MitM, DoS bugs in Network Time Protocol squashed

Two vulnerabilities affecting Network Time Protocol (NTP), which is used for synchronizing clocks of computer systems, have been patched and made available in the latest version of the protocol daemon (ntpd-4.2.8p2).

The first one, CVE-2015-1798, can be used by an attacker to perform a Man-in-the-Middle (MITM) attack: “In NTP4 installations utilizing symmetric key authentication, versions ntp-4.2.5p99 to ntp-4.2.8p1, packets with no message authentication code (MAC) are accepted as though they have a valid MAC. An attacker may be able to leverage this validation error to send packets that will be accepted by the client.”

The second one, CVE-2015-1799, can be used to prevent peer synchronization among symmetrically authenticated hosts, which could lead to Denial-of-Service (DoS).

“An attacker knowing that NTP hosts A and B are peering with each other (symmetric association) can send a packet to host A with source address of B which will set the NTP state variables on A to the values sent by the attacker. Host A will then send on its next poll to B a packet with originate timestamp that doesn’t match the transmit timestamp of B and the packet will be dropped. If the attacker does this periodically for both hosts, they won’t be able to synchronize to each other,” explained Miroslav Lichvar of Red Hat, who discovered and reported both bugs.

Many products of diverse manufacturers incorporate a version of the ntpd package. Cisco has already released software updates that address these two vulnerabilities.

NTP amplification DDoS attacks were a considerable problem a year ago due to the exploitation of the “monlist” feature of NTP servers. Following a alert from US-CERT, many of the servers got patched and DDoS attack volumes plummeted.