Four security vulnerabilities in a popular program for synchronizing time on Internet-connected computers could be used to compromise tens of thousands — and possibly millions—of servers, according to security experts.
The vulnerabilities are in the ntpd server program, which is a popular open-source service used on Linux servers and other systems to implement the Network Time Protocol, or NTP. As of March 2014, some 4.6 million computers on the Internet were running the NTP service, according to data from the Shadowserver Foundation, a group that tracks botnets and other cyber-attack infrastructure.
By conducting their own scans or using online services to scan the Internet, would-be attackers could build a list of vulnerable systems, Jason Trost, director of security firm ThreatStream, told eWEEK.
“You can get a huge list of targets that could be identified from other sources,” he said. “Using that, you could quickly gain a foothold, exploit these machines and really use them for whatever purpose you wanted.”
On Dec. 19, the U.S. Computer Emergency Readiness Team (US-CERT) and other response organizations alerted companies and users to the flaw in the popular NTP program. There are four vulnerabilities, but only one appears remotely exploitable, according to the advisory.
Major software vendors were notified of the vulnerabilities by Google, whose researchers found the original flaws. NTP.org, the group that maintains the ntpd software, released an updated version on Dec. 19.
NTP has gained some recent notoriety for its use as a mechanism for generating massive denial-of-service attacks. Using a technique known as an amplification attack, a miscreant could send an NTP server a small request and get back a much larger response. By spoofing the target’s Internet address as the source of the original request, the larger response is sent to the target. By repeating the technique with millions of requests to different NTP servers, an attacker can take down sites with very large bandwidth capacities.
Not all programs that implement NTP are vulnerable to each of the flaws. Another popular program for implementing NTP, openntpd, was written from the ground up to be much more concise than ntpd and does not have the most serious vulnerabilities, Theo de Raadt, the founder of OpenBSD, said in an online statement. OpenBSD, an open-source version of the Unix operating system, uses openntpd for handling network time synchronization.
In his message, de Raadt criticized ntpd as an outdated program. Compared with the less than 5,000 lines of code it took to write openntpd, ntpd has grown to more than 190,000 lines of code over the years.
Ntpd is created using “unknown or largely unused code, poorly smithed in the past when these kinds of programming mistakes were not a significant consideration.”
While anyone can check open-source code for vulnerabilities, wading through nearly 200,000 lines of code is a monumental task for any team of programmers. Yet, for such a critical piece of infrastructure, weeding out vulnerabilities is important, ThreatStream’s Trost said.
“Simplicity is better for eliminating surface area for vulnerabilities,” he said. “The fewer lines of code and functionality, the less likelihood that vulnerabilities can hide in the code.”