A researcher has released a proof-of-concept exploit for a vulnerability in the Network Time Protocol daemon that could crash a server with a single, malformed packet.
The Network Time Foundation’s NTP Project on Monday patched the bug and nine others with the release of NTP 4.2.8p9.
The vulnerability affected NTP 4.2.7p22 up to NTP 4.2.8p9, and ntp-4.3.0 up to, but not including ntp-4.3.94, researcher Magnus Stubman said.
Stubman released an exploit on Monday that crashes the NTP daemon and creates a denial-of-service condition.
“The vulnerability allows unauthenticated users to crash ntpd with a single malformed UDP packet, which causes a null pointer dereference,” Stubman wrote in an advisory.
Stubman said he found the vulnerability on June 24 and privately disclosed. A patch was developed and sent to Stubman Sept. 29; he confirmed that it mitigated the issue two days later.
NTP is a protocol used to synchronize time on computer clocks. In late 2014 and into 2015, hackers were able to exploit vulnerabilities in NTP to harness the power of these servers and conduct highly amplified distributed denial-of-service attacks.
Research from companies such as Arbor Networks illustrated the effectiveness of NTP amplification attacks; at the time, Arbor said 85 percent of volumetric DDoS attacks exceeding 100 Gbps were NTP reflection attacks. Experts said that NTP amplification attacks are effective because they reflect 1,000 times the size of the initial query back to the target.
Some of those numbers have since been dwarfed, especially in DDoS attacks powered by the Mirai malware and botnet. Mirai infects connected devices with malware joining it to a massive botnet; the malware seeks so-called Internet of Things devices and conducts brute force attacks using known or default credentials to access the device before infecting it.
Given the availability of Stubman’s exploit, admins are urged to patch NTP implementations soon.
— K. Reid Wightman (@ReverseICS) November 21, 2016
The latest NTP update patches a number of denial of service vulnerabilities, all of which can be exploited remotely. Aside from Stubman’s high severity vulnerability, five of the remaining nine bugs were rated low severity and four either medium, or medium-low severity.
The Department of Homeland Security-sponsored CERT at the Software Engineering Institute at Carnegie Mellon University listed a number of vendors that implement NTP that could be affected. It also recommends the implementation of BCP-38, a protocol that helps prevent spoofing and route injection.