Network Time Protocol flaws can cause chaos on a global scale

Serious flaws in the Network Time Protocol can be exploited to cause severe outages, eavesdrop encrypted communications, bypass authentication processes.

Bad news for network administrators, new attacks on Network Time Protocol can defeat HTTPS and create serious problems.

The bugs exploited in the attacks was discovered by the experts at the Cisco's Talos group that has been working on the code base of the time-synch daemon.

"The Network Time Protocol daemon (ntpd) is an operating system program that maintains the system time in synchronization with time servers using the Network Time Protocol (NTP)."

The ntpd determines which other NTP daemons to peer according to the ntp.conf configuration file defined by the network administrator. The attack exploits a logic error in the Network Time Protocol daemon's handling of certain crypto-NAK packets, the NTP symmetric association authentication bypass vulnerability.

"Unauthenticated off-path attackers can force ntpd processes to peer with malicious time sources of the attacker's choosing allowing the attacker to make arbitrary changes to system time. This attack leverages a logic error in ntpd's handling of certain crypto-NAK packets. When a vulnerable ntpd receives an NTP symmetric active crypto-NAK packet, it will peer with the sender bypassing the authentication typically required to establish a peer association." state a blog post published by Talos.

Basically, a threat actor can force someone's ntpd process to peer with a "malicious time source" and interfere with their system clocks.

The ntpd is also able to establish peer associations on the fly in response to specifically kind of incoming requests.

"In most common configurations, if ntpd receives such a packet, it will set up an ephemeral association with the sender only if the packet is correctly authenticated under a key that ntpd trusts. For example, when ntpd receives a symmetric active (NTP mode 1) packet and there is no existing peer association with the sender, ntpd executes the following check to determine if the packet has been correctly authenticated before mobilizing a new ephemeral symmetric association." continues Cisco Talos.

Malicious changes ins the system time can have serious implications in several systems, the experts warned that the attackers may exploit them to:

  • Authenticate via expired passwords and accounts
  • Cause TLS clients to accept expired and revoked certificates and to reject currently valid certificates
  • Circumvent modern web security mitigations such as certificate pinning and HTTP Strict Transport Security
  • Deny service to authentication systems such as Kerberos, Active Directory, and other systems that use time-limited authentication tickets such as web services
  • Force caching systems such as DNS and CDNs to flush their caches resulting in significant system performance degradation
  • Damage real-time and cyber-physical systems

NTP 1024x376Who is impacted?

This flaw affects ntp version 4.2.8p3, as explained by Talos it has been introduced in ntp version 4.2.5p186 (late 2009).

"Therefore, all ntp-4 stable releases from 4.2.5p186 through 4.2.8p3 appear to be vulnerable. All ntp-4 development versions from 4.3.0 through, at least, 4.3.76 also appear to be vulnerable. Any product which integrates an ntpd version from the vulnerable range may also be affected. Because many vendors patch ntpd before packaging it for distribution in their products, the susceptibility of any specific product must be considered on a per-product basis."

The experts of the Talos group also found the following bugs:

  • Integer overflows that crash the daemon.
  • A use-after-free bug and a buffer overflow in NTP's password manager.
  • A VMS-specific directory traversal bug.
  • An off-by-one error in NTPQ.
  • Remote attackers can create a denial-of-service by sending a malicious configuration file to the target.
  • A buffer overflow bug in the daemon.

The NTP Project says users should immediately install ntp-4.2.8p4 to get the fix, and implement BCP 38 ingress and egress filtering.