Yesterday Apple released a security update for a number of critical flaws found in the NTP (Network Time Protocol) service that OS X uses. The most worrisome of these is a buffer overflow that lets a remote attacker send specially crafted packets to a system and run malicious code with the privileges of the ntpd service (system-level privileges on OS X). Be aware, though, that because the affected code is the open-source NTP implementation and not something Apple-specific, far more than just Macs are affected. Everything from servers to routers to smart TVs could be vulnerable, so keep your eyes open for security updates for anything that uses NTP.
Sometimes flaws like these are only theoretical, meaning no one has found a way to actually exploit them. In this case, though, US-CERT states that exploits are already publicly available, and confirms that an attacker with little skill would be able to use them to compromise a system. This makes applying the update that Apple has released especially important.
For Mac users who run Software Update and do not see the Security Update listed, you can run the following command in Terminal to force your system to check specifically for critical updates:
sudo softwareupdate --background-critical
Below I'll include some helpful links and information about the vulnerability for those who are interested:
CVSS Metrics (CVSS v2)
| Group | Score | Vector |
|---|---|---|
| Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| Temporal | 5.9 | E:POC/RL:OF/RC:C |
| Environmental | 5.9 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
CVE IDs: CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296
References
- http://support.ntp.org/bin/view/Main/SecurityNotice
- http://lists.ntp.org/pipermail/announce/2014-December/000122.html
- http://support.ntp.org/bin/view/Support/AccessRestrictions#Section_6.5.2
- http://www.ntp.org/downloads.html
- http://www.ntp.org/ntpfaq/NTP-s-algo-crypt.htm
- https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01
- http://support.apple.com/en-us/HT6601
This might be of interest:
http://marc.info/?l=openbsd-tech&m=141903858708123&w=2, Theo talks about why they wrote their own ntpd ten years ago after the ntp.org people proved uninterested in improving their code.
Very interesting read – nice to see some people taking security seriously at least.