Friday, December 19, 2014

Time to patch again. This time it's ntpd

Ntpd, the network time protocol service, has a flaw that can be used to compromise a server or network router.
It's late on a Friday, coming up on a holiday week. In other words, the perfect time to drop a major bug announcement, right? Someone seemed to think so. Alas this will mean much churn over the next few days for a great many IT shops.

The theme this year has been big vulnerabilities in common services or shared libraries - places where one bug might affect lots and lots of programs and devices. First it was a flaw in OpenSSL, the library that enables secure communication with websites around the world. Next came a flaw in the Bash shell, a widely used Unix shell much like the Windows command line. Now it's ntpd, the Network Time Protocol service.

NTP can be envisioned as the timekeeper of the Internet. It is the way systems synchronize their time throughout a network, and it's the reason you don't have to manually set the clock on your computer. On your Windows PC, there is an "Internet Time" tab that is enabled by default. Your PC periodically queries an Internet clock for the current time, and sets your local clock to the correct time.

The Windows Date and Time dialog includes an option to set the clock automatically from an Internet Time service.

On a home PC, setting the clock is merely a convenience. On a corporate network, it is a necessity. Some authentication services require that both the client and the server believe it to be the same time. When the US Congress decided to change the dates for Daylight Saving Time a few years back, more than a few businesses awoke that Monday to dozens if not hundreds of service calls from employees who could not log on because their computers had not received the update with the new dates.

In forensic analysis, time is critical in analyzing the sequence of events in an incident. Network attacks don't usually involve only one computer; if each device on a network has a different time, it is difficult if not impossible to accurately track the timeline. Thus businesses use NTP to synchronize time across the entire organization.

On Friday, ntp.org disclosed a number of vulnerabilities in all versions of NTP prior to 4.2.8. The most serious vulnerability is identified as CVE-2014-9295: Stack buffer overflow. With this flaw, an attacker can send a specially crafted packet to a server or router running ntpd, the NTP daemon (or service), and cause the server or router to run code of the attacker's choosing. This potentially can allow an attacker to take complete control of the vulnerable device.

The bad news is, like Heartbleed and Shellshock, there is no one-size-fits-all patch. NTP is used in many devices, by many manufacturers. In some cases end users can update the ntp package within a product, but in many cases we are dependent on the developers to release an update for their individual products.
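For admins triaging their own time servers, here is an added example (not from ntp.org or any vendor) that sorts an inventory of ntpd version banners into hosts older than 4.2.8, hosts at or above it, and hosts that need a manual look. The hostnames and banner strings are constructed, and the banner format is assumed to follow the upstream `4.2.6p5` style; a vendor package may carry a backported fix under an older version number, so a "patch" result means "check the vendor's advisory".

```python
import re

# First release the advisory lists as fixed, per the post above.
FIXED = (4, 2, 8)

# Matches upstream-style version strings such as "4.2.6p5" or "4.2.8".
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_ntp_version(banner):
    """Return (major, minor, patch, point) from a banner, or None if absent."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch, point = m.groups()
    return (int(major), int(minor), int(patch), int(point or 0))


def needs_update(banner):
    """True if older than 4.2.8, False if not, None if no version was found."""
    version = parse_ntp_version(banner)
    if version is None:
        return None
    return version[:3] < FIXED


def triage(inventory):
    """Split {host: banner} into hosts to patch, hosts OK, and hosts to check by hand."""
    result = {"patch": [], "ok": [], "unknown": []}
    for host, banner in sorted(inventory.items()):
        verdict = needs_update(banner)
        key = "unknown" if verdict is None else ("patch" if verdict else "ok")
        result[key].append(host)
    return result


# Constructed sample inventory (hostnames and banners are made up for illustration).
SAMPLE_INVENTORY = {
    "time1.example.internal": "ntpd 4.2.6p5@1.2349-o Fri Apr 10 2015",
    "time2.example.internal": "ntpd 4.2.8@1.3265-o Fri Dec 19 2014",
    "edge-rtr.example.internal": "ntpd 4.2.7p26",
    "legacy.example.internal": "version string unavailable",
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(bucket, hosts)
```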

The silver lining is that this affects devices listening for NTP packets. In other words, this affects servers and network routers, which are intended to listen for and provide a time service. It should not affect most laptops, PCs, smartphones, tablets, and other end-user devices.

So ... Server admins, Unix developers, network technicians, prepare for a busy time.

Cert.org is maintaining a list of affected products and their status (vulnerable, non-vulnerable, unknown).

Do you have something to add? A question you'd like answered? Think I'm out of my mind? Join the conversation below, reach out by email at david (at) securityforrealpeople.com, or hit me up on Twitter at @dnlongen.
