Vulnerability Note VU#852879
NTP Project Network Time Protocol daemon (ntpd) contains multiple vulnerabilities (Updated)
Original Release date: 19 Dec 2014 | Last revised: 04 Feb 2015
The NTP Project ntpd version 4.2.7 and pervious versions contain several vulnerabilities. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities may affect ntpd acting as a server or client.
The Network Time Protocol (NTP) provides networked systems and devices with a way to synchronize time for various services and applications. The reference implementation produced by the NTP Project (ntp.org) contains several vulnerabilities.
CWE-290: Authentication Bypass by Spoofing – CVE-2014-9298
The IPv6 address ::1 can be spoofed, allowing an attacker to bypass ACLs based on ::1.
CWE-754: Improper Check for Unusual or Exceptional Conditions – CVE-2014-9297
The length value in extension field pointers is not properly validated, allowing information leaks.
CWE-332: Insufficient Entropy in PRNG – CVE-2014-9293
If no authentication key is defined in the ntp.conf file, a cryptographically-weak default key is generated.
CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) – CVE-2014-9294
ntp-keygen before 4.2.7p230 uses a non-cryptographic random number generator with a weak seed to generate symmetric keys.
CWE-121: Stack Buffer Overflow – CVE-2014-9295
A remote unauthenticated attacker may craft special packets that trigger buffer overflows in the ntpd functions crypto_recv() (when using autokey authentication), ctl_putdata(), and configure(). The resulting buffer overflows may be exploited to allow arbitrary malicious code to be executed with the privilege of the ntpd process.
CWE-389: Error Conditions, Return Values, Status Codes – CVE-2014-9296
A section of code in ntpd handling a rare error is missing a return statement, therefore processing did not stop when the error was encountered. This situation may be exploitable by an attacker.
The NTP Project provides more information about these issues in their security advisory.
The NTP Project implementation is widely used in operating system distributions and network products. These vulnerabilities affect ntpd acting as a server or client. CERT/CC is not aware of any public exploit of these vulnerabilities at this time.
The CVSS score below is based on the buffer overflow vulnerabilities (CVE-2014-9295).
The buffer overflow vulnerabilities in ntpd may allow a remote unauthenticated attacker to execute arbitrary malicious code with the privilege level of the ntpd process. The weak default key and non-cryptographic random number generator in ntp-keygen may allow an attacker to gain information regarding the integrity checking and authentication encryption schemes. More specifically, the weak default key allows access to private mode and control mode queries that require authentication, if not restricted by the configuration.
Apply an update
These issues have been addressed in ntp-4.2.8p1. The update may be downloaded from ntp.org.
Restrict status queries
As noted in the announcement for ntp-4.2.8:
The vulnerabilities listed below can be significantly mitigated by following the BCP of putting
restrict default … noquery
in the ntp.conf file. With the exception of:
receive(): missing return on error
References: Sec 2670 / CVE-2014-9296 / VU#852879
below (which is a limited-risk vulnerability), none of the recent vulnerabilities listed below can be exploited if the source IP is restricted from sending a ‘query’-class packet by your ntp.conf file.
Use firewall rules
Install firewall rules that block ::1 IPv6 address from inappropriate network interfaces.
Disable autokey authentication
Disable Autokey Authentication by removing, or commenting out, all configuration directives beginning with the crypto keyword in your ntp.conf file.
Vendor Information (Learn More)
VendorStatusDate NotifiedDate UpdatedAppleAffected18 Dec 201423 Dec 2014
Cisco Systems, Inc.Affected18 Dec 201413 Jan 2015
EfficientIPAffected-24 Dec 2014
F5 Networks, Inc.Affected18 Dec 201413 Jan 2015
FreeBSD ProjectAffected18 Dec 201421 Dec 2014
Huawei TechnologiesAffected-23 Dec 2014
NTP ProjectAffected03 Dec 201422 Dec 2014
OmniTIAffected19 Dec 201422 Dec 2014
Red Hat, Inc.Affected18 Dec 201430 Dec 2014
Watchguard Technologies, Inc.Affected18 Dec 201419 Dec 2014
Fortinet, Inc.Not Affected18 Dec 201424 Dec 2014
m0n0wallNot Affected18 Dec 201419 Dec 2014
OpenBSDNot Affected18 Dec 201419 Dec 2014
Openwall GNU/*/LinuxNot Affected18 Dec 201421 Dec 2014
ACCESSUnknown18 Dec 201418 Dec 2014If you are a vendor and your product is affected, let
us know.View More »
CVSS Metrics (Learn More)
The NTP Project credits Stephen Roettger and Neel Mehta of the Google Security Team for discovering these vulnerabilities.
This document was written by Garret Wassermann.
19 Dec 2014
Date First Published:
19 Dec 2014
Date Last Updated:
04 Feb 2015
FeedbackIf you have feedback, comments, or additional information about this vulnerability, please send us email.