The network time protocol (NTP) is badly vulnerable (again). Time to get patching (again). But NTP seems to be embedded in everything these days, so this won't be a simple matter for many IT shops.
Not great timing if you're winding down for the holidays, is it? In IT Blogwatch, bloggers get ready to patch loads of gear (again).
Your humble blogwatcher curated these bloggy bits for your entertainment.
Lucky us—Lucian Constantin comments: [You're fired -Ed.]
Remote code execution vulnerabilities in the standard implementation of...NTP can be exploited by attackers...sending specially crafted packets.
…
The Network Time Foundation, the organization that oversees the NTP project, has released version 4.2.8 of the [reference] implementation. [It] fixes four buffer overflow vulnerabilities, tracked together as CVE-2014-9295...and fixes three other weaknesses in the protocol's cryptographic implementation and error handling.
…
The U.S. government's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned...that exploit code for these vulnerabilities is publicly available already. MORE
And Dan Goodin brings the goods:
[It's] putting countless servers at risk of remote hijacks. ... In many cases, the vulnerabilities can be exploited remotely by hackers with only a low level of skill.
…
The bugs were discovered by Google Security Team researchers Neel Mehta and Stephen Roettger. MORE
Ever-vigilant in their protection of the "Homeland's" security, the anonymous gnomes at NCCIC/ICS-CERT advise thuswise:
As NTP is widely used within operational Industrial Control Systems deployments, [we are] providing this information for US Critical Infrastructure asset owners and operators for awareness and to identify mitigations for affected devices. ... Exploitation of these vulnerabilities could allow an attacker to execute arbitrary code.
…
ntpd [may] generate a weak random key with insufficient entropy. ... ntp-keygen used a weak seed to prepare a random number generator...to generate symmetric keys. ... A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed. ... All NTP Version 4 releases, prior to Version 4.2.8, are vulnerable. MORE
Yep, including those in Mac OS, notes Christopher Breen:
Apple issued a security update for Mac OS X Mountain Lion, Mavericks, and Yosemite [and] suggests that you install the update as soon as possible.
…
Choose Software Update from the Apple menu and click the Update button next to the latest Security Update entry. MORE
Meanwhile, Darren Pauli feels for the poor sysadmins who were looking forward to a quiet few days:
System administrators may need to forego the Christmas beers and roasted beasts until they've updated NTP daemons.
…
Admins should backup...system configurations and test the patch prior to deployment, [CERT] urged. It's also advisable to harden systems by minimising network exposure, including by shoving remote devices and...control system networks behind firewalls and into isolated zones. MORE
Always on the ball, SJVN had that angle earlier, and zero punches were pulled:
Yes, I know, you're a hardworking system or network administrator and you want to go home for the holidays. Too bad, so sad. ... You need to fix it. Now. ... These security holes, according to ISC-CERT, are of the worst possible kind.
…
I strongly urge you to approach your operating system vendor for NTP 4.2.8. ... Plan of making a night of it. This is a serious bug. MORE
And Finally: Today's earworm…
Music to patch by
You have been reading IT Blogwatch by Richi Jennings, who curates the best bloggy bits, finest forums, and weirdest websites… so you don't have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or itbw@richi.uk. Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.
