Exploits Circulating for Remote Code Execution Flaws in NTP Protocol

Researchers at Google have uncovered several serious vulnerabilities in the Network Time Protocol and experts warn that there are exploits publicly available for some of the bugs.

The vulnerabilities are present in all versions of NTP prior to 4.2.8 and include several buffer overflows that are remotely exploitable. NTP is a protocol that’s used to synchronize the time on servers across networks. It’s ubiquitous, and that fact has made it a useful tool for attackers in DDoS attacks in recent years. Attackers have taken advantage of a weakness in NTP to amplify DDoS attacks.

“The reason has to do with the amplification factor,” said Arbor Networks solutions architect Gary Sockrider in April. “With NTP reflection attacks, you get 1000 times the amplification; 1000 times the size of the query is reflected back. There’s more cause for alarm with NTP attacks because attackers get a better response rate.”

The flaws disclosed today in NTP are more worrisome. They put servers running older versions of the protocol at risk of remote code execution.

“Google Security Team researchers Neel Mehta and Stephen Roettger have coordinated multiple vulnerabilities with CERT/CC concerning the Network Time Protocol (NTP). As NTP is widely used within operational Industrial Control Systems deployments, NCCIC/ICS-CERT is providing this information for US Critical Infrastructure asset owners and operators for awareness and to identify mitigations for affected devices,” an advisory from ICS-CERT says.

“These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available.”

The advisory from NTP.org says that a single packet is enough to exploit any of the buffer overflow vulnerabilities.

“A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process,” the advisory says.


Discussion

  • Junk on

    CVE #?
  • SCADAhacker on

    It is worth noting that in ICSA-14-353-01A, there is a significant clarification that states "No known public exploits specifically target these vulnerabilities".
