Exploits circulating for remote code execution flaws in NTP protocol

Discussion in 'other security issues & news' started by Minimalist, Dec 19, 2014.

  1. Minimalist

    Minimalist Registered Member

  2. ronjor

    ronjor Global Moderator

    http://www.kb.cert.org/vuls/id/852879
     
  3. hawki

    hawki Registered Member

    "A network time protocol security hole has been discovered and there are reports that exploits already exist for it and are being exploited...

    NTP is used across the Internet to set the clocks of essentially all connected computer clocks...

    These security holes, according to ISC-CERT, are of the worst possible kind. They can be exploited remotely and exploits are already publicly available. Adding insult to injury, ISC-CERT added, 'An attacker with a low skill would be able to exploit these vulnerabilities'."

    In the article, the writer stresses the fact that the vulnerability is very serious and needs to be patched immediately.

    http://www.zdnet.com/article/major-ntp-security-holes-appears-and-are-being-exploited/

    http://www.kb.cert.org/vuls/id/852879

    https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01
     
  4. Gullible Jones

    Gullible Jones Registered Member

    Hmm.

    NTPD must run as root, so this is a remote root vulnerability. That is very bad.

    However, the arbitrary code execution hole is a userspace buffer overflow. And on Ubuntu at least, NTP tools are compiled as position-independent executables. And most servers use 64-bit versions with huge address space. So I'm wondering how this exploit is practical in the wild? Maybe because people can keep spamming the bad packets at a server until NTPD capitulates a few hours later... No idea really. It does not sound like it should be very easy, from the nature of the vulnerability.
     
  5. Minimalist

    Minimalist Registered Member

  6. J_L

    J_L Registered Member

  7. badsector

    badsector Registered Member

    After reading this... I quickly disabled NTP on my router... scary stuff...
     
  8. Tarnak

    Tarnak Registered Member

    I am still with XP...so, what hope have I got! :eek:
     
  9. Hungry Man

    Hungry Man Registered Member

    To be clear, the vulnerability is in NTPd, not the protocol itself, but an implementation of it. ntpd can run in an AppArmor sandbox, and iptables rules for it can be linked directly to a few IPs over port 123.
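
The port 123 restriction mentioned in the post above, as an added example that is not part of the thread: a POSIX shell function that emits `iptables-restore` input limiting NTP traffic to named upstream servers. The addresses are constructed documentation-range values, the function names are hypothetical, and the host is assumed to be an NTP client only (it does not serve time to others).

```shell
#!/bin/sh
# Added example: build iptables-restore input that pins ntpd to known servers.
# Addresses below are constructed (RFC 5737 range), not taken from the thread.

# Succeeds only for a dotted-quad IPv4 address with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; input holds digits and dots only
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print a filter-table rule set: UDP/123 only to and from the listed servers.
# Hostnames are rejected on purpose so the rules do not depend on DNS answers.
ntp_rules() {
    [ "$#" -gt 0 ] || { echo "ntp_rules: no servers given" >&2; return 2; }
    for ip in "$@"; do
        is_ipv4 "$ip" || { echo "ntp_rules: bad address: $ip" >&2; return 2; }
    done
    echo '*filter'
    for ip in "$@"; do
        # Queries out to the server, and only tracked replies back in.
        echo "-A OUTPUT -p udp -d $ip --dport 123 -j ACCEPT"
        echo "-A INPUT -p udp -s $ip --sport 123 -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    done
    # Any other traffic on the NTP port is dropped in both directions.
    echo '-A INPUT -p udp --dport 123 -j DROP'
    echo '-A OUTPUT -p udp --dport 123 -j DROP'
    echo 'COMMIT'
}

# Show the rule set for two constructed upstream servers.
ntp_rules 192.0.2.10 192.0.2.11
```

The output can be reviewed and then loaded as root with `iptables-restore --noflush`, which appends the rules without clearing the existing filter table.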
     