NTP Vulnerabilities Reported 2023-04
In April 2023, some vulnerabilities in the NTP software up to and including version 4.2.8p15 were reported and initially classified as high risk.
After detailed investigation, however, the risk was changed to low because it is almost impossible that the running NTP service (ntpd) can be compromised by a remote attacker.
Four of the five vulnerabilities only affect a single routine used by the ntpq utility to display formatted millisecond values.
The problem can only arise when ntpq is explicitly run to request data from a remote NTP server and the response contains specially crafted, manipulated data.
This, in turn, can only happen if the remote NTP server itself has already been compromised, or if a man-in-the-middle attack is possible and the network packets are specially manipulated.
The last of the vulnerabilities affects the ntpd service, but only a driver for some very old GPS receivers. If no such GPS receiver is connected and explicitly configured as a time source for ntpd, the problematic code will never run.
Meinberg has already pre-installed the appropriate patches, so the vulnerabilities are already fixed in programs of the NTP package with these version codes (or later):
- 4.2.8p15a of the NTP package for Windows (2023-04-19)
- 4.2.8p15-mbg-04 of the NTP programs used within the firmware of Meinberg devices (2023-04-19)
The official version that includes these fixes is 4.2.8p16.
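The version thresholds listed above can be checked mechanically when auditing a fleet. The following is an added example, not code from Meinberg or the NTP project; the function names are hypothetical, and the assumption is that the version string follows the forms shown on this page, optionally embedded in a longer banner.

```python
import re

# major.minor.patch, optional "pNN" point release, then either a letter
# suffix (Windows package, e.g. 4.2.8p15a) or "-mbg-NN" (Meinberg firmware).
_VERSION_RE = re.compile(
    r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?(?:([a-z])\b|-mbg-(\d+))?"
)


def parse_ntp_version(text):
    """Return ((major, minor, patch), point, letter, mbg_build) or None."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    point = int(m.group(4) or 0)
    mbg_build = int(m.group(6)) if m.group(6) else None
    return base, point, m.group(5) or "", mbg_build


def patch_status(text):
    """Classify a version string as 'fixed', 'affected' or 'unknown'."""
    parsed = parse_ntp_version(text)
    if parsed is None:
        return "unknown"
    base, point, letter, mbg_build = parsed
    if base > (4, 2, 8):
        return "unknown"      # release lines the advisory does not cover
    if base < (4, 2, 8) or point < 15:
        return "affected"     # "up to and including version 4.2.8p15"
    if point >= 16:
        return "fixed"        # official release containing the fixes
    # Exactly 4.2.8p15: only the patched Meinberg builds count as fixed.
    if letter or (mbg_build is not None and mbg_build >= 4):
        return "fixed"
    return "affected"


if __name__ == "__main__":
    # Constructed sample strings, not captured from real systems.
    for sample in ("ntpd 4.2.8p15@1.3728-o", "4.2.8p15a",
                   "4.2.8p15-mbg-04", "4.2.8p15-mbg-03", "4.2.8p16"):
        print(f"{sample:26} {patch_status(sample)}")
```

Packages from other vendors that backport the fixes without changing the upstream version number will be reported as affected by this check, so confirm those against the vendor's changelog.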
References
Collection of links related to the NTP vulnerabilities:
- Initial Report at GitHub:
https://github.com/spwpun/ntp-4.2.8p15-cves
- Discussion at GitHub:
https://github.com/spwpun/ntp-4.2.8p15-cves/issues/1
- Announcement at BSI:
https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2023-0938
- Initial Report at Heise Security Ticker:
BSI warnt vor kritischen Zero-Day-Lücken im NTP-Server
https://www.heise.de/news/BSI-warnt-vor-kritischen-Zero-Day-Luecken-im-NTP-Server-8948528.html
- Followup at Heise Security Ticker:
NTP-Schwachstelle: Offenbar weniger bedrohlich als zunächst vermutet
https://www.heise.de/news/NTP-Schwachstelle-Offenbar-weniger-bedrohlich-als-zunaechst-vermutet-8949340.html
— Martin Burnicki martin.burnicki@meinberg.de, last updated 2023-04-19