In late December, researchers from the Google Security Team discovered several critical vulnerabilities in ntpd, the reference implementation of the Network Time Protocol (NTP), which keeps the clocks of servers and network devices in sync and is widely used in industrial control systems as well.
All ntpd releases before 4.2.8 are affected. The flaws include several buffer overflows that allow a remote attacker to execute arbitrary code on the server; according to the researchers, working exploits are already publicly available.
According to Positive Technologies, open sources alone make it easy to identify more than 30,000 Internet-facing servers still affected by these vulnerabilities, about 4,300 of them in the Russian segment of the Internet.
The screenshot below shows how this NTP vulnerability appears in one of the security audits performed with the MaxPatrol security and compliance monitoring system:
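As an added example (not part of the original post and not MaxPatrol's own logic), the following Python snippet reproduces the core of such a check: it parses the version banner that ntpd returns to an ntpq -c rv query and flags anything older than 4.2.8. The banners below are constructed samples, not real hosts. One caveat any banner-based scanner has to live with: Linux distributions often backport the fix without changing the upstream version number, so a banner such as 4.2.6p5 may belong to a fully patched package and should be confirmed against the vendor's package changelog; and a server that already enforces noquery will not reveal its version at all, which the code reports as "unknown" rather than "fixed".

```python
import re

# Fixed release per the advisory: every ntpd release before 4.2.8 is affected.
FIXED = (4, 2, 8, 0)

# Matches "ntpd 4.2.6p5", "ntpd 4.2.7p404", "ntpd 4.2.8" (no p-level) etc.
_VERSION_RE = re.compile(r"ntpd\s+(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_ntpd_version(banner):
    """Extract (major, minor, patch, p-level) from an ntpd version banner.

    Accepts either the full 'ntpq -c rv' variable (version="ntpd 4.2.6p5@...")
    or just the 'ntpd 4.2.6p5...' string. Returns None if no version is found.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(banner):
    """True if the banner advertises an ntpd release older than 4.2.8,
    False if 4.2.8 or later, None if the version cannot be determined."""
    v = parse_ntpd_version(banner)
    if v is None:
        return None
    return v < FIXED


# Constructed sample banners in the shape 'ntpq -c rv <host>' prints them
# (hypothetical hosts; the version strings mirror common 2014 deployments).
SAMPLE_BANNERS = {
    "host-a": 'version="ntpd 4.2.6p5@1.2349-o Tue Jun 24 22:38:29 UTC 2014 (1)"',
    "host-b": 'version="ntpd 4.2.7p404@1.2483 Wed Sep 18 08:41:05 UTC 2013 (1)"',
    "host-c": 'version="ntpd 4.2.8@1.3265-o Thu Dec 18 20:42:00 UTC 2014 (1)"',
    "host-d": 'version="ntpd 4.2.8p1@1.3265-o Fri Feb  6 10:01:00 UTC 2015 (1)"',
    "host-e": "",  # noquery in force: the server returned no version variable
}


def triage(banners):
    """Map host -> 'affected' / 'fixed' / 'unknown' for a dict of banners."""
    out = {}
    for host, banner in banners.items():
        verdict = is_affected(banner)
        if verdict is None:
            out[host] = "unknown"
        else:
            out[host] = "affected" if verdict else "fixed"
    return out


if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_BANNERS).items()):
        print(f"{host}: {verdict}")
```

Hosts classified as "unknown" are not necessarily safe; they simply refuse status queries and need to be checked by other means, such as the installed package version.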

Remediation recommendations are published in the ICS-CERT advisory and on the NTP support site. The main advice is to update to NTP 4.2.8 from the official site, ntp.org. Where upgrading is not possible, two configuration changes block the known attack paths:
- Disable Autokey authentication by deleting or commenting out every line in ntp.conf that begins with the crypto directive.
- Add the noquery flag to the restrict directive covering all untrusted clients in /etc/ntp.conf (for example, restrict default ... noquery). This stops untrusted clients from querying the server's status and monitoring information; it does not affect ordinary time synchronization.
A simpler option is to turn off the NTP service on servers and network devices that do not need it, or to filter it at the firewall if external access is not required. If the service must stay reachable to external clients, restrict access to UDP port 123 to a list of trusted IP addresses.
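To make the two configuration changes concrete, here is an added Python example (written for this page, not code from the post, ICS-CERT or ntp.org) that audits an ntp.conf for the two weaknesses just described and emits a hardened copy: crypto lines are commented out, and noquery is appended to the default restrict lines (or such lines are added if the file has none). Explicit restrict lines for individual trusted hosts, such as the loopback address and a monitoring host, are left untouched, which is how status queries stay available to trusted clients only. The ntp.conf content below is a constructed sample; the firewall rules for port 123 are a separate step not covered here.

```python
import shlex

# Constructed sample ntp.conf with both weak settings present: Autokey enabled
# and default restrict lines that still allow status queries from anyone.
WEAK_CONF = """\
# sample ntp.conf (constructed for this example)
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
crypto pw secretpassphrase
crypto randfile /dev/urandom
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.10  # trusted monitoring host, still allowed to query
"""


def _tokens(line):
    """Tokenize one ntp.conf line, dropping comments; [] for blank/comment lines."""
    code = line.split("#", 1)[0].strip()
    return shlex.split(code) if code else []


def _default_restrict_args(tok):
    """Return the flags of a 'restrict [-4|-6] default ...' line, or None otherwise."""
    if not tok or tok[0] != "restrict":
        return None
    args = tok[1:]
    if args and args[0] in ("-4", "-6"):
        args = args[1:]
    if args and args[0] == "default":
        return args[1:]
    return None


def audit(conf_text):
    """List (line number, finding) pairs for the two weaknesses named in the advisory."""
    findings = []
    saw_default_restrict = False
    for n, line in enumerate(conf_text.splitlines(), 1):
        tok = _tokens(line)
        if tok and tok[0] == "crypto":
            findings.append((n, "Autokey enabled via 'crypto' directive"))
            continue
        flags = _default_restrict_args(tok)
        if flags is not None:
            saw_default_restrict = True
            if "noquery" not in flags:
                findings.append((n, "default restrict lacks 'noquery'"))
    if not saw_default_restrict:
        findings.append((0, "no 'restrict default' line: any client may query status"))
    return findings


def harden(conf_text):
    """Return a hardened copy of conf_text.

    crypto lines are commented out (Autokey off), 'noquery' is appended to every
    default restrict line that lacks it, and default restricts are added when the
    file has none. Per-host restrict lines (trusted clients) are left as they are.
    """
    out = []
    saw_default_restrict = False
    for line in conf_text.splitlines():
        tok = _tokens(line)
        if tok and tok[0] == "crypto":
            out.append("# disabled (Autokey): " + line)
            continue
        flags = _default_restrict_args(tok)
        if flags is not None:
            saw_default_restrict = True
            if "noquery" not in flags:
                # Keep any trailing comment after the appended flag.
                code, hash_, comment = line.partition("#")
                line = code.rstrip() + " noquery" + (f"  #{comment}" if hash_ else "")
        out.append(line)
    if not saw_default_restrict:
        out.append("restrict default kod nomodify notrap nopeer noquery")
        out.append("restrict -6 default kod nomodify notrap nopeer noquery")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for n, finding in audit(WEAK_CONF):
        print(f"line {n}: {finding}")
    print("--- hardened ---")
    print(harden(WEAK_CONF), end="")
```

After editing the real file, restart ntpd and confirm from an untrusted address that ntpq -c rv is refused while ordinary time requests still succeed.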
Judging by experience with past NTP bugs, it is safe to predict that these new vulnerabilities will not be closed quickly. At the beginning of last year, for instance, a powerful wave of DDoS attacks amplified through NTP swept across the Internet. In such an attack the attacker sends a specially crafted request to an NTP server with the victim's IP address spoofed as the source; the server sends its perfectly legitimate reply to that address, and the reply can be hundreds of times larger than the request, so the time server becomes an unwitting amplifier. CERT published recommendations for protecting against these attacks last January. Yet six months later, in June, there were still 17 thousand vulnerable NTP servers, and many of them continued to take part in DDoS attacks, multiplying junk traffic hundreds of times.