The vulnerability has been patched by the Network Time Foundation with the release of NTP 4.2.8p9, which includes a total of 40 security patches, bug fixes, and improvements.
The NTP daemon is used in almost every device that needs to synchronize time on computer clocks.
The flaw, which affects NTP.org’s ntpd versions prior to 4.2.8p9 but not including ntp-4.3.94, was discovered by security researcher Magnus Stubman, who privately disclosed it to the Network Time Foundation on June 24.
“The vulnerability allows unauthenticated users to crash ntpd with a single malformed UDP packet, which causes a null pointer dereference,” Stubman wrote in an advisory published Monday.
Stubman also released a PoC exploit that can crash the NTP daemon and create a denial-of-service (DoS) condition.
Besides Stubman’s high-severity vulnerability, the latest NTP update also addresses two medium-severity, two medium-low-severity, and five low-severity security issues, includes 28 bug fixes, and contains other improvements over 4.2.8p8.
Another major bug is a trap-crash vulnerability reported by Cisco’s Matthew Van Gundy.
“If trap service has been explicitly enabled, an attacker can send a specially crafted packet to cause a null pointer dereference that will crash ntpd, resulting in a denial of service,” reads the advisory.
CERT at the Software Engineering Institute at Carnegie Mellon University has also released the full list of the vulnerabilities in NTP and fixes.
In the past, we have seen hackers abuse NTP servers by sending small UDP packets with a spoofed source address to a vulnerable server, requesting a significant amount of data (megabytes worth of traffic) that the server then sends to the DDoS target’s IP address.
An NTP amplification DDoS attack exceeding 400 Gbps was carried out against content-delivery and anti-DDoS protection firm CloudFlare, and volumetric DDoS attacks exceeding 100 Gbps hit popular gaming services, including League of Legends, EA.com, and Blizzard’s Battle.net, in 2014.
In a study conducted by Arbor Networks in late 2013, researchers illustrated how effective NTP amplification attacks are at taking even a large server offline: the servers reflect back to the target roughly 1,000 times the size of the initial query.
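The reflection pattern described above (a tiny request, a response many times its size, sent to whatever source address the request claimed) is visible in ordinary flow records. The following is an added example, not code from the article or from the NTP project: it scans constructed flow summaries for UDP/123 exchanges whose response-to-request byte ratio is far above the roughly 1:1 of a normal time-sync exchange, and totals the reflected bytes per spoofed source, which is the likely DDoS target. The `Flow` record layout, the threshold of 10x and the sample addresses are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

NTP_PORT = 123
# Assumed tuning knob: a normal client/server NTP exchange is about 1:1
# (48-byte request, 48-byte response), so anything well above that is suspect.
AMPLIFICATION_THRESHOLD = 10.0


@dataclass(frozen=True)
class Flow:
    """One summarised UDP flow, in the shape a flow collector might export (constructed)."""
    src: str             # source address of the request; in a reflection attack this is the spoofed victim
    dst: str             # server that answered
    dport: int           # destination port of the request
    request_bytes: int   # bytes sent towards the server
    response_bytes: int  # bytes the server sent back to src


def amplification_ratio(flow: Flow) -> float:
    """Response bytes per request byte; a zero-length request counts as no amplification."""
    if flow.request_bytes <= 0:
        return 0.0
    return flow.response_bytes / flow.request_bytes


def flag_amplification(flows: Iterable[Flow],
                       threshold: float = AMPLIFICATION_THRESHOLD) -> List[Tuple[str, str, float]]:
    """Return (victim, server, ratio) for NTP flows amplified beyond the threshold."""
    hits = []
    for f in flows:
        if f.dport != NTP_PORT:
            continue  # only NTP traffic is of interest here
        ratio = amplification_ratio(f)
        if ratio >= threshold:
            hits.append((f.src, f.dst, round(ratio, 1)))
    return hits


def reflected_bytes_by_target(flows: Iterable[Flow],
                              threshold: float = AMPLIFICATION_THRESHOLD) -> Dict[str, int]:
    """Total reflected bytes per (spoofed) source address, largest first."""
    totals: Dict[str, int] = defaultdict(int)
    for f in flows:
        if f.dport == NTP_PORT and amplification_ratio(f) >= threshold:
            totals[f.src] += f.response_bytes
    return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))


# Constructed sample flows (documentation/test addresses only).
SAMPLE_FLOWS = [
    # Ordinary time sync: 48-byte request, 48-byte reply (ratio 1.0).
    Flow("10.0.0.5", "192.0.2.10", 123, 48, 48),
    # The same source address appearing at two servers, each small request
    # drawing ~1000x the bytes back: the reflection pattern the article describes.
    Flow("203.0.113.7", "192.0.2.10", 123, 64, 64000),
    Flow("203.0.113.7", "192.0.2.11", 123, 64, 64000),
    # A moderately amplified flow towards a different spoofed source.
    Flow("203.0.113.9", "192.0.2.10", 123, 100, 2500),
    # A DNS flow with a large answer; ignored because it is not NTP.
    Flow("10.0.0.6", "192.0.2.53", 53, 60, 3000),
]

if __name__ == "__main__":
    for victim, server, ratio in flag_amplification(SAMPLE_FLOWS):
        print(f"{server} reflected {ratio}x towards {victim}")
    print(reflected_bytes_by_target(SAMPLE_FLOWS))
```

Run as a script it lists the three amplified flows and shows 203.0.113.7 as the address absorbing the most reflected traffic. In practice the same logic runs over exported NetFlow/IPFIX records, and the server side of a flagged flow is the host whose NTP configuration needs its query and control features restricted.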