Hot on the heels of accusations by the FBI that North Korea was behind the most devastating hack in U.S. history, the federal government has just issued an advisory warning that large swaths of critical industrial-control infrastructure could be vulnerable to yet another form of attack that takes advantage of the Network Time Protocol.
The danger lies in a weakness in NTP, the protocol used almost everywhere to synchronize the clocks of servers and network devices, that remote attackers can exploit, according to a government advisory issued Friday. Worse, tools that target the vulnerability are already publicly available.
Network Time Protocol
NTP is an open protocol, and its reference implementation, the ntpd daemon, is open-source software; both are widely used on networks the federal government considers critical IT infrastructure. An attacker who exploits the vulnerability can execute code with the privileges of the ntpd process, which, depending on how the daemon was started, may be root.
The flaw is a stack buffer overflow in ntpd. In earlier versions, a remote attacker can send a carefully crafted packet that overflows a fixed-size buffer on the stack and potentially allows malicious code to run with the privilege level of the ntpd process. All NTP4 releases before 4.2.8 are affected. System administrators are advised to upgrade to NTP-stable 4.2.8, which was released on Friday; administrators running a vendor-packaged ntpd should check whether their distribution has backported the fix, since a patched package may still report a version number below 4.2.8. The vulnerability was discovered by Neel Mehta and Stephen Roettger, two researchers on the Google Security Team, who coordinated disclosure with the Department of Homeland Security.
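As an added example (not code from the advisory or from the NTP Project), the following POSIX shell script shows the check an administrator would run first: parse the banner that `ntpd --version` prints and flag anything older than 4.2.8. The sample banners in the script are constructed for the demo. Pre-release builds such as 4.2.7pNNN are ranked below 4.2.8, and a vendor package that backports the fix without changing its version number will still be reported as vulnerable, so reconcile the result against your distribution's advisory.

```shell
#!/bin/sh
# Added example, not part of the ICS-CERT advisory or of the NTP Project's code.
# Decides whether an ntpd version string describes a release older than
# 4.2.8, the range the advisory describes as vulnerable.

# Reduce a banner such as "ntpd 4.2.6p5@1.2349-o Fri Apr 13 12:52:28 UTC 2012 (1)"
# to the three numbers "4 2 6". The pre-release suffix (p5, p482, ...) is
# dropped, which correctly ranks every 4.2.7pN build below 4.2.8.
ntp_version_tuple() {
    printf '%s\n' "$1" |
        sed 's/^[^0-9]*//; s/^\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/' |
        tr '.' ' '
}

# Exit status: 0 = older than 4.2.8 (vulnerable), 1 = 4.2.8 or newer,
# 2 = no X.Y.Z version number could be found in the input.
ntp_version_vulnerable() {
    set -- $(ntp_version_tuple "$1")
    [ $# -eq 3 ] || return 2
    if [ "$1" -lt 4 ]; then return 0; fi
    if [ "$1" -gt 4 ]; then return 1; fi
    if [ "$2" -lt 2 ]; then return 0; fi
    if [ "$2" -gt 2 ]; then return 1; fi
    if [ "$3" -lt 8 ]; then return 0; fi
    return 1
}

# Check the daemon installed on this host. Both output streams are captured
# in case the build prints its banner on stderr. Returns the same status
# codes as ntp_version_vulnerable.
report_local_ntpd() {
    command -v ntpd >/dev/null 2>&1 || { echo "ntpd not found in PATH"; return 2; }
    banner=$(ntpd --version 2>&1)
    rc=0; ntp_version_vulnerable "$banner" || rc=$?
    case $rc in
        0) echo "VULNERABLE (older than 4.2.8): $banner" ;;
        1) echo "ok (4.2.8 or newer): $banner" ;;
        *) echo "could not parse a version from: $banner" ;;
    esac
    return $rc
}

# Demo run over constructed sample banners (not captured from real hosts).
demo_banners='ntpd 4.2.6p5@1.2349-o Fri Apr 13 12:52:28 UTC 2012 (1)
ntpd 4.2.7p482@1.2483-o
ntpd 4.2.8@1.3265-o'
printf '%s\n' "$demo_banners" | while IFS= read -r banner; do
    rc=0; ntp_version_vulnerable "$banner" || rc=$?
    case $rc in
        0) echo "VULNERABLE: $banner" ;;
        1) echo "ok:         $banner" ;;
        *) echo "unparsed:   $banner" ;;
    esac
done
```

To check a real host, call `report_local_ntpd` from the script; on builds where `ntpd --version` is unavailable, the same banner can be read from the `version=` field that `ntpq -c rv` returns and passed to `ntp_version_vulnerable`.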
"Impact to individual organizations depends on many factors that are unique to each organization," according to the advisory published Friday by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a group within the Department of Homeland Security responsible for coordinating responses to threats to critical infrastructure. "ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation."
Unfortunately for anxious system admins, ICS-CERT says attackers do not need to be particularly skilled to carry out the hack. Worse, tools to exploit the vulnerability are available publicly.
Protecting Your Systems
This is hardly the first time NTP has been implicated as an attack vector, but the earlier abuse was of a different kind. In a reflection attack, hackers send small queries (notably the monlist request) to open NTP servers with the victim's address forged as the source, and the much larger replies flood the victim's Web sites or public-facing devices with high-volume Distributed Denial of Service traffic. Those attacks first began appearing around November 2013. This year, NTP-based attacks accounted for 14 percent of all DDoS attacks in the first quarter and 6 percent in the second.
In addition to upgrading to Friday's release of NTP-stable 4.2.8, ICS-CERT encourages asset owners to take further defensive measures against the vulnerability. Among its recommendations, system admins should minimize network exposure for all control system devices and systems, and ensure that none of them is reachable from the Internet.
ICS-CERT also recommends that organizations place control system networks and remote devices behind firewalls and isolate them from the business network.
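A companion hardening step, added here as an example and not taken from the ICS-CERT advisory: the access-control section of ntp.conf as it is often shipped, which answers anyone, beside a restricted version. The restrict lines limit who can send management queries and switch off the monitor list that reflection attacks abuse; they do not patch the overflow, so they complement the 4.2.8 upgrade and the firewall isolation above rather than replace them. The server names are placeholders.

```conf
# --- Exposed (weak): no restrict lines, so ntpd answers time, status and
# --- management requests from any address that can reach UDP port 123.
server 0.pool.example.net
server 1.pool.example.net

# --- Restricted: synchronization with the configured servers still works,
# --- everything else is refused except from the loopback address.
server 0.pool.example.net
server 1.pool.example.net

# Default policy for every IPv4 and IPv6 source: answer time requests only.
#   kod       send Kiss-o'-Death packets instead of silently dropping
#             refused or rate-limited requests
#   limited   enforce the rate limits set by the discard command
#   nomodify  refuse ntpq/ntpdc requests that change the daemon's state
#   notrap    refuse control-message trap service
#   nopeer    refuse to form associations with unconfigured hosts
#   noquery   refuse ntpq/ntpdc status queries, including monlist
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery

# Full access from the local host only, so ntpq still works on the box.
restrict 127.0.0.1
restrict ::1

# Turn off the monitor list entirely so it cannot be reflected at anyone.
disable monitor
```

After changing the file, restart ntpd and confirm from another host on the management network that `ntpq -c rv <server>` is refused while ordinary time requests are still answered.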