Updates are available, patch required as soon as possible

Dec 22, 2014 21:50 GMT  ·  By

Servers used for synchronizing time over the Internet are susceptible to remote code execution attacks carried out by exploiting vulnerabilities recently discovered in the Network Time Protocol (NTP).

The development of NTP is overseen by the Network Time Foundation, which issued a warning about the security risks run by servers that did not receive the latest update, 4.2.8, released on December 18.

Exploit code available in the wild, no advanced skills necessary

The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) also released an alert about the danger unpatched systems are in because exploits targeting the flaws are already available in the wild.

The organization disclosed a set of six security flaws, acknowledging two of them as being of a more serious nature, while the other four present a lower risk.

Taking advantage of the flaws does not require advanced knowledge and an attacker could run arbitrary code remotely, with the same privileges as those of the ntpd process; if it runs under an account with elevated privileges, then the attacker could gain root access to the machine and take full control over it.

In the event that lower privileges are used to run the process, which is a more likely scenario, intruders could find ways to increase their rights on the machine.

Three buffer overflow vulnerabilities (in “crypto_recv(),” ”ctl_putdata()” and “configure()”), all tracked with the same identifier (CVE-2014-9295), could be leveraged by sending a specially crafted packet that overflows a stack buffer and permits remote execution of arbitrary code on the system.

Some less serious issues also received a fix

Two other security flaws led to weak cryptographic keys that used to be strong at the moment of implementation but are no match per today’s standards.

The last flaw that has been patched in version 4.2.8 of the NTP protocol touched on behavior when an error in the code was detected. Basically, processing would continue, despite the discovery of the error. However, the maintainers say they could not determine a method to exploit it in a way that would affect the integrity of the system.

All the weaknesses fixed in the new NTP have been discovered by Stephen Roettger and Neel Mehta, both from the Google Security Team.

Administrators running unpatched NTP servers are urged to apply the updates as soon as possible in order to eliminate remote execution attacks.

Apart from these problems, Network Time Foundation informed that two more issues had been found. However, these do not represent increased risk and would be addressed next month.