Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC Internet Storm Center

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Critical #NTP Vulnerability in ntpd prior to 4.2.8

Published: 2014-12-20
Last Updated: 2014-12-20 01:20:53 UTC
by Johannes Ullrich (Version: 1)
1 comment(s)

The Google security team discovered several vulnerabilities in current NTP implementations, one of which can lead to arbitrary code execution [1][2]. NTP servers prior to version 4.2.8 are affected. 

There are some rumors about active exploitation of at least some of the vulnerabilities Google discovered.

Make sure to patch all publicly reachable NTP implementations as fast as possible. 

Mitigating Circumstances: 

Try to block inbound connections to ntp servers who do not have to be publicly reachable. However, be aware that simple statefull firewalls may not track UDP connections correctly and will allow access to internal NTP servers from any external IP if the NTP server recently established an outbound connection.

ntpd typically does not have to run as root. Most Unix/Linux versions will configure NTP using a lower privileged users.

According to the advisory at, you can also:

Disable Autokey Authentication by removing, or commenting out, all configuration directives beginning with the crypto keyword in your ntp.conf file.

A few Ubuntu and CentOS systems I tested, as well as OS X systems, do not seem to use autokey. 


CVE Impact Details
CVE-2014-9293 authentication ntp will create a weak key if none is provided in the configuration file.
CVE-2014-9294 authentication ntp-keygen uses a weak seed to create random keys
CVE-2014-9295 remote code execution A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process.
CVE-2014-9296 missing error message In the NTP code, a section of code is missing a return, and the resulting error indicates processing did not stop.


Johannes B. Ullrich, Ph.D.

1 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Exploit Kit Evolution During 2014 - Nuclear Pack
published 1 day ago by Dr. J. (0 comments)

Is the polkit Grinch Going to Steal your Christmas?
published 2 days ago by Dr. J. (2 comments)

Certified pre-pw0ned Android Smartphones: Coolpad Firmware Backdoor
published 2 days ago by Dr. J. (1 comment)

Some Memory Forensic with Forensic Suite (Volatility plugins)
published 3 days ago by Basil (0 comments)

Safari 8.0.2 Still Supporting SSLv3 with Block Ciphers
published 4 days ago by Dr. J. (2 comments)

Customized Support Scam Supported by Typo Squatting
published 4 days ago by Dr. J. (7 comments)

Worm Backdoors and Secures QNAP Network Storage Devices
published 5 days ago by Dr. J. (4 comments)

View All Diaries →

Latest Discussions

Uptick in ssh login attempts with usernames pi and ubnt
created 2 days ago by geeknik (1 reply)

sign post
created 3 weeks ago by Anonymous (1 reply)

CTF365 strange email
created 3 weeks ago by Alex (2 replies)

Marketing automation software vulnerabilities
created 1 month ago by Anonymous (0 replies)

Odd program from Google Chrome?
created 1 month ago by xParticle (2 replies)

View All Forums →

Latest News

View All News →