Exploits circulating for remote code execution flaws in NTP protocol

Discussion in 'other security issues & news' started by Minimalist, Dec 19, 2014.

  1. Minimalist

    Minimalist Registered Member

  2. ronjor

    ronjor Global Moderator

    http://www.kb.cert.org/vuls/id/852879
     
  3. hawki

    hawki Registered Member

    "A network time protocol security hole has been discovered and there are reports that exploits already exist for it and are being exploited...

    NTP is used across the Internet to set the clocks of essentially all connected computer clocks...

    These security holes, according to ISC-CERT, are of the worst possible kind. They can be exploited remotely and exploits are already publicly available. Adding insult to injury, ISC-CERT added, 'An attacker with a low skill would be able to exploit these vulnerabilities'."

    In the article, the writer stresses the fact that the vulnerability is very serious and needs to be patched immediately.

    http://www.zdnet.com/article/major-ntp-security-holes-appears-and-are-being-exploited/

    http://www.kb.cert.org/vuls/id/852879

    https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01
     
  4. Gullible Jones

    Gullible Jones Registered Member

    Hmm.

    NTPD must run as root, so this is a remote root vulnerability. That is very bad.

    However, the arbitrary code execution hole is a userspace buffer overflow. And on Ubuntu at least, NTP tools are compiled as position-independent executables. And most servers use 64-bit versions with huge address space. So I'm wondering how this exploit is practical in the wild? Maybe because people can keep spamming the bad packets at a server until NTPD capitulates a few hours later... No idea really. It does not sound like it should be very easy, from the nature of the vulnerability.
     
  5. Minimalist

    Minimalist Registered Member

  6. J_L

    J_L Registered Member

  7. badsector

    badsector Registered Member

    After reading this... I quickly disabled NTP on my router... scary stuff...
     
  8. Tarnak

    Tarnak Registered Member

    I am still with XP...so, what hope have I got! :eek:
     
  9. Hungry Man

    Hungry Man Registered Member

    To be clear, the vulnerability is in NTPd, not the protocol itself, but an implementation of it. ntpd can run in an AppArmor sandbox, and iptables rules for it can be linked directly to a few IPs over port 123.
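
The port 123 allowlisting described in the post above, as an added example that is not part of the original thread: a shell function that prints (it does not apply) iptables rules pinning NTP traffic to a few servers. The function names and the documentation-range server addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: generate iptables rules that restrict NTP (UDP 123)
# to an explicit list of servers. Rules are printed for review, not applied.

valid_ipv4() {
    # Accept only dotted-quad addresses with every octet in 0..255.
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

ntp_rules() {
    [ "$#" -gt 0 ] || { echo "no servers given" >&2; return 1; }
    # Validate everything first so a bad entry never yields a partial ruleset.
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid server address: $ip" >&2; return 1; }
    done
    for ip in "$@"; do
        # Queries may leave only toward an approved server.
        echo "iptables -A OUTPUT -p udp -d $ip --dport 123 -j ACCEPT"
        # Inbound NTP is accepted only as a reply to one of our own queries.
        echo "iptables -A INPUT -p udp -s $ip --sport 123 -m conntrack --ctstate ESTABLISHED -j ACCEPT"
    done
    # All other UDP 123 traffic is dropped in both directions, so
    # unsolicited packets never reach the daemon's listening port.
    echo "iptables -A INPUT -p udp --dport 123 -j DROP"
    echo "iptables -A OUTPUT -p udp --dport 123 -j DROP"
}

# Constructed sample servers (RFC 5737 documentation ranges).
ntp_rules 192.0.2.10 198.51.100.20
```

Rule order matters here: the ACCEPT lines must precede the DROP lines in each chain, which is why the function emits them in that sequence.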
     