Matthew Van Gundy of Cisco ASIG and Cisco Talos have discovered multiple vulnerabilities in the NTP Daemon. Cisco Talos is an industry-leading threat intelligence organization dedicated to providing protection before, during, and after cybersecurity threats.
The company concerned issued a statement on October 21 stating that Cisco had identified multiple vulnerabilities in its Network Time Protocol Daemon (NTPD).
“Cisco assesses the security of software components used in our products. Open source software plays a key role in many Cisco products and as a result, ensuring the security of open source software components is vital, especially in the wake of major vulnerabilities such as Heartbleed and Shellshock,” the company said in the statement.
According to the company, a flaw exists within the NTPD that manifests due to improper error condition handling associated with certain crypto-NAK packets.
“An unauthenticated, off-path attacker can force the NTPD processes on targeted servers to peer with time sources of the attacker's choosing by transmitting symmetric active crypto-NAK packets to ntpd. This attack bypasses the authentication typically required to establish a peer association and allows an attacker to make arbitrary changes to system time,” it added.
Now, Cisco is evaluating the NTPD for security defects.
As per the researcher, the NTPD is a widely deployed software package used to synchronize time between hosts. It ships with a wide variety of network and embedded devices as well as desktop and server operating systems, including Mac OS X, major Linux distributions, and BSDs.
Cisco has released eight advisories for vulnerabilities that have been identified by the Talos Group and the Advanced Security Initiatives Group (ASIG) within Cisco.
“These vulnerabilities have been reported to the NTP Project in accordance with Cisco vulnerability reporting and disclosure guidelines. The NTP Project has responded by issuing a Security Advisory along with releasing a patched version of the NTPD,” the statement added.
Talos has released rules that detect attempts to exploit these vulnerabilities to protect its customers.
“Please refer to your Defense Center, FireSIGHT Management Center or Snort.org,” it added.