Denial of service attacks pour through rift in Network Time Protocol
Mismatched clocks allow poison packets to prevent synching, and sink you
Red Hat security chap Miroslav Lichvar has revealed two vulnerabilities in the widely used and open-source Network Time Protocol daemon (NTPd) that allow attackers to mess up people's clocks.
Lichvar reported the two since-patched holes in which packets without proper message authentication codes are accepted regardless (CVE-2015-1798), and a denial of service condition is triggered when spoofed packets are sent between synchronized hosts (CVE-2015-1799).
The latter flaw affects NTP installations that use symmetric key authentication (xntp3.3wy to version ntp-4.2.8p1), and involves sending spoofed packets between two peering hosts that contain mismatched originate and transmit timestamps.
"An attacker who periodically sends such packets to both hosts can prevent synchronisation," the Carnegie Mellon University Computer Emergency Response Team says.
"An unauthenticated attacker with network access may be able to inject packets or prevent peer synchronisation among symmetrically authenticated hosts."
Sysadmins should update to version ntp-4.2.8p2 of their daemon.
NTP is used to synchronize computer clocks across the web, and is a favorite for denial-of-service attackers who use the protocol to amplify traffic.