This morning the DHS ICS-CERT published an advisory concerning multiple vulnerabilities in the Network Time Protocol (NTP) reported by Neel Mehta and Stephen Roettger from the Google Security Team. A newer version of the protocol (NTP-4.2.8) is not affected by these vulnerabilities. The identified vulnerabilities include:
• Insufficient entropy - CVE-2014-9293;
• Use of cryptographically weak PRNG - CVE-2014-9294;
• Stack based buffer overflows - CVE-2014-9295; and
• Missing return on error - CVE-2014-9296.
According to the NTP.org security notice on these vulnerabilities, the single buffer overflow CVE (CVE-2014-9295) actually covers three different stack buffer overflows: in crypto_recv(), in ctl_putdata(), and in configure().
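Since the only stated remedy is moving to ntp-4.2.8, the first thing an asset owner will want is a way to tell which hosts still run an older ntpd. The following is an added example, not code from the advisory or from NTP.org: it parses the `version=` field that `ntpq -c rv` prints (the banner below is a constructed sample) and compares it against 4.2.8. The p-level handling and the treatment of a bare release as p0 are my assumptions about the version string format.

```python
import re
from typing import Optional, Tuple

# Constructed sample of the banner `ntpq -c rv` prints on an older host;
# the exact set of fields varies by build and platform.
SAMPLE_RV = (
    'associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync,\n'
    'version="ntpd 4.2.6p5@1.2349-o Fri Jul 22 17:30:51 UTC 2011 (1)",\n'
    'processor="x86_64", system="Linux/3.2.0", leap=00, stratum=3,\n'
)

# The NTP.org notice names ntp-4.2.8 as the unaffected release. A bare
# release with no "pN" suffix is treated as patch level 0 (assumption).
FIXED_VERSION: Tuple[int, int, int, int] = (4, 2, 8, 0)

VERSION_RE = re.compile(r'version="ntpd\s+(\d+)\.(\d+)\.(\d+)(?:p(\d+))?')


def parse_ntpd_version(rv_text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, p-level) from an ntpq rv banner, or None."""
    m = VERSION_RE.search(rv_text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_patched(version: Tuple[int, int, int, int]) -> bool:
    """True when the reported version is 4.2.8 or later.

    Development snapshots (4.2.7pNNN) sort below 4.2.8 and are flagged,
    which matches the notice: only 4.2.8 is stated to be unaffected.
    """
    return version >= FIXED_VERSION


def assess(rv_text: str) -> str:
    """One-line verdict suitable for a fleet inventory report."""
    version = parse_ntpd_version(rv_text)
    if version is None:
        return "unknown: no ntpd version string in ntpq output"
    label = "%d.%d.%dp%d" % version
    if is_patched(version):
        return "ok: ntpd %s (>= 4.2.8)" % label
    return "review: ntpd %s predates 4.2.8 (CVE-2014-9293..9296)" % label


if __name__ == "__main__":
    print(assess(SAMPLE_RV))
```

In practice, feed it the real output of `ntpq -c rv` collected from each host. One caveat worth keeping in mind: Linux distributions routinely backport security fixes without bumping the upstream version string, so a "review" verdict from this check means "confirm against the vendor's advisory", not "confirmed vulnerable"; conversely, "ok" is only as trustworthy as the banner.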
ICS-CERT reports that a relatively unskilled attacker could use the publicly available exploits to execute malicious code. They also report that “NTP is widely used within operational Industrial Control Systems deployments”.
The CERT/CC vulnerability note for these vulnerabilities is starting to list various vendors and their status vis-à-vis these vulnerabilities. Unfortunately there are no purely ICS vendors currently on their list. It would be nice if ICS-CERT attempted to do the same specifically for control system vendors.