Network Time Protocol Vulnerabilities

Number: AL14-041
Date: 20 December 2014

Purpose

The purpose of this Alert is to bring attention to vulnerable versions of Network Time Protocol (NTP).

Assessment

CCIRC is aware of recently disclosed vulnerabilities in the Network Time Protocol (NTP). NTP Version 4 releases prior to Version 4.2.8 are vulnerable and need to be updated to Version 4.2.8. There are four vulnerabilities addressed in NTP v4.2.8. The most severe is CVE-2014-9295 (Buffer Overflows), which can be remotely exploited by attackers and for which exploit code is publicly available. Successful exploitation of CVE-2014-9295 (Buffer Overflows) could allow an attacker to execute arbitrary code with the same privileges as the ntpd process. As some vendor implementations of NTP are not affected, CCIRC recommends that administrators consult with their vendors to verify whether the system is vulnerable and confirm patch availability.

CVE-2014-9293: Random Key with Insufficient Entropy
If the authentication key is omitted from the configuration file, the ntpd process generates a weak random key with insufficient entropy.
CVE Reference: CVE-2014-9293
Affected versions: All versions prior to NTP-4.2.7p11
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9293

CVE-2014-9294: Weak Random Seed
ntp-keygen uses a weak seed to create the random numbers used by the symmetric key generation algorithm.
CVE Reference: CVE-2014-9294
Affected versions: All versions prior to NTP-4.2.7p230
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9294

CVE-2014-9295: Buffer Overflows
A single appropriately crafted packet could overflow a stack buffer and allow arbitrary code to be run as the ntpd process.
CVE Reference: CVE-2014-9295
Affected versions: All versions prior to NTP-stable4.2.8
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9295

CVE-2014-9296: Failure to stop executing
The receive function will continue to execute code, even after detecting a specific authentication error.
CVE Reference: CVE-2014-9296
Affected versions: All versions prior to NTP-stable4.2.8
Reference: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9296
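
The following is an added example, not part of the original CCIRC alert: a small triage helper that maps an ntpd version string to the CVEs listed above, using only the "Affected versions" thresholds stated in this alert. The function names and sample banners are constructed for illustration, and the result reflects upstream version numbers only, so a vendor build with backported fixes may report an older version while being patched.

```python
import re

# Fix thresholds exactly as listed in this alert: (major, minor, point, patch).
# A version is affected by a CVE when it is strictly lower than the threshold.
FIXED_IN = {
    "CVE-2014-9293": (4, 2, 7, 11),   # prior to NTP-4.2.7p11
    "CVE-2014-9294": (4, 2, 7, 230),  # prior to NTP-4.2.7p230
    "CVE-2014-9295": (4, 2, 8, 0),    # prior to NTP-stable4.2.8
    "CVE-2014-9296": (4, 2, 8, 0),    # prior to NTP-stable4.2.8
}

# Matches upstream-style versions such as "4.2.6p5", "4.2.7p230" or "4.2.8".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_ntp_version(banner):
    """Extract (major, minor, point, patch) from a version banner.

    A missing "pN" suffix is treated as patch level 0.
    """
    match = _VERSION_RE.search(banner)
    if match is None:
        raise ValueError("no NTP version found in %r" % banner)
    return tuple(int(part) if part else 0 for part in match.groups())


def applicable_cves(banner):
    """Return the sorted list of CVEs from this alert that apply to the banner."""
    version = parse_ntp_version(banner)
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    samples = [
        "ntpd 4.2.6p5@1.2349-o",
        "ntpd 4.2.7p11",
        "ntpd 4.2.7p230",
        "ntpd 4.2.8",
    ]
    for banner in samples:
        cves = applicable_cves(banner)
        status = ", ".join(cves) if cves else "not affected by the CVEs in this alert"
        print("%-24s %s" % (banner, status))
```

Confirm any "affected" result with the vendor before scheduling the update, as the alert recommends.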

Suggested Action

CCIRC recommends that organizations running NTP service versions prior to NTP-stable4.2.8 strongly consider updating to the latest version immediately after assessing the impact on their networked environment and business requirements. Many vendors have begun to issue patches. Please consult your vendor’s website for information addressing this vulnerability.

Patch Availability:
Latest NTP release: http://support.ntp.org/bin/view/Main/SoftwareDownloads

References:

Vulnerability Note VU#852879:
Reference: http://www.kb.cert.org/vuls/id/852879      

Vendor Information for VU#852879:
Reference: http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=852879&SearchOrder=4

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that the CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
