NTP Project Releases Security Update (June 2016)

In early June the NTP project; the team behind the Network Time Protocol (NTP)(defined) issued a security update to address 5 security issues (more formally known as CVEs (defined)), one of which has been classified as high severity. This update brings NTP to version 4.2.8p8

Why Should These Issues Be Considered Important?
The most severe issue involves a denial of service (defined) vulnerability caused by the processing of Crypto-NAK responses (these responses are sent by NTP servers when a client and server do not agree on a message authentication code (MAC)(defined)).

The other four issues were classified as low severity, one of which relates to the above crypto-NAK vulnerability. That low severity vulnerability if exploited could lead to the demobilization of an association between the server and the client (where mobilization means that an NTP server is cryptographically authenticated to a client).

How Can I Protect Myself from These Issues?
NTP is available for most operating systems primarily Linux and Mac OS X (however versions for Windows also exist). In addition, almost any device can request the correct time from an NTP server and thus could be affected by these issues even if NTP is not installed on the device (but would need to be installed on the server).

Full details of these issues are provided by the NTP project on this page (see the June 2016 entry).

Updated versions of NTP are available from this page. For Linux systems the relevant updates can also be obtained via the Package Manager bundled with your Linux distribution (see this link(Debian) and this link (Ubuntu) that should assist you in using the package manager for your distribution of Linux). Apple usually update NTP via their App Store and Software Update, details are available on this page.

Moreover, please see each of the following NTP bug entries since each contains mitigations (defined) for each vulnerability that may be of assistance to you:

NTP Bug 3042 (low severity)
NTP Bug 3043 (low severity)
NTP Bug 3044 (low severity)
NTP Bug 3045 (low severity)
NTP Bug 3046 (high severity)

Thank you.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s