A proof-of-concept exploit for an important vulnerability in the Network Time Protocol daemon (ntpd) has been publicly released. The flaw could allow an attacker to disable a server with a single malicious packet.
The fix comes from the Network Time Foundation, which released NTP 4.2.8p9. The release includes about 40 security patches, several bug fixes, and a couple of other improvements.
The NTP daemon is software that lets devices synchronize the time on their clocks. NTP drew attention in 2014 and 2015 when a group of hackers abused it to hit servers with amplified DDoS attacks.
Magnus Stubman, a security researcher, discovered the flaw and privately reported it to the Network Time Foundation on June 24 this year.
A patch was then developed to address the vulnerability and sent to Stubman on September 29. Two days later, Stubman confirmed that the problem was fixed.
In an advisory posted on Monday, Stubman wrote: “The vulnerability used to let unauthorized users disable ntpd using a single malicious UDP packet. This would cause a null pointer dereference.”
Stubman also released a PoC exploit. The exploit can crash the NTP daemon, causing a denial-of-service condition. Only Windows is affected.
Besides Stubman's high-severity vulnerability, the latest NTP update also addresses two medium-to-low-severity and five low-severity issues. There were a total of 28 bug fixes and some other improvements.
The other notable bug is a trap crash that was spotted by Matthew Van Gundy of Cisco.
“With the trap service enabled, an attacker can cause a null pointer dereference resulting in the crashing of ntpd which will lead to denial of service,” reads the advisory.
A full list of the vulnerabilities in NTP, along with their fixes, has been released by the CERT at the Software Engineering Institute at Carnegie Mellon University. The list also includes vendors that use NTP and could be affected by the issues.