US-CERT Announces Critical NTP Vulnerability

Yesterday Apple released a security update for a number of critical flaws found in the NTP (Network Time Protocol) service that OS X utilizes. The most worrisome of these is a buffer overflow that allows an attacker to remotely send specially crafted packets to a system, resulting in them being able to run malicious code with the privileges of the ntpd service (system level privileges on OS X). Be aware though, since NTP is an open source protocol more than just Macs are affected. Everything from Servers to Routers to Smart TVs could be vulnerable, so keep your eyes open for security updates for anything that utilizes NTP.

Sometimes flaws like these are only theoretical, meaning no one has found a way to actually exploit them. In this case though, US-CERT states that exploits are already publicly available. They also confirm that an attacker with little skill would be able to utilize these exploits to compromise a system. This makes applying the update that Apple has released especially important.

For Mac users that run Software Update and do not see the Security Update available, you can run the following command in Terminal to force your system to check specifically for critical updates:

sudo softwareupdate --background-critical

Below I’ll include some helpful links and information about the vulnerability for those that are interested:

CVSS Metrics

CVE IDs: CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296

References

• http://support.ntp.org/bin/view/Main/SecurityNotice
• http://lists.ntp.org/pipermail/announce/2014-December/000122.html
• http://support.ntp.org/bin/view/Support/AccessRestrictions#Section_6.5.2
• http://www.ntp.org/downloads.html
• http://www.ntp.org/ntpfaq/NTP-s-algo-crypt.htm
• https://ics-cert.us-cert.gov/advisories/ICSA-14-353-01
• http://support.apple.com/en-us/HT6601