At least three serious vulnerabilities in the Network Time Protocol (NTP) reference implementation were reported by security researchers at Google in December 2014. The impact is broad because of the sheer number of machines running the ntpd daemon that an attacker could compromise or abuse for DDoS traffic by exploiting these flaws. The NTP Project, which has maintained the protocol and its reference implementation since the first NTP specification was published in 1985, produces the ntpd software that keeps the clocks of tens of millions of computers worldwide in sync.
The most serious of the reported issues is a set of stack-based buffer overflows tracked as CVE-2014-9295. By sending a specially crafted packet from a remote location, an attacker can trigger one of the overflows and execute code on the target system with the privileges of the ntpd process; on many systems ntpd runs as root, so this amounts to a remote root compromise. According to the National Vulnerability Database at NIST, the flaw is present in ntpd releases before version 4.2.8. The NTP Project released ntpd 4.2.8 on December 18, 2014 to fix this and the related issues reported at the same time.
Another problem found by the Google researchers is the generation of cryptographically weak authentication keys: when no authentication key is configured, ntpd generates one using a non-cryptographic random number generator (CVE-2014-9293), and the ntp-keygen tool used the same kind of weak generator for the symmetric keys it produced (CVE-2014-9294). Keys produced this way can be guessed, which undermines any authentication that relies on them.
There is also a vulnerability caused by a missing return on error in ntpd's receive() function (CVE-2014-9296). The ICS-CERT website describes this flaw as follows: “In the NTP code, a section of code is missing a return, and the resulting error indicates processing did not stop. This indicated a specific rare error occurred, which does not appear to affect system integrity. All NTP Version 4 releases before Version 4.2.8 are vulnerable.”
The flaws represent an opportunity for attackers, including those with low skill level, to potentially compromise systems using NTP Version 4 releases earlier than version 4.2.8.
To mitigate the threat from these flaws, users have been strongly urged to act immediately and make sure the NTP daemons (ntpd) on their systems are no longer vulnerable. The recommendation on the NTP website for the DDoS side of the problem is to implement ingress and egress filtering as described in BCP38, which drops packets with spoofed source addresses and so blunts the reflection and amplification attacks NTP servers are commonly abused for. Note that BCP38 filtering does not by itself prevent exploitation of the buffer overflows; only the upgrade does.
Of course, users should also install NTP version 4.2.8 (or a later release) and restart ntpd if they have not yet done so.
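As an added example of the two checks an administrator would run after reading this advisory (this is not code from the original post or from the NTP Project), the script below first decides whether an ntpd version string is older than the 4.2.8 fix release, and then audits an ntp.conf text for two hardening settings that go beyond what the page itself recommends: a `noquery` default restriction, which refuses remote control queries, and an explicit `keys` directive, so ntpd does not fall back to an auto-generated key. The banner strings and configuration texts are constructed sample inputs; the audit is a heuristic, and it cannot tell whether the key file itself was produced by a patched ntp-keygen.

```shell
#!/bin/sh
# Added example, not from the original post or the NTP Project.
# The version banners and ntp.conf texts below are constructed samples.

# Reduce an `ntpd --version` banner such as
#   "ntpd 4.2.6p5@1.2349-o (1)"
# to its bare version number, "4.2.6p5".
ntp_version_from_banner() {
    printf '%s\n' "$1" | awk '{ sub(/@.*/, "", $2); print $2 }'
}

# Return 0 (true) when a version is older than 4.2.8, the range the
# advisory calls vulnerable; return 1 otherwise. Only major.minor.patch
# are compared: a "pN" suffix can only matter when patch == 8, and every
# 4.2.8pN release is at or past the fix.
ntp_is_vulnerable() {
    major=$(printf '%s\n' "$1" | cut -d. -f1)
    minor=$(printf '%s\n' "$1" | cut -d. -f2)
    patch=$(printf '%s\n' "$1" | cut -d. -f3 | sed 's/[^0-9].*//')
    minor=${minor:-0}
    patch=${patch:-0}
    [ "$major" -lt 4 ] && return 0
    [ "$major" -gt 4 ] && return 1
    [ "$minor" -lt 2 ] && return 0
    [ "$minor" -gt 2 ] && return 1
    [ "$patch" -lt 8 ] && return 0
    return 1
}

# Return 0 when an ntp.conf text has a "restrict default" (or
# "restrict -4/-6 default") line that includes "noquery" AND an explicit
# "keys" directive; return 1 otherwise. This is a heuristic audit of the
# configuration text, not a check of the running daemon.
ntp_conf_hardened() {
    conf=$1
    printf '%s\n' "$conf" \
      | grep -Eq '^[[:space:]]*restrict([[:space:]]+-[46])?[[:space:]]+default([[:space:]].*)?[[:space:]]noquery([[:space:]]|$)' \
      || return 1
    printf '%s\n' "$conf" \
      | grep -Eq '^[[:space:]]*keys[[:space:]]+[^[:space:]]' \
      || return 1
    return 0
}

# Constructed sample inputs.
SAMPLE_OLD_BANNER='ntpd 4.2.6p5@1.2349-o (1)'
SAMPLE_NEW_BANNER='ntpd 4.2.8p2@1.3265-o (1)'
SAMPLE_CONF_WEAK='server 0.pool.ntp.org
restrict default kod nomodify notrap nopeer'
SAMPLE_CONF_HARDENED='server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
keys /etc/ntp/ntp.keys
trustedkey 1'

# Demonstration on the constructed inputs. On a live host, replace the
# banner with:  ntpd --version 2>&1 | head -n 1
for banner in "$SAMPLE_OLD_BANNER" "$SAMPLE_NEW_BANNER"; do
    v=$(ntp_version_from_banner "$banner")
    if ntp_is_vulnerable "$v"; then
        echo "ntpd $v: older than 4.2.8, upgrade"
    else
        echo "ntpd $v: at or past 4.2.8"
    fi
done
if ntp_conf_hardened "$SAMPLE_CONF_WEAK"; then
    echo "weak sample ntp.conf: noquery and keys present"
else
    echo "weak sample ntp.conf: missing noquery and/or keys directive"
fi
```

The version comparison is deliberately coarse: development builds such as 4.2.7p482 count as vulnerable because they predate 4.2.8, which matches the advisory's "all NTP Version 4 releases before Version 4.2.8". Run the audit against `/etc/ntp.conf` with `ntp_conf_hardened "$(cat /etc/ntp.conf)"`.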