It’s that time of year again when summer daylight saving time has just ended in Europe and the developers of the NTP time synchronisation service are responding to a series of new attacks with an update, German IT news site heise reports. With these attacks communication between servers and clients can be manipulated so that the clients receive the incorrect time or no time at all.
The reference implementation of the NTP time server service is now version 4.2.8p4, with which the developers have closed 13 security holes, including a series of vulnerabilities which four Boston University researchers describe in detail in a research paper (PDF). The researchers succeeded in finding several ways of attacking the time service, including preventing clients of the service from using it, also known as a Denial of Service (DoS) attack and providing them with the wrong time under certain circumstances.
NTP is used to synchronise the local clocks of all kinds of computers via the network. Various providers make different servers available which a client can query for the current clock time. Nearly all modern operating systems adjust this unnoticed in the background. Nevertheless, there have been attacks in the past on software implementations of this system and on the NTP protocol itself.
Kiss of death
Two of the new attacks are characterised mainly by the fact that the attacker does not need to hook up to the connection between client and server as a “man in the middle“. Both kinds of DoS attack take advantage of the so-called “Kiss o’ Death” (KoD) packet to cripple communication between the client and server. The KoD packet tricks the client into thinking that a NTP server is very busy or overloaded and the client should send fewer queries.
Attackers can now fake packets for all services which a client normally queries for its time; and do so in such a way that the client doesn’t update its internal clock for months or even years on end. The elegant thing about this hack is that the attacker only needs to send very few packets. In the second attack possibility described by the researchers the attacker must fake many client requests and thus force the server to silence the client with KoD packets. This also results in the client no longer updating its clock.
Both holes (CVE-2015-7704 and CVE-2015-7705) have been plugged in the new version of NTP.
Time shift
With 2 further attack methods the researchers succeeded in foisting incorrect clock times on clients. Clients should normally ignore times which differ by more than 1,000 seconds from their system time – the so-called “Panic Threshold“. However, in many configurations this does not apply to NTP queries sent immediately after a reboot of the client. Their system times can therefore be manipulated almost at will if they can be forced to reboot. Cryptography operations can be gerrymandered or DoS attacks conducted on the software running on the client with such a manipulation.
The intentional fragmentation of IPv4 packets can also be abused to confound a client’s time queries and foist an incorrect time on it. However, this method is very fiddly and the researchers did not want to test in the the wild since it uses the techniques of the decades-old Teardrop attacks and can crash old operating systems. This problem with overlapping TCP/IP packets is not a specific error of the NTP protocol, but of the underlying operating systems.
Admins should patch NTP
The Boston University researchers discovered the security holes on 20th August. Their paper has only been published now to give the NTP developers time to plug the holes. The researchers are recommending that admins running NTP servers update them as quickly as possible to version 4.3.8p4.