This morning the DHS ICS-CERT published an advisory
concerning multiple vulnerabilities in the Network Time Protocol (NTP) reported
by Neel Mehta and Stephen Roettger from the Google Security Team. A newer
version of the protocol (NTP-4.2.8) is not affected by these vulnerabilities.
The identified vulnerabilities include:
• Insufficient entropy - CVE-2014-9293;
• Use of cryptographically weak PRNG - CVE-2014-9294;
• Stack-based buffer overflows - CVE-2014-9295; and
• Missing return on error - CVE-2014-9296
According to the NTP.org security notice
on these vulnerabilities, there are actually three different stack buffer
overflows covered in the reported CVE: in crypto_recv(), in ctl_putdata(),
and in configure().
ICS-CERT reports that a relatively unskilled attacker could
use the publicly available exploits to execute malicious code. They also report
that “NTP is widely used within operational Industrial Control Systems
deployments”.
The CERT-CC vulnerability
notice for these vulnerabilities is starting to list various vendors and
their status vis-à-vis these vulnerabilities. Unfortunately, there are no purely
ICS vendors currently on their list. It would be nice if ICS-CERT attempted to
do the same specifically for control system vendors.