Ah, the heartbreak! That ever-reliable best friend quietly running on port 123 and keeping us all in sync. We know it, use it and love it... Network Time Protocol.
Back in December 2016, ICS-CERT released an advisory describing a set of remotely exploitable NTP vulnerabilities. This is an issue on the level of Heartbleed: it affects a process that is in use on systems running operating systems of every stripe.
NTPD (Network Time Protocol Daemon), the version of NTP running on POSIX-compliant systems, is also affected. Also affected: any open-source version integrated into routers, firewalls, switches, you name it. Don't think Apple escaped - the Mac operating system is a POSIX-compliant environment and NTPD is part of the default OSX installation. There are already published PoC (Proof of Concept) exploits for the OSX system. You can view a quite technical overview of the exploits here: https://googleprojectzero.blogspot.com/2015/01/finding-and-exploiting-ntpd.html?m=1
There appear to be several issues, with four major identified vulnerabilities, including the expected buffer overflows. Weak keys, flawed encryption, and a rarer "missing return" issue are the other three (see below for the link to the ICS-CERT bulletin). All NTP v4 installations up to 4.2.8 are affected. The majority of the vulnerabilities were addressed in the most recent stable release of NTP: NTP-stable 4.2.8 on December 19, 2014. My prediction, however, is that this will be much like the ShellShock vulnerability - there will be many systems that simply get overlooked for updating because the scope of the project is so large: every single system with NTP turned on will need to be updated. This means Windows, Linux, Unix, Cisco IOS, everything, and the scope of the required response will be overwhelming for even expert system administrators.
The good news is that NTP-stable 4.2.8 has been released and the NTP Support Group has some recommended actions on their site: http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
Read the ICS-CERT bulletin here: https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01A
Read the NTP Support Group's report on the NTP vulnerability: http://support.ntp.org/bin/view/Main/SecurityNotice
So, it's a flawed best friend, but we can't live without it and the fix is available - update all systems to a minimum of NTP 4.2.8 and your friendship is right as rain.
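The inventory check that "update everything to 4.2.8" calls for, as an added example that is not part of the original post: a Python script that parses the version string ntpd reports in `ntpq -c rv` (readvar) output and flags any daemon older than 4.2.8, including 4.2.7 development builds. The host names and readvar outputs are constructed samples, and the local query assumes `ntpq` is installed and the daemon permits readvar queries.

```python
import re
import subprocess
from typing import Optional, Tuple

# NTP-stable 4.2.8 is the minimum fixed release the post names.
MIN_FIXED = (4, 2, 8, 0)

# Constructed sample `ntpq -c rv` (readvar) outputs for hypothetical hosts; not real captures.
SAMPLE_RV = {
    "old-host": 'associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync,\n'
                'version="ntpd 4.2.6p5@1.2349-o Fri Apr 13 12:52:28 UTC 2012 (1)",\n',
    "patched-host": 'version="ntpd 4.2.8p1@1.3265-o Thu Feb  5 21:09:56 UTC 2015 (1)",',
    "dev-host": 'version="ntpd 4.2.7p482@1.2483-o Mon Dec  1 00:00:00 UTC 2014 (1)",',
}

# ntpd reports itself as major.minor.point with an optional pNN patch level.
VERSION_RE = re.compile(r'version="ntpd (\d+)\.(\d+)\.(\d+)(?:p(\d+))?')

def parse_ntpd_version(rv_output: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, point, patch) from readvar output, or None if absent."""
    m = VERSION_RE.search(rv_output)
    if not m:
        return None
    major, minor, point, patch = m.groups()
    return (int(major), int(minor), int(point), int(patch or 0))

def is_vulnerable(version: Tuple[int, int, int, int]) -> bool:
    """Tuples compare element-wise, so 4.2.6p5 and the 4.2.7p482 dev line both sort below 4.2.8."""
    return version < MIN_FIXED

def check_rv(rv_output: str) -> str:
    """Classify one host's readvar output as ok, VULNERABLE, or unknown."""
    version = parse_ntpd_version(rv_output)
    if version is None:
        return "unknown: no ntpd version string (query refused, or not ntpd)"
    label = "%d.%d.%d" % version[:3] + ("p%d" % version[3] if version[3] else "")
    return ("VULNERABLE" if is_vulnerable(version) else "ok") + ": ntpd " + label

def check_local() -> str:
    """Query the local daemon; assumes ntpq is installed and readvar is permitted."""
    try:
        out = subprocess.run(["ntpq", "-c", "rv"], capture_output=True, text=True, timeout=5).stdout
    except (OSError, subprocess.TimeoutExpired) as exc:
        return "unknown: ntpq failed (%s)" % exc
    return check_rv(out)

if __name__ == "__main__":
    for host, output in SAMPLE_RV.items():
        print(host, "->", check_rv(output))
    print("localhost ->", check_local())
```

A daemon that refuses readvar from your scanning host shows up as "unknown", which is worth chasing rather than treating as patched.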