What is NTP?
The Network Time Protocol (NTP) is a networking protocol used to synchronyze the clock between computer systems and servers. (More details here: http://en.wikipedia.org/wiki/Network_Time_Protocol)
NTF's NTP project has been notified of a number of vulnerabilities from Neel Mehta and Stephen Roettger of Google's Security Team. The two most serious of these issues and four less serious issues have been resolved as of ntp-4.2.8, which was released on December 18, 2014. There are still two less significant issues to be addressed. We're expecting to fix these within the next month as of publication date December 22, 2014.(Source)
The NTP provides networked systems with a way to synchronize time for various services and applications. ntpd version 4.2.7 and pervious versions allow attackers to overflow several buffers in a way that may allow malicious code to be executed. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. More details are available in the Vulnerability Note VU#852879 (http://www.kb.cert.org/vuls/id/852879)
Common Vulnerabilities and Exposures (CVE):
- CVE-2014-9293: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9293
- CVE-2014-9294: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9294
- CVE-2014-9295: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9295
- CVE-2014-9296: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9296
- -The buffer overflow vulnerabilities in ntpd may allow a remote unauthenticated attacker to execute arbitrary malicious code with the privilege level of the ntpd process.
- The weak default key and non-cryptographic random number generator in ntp-keygen may allow an attacker to gain information regarding the integrity checking and authentication encryption schemes.
Apply the latest ntpd package updates available for your device or server's operating system distribution (See the References section below).
- Ubuntu: http://www.ubuntu.com/usn/usn-2449-1/
- Debian: https://www.debian.org/security/2014/dsa-3108
- Centos: http://lists.centos.org/pipermail/centos-announce/2014-December/020852.html
- Redhat: https://rhn.redhat.com/errata/RHSA-2014-2025.html
- Cisco: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141222-ntpd