Exploits Circulating for Remote Code Execution Flaws in NTP Protocol

Researchers at Google have uncovered several serious vulnerabilities in the Network Time Protocol and experts warn that there are exploits publicly available for some of the bugs.

The vulnerabilities are present in all versions of NTP prior to 4.2.8 and include several buffer overflows that are remotely exploitable. The NTP is a protocol that’s used to synchronize the time on servers across networks. It’s ubiquitous and that fact has made it a useful tool for attackers in DDoS attacks in recent years. Attackers have taken advantage of a weakness in NTP to amplify DDoS attacks.

“The reason has to do with the amplification factor,” said Arbor Networks solutions architect Gary Sockrider in April. “With NTP reflection attacks, you get 1000 times the amplification; 1000 times the size of the query is reflected back. There’s more cause for alarm with NTP attacks because attackers get a better response rate.”

The flaws disclosed today in NTP are more worrisome. They put servers running older versions of the protocol at risk of remote code execution.

“Google Security Team researchers Neel Mehta and Stephen Roettger have coordinated multiple vulnerabilities with CERT/CC concerning the Network Time Protocol (NTP). As NTP is widely used within operational Industrial Control Systems deployments, NCCIC/ICS-CERT is providing this information for US Critical Infrastructure asset owners and operators for awareness and to identify mitigations for affected devices,” an advisory from ICS-CERT says.

“These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available.”

The advisory from NTP.org says that a single packet is enough to exploit any of the buffer overflow vulnerabilities.

“A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process,” the advisory says.

Suggested articles