November 22, 2016
A proof-of-concept (PoC) exploit for a critical vulnerability in the Network Time Protocol daemon (ntpd) has been publicly released that could allow anyone to crash a server with just a single maliciously crafted packet.
The vulnerability has been patched by the Network Time Foundation with the release of NTP 4.2.8p9, which includes a total of 40 security patches, bug fixes, and improvements.
The NTP daemon is used in almost every device that needs to synchronize time on computer clocks. NTP got the most attention in late 2014 and 2015 when hackers used it to launch highly amplified DDoS attacks against services.
The flaw, which affects NTP.org’s ntpd versions prior to 4.2.8p9, but not including ntp-4.3.94, was discovered by security researcher Magnus Stubman, who privately disclosed it to the Network Time Foundation on June 24.
A patch for the vulnerability was developed and sent to Stubman on September 29, and just two days later the researcher confirmed that it mitigated the issue. He has now gone public with the disclosure.
“The vulnerability allows unauthenticated users to crash ntpd with a single malformed UDP packet, which causes a null pointer dereference,” Stubman wrote in an advisory published Monday.
Stubman also released a PoC exploit that can crash the NTP daemon and create a denial-of-service (DoS) condition. The issue only affects Windows.
Besides Stubman’s high-severity vulnerability, the latest NTP update also addresses two medium-severity, two medium-low-severity, and five low-severity security issues, includes 28 bug fixes, and contains other improvements over 4.2.8p8.
Another major bug is a trap-crash vulnerability reported by Cisco’s Matthew Van Gundy.
“If trap service has been explicitly enabled, an attacker can send a specially crafted packet to cause a null pointer dereference that will crash ntpd, resulting in a denial of service,” reads the advisory.
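Both issues above come down to two questions a defender can answer on a host: is the running ntpd older than 4.2.8p9, and has the trap service been explicitly enabled in ntp.conf? The script below is an added example written for this article, not code from NTP.org or from either advisory. It parses an NTP version string (for instance the `version=` field that `ntpq -c rv` prints, or the output of `ntpd --version`) and reports it against the 4.2.8p9 fix line, and it scans an ntp.conf body for `trap` directives. The sample version strings and the sample configuration are constructed; the treatment of the 4.3.x development line is an assumption noted in the code, since the article only states that 4.3.94 is not affected.

```python
import re
from typing import List, Optional, Tuple

FIXED_RELEASE = "4.2.8p9"  # from the article: first release that carries the fix
FIXED_DEV = "4.3.94"       # from the article: dev snapshot the advisory says is not affected

# Matches release versions like 4.2.8p8 and dev snapshots like 4.3.94.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract an NTP version from arbitrary text such as
    'ntpd 4.2.8p8@1.3265-o' (the form `ntpq -c rv` reports).
    A missing 'pN' suffix is treated as p0 so tuple comparison stays monotonic."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def patch_status(version_text: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for the given version string,
    using only what the article states about affected versions."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    if v[:2] == (4, 2):
        return "patched" if v >= parse_version(FIXED_RELEASE) else "vulnerable"
    if v[:2] == (4, 3):
        # Assumption: the article only says 4.3.94 is not affected. Earlier
        # 4.3.x snapshots are not addressed there, so report them as unknown
        # rather than as patched.
        return "patched" if v >= parse_version(FIXED_DEV) else "unknown"
    # Anything older than the 4.2 line is "prior to 4.2.8p9"; newer lines are not covered.
    return "vulnerable" if v < (4, 2, 0, 0) else "unknown"


def trap_directives(ntp_conf: str) -> List[str]:
    """Return the `trap` directives present in an ntp.conf body, with comments
    stripped. The trap service is only active when configured explicitly, which
    is the precondition the Cisco-reported advisory names."""
    found = []
    for raw in ntp_conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if line.split()[:1] == ["trap"]:      # directive keyword is the first token
            found.append(line)
    return found


# Constructed sample ntp.conf (not from a real host): one trap receiver configured.
SAMPLE_CONF = """\
# constructed sample for illustration
server 192.0.2.1 iburst
restrict default kod nomodify notrap nopeer noquery
trap 192.0.2.10 port 162   # trap receiver
"""

# Constructed sample version strings (not captured from real systems).
SAMPLE_VERSIONS = [
    'version="ntpd 4.2.8p8@1.3265-o Tue Jun  7 04:23:11 UTC 2016 (1)"',
    "ntpd 4.2.8p9",
    "ntpd 4.3.94",
]


if __name__ == "__main__":
    for s in SAMPLE_VERSIONS:
        print(f"{parse_version(s)} -> {patch_status(s)}")
    traps = trap_directives(SAMPLE_CONF)
    print("trap service explicitly enabled:" if traps else "no trap directives", traps)
```

On a live host you would feed `patch_status` the line `ntpq -c rv | tr ',' '\n' | grep version` returns and `trap_directives` the contents of the daemon's actual ntp.conf; a `trap` hit on an unpatched build is the combination both advisories describe, and the `notrap` flag in a `restrict` line does not by itself switch the service on.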
CERT at the Software Engineering Institute at Carnegie Mellon University has also released the full list of the vulnerabilities in NTP and fixes. It also listed some vendors that implement NTP and could be affected by the bugs.