Google is aware of NTP Exploits publicly available

Pierluigi Paganini December 20, 2014

Security researchers at Google have discovered several serious flaws in the NTP protocol that are remotely exploitable by attackers.

Security experts at Google have uncovered several serious flaws in the Network Time Protocol (NTP), including several buffer overflows that are remotely exploitable.

The Network Time Protocol is a networking protocol for clock synchronization between computer systems across a network. According to the experts, all versions of NTP prior to 4.2.8 are affected by the flaws.

The most concerning part of the discovery is that the experts have also found several exploits in the wild targeting these vulnerabilities.

A remote attacker could exploit these vulnerabilities to compromise servers running older versions of NTP.
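Since the article's only stated fix boundary is "prior to 4.2.8", the first thing a defender wants is an inventory check. The following is an added example, not code from the article or from NTP.org: it parses the version string a host reports (the banner format `ntpd 4.2.6p5@...` is an assumption about how `ntpd --version` prints it; the sample banners are constructed) and flags anything older than 4.2.8, treating a `pN` patch level as a fourth component so that development snapshots such as 4.2.7p485 still count as affected.

```python
import re
from typing import Dict, NamedTuple, Optional


class NtpVersion(NamedTuple):
    """Version tuple so that ordinary tuple comparison orders releases correctly."""
    major: int
    minor: int
    patch: int
    p_level: int  # trailing "pN" suffix of a release, 0 when absent


# First release the article names as unaffected (assumption: 4.2.8 with no p-level).
FIXED = NtpVersion(4, 2, 8, 0)

# Matches "4.2.6p5" or "4.2.8"; the leftmost match wins, so the build id after "@" is ignored.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?\b")


def parse_version(text: str) -> Optional[NtpVersion]:
    """Extract the ntpd version from a banner line; None when no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, p_level = m.groups()
    return NtpVersion(int(major), int(minor), int(patch), int(p_level or 0))


def is_affected(text: str) -> Optional[bool]:
    """True if the reported version predates 4.2.8, False if not, None if unparseable."""
    version = parse_version(text)
    if version is None:
        return None
    return version < FIXED


# Constructed sample banners (not real inventory data) keyed by a hypothetical host name.
SAMPLE_BANNERS: Dict[str, str] = {
    "host-a": "ntpd 4.2.6p5@1.2349-o (constructed sample)",
    "host-b": "ntpd 4.2.7p485@1.2483-o (constructed sample)",
    "host-c": "ntpd 4.2.8@1.3265-o (constructed sample)",
    "host-d": "ntpd: command not found",
}


def audit(banners: Dict[str, str]) -> Dict[str, Optional[bool]]:
    """Map each host to its affected status so unparseable hosts are not silently skipped."""
    return {host: is_affected(banner) for host, banner in banners.items()}


if __name__ == "__main__":
    for host, status in audit(SAMPLE_BANNERS).items():
        label = {True: "AFFECTED", False: "ok", None: "unknown"}[status]
        print(f"{host}: {label}")
```

A `None` result is deliberately kept distinct from `False`: a host whose version cannot be read should be investigated, not counted as patched.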

“Google Security Team researchers Neel Mehta and Stephen Roettger have coordinated multiple vulnerabilities with CERT/CC concerning the Network Time Protocol (NTP). As NTP is widely used within operational Industrial Control Systems deployments, NCCIC/ICS-CERT is providing this information for US Critical Infrastructure asset owners and operators for awareness and to identify mitigations for affected devices,” an advisory from ICS-CERT says.

“These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available.”

NTP.org issued an advisory explaining that a single packet could be enough to exploit a buffer overflow vulnerability in NTP.

“A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process,” the advisory says.

It is not the first time that the Network Time Protocol has been targeted by hackers: in the past, criminal crews exploited a weakness in NTP in the wild to amplify DDoS attacks.

Earlier in 2014, security researchers at Symantec spotted a series of Network Time Protocol (NTP) reflection DDoS attacks during the Christmas holidays.

The following graph shows the DDoS activity generated by nearly 15,000 IP addresses, likely belonging to a botnet, involved in the Network Time Protocol (NTP) reflection attack.

[Figure: Network Time Protocol (NTP) reflection DDoS spike, December 2013]

Hackers favour the NTP reflection attack because its amplification factor is nearly 1000. There’s more cause for alarm with NTP attacks because attackers get a better response rate.
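The amplification factor the paragraph cites is also the property a defender can measure from a server's own traffic: a reflector answering tiny requests with large responses, all "from" one address, is the signature of being abused against that address. The following is an added example, not code from the article or from Symantec: it aggregates constructed per-flow records for UDP/123 by claimed client address and reports any address whose response bytes exceed its request bytes by a chosen ratio over a minimum number of requests. Field names, thresholds and the sample flows are all assumptions made for the example.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple

NTP_PORT = 123


class Flow(NamedTuple):
    """One request/response pair as a flow collector might export it (assumed schema)."""
    client: str       # source address of the request; spoofed to the victim in a reflection attack
    server: str       # the NTP server answering, i.e. the potential reflector
    server_port: int  # destination port of the request
    req_bytes: int    # size of the request
    resp_bytes: int   # size of the response the server sent back to `client`


class Suspect(NamedTuple):
    client: str
    requests: int
    amplification: float  # total response bytes / total request bytes


def find_reflection_suspects(
    flows: Iterable[Flow], min_requests: int = 20, min_amplification: float = 10.0
) -> List[Suspect]:
    """Return claimed client addresses that look like reflection victims, largest ratio first."""
    req_total: Dict[str, int] = defaultdict(int)
    resp_total: Dict[str, int] = defaultdict(int)
    count: Dict[str, int] = defaultdict(int)

    for flow in flows:
        if flow.server_port != NTP_PORT:
            continue  # only NTP traffic is of interest here
        req_total[flow.client] += flow.req_bytes
        resp_total[flow.client] += flow.resp_bytes
        count[flow.client] += 1

    suspects: List[Suspect] = []
    for client, n in count.items():
        if n < min_requests or req_total[client] == 0:
            continue
        ratio = resp_total[client] / req_total[client]
        if ratio >= min_amplification:
            suspects.append(Suspect(client, n, ratio))

    return sorted(suspects, key=lambda s: s.amplification, reverse=True)


# Constructed sample: a normal time client, a non-NTP flow, and an address that is
# being hammered with small requests answered by large responses (made-up sizes).
SAMPLE_FLOWS: List[Flow] = (
    [Flow("10.0.0.5", "192.0.2.10", NTP_PORT, 48, 48) for _ in range(5)]
    + [Flow("10.0.0.6", "192.0.2.10", 53, 40, 120)]
    + [Flow("203.0.113.7", "192.0.2.10", NTP_PORT, 8, 480) for _ in range(40)]
)


if __name__ == "__main__":
    for s in find_reflection_suspects(SAMPLE_FLOWS):
        print(f"{s.client}: {s.requests} requests, amplification x{s.amplification:.1f}")
```

The thresholds are deliberately parameters: a single large response is normal for some NTP queries, so the check fires only when a high ratio is sustained across many requests for the same claimed source, which is what distinguishes a reflection victim from a busy but legitimate client.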

It is important to carefully review every network protocol that could be abused by hackers.

Pierluigi Paganini

(Security Affairs – NTP protocol, hacking)
