A proof-of-concept (PoC) exploit for a critical vulnerability in the Network Time Protocol daemon (ntpd) has been publically released that could allow anyone to crash a server with just a single maliciously crafted packet.
The vulnerability has been patched by the Network Time Foundation with the release of NTP 4.2.8p9, which includes a total of 40 security patches, bug fixes, and improvements.
The NTP daemon is used in almost every device that needs to synchronize time on computer clocks. NTP got the most attention in late 2014 and 2015 when hackers used it to launch highly amplified DDoS attacks against services.
The flaw which affects NTP.org’s nptd versions prior to 4.2.8p9, but not including ntp-4.3.94, has been discovered by security researcher Magnus Stubman, who privately disclosed it to the Network Time Foundation on June 24.
A patch for the vulnerability was developed and sent to Stubman on 29th September and just two days later, the researcher acknowledged that it mitigated the issue. And now he went with the public disclosure.
"The vulnerability allows unauthenticated users to crash ntpd with a single malformed UDP packet, which causes a null pointer dereference," Stubman wrote in an advisory published Monday.
Stubman also released a PoC exploit that can crash the NTP daemon and creates a denial-of-service (DoS) condition. The issue only affects Windows.
Besides Stubman’s high severity vulnerability, the latest NTP update also addresses two medium severity bugs, two medium-low severity, and five low-severity security issues; 28 bug fixes, and contains other improvements over 4.2.8p8.
Another major bug is a trap-crash vulnerability reported by Cisco’s Matthew Van Gundy.
"If trap service has been explicitly enabled, an attacker can send a specially crafted packet to cause a null pointer dereference that will crash ntpd, resulting in a denial of service," reads the advisory.
CERT at the Software Engineering Institute at Carnegie Mellon University has also released the full list of the vulnerabilities in NTP and fixes. It also listed some vendors that implement NTP and could be affected by the bugs.
Since the exploit for the severe bug is available to the public, administrators are strongly recommended to patch their NTP implementations as soon as possible.
In the past, we have seen hackers abusing the NTP servers by sending small spoofed UDP packets to the vulnerable server that requests a significant amount of data (megabytes worth of traffic) to be sent to the DDoS’s target IP Address.
Above 400 Gbps NTP amplification DDoS Attack was carried out against content-delivery and anti-DDoS protection firm CloudFlare, and volumetric DDoS attacks exceeding 100 Gbps against popular Gaming services, including League of Legends, EA.com, and Battle.net from Blizzard in 2014.
In a study conducted by Arbor Networks in late 2013, the researchers illustrated the effectiveness of NTP amplification attacks that are massive and efficient to take any large server offline because they reflect 1,000 times the size of the initial query back to the target.