Cisco Identifies Multiple Vulnerabilities in Network Time Protocol daemon (ntpd)

Cisco is committed to improving the overall security of the products and services our customers rely on. As part of this commitment, Cisco assesses the security of software components used in our products. Open source software plays a key role in many Cisco products and as a result, ensuring the security of open source software components is vital, especially in the wake of major vulnerabilities such as Heartbleed and Shellshock.

In April 2014, the Linux Foundation spearheaded the creation of the Core Infrastructure Initiative in response to the disclosure of Heartbleed with the goal of securing open source projects that are widely used on the internet. As a member of the Linux Foundation Core Infrastructure Initiative (CII) Steering Group, Cisco is contributing to the CII effort by evaluating the Network Time Protocol daemon (ntpd) for security defects. ntpd is a widely deployed software package used to synchronize time between hosts. ntpd ships with a wide variety of network and embedded devices as well as desktop and server operating systems, including Mac OS X, major Linux distributions, and BSDs.

Today, in coordination with the NTP Project, Cisco is releasing 8 advisories for vulnerabilities that have been identified by the Talos Group and the Advanced Security Initiatives Group (ASIG) within Cisco. These vulnerabilities have been reported to the NTP Project in accordance with Cisco vulnerability reporting and disclosure guidelines. The NTP Project has responded by issuing a Security Advisory along with releasing a patched version of ntpd. The following serves as a summary for all the advisories being released. For the full advisories, readers should visit the Vulnerability Reports page on the Talos website.

Advisory Summaries

The advisories that are being released today are broken down by vulnerability type.

Error Handling Logic Error

An error handling logic error exists within ntpd that manifests due to improper error condition handling associated with certain crypto-NAK packets. An unauthenticated, off­-path attacker can force ntpd processes on targeted servers to peer with time sources of the attacker's choosing by transmitting symmetric active crypto­-NAK packets to ntpd. This attack bypasses the authentication typically required to establish a peer association and allows an attacker to make arbitrary changes to system time. Matthew Van Gundy of Cisco ASIG is credited with discovering this vulnerability.

• CVE-2015-7871 - NAK to the Future: NTP crypto-NAK Symmetric Association Authentication Bypass Vulnerability

Memory Corruption

Multiple memory corruption vulnerabilities exist within ntpd that can manifest themselves due to improper handling of objects in memory. An adversary who exploits these vulnerabilities could modify memory via a buffer overflow or use-after-free condition. Aleksandar Nikolic and Yves Younan of Cisco Talos are credited with the discovery of these vulnerabilities.

• CVE-2015-7849 - Network Time Protocol Trusted Keys Memory Corruption Vulnerability
• CVE-2015-7852 - Network Time Protocol ntpq atoascii Memory Corruption Vulnerability
• CVE-2015-7853 - Network Time Protocol Reference Clock Memory Corruption Vulnerability
• CVE-2015-7854 - Network Time Protocol Password Length Memory Corruption Vulnerability

Denial of Service

Multiple denial of service vulnerabilities exist within ntpd that manifest themselves due to ntpd failing to properly validate input received via private mode packets or a remote configuration file. An adversary who crafts a specially formatted packet and transmits it to an ntpd server, or who crafts a specially formatted configuration file and transmits it to the ntpd server could cause the server daemon to crash or enter an infinite loop. Aleksandar Nikolic and Yves Younan of Cisco Talos are credited with the discovery of these vulnerabilities.

• CVE-2015-7848 - Network Time Protocol Multiple Integer Overflow Read Access Violations
• CVE-2015-7850 - Network Time Protocol Remote Configuration Denial of Service Vulnerability

Directory Traversal / File Overwrite

A file path traversal vulnerability exists within ntpd that manifests when saving a config file on VMS operating systems, potentially resulting in files being overwritten. An adversary would need to provide a malicious path in the configuration file to exploit this vulnerability. Yves Younan of Cisco Talos is credited with the discovery of this vulnerability.

• CVE-2015-7851 - Network Time Protocol saveconfig Directory Traversal Vulnerability

Known Vulnerable Versions

• ntp 4.2.5p186 though ntp 4.2.8p3
• ntp-dev.4.3.70

Cisco remains committed to improving the overall security of the products and services our customers rely on by assessing the security of all software components that are used in our products. Through the research efforts by Talos and ASIG to identify vulnerabilities in ntpd, Cisco is able to assist the CII in improving the overall security of open source software components the overall community relies on. In response to these vulnerability disclosures, Cisco is taking the following actions to help address our customer's concerns.

Cisco PSIRT has posted a Security Advisory enumerating which Cisco products are affected by these ntpd vulnerabilities. You can find the Cisco Security Advisory here:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151021-ntp


In addition, Talos has released rules that detect attempts to exploit these vulnerabilities to protect our customers. Please note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Defense Center, FireSIGHT Management Center or Snort.org.

Snort Rules: 35831, 36250-36253, 36536

For additional information and vulnerability reports visit:
http://talosintel.com/vulnerability-reports/