NTP Project Releases Security Update

In late October the NTP Project; the maintainers of the Network Time Protocol (NTP)(defined) issued a security update to resolve 13 medium and low CVEs (defined) in this commonly used protocol. This update brings the version of NTP to 4.2.8p4.

Why Should These Issues Be Considered Important?
3 of the issues addressed by this security update were discovered and responsibly disclosed (defined) to NTP by 4 researchers from Boston University. Their research is described in this paper.

The first issue involves the use of a Kiss-of-Death packet that is normally used to prevent a client device (e.g. a desktop or laptop computer etc.) from repeatedly requesting the correct time from an NTP server when the client device may be experiencing technical issues. This prevents the NTP server becoming inadvertently overloaded. An attacker can exploit this issue by sending a Kiss-Of-Death packet to a victim device from any location (what is known as an off-path attack). This packet depending on the poll value within it has the potential to prevent that victim device from correctly setting it’s clock for a year or more.

The second issue resolved is very similar but involves the attacker sending a large number of queries requesting the correct time to the NTP server. These queries have been spoofed to look like they came from the victim device. The server then responds to the victim device with the above mentioned Kiss-Of-Death packet again disabling the victim devices means of updating it’s clock. This issue could be exploited if the first issue mentioned above has already been patched on the time server. This results in the victim device experiencing a denial of service issue (defined) since it can no longer set it’s clock due to no fault of it’s own.

The third and final issue requires that the attacker be positioned in a man-in-the-middle (defined) position between the client and the server which could allow the attacker to roll back the time on the victim device that bypasses the 16-minute threshold that is usually imposed to prevent a server from setting a client devices clock more than 16 minutes from the actual correct time.

If a device has its clock set to an inaccurate time that differs too much from the correct time it can cause that device to no longer be able to carry out actions that primarily use correct time to function properly. The use of timestamps is primarily employed in cryptography to prevent replay attacks (defined) or to determine if a digital certificate is still valid (among other purposes). For the full details of how features such as TLS (defined here and here), DNSSEC (defined), DNS (defined) (among others) as well as the online cryptocurrency Bitcoin can be affected as a result of these issues please refer to page 2 and 3 of the above mentioned paper.

Since the above features (among others) rely on a device having an accurately set clock and given that an attacker can exploit these 3 issues relatively easily these issues should be patched as soon as possible.

How Can I Protect Myself from These Issues?
NTP is available for most operating systems primarily Linux and Mac OS X (however versions for Windows also exist). In addition, almost any device can request the correct time from an NTP server and thus could be affected by these issues even if NTP is not installed on the device (but would need to be installed on the server).

Full details of these issues are provided by the NTP project on this page (see the October 2015 entry). Updated versions of NTP are available from this page. For Linux systems the relevant updates can also be obtained via the Package Manager bundled with your Linux distribution (see this link (Debian) and this link (Ubuntu) that should assist you in using the package manager for your distribution of Linux). Apple usually update NTP via their App Store and Software Update, details are available on this page.

In addition, recommendations to more thoroughly protect against all of the flaws discussed in the above mentioned research paper are provided on this page.

Thank you.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s