TR-29 - NTP (Network Time Protocol) daemon - ntpd - critical vulnerabilities

Overview

NTP, the Network Time Protocol, is a standardized protocol for synchronizing clocks across operating systems. Its reference implementation, the NTP daemon ntpd, is affected by multiple critical vulnerabilities. ntpd is shipped with many operating systems and embedded systems. One of the vulnerabilities (CVE-2014-9295) is a remote code execution vulnerability that allows an unauthenticated attacker to execute code with the privileges of the ntpd process. If you are running an NTP server, you should upgrade as soon as possible, especially if the Autokey Authentication feature is enabled.

Vulnerable Versions

ntpd versions up to and including 4.2.7 are vulnerable to CVE-2014-9293, CVE-2014-9294, CVE-2014-9295 and CVE-2014-9296. CVE-2014-9295 covers stack buffer overflows in crypto_recv(), ctl_putdata() and configure(); CVE-2014-9293 and CVE-2014-9294 concern weak key generation (the default key generated when none is configured, and ntp-keygen); CVE-2014-9296 is a missing error return in receive(). ntpd version 4.2.8 includes fixes for these vulnerabilities. Some other vulnerabilities remain unfixed (as stated in the official NTP Security Notice), so further releases can be expected in the following days.

Is OpenNTPD vulnerable to the mentioned vulnerabilities?

As stated by one of the OpenNTPD maintainers, OpenNTPD is not affected by the vulnerabilities mentioned in TR-29. OpenNTPD is a viable alternative to ntpd where only basic NTP functionality is needed. There is also an ongoing initiative, called ntimed, to rewrite ntpd from scratch, but OpenNTPD is the alternative available today.

Am I Running NTP?

NTP uses UDP port 123. You can test your infrastructure with nmap:

nmap -sU -Pn -pU:123 -sV <IP of YOUR NTP Server> --script=ntp-info.nse
PORT    STATE SERVICE VERSION
123/udp open  ntp     NTP v3
| ntp-info: 
|_  receive time stamp: 2014-12-21T08:55:19

In some cases the output is more detailed and includes the version number. This method is reliable for telling whether an NTP service is running, but unreliable for determining the exact version. Where mode 6 control queries are permitted, ntpq -c rv <host> prints the server's version string; a server configured with noquery will not answer. Once you have the list of your running NTP services, review the version in use on each system.
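The version check described above, as an added example that is not part of the advisory or of ntp.org's code: it sends the same mode 6 READVAR request that ntpq -c rv sends, reassembles the (possibly fragmented) reply and extracts the version variable. The sample reply and the version string it carries are constructed for the example; on a host mitigated with noquery the request simply times out.

```python
"""Query an NTP server's version with a mode 6 (control) READVAR request.

Added example, not code from the TR-29 advisory or from ntp.org. It does
on the wire what `ntpq -c rv <host>` does: a mode 6 packet with opcode 2
(READVAR) and association ID 0 asks for the system variables, one of which
is `version`. A server configured with `restrict ... noquery` drops such
requests, so a timeout is the expected result on a mitigated host.
"""
import socket
import struct

MODE_CONTROL = 6
OP_READVAR = 2
# Control header: LI/VN/mode, R/E/M/opcode, sequence, status, assoc ID, offset, count
HDR = struct.Struct("!BBHHHHH")


def build_readvar_request(seq=1, assoc_id=0):
    """12-byte READVAR request: LI=0, VN=2, mode=6, opcode=2, empty data field."""
    first = (0 << 6) | (2 << 3) | MODE_CONTROL  # 0x16
    return HDR.pack(first, OP_READVAR, seq, 0, assoc_id, 0, 0)


def _split_vars(text):
    """Turn 'k=v, k="a, b", ...' into a dict, keeping commas inside quotes."""
    out, field, quoted = {}, [], False
    for ch in text + ",":
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            item = "".join(field).strip()
            field = []
            if item:
                key, _, val = item.partition("=")
                out[key.strip()] = val.strip().strip('"')
            continue
        field.append(ch)
    return out


def parse_control_response(datagrams, expect_seq):
    """Reassemble one READVAR reply (one or more fragments) into a dict.

    Checks mode, the response (R) and error (E) bits, opcode and sequence
    number, then orders fragments by offset, requires them to be contiguous
    and requires the last one to have the more (M) bit clear.
    """
    pieces = []
    for dg in datagrams:
        if len(dg) < HDR.size:
            raise ValueError("short control packet")
        first, rem, seq, status, _assoc, offset, count = HDR.unpack(dg[:HDR.size])
        if first & 0x07 != MODE_CONTROL:
            raise ValueError("not a mode 6 packet")
        if not rem & 0x80:
            raise ValueError("not a response (R bit clear)")
        if rem & 0x40:
            raise ValueError("server reported an error, status=0x%04x" % status)
        if rem & 0x1F != OP_READVAR or seq != expect_seq:
            raise ValueError("reply does not match our request")
        payload = dg[HDR.size:HDR.size + count]  # drop the 4-byte alignment padding
        if len(payload) != count:
            raise ValueError("truncated payload")
        pieces.append((offset, bool(rem & 0x20), payload))
    pieces.sort()
    expected = 0
    for offset, _more, payload in pieces:
        if offset != expected:
            raise ValueError("fragment gap at offset %d" % expected)
        expected += len(payload)
    if not pieces or pieces[-1][1]:
        raise ValueError("incomplete reply (last fragment has M bit set)")
    return _split_vars(b"".join(p for _, _, p in pieces).decode("ascii", "replace"))


def query_version(host, timeout=2.0):
    """Send the request and return the `version` variable (socket.timeout on a noquery host)."""
    seq = 7
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_readvar_request(seq), (host, 123))
        frags = []
        while True:
            dg, _ = s.recvfrom(2048)
            frags.append(dg)
            if len(dg) >= HDR.size and not HDR.unpack(dg[:HDR.size])[1] & 0x20:
                break  # M bit clear: last fragment (assumes in-order delivery)
    return parse_control_response(frags, seq).get("version", "")


def sample_response(seq=7):
    """Constructed two-fragment reply, delivered out of order, as a server allowing queries might send."""
    text = (b'version="ntpd 4.2.6p5@1.2349-o Tue Apr 15 03:13:23 UTC 2014 (1)",\r\n'
            b'processor="x86_64", system="Linux/3.13.0-24-generic", leap=00, stratum=2,')
    cut = 60  # splits inside the quoted version string

    def frag(offset, body, more):
        rem = 0x80 | (0x20 if more else 0) | OP_READVAR
        return HDR.pack(0x16, rem, seq, 0, 0, offset, len(body)) + body + b"\x00" * (-len(body) % 4)

    return [frag(cut, text[cut:], False), frag(0, text[:cut], True)]


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(query_version(sys.argv[1]))  # live query against a host you own
    else:
        print(parse_control_response(sample_response(), expect_seq=7)["version"])
```

Run it with a hostname to query a server you operate; without arguments it parses the constructed reply. Only query hosts you are authorised to test, and expect a timeout rather than an answer from any server that already carries the noquery mitigation.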

Mitigation

If you cannot patch ntpd (patching is the recommended approach), add the "noquery" option to each restrict line:

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1 noquery
restrict -6 ::1 noquery

With the "noquery" option, ntpd no longer answers mode 6 and mode 7 control queries (ntpq, ntpdc), so statistics and peer information are not available remotely. This might break monitoring of your NTP services. The "noquery" option is recommended for restrict lines covering local networks too, since address-based restrictions can be bypassed with source-address spoofing.
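A check for the mitigation above, as an added example that is not part of the advisory: it scans the restrict lines of an ntp.conf and reports every line that still answers control queries, plus the absence of a restrict default line (without one, ntpd applies no restrictions to unlisted sources). Both configurations embedded in it are constructed; the first is the advisory's mitigated set, the second a typical unmitigated one.

```python
"""Audit ntp.conf restrict lines for the noquery mitigation from TR-29.

Added example, not part of the advisory. It reports restrict lines that
still permit mode 6/7 control queries (neither `noquery` nor `ignore`) and
warns when no `restrict default` line exists at all.
"""

# Two constructed configurations: the advisory's mitigated one and a weak one.
MITIGATED_CONF = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1 noquery
restrict -6 ::1 noquery
"""

WEAK_CONF = """\
# typical distribution default, queries still answered
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap   # LAN, no noquery
server 0.pool.ntp.org
"""


def audit_restrict(conf_text):
    """Return a list of (line number, message); an empty list means no findings."""
    findings = []
    saw_default = False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # strip comments
        if not tokens or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        if args and args[0] in ("-4", "-6"):
            args.pop(0)  # address family selector
        if not args:
            findings.append((lineno, "restrict line without an address"))
            continue
        target = args.pop(0)
        if args[:1] == ["mask"]:
            args = args[2:]  # 'mask <netmask>' belongs to the address, not the flags
        flags = set(args)
        if target == "default":
            saw_default = True
        if "ignore" in flags or "noquery" in flags:
            continue  # ignore drops every packet; noquery drops mode 6/7 queries
        findings.append((lineno, "restrict %s: control queries allowed, add noquery" % target))
    if not saw_default:
        findings.append((0, "no 'restrict default' line: unlisted sources are unrestricted"))
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONF
    for lineno, msg in audit_restrict(text) or [(0, "no findings")]:
        print("%4d  %s" % (lineno, msg))
```

Pass the path of an ntp.conf as the first argument to audit a real file; without arguments it audits the embedded weak configuration.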

What About Vulnerability Causing UDP Amplification?

UDP-based protocols (including NTP) can be abused for DDoS reflection/amplification. For more information, see TR-19 - UDP Protocols Security - Recommendations To Avoid or Limit DDoS reflection / amplification. This document only covers the recent vulnerabilities in the ntpd daemon.

References

Contact

If you have any questions about these vulnerabilities, feel free to contact us.

Classification of this document

TLP:WHITE information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.2 - 2 January 2015 - Google security information added
  • Version 1.1 - 22 December 2014 - Cache version NTP announce added + DDoS clarification - TLP:WHITE
  • Version 1.0 - 22 December 2014 - TLP:WHITE