Several critical vulnerabilities in the protocol implementation used to synchronize clock settings over the Internet are putting countless servers at risk of remote hijacks until they install a security patch, an advisory issued by the federal government warned.
The remote-code execution bugs reside in versions of the network time protocol prior to 4.2.8, according to an advisory issued Friday by the Industrial Control Systems Cyber Emergency Response Team. In many cases, the vulnerabilities can be exploited remotely by hackers with only a low level of skill.
"Exploitation of these vulnerabilities could allow an attacker to execute arbitrary code with the privileges of the [network time protocol daemon] process," the advisory warned. Exploit code that targets the vulnerabilities is publicly available. It's not clear exactly what privileges NTP processes get on the typical server, but a handful of knowledgeable people said they believed it usually involved unfettered root access. Even if the rights are limited, it's not uncommon for hackers to combine exploits with privilege elevation attacks, which increase the system resources a targeted app has the ability to control.
In January, researchers uncovered evidence NTP was being exploited to wage crippling denial-of-service attacks on gaming sites. Attackers were using the widely used service to amplify the amount of bandwidth available to them, a technique that saturated targets with as much as 100 gigabits of data per second.The bugs were discovered by Google Security Team researchers Neel Mehta and Stephen Roettger, who reported them privately. The vulnerabilities have been fixed in version 4.2.8. Maintainers of the open-source NTP code have bare-bones details on the bugs here. Additional details, including about separate information disclosure vulnerabilities caused by a weak default key and non-cryptographic random number generator in NTP, are here.
Post updated to add "implementation" to the first sentence.
reader comments
55