Secplicity - Security Simplified

Powered by WatchGuard Technologies

Serious NTPd vulnerabilities Patched; XTM Not Affected

December 19, 2014 By Corey Nachreiner

Today, CERT and NTP.org warned the world about some serious vulnerabilities in a very popular network time server called ntpd. If you use Linux systems, or any number of network appliances, chances are you’re using ntpd somewhere in your organization, and should apply the 4.2.8 update (tarball) as soon as possible.

Network Time Protocol (NTP) is a standard for updating and synchronizing your computer’s clock over a network. Ntpd is one of the most popular NTP services; it ships with Linux and Unix operating systems and is also used by many Linux-based network and hardware appliances (perhaps even some Internet of Things devices). According to CERT’s advisory, ntpd suffers from four new security vulnerabilities. I won’t explain them all in detail, but the worst are buffer overflow vulnerabilities in a number of ntpd functions. In short, by sending specially crafted packets, a remote and unauthenticated attacker can exploit these buffer overflow flaws to execute arbitrary code on any system running ntpd. The malicious code would run with the same privileges as the ntpd process (ntpd’s privileges vary from system to system).

These buffer overflow flaws are very serious, as any remote attacker can exploit them without authentication, as long as she has network access to your ntpd service. CERT assigned the flaws a 7.5 (out of 10) CVSS rating, which is pretty high. I highly recommend you update ntpd on all your *nix servers immediately.

Also, throughout the next few weeks we will likely learn of many other Linux-based products that are affected by this ntpd flaw. Be sure to watch CERT’s alert for these updates, and upgrade the firmware of any affected devices when it’s available. To learn more about these issues, check out CERT’s and NTP.org’s advisories (Note: At the time of writing, NTP’s advisory was experiencing occasional downtime).

Are WatchGuard Products Affected?

Finally, astute customers might wonder if any WatchGuard products are affected by these flaws, since they are Linux-based. The good news is our flagship XTM products are not affected. However, our XCS mail security appliances are. More details below:

  • XTM and Firebox appliances: Our XTM appliances use openntpd for NTP communications, rather than ntpd. They are NOT VULNERABLE to the ntpd flaws.
  • WatchGuard Wireless Access Points (AP): Our wireless APs only use ntpclient for time synchronization, and are NOT VULNERABLE to the ntpd issues.
  • XCS appliances: Our XCS appliances do use ntpd, and are VULNERABLE to these flaws. However, you can easily mitigate the risk of these ntpd vulnerabilities. Most administrators have a firewall in front of their XCS appliance. We recommend you prevent external NTP traffic (UDP 123) from reaching your XCS appliance. Instead, set up an internal NTP server (make sure to update ntpd if you use it) and get network time synchronization from that internal server.
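To help with the inventory step the advice above implies (find every host still running a pre-4.2.8 ntpd, including the internal time server you point the XCS at), here is an added example, not code from the original post or from WatchGuard: a small Python check that parses the version line `ntpq -c rv` reports and flags builds older than 4.2.8. The sample outputs are constructed, not captured from real hosts.

```python
import re
import subprocess
from typing import Optional, Tuple

# ntpd releases earlier than 4.2.8 are the ones the December 2014 advisory covers.
FIXED_VERSION = (4, 2, 8, 0)

# Matches the leading token of ntpq's "version" variable, e.g.
#   version="ntpd 4.2.6p5@1.2349-o Fri Apr 13 12:52:28 UTC 2012 (1)"
# Groups: major, minor, micro, optional "pN" patch level.
_VERSION_RE = re.compile(r'ntpd\s+(\d+)\.(\d+)\.(\d+)(?:p(\d+))?')


def parse_ntpd_version(rv_output: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, micro, patch) from `ntpq -c rv` output, or None if absent."""
    m = _VERSION_RE.search(rv_output)
    if not m:
        return None
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def needs_update(rv_output: str) -> Optional[bool]:
    """True if the reported ntpd predates 4.2.8, False if 4.2.8 or later, None if unparseable."""
    ver = parse_ntpd_version(rv_output)
    if ver is None:
        return None
    return ver < FIXED_VERSION


def check_local_ntpd(timeout: float = 5.0) -> Optional[bool]:
    """Query the ntpd on this host (needs ntpq on PATH) and classify its version."""
    try:
        proc = subprocess.run(["ntpq", "-c", "rv"], capture_output=True,
                              text=True, timeout=timeout, check=False)
    except (OSError, subprocess.TimeoutExpired):
        return None  # ntpq missing or daemon not answering: cannot tell from here
    return needs_update(proc.stdout)


# Constructed sample outputs for a self-check (not real captures).
SAMPLE_OLD = ('associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync,\n'
              'version="ntpd 4.2.6p5@1.2349-o Fri Apr 13 12:52:28 UTC 2012 (1)",\n'
              'processor="x86_64", system="Linux/3.13.0", leap=00, stratum=3,')
SAMPLE_NEW = ('associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync,\n'
              'version="ntpd 4.2.8@1.3265-o Thu Dec 18 15:10:00 UTC 2014 (1)",')
SAMPLE_NO_NTPD = 'ntpq: read: Connection refused'  # e.g. a host running openntpd instead

if __name__ == "__main__":
    for label, sample in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("none", SAMPLE_NO_NTPD)):
        print(label, parse_ntpd_version(sample), needs_update(sample))
```

A result of None means the host gave no ntpd version string at all (no ntpq, a refused query, or a different daemon such as openntpd), so it needs a manual look rather than being counted as patched.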

Update on Dec 29th 2014:

  • XCS Hotfix: XCS 10.0 NTP Hotfix was published on Dec 26th to patch ntpd. WatchGuard XCS 10.0 Update 2 must be installed before installing this hotfix release.
  • WatchGuard Dimension: Although not technically exposed, Dimension includes an affected version of ntpd. A patch for Linux in Dimension was made available on Dec 23rd. Dimension automatically downloads security updates for its Linux components when they become available. Just make sure that you don’t have any upstream firewall that blocks access to security.ubuntu.com and archive.ubuntu.com.

— Corey Nachreiner, CISSP (@SecAdept), Brendan Patterson, CISSP

Filed Under: Editorial Articles, WatchGuard Articles
