The NTP project (ntp.org) recently reported that current versions of the NTP distribution contain a number of security related issues. It reports that all NTP 4.x.x versions are affected. The vulnerabilities are specified by the following CVE-IDs: CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296.
The specified vulnerabilities relate to the use of mode 6 and mode 7 packets and also the NTP ‘AutoKey’ feature.
NTP Mode 6 and Mode 7 Packet Vulnerabilities
A number of the reported issues are related to mode 6 and mode 7 packets. These vulnerabilities are only exploitable if a NTP server is allowed to respond to mode 6 and mode 7 packets from untrusted IP addresses.
TimeTools NTP servers can be configured to restrict the use of mode 6 and mode 7 packets by specifying the ‘restrict’ command in the devices “Edit NTP Configuration” web page.
Simply log into the devices web configuration pages using a web-browser and select the NTP button to go to the ‘NTP Configuration Menu’. Then select the ‘Edit NTP Configuration’ button to go to the ‘Edit Additional NTP Options’ page. Here you can enter the restrict function in the format below:
# NTP Additional Configuration File
# Add any further NTP configuration parameters here.
restrict default kod nomodify notrap nopeer noquery limited
When the restrict function has been added to the configuration file, save the file by clicking the ‘Save File’ button. The ‘NTP Configuration Menu’ will now be re-displayed. The NTP service now needs to be restarted for the changes to take effect by clicking the ‘Submit’ button.
Check the Log messages for any configuration errors to ensure that the command has been accepted by the NTP service and not mistyped. NTP only reports errors, therefore if there are no errors reported for the modified configuration, it will have been successfully accepted.
After restarting the NTP service, it will take 15 to 20 minutes for NTP to restart and re-synchronise itself to the configured reference clocks.
Additional NTP vulnerabilities are related to the NTP AutoKey feature. This feature has been found to contain a number of security issues and is not recommended as a secure way of providing network time synchronisation services.
TimeTools NTP servers do not utilise the NTP AutoKey feature by default. This feature can only be enabled by editing the devices NTP configuration file manually, using the “Edit NTP Configuration” web page. We therefore recommend that anyone that has manually added the AutoKey feature to the NTP configuration file remove it.
For maximum security, TimeTools recommends that all NTP services are protected from untrusted networks by a firewall.