Cisco Spots New NTP Bugs
Cisco has identified six new vulnerabilities in the Network Time Protocol (NTP) which could allow cyber-criminals to craft DDoS attacks or prevent the correct time being set.
The Talos team explained in a blog post that it was responsibly disclosing the bugs after having coordinated fixes with the relevant bodies. It urged administrators to apply the patches or upgrade NTP daemon (ntpd) installations as soon as possible.
Its ongoing efforts are part of the Linux Foundation Core Infrastructure Initiative (CII), which aims to fortify the hugely popular open source software against exploitation, and have already resulted in the discovery of several NTP bugs.
The NTP daemon is a key time service ensuring that digital clocks in systems are synchronized to a common standard.
Cisco explained why finding bugs in the system is so important:
“Vulnerabilities that allow the time as understood by ntpd to be altered can be used by attackers to set the time to an arbitrary value. This allows attackers to prevent time dependent services from starting because the time of activation is never reached, to provoke the depletion of system resources by repeatedly reaching the time of activation of services, to gain system access by using expired certificates, to deny service by expiring legitimate services and caches.”
DDoS-ers have been exploiting vulnerabilities in the service to craft attacks since 2013, according to Cisco.
Typically, an attacker searches for exploitable NTP servers and then sends them traffic with a source address spoofed to mimic that of the victim. The NTP server(s) respond and flood the victim organization with traffic.
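At the victim, the reflection pattern described above shows up as NTP replies (UDP source port 123) that answer no request the victim ever sent. The following Python sketch is an added example, not code from Cisco or the original article; the flow-record layout, the documentation-range addresses and the 5-second matching window are assumptions.

```python
from collections import defaultdict

NTP_PORT = 123

# Constructed flow records (not real traffic):
# (time_s, src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    (0.00, "192.0.2.10", 40000, "198.51.100.5", 123, 76),   # our own NTP query
    (0.05, "198.51.100.5", 123, "192.0.2.10", 40000, 76),   # its matching reply
    (1.00, "203.0.113.7", 123, "192.0.2.10", 80, 468),      # reply nobody asked for
    (1.10, "203.0.113.7", 123, "192.0.2.10", 80, 468),
    (1.20, "203.0.113.8", 123, "192.0.2.10", 80, 468),
]


def find_unsolicited_ntp(flows, local_ip, window=5.0):
    """Return {server_ip: (packets, bytes)} for NTP replies sent to local_ip
    that do not match a request local_ip sent within `window` seconds."""
    pending = {}                          # (server_ip, client_port) -> request time
    unsolicited = defaultdict(lambda: [0, 0])
    for ts, src, sport, dst, dport, size in sorted(flows):
        if src == local_ip and dport == NTP_PORT:
            # Outbound query: remember which server and client port it used.
            pending[(dst, sport)] = ts
        elif dst == local_ip and sport == NTP_PORT:
            # Inbound reply: one request justifies one reply, so consume it.
            asked = pending.pop((src, dport), None)
            if asked is None or ts - asked > window:
                unsolicited[src][0] += 1
                unsolicited[src][1] += size
    return {ip: tuple(counts) for ip, counts in unsolicited.items()}


if __name__ == "__main__":
    for ip, (pkts, size) in find_unsolicited_ntp(SAMPLE_FLOWS, "192.0.2.10").items():
        print(f"{ip}: {pkts} unsolicited NTP replies, {size} bytes")
```

Many distinct servers each sending unsolicited replies to the same host is the signature to alert on; a single stray reply is usually just a late answer.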
After US-CERT urged administrators to patch affected servers back in January 2014, attacks were thought to have declined, but the problem remains, as Cisco’s latest bulletin reveals.
The flaws discovered include CVE-2016-1550 – an “NTP Authentication Potential Timing Vulnerability” – CVE-2016-1551, an “NTP Refclock Impersonation Vulnerability,” and CVE-2016-1549 – an “NTP Ephemeral Association Sybil Vulnerability.”
Source: Information Security Magazine