Attack Code Exploiting Critical Bugs in Net Time Sync Puts Servers at Risk
If you are not familiar with NTP, here’s the Linux man page for NTPD. Needless to say, you should update to the latest version of NTPD, or, failing that, mitigate the vulnerability through other means.
The remote-code-execution bugs reside in versions of the network time protocol daemon prior to 4.2.8, according to an advisory issued Friday by the Industrial Control Systems Cyber Emergency Response Team. In many cases, the vulnerabilities can be exploited remotely by hackers with only a low level of skill.
“Exploitation of these vulnerabilities could allow an attacker to execute arbitrary code with the privileges of the [network time protocol daemon] process,” the advisory warned. Exploit code that targets the vulnerabilities is publicly available. It’s not clear exactly what privileges NTP processes get on the typical server, but a handful of knowledgeable people said they believed it usually involved unfettered root access. Even if the rights are limited, it’s not uncommon for hackers to combine exploits with privilege elevation attacks, which increase the system resources a targeted app has the ability to control.
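A quick way to act on the "update to 4.2.8 or later" advice is to check the version of the ntpd actually installed. The following POSIX shell helper is an added example, not code from the article or the NTP project; it assumes the banner printed by `ntpd --version` starts with a token such as `ntpd 4.2.6p5@1.2349-o ...`, and the function names `ntpd_is_patched` and `check_installed_ntpd` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the advisory or the NTP project): classify an ntpd
# version banner as before or at/after 4.2.8, the first release carrying the
# remote-code-execution fixes. Dev-series versions (4.3.x) are simply treated
# as newer than 4.2.8; this is a simplification, not a statement from the advisory.

# ntpd_is_patched "<first line of ntpd --version>"
# Returns 0 if the version is 4.2.8 or later, 1 if older (affected), 2 if unparsable.
ntpd_is_patched() {
    # Keep "major.minor.patch" plus an optional "pN" patch level; drop "@build" and the date.
    ver=$(printf '%s\n' "$1" |
          sed -n 's/^ntpd \([0-9]*\.[0-9]*\.[0-9]*\(p[0-9][0-9]*\)\{0,1\}\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%p*}
    case "$rest" in *p*) plevel=${rest#*p} ;; *) plevel=0 ;; esac
    # Compare (major, minor, patch, plevel) against (4, 2, 8, 0) field by field.
    for pair in "$major 4" "$minor 2" "$patch 8" "$plevel 0"; do
        set -- $pair
        [ "$1" -gt "$2" ] && return 0
        [ "$1" -lt "$2" ] && return 1
    done
    return 0
}

# Print a one-line verdict for the ntpd found on PATH; same return codes as above.
check_installed_ntpd() {
    command -v ntpd >/dev/null 2>&1 || { echo "ntpd: not installed"; return 2; }
    line=$(ntpd --version 2>&1 | head -n 1)   # 2>&1 in case the banner goes to stderr
    ntpd_is_patched "$line" && rc=0 || rc=$?
    case $rc in
        0) echo "ntpd: $line (4.2.8 or later)" ;;
        1) echo "ntpd: $line (before 4.2.8: update, or restrict who can reach it)" ;;
        *) echo "ntpd: could not parse version from '$line'" ;;
    esac
    return $rc
}

# When run directly, report on the local ntpd (no-op if none is installed).
if command -v ntpd >/dev/null 2>&1; then
    check_installed_ntpd || :
fi
```

A distribution may backport the fixes without bumping the upstream version string, so treat a "before 4.2.8" verdict as a prompt to check the package changelog rather than as proof of exposure.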
Never-before-seen technique abused the Network Time Protocol to worsen effects.
In January, researchers uncovered evidence NTP was being exploited to wage crippling denial-of-service attacks on gaming sites. Attackers were using the widely used service to amplify the amount of bandwidth available to them, a technique that saturated targets with as much as 100 gigabits of data per second.