters worse, exploit kits are publicly available and the flaws are easily exploited remotely. A single, carefully crafted packet can allow an attacker to gain privileged access and execute malicious code, all through the ntpd process.
“Google Security Team researchers Neel Mehta and Stephen Roettger have coordinated multiple vulnerabilities with CERT/CC concerning the Network Time Protocol (NTP). As NTP is widely used within operational Industrial Control Systems deployments, NCCIC/ICS-CERT is providing this information for US Critical Infrastructure asset owners and operators for awareness and to identify mitigations for affected devices. These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available. A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process.” – advisory from ICS-CERT
NTP versions prior to 4.2.8 are vulnerable. At the time of writing, Red Hat was working on patches to address the issue. It is strongly recommended that you obtain NTP 4.2.8 from your OS vendor as soon as possible.
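As an added example (not part of the original article or of the NTP project), here is a small Python check that parses the version string ntpd reports and flags anything older than 4.2.8; it assumes `ntpq` is on the PATH for the live check, and the version strings in the comments are constructed samples.

```python
import re
import subprocess

# First release the article names as fixed; anything older is vulnerable.
# This covers the ntpd stack overflow. Reflection/amplification abuse depends
# on how a server answers queries, so a version check alone does not cover it.
FIXED_VERSION = (4, 2, 8, 0)

# Matches "4.2.6p5" or "4.2.8" inside constructed strings such as
# 'ntpd 4.2.6p5@1.2349-o ...' or the ntpq 'version="..."' field.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_ntp_version(text):
    """Return (major, minor, point, patch) from ntpd/ntpq output, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, point, patch = m.groups()
    # A missing 'p' suffix is the base release, i.e. patch level 0.
    return (int(major), int(minor), int(point), int(patch or 0))


def is_vulnerable(text):
    """True when the reported release is older than 4.2.8.

    Tuple comparison orders 4.2.6p5 < 4.2.7p482 < 4.2.8 < 4.2.8p1, so a high
    'p' number on an old point release does not hide the problem.
    """
    version = parse_ntp_version(text)
    if version is None:
        raise ValueError("no ntpd version found in %r" % text)
    return version < FIXED_VERSION


def check_local_ntpd():
    """Ask the running daemon for its variables with `ntpq -c rv` and classify.

    Returns 'vulnerable', 'patched' or 'unknown' (ntpq missing or no reply).
    Caveat: distributions that backport the fix keep the old version string,
    so confirm a 'vulnerable' verdict against the vendor's package changelog.
    """
    try:
        out = subprocess.run(["ntpq", "-c", "rv"], capture_output=True,
                             text=True, timeout=10).stdout
    except (OSError, subprocess.SubprocessError):
        return "unknown"
    if parse_ntp_version(out) is None:
        return "unknown"
    return "vulnerable" if is_vulnerable(out) else "patched"
```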