Vulnerabilities discovered by Matthew Van Gundy from Cisco ASIG

Overview

As a member of the Linux FoundationCore Infrastructure Initiative, Cisco is contributing to the CII effort by evaluating the Network Time Protocol daemon (ntpd) for security defects. We previously identified aseries of vulnerabilities in the Network Time Protocol daemon; through our continued research we have identified a further vulnerabilities in the software. This vulnerability results in a denial of service attack against peers due to the origin timestamp check functionality. The attacker does not need to be authenticated in order to exploit the vulnerability.

The ntpd daemon uses the Network Time Protocol for clock synchronization between computer systems and as such, plays a vital role in maintaining system integrity.

Details

TALOS-2016-0260 (CVE-2016-9042) - Network Time Protocol Origin Timestamp Check Denial of Service Vulnerability
An unauthenticated attacker can send a crafted network packet to reset the origin timestamp for target peers. If the attacker knows that source address of a peer, and sends a spoof ntpd packet with the source address of the peer with a zero origin timestamp, this clears the expected origin timestamp. Hence, legitimate incoming packets with correct timestamps will be rejected because their correct timestamp will not equal the (now cleared) value for the expected timestamp. This causes the packet to be dropped and creating a denial of service condition.

More details can be found in the vulnerability reports: TALOS-2016-0260

Tested Version: NTP 4.2.8p9

Conclusion
The ntpd daemon is a vital part of many systems ensuring that clocks are synchronised to a common standard. Cisco has previously identified a series of vulnerabilities in ntpd and worked to ensure that patches are released, and that detection of exploitation of these vulnerabilities is available.

Organisations should take care to ensure that potentially spoofed ntpd packets are rejected at network perimeters, that ntpd installations are fully patched or upgraded as soon as possible, and that detection for potential exploitation is in place.

Coverage
The following Snort Rules will detect exploitation attempts. Note that additional rules may be released at a future date and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules: 41367