NTP Daemon Vulnerabilities (Nov 19, 2015)


NTP is a protocol designed to synchronize the clocks of computers over a network. The NTP Project produces a reference implementation of the NTP protocol and implementation documentation through a largely volunteer effort. NTP uses a hierarchical, semi-layered system of time sources. Each level of this hierarchy is termed a “stratum” and is assigned a number starting with zero at the top.

The NTP Project conducts Research and Development in NTP and produces the Official Reference Implementation of NTP along with the Implementation Documentation. A few weeks ago, ntp-4.2.8p4 was released which fixed multiple vulnerabilities.

Dell SonicWALL has released several IPS signatures to detect and block exploitation attempts targeting the vulnerabilities.

  • Sid:11276 “NTP Daemon Arbitrary File Overwrite”, which addresses CVE-2015-7703
  • Description: If ntpd is configured to allow for remote configuration, and if the (possibly spoofed) source IP address is allowed to send remote configuration requests, and if the attacker knows the remote configuration password, it’s possible for an attacker to use the “pidfile” or “driftfile” directives to potentially overwrite other files.

  • Sid:11225 “NTP Daemon Assertion Failure DoS”, which addresses CVE-2015-7855
  • Description: If ntpd is fed a crafted mode 6 or mode 7 packet containing an unusually long data value where a network address is expected, the decodenetnum() function will abort with an assertion failure instead of simply returning a failure condition.

  • Sid:11240 “NTP Daemon Crypto-NAK Authentication Bypass 1” and
    Sid:11254 “NTP Daemon Crypto-NAK Authentication Bypass 2”, which address CVE-2015-7871
  • Description: Crypto-NAK packets can be used to cause ntpd to accept time from unauthenticated ephemeral symmetric peers by bypassing the authentication required to mobilize peer associations. This vulnerability appears to have been introduced in ntp-4.2.5p186 when the code handling mobilization of new passive symmetric associations was refactored.

The most critical one in the above list is the crypto-NAK bug. Administrators are urged to upgrade ntpd to the latest version to protect their servers.

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.