
How can enterprises fix the NTP daemon vulnerability to DoS attacks?

A recently patched NTP daemon vulnerability has put enterprises at risk. Expert Matthew Pascucci explains the vulnerability and how organizations can defend against it.

The Network Time Foundation's NTP Project recently patched a proof-of-concept exploit for a vulnerability in the NTP daemon that could crash a server with a single packet. How does this exploit work? What's the threat posed to enterprises, and how can they mitigate it?

Multiple vulnerabilities were recently discovered in the Network Time Protocol (NTP) daemon, and a patch has been released to remediate them. The fix for this specific vulnerability shipped in the NTP 4.2.8p9 release from the Network Time Foundation Project (NTFP).

A researcher named Magnus Stubman discovered the vulnerability and, instead of going public, took the mature route of privately informing the community of his findings. The remediation was part of the NTP 4.2.8p9 release. Stubman has written that the vulnerability he discovered could allow unauthenticated users to crash the NTP daemon with a single malformed UDP packet that causes a null pointer dereference (you can read the technical details of the NTP daemon exploit on Stubman's personal website). In other words, an attacker could craft a UDP packet aimed at the service that triggers an unhandled exception and crashes the process.

This denial-of-service (DoS) attack on the NTP daemon is dangerous because systems rely on being synchronized to within milliseconds of each other to operate properly, keep authentication protocols working smoothly, timestamp records for compliance, correlate security logs and so on. Without a working NTP daemon in an environment, errors could cascade quickly throughout the network. The threat to the environment is real, and if the daemon isn't patched, an attacker could take advantage of this vulnerability.

This particular vulnerability affects only Windows at this time, and patching it should be a priority for anyone running the NTP daemon on Windows systems. As mentioned previously, this DoS attack against NTP could incapacitate a time server and cause havoc in the network. The easiest fix is to apply the NTP 4.2.8p9 patch, which also fixes multiple other issues with NTP, but there are other mitigations as well.

The bug's release notes on the NTP Project website mention a few other techniques to mitigate the exploit if patching the system isn't possible for some reason. These include only allowing mrulist query packets from hosts that the server trusts; this is a configuration change on the server and requires a detailed understanding of the network. Implementing antispoofing and network ingress filtering per BCP 38 to limit what can reach the server is another good starting point. Lastly, the release notes recommend monitoring the NTP daemon to detect whether it has crashed and configuring it to restart automatically if it goes down.
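One way to verify the trusted-hosts workaround in an ntp.conf, as an added example that is not from the article or the NTP Project: the script parses the restrict lines and reports whether the default restriction blocks control queries and which hosts keep query access. It assumes ntpd's restrict syntax (the noquery and ignore flags, the mask argument and the -4/-6 selectors); the two sample configurations are constructed.

```python
def parse_restrict_lines(conf_text):
    """Return (target, flags) for every 'restrict' directive in ntp.conf text."""
    rules = []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()       # strip comments, tokenize
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        if parts[1] in ("-4", "-6"):                # address-family selector
            parts.pop(1)
            if len(parts) < 2:
                continue
        target, rest, flags = parts[1], parts[2:], set()
        i = 0
        while i < len(rest):
            if rest[i] == "mask" and i + 1 < len(rest):  # 'mask' takes an argument
                target = f"{target}/{rest[i + 1]}"
                i += 2
            else:
                flags.add(rest[i])
                i += 1
        rules.append((target, frozenset(flags)))
    return rules

def audit_queries(conf_text):
    """Return (default_queries_blocked, hosts_still_allowed_to_query).
    'noquery' (or 'ignore') denies ntpq/ntpdc control queries, the path an
    mrulist request takes; a per-host line without it keeps query access."""
    rules = parse_restrict_lines(conf_text)
    defaults = [f for t, f in rules if t == "default"]
    # With no 'restrict default' line at all, ntpd answers every host.
    default_blocked = bool(defaults) and all(
        "noquery" in f or "ignore" in f for f in defaults)
    allowed = [t for t, f in rules
               if t != "default" and not ({"noquery", "ignore"} & f)]
    return default_blocked, allowed

# Constructed sample configs (not from the article or the NTP Project).
WEAK_CONF = """server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer   # control queries open to any host
restrict 127.0.0.1
"""
HARDENED_CONF = """server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap   # monitoring subnet only
"""
```

Running audit_queries on the weak config reports queries open to everyone with only 127.0.0.1 listed; on the hardened config it reports the default blocked and only loopback plus the 192.0.2.0/24 monitoring subnet able to query.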

These workarounds will keep NTP stable against the DoS attack Stubman found, but they won't remove the vulnerability. The best way to protect your systems is to patch the application.

NTP is important to your network, and patching and protecting it should be a priority. Determine which method is right for your organization and take action to defend against this vulnerability.



This was last published in January 2017
