How To Find And Fix The Latest NTP Exploits On Windows And Linux Machines

Earlier this week, a set of vulnerabilities were released that can crash or cause other issues with certain versions of the Network Time Protocol (NTP) daemon, used to synchronise clocks on a variety of computers, with a single malformed packet. This bug affects only affects some Windows systems but other vulnerabilities have also been found that impact some Linux machines along with a number of embedded devices. While these security flaws can’t crash servers or computers, it can have severe and unexpected flow-on effects. If you want to find out if your systems are affected and how to apply fixes before different vendors bring out their own patches, read on.

So why should IT administrators care about this exploit? Because time synchronisation is important for a wide variety of tasks including:

• Authentication via Kerberos
• Data synchronisation
• Logging
• Scheduling of jobs
• Regular backups

If you crash the NTP daemon, everything can go out of sync, which can wreak havoc on your servers and computers. The main bug triggers a crash when a malformed denial-of-service packet is sent to ntpd on Windows systems that have it installed. It should be noted that the NTP daemon has historically been exploited in reflected distributed-denial-of-service (DDoS) attacks. The rest of the flaws found are also denial-of-service vulnerabilities that affect some Linux distributions and Windows with ntpd installed. You can read the details here.

These new vulnerabilities affect the NTP daemon called ntpd, released by the Network Time Protocol Foundation. Versions of ntpd that are impacted by this bug include:

• NTP 4.2.7p22 up to NTP 4.2.8p9
• ntp-4.3.0 up to, but not including, ntp-4.3.94

While you can at least patch the vulnerabilities on servers and computers, which we will go into in a second, IP-connected embedded devices running Linux may not be able to be patched. This may cause serious security headaches for organisations as routers, switches, firewalls, IP cameras, printers and more may all be affected.

We don’t have the solution for those devices, but we can guide you through detecting the current version of ntpd your Windows or Linux machine is running and how to apply a patch or a workaround.

Detection

ntpd is a service you have to install manually on Windows systems. To check if it’s installed on your machine, punch in the following command in the command prompt:

sc queryex type= service state= all | find "Network Time Protocol Daemon"

To find out what version of ntpd version you’re using on your Linux machine, you can use the following command:

ntpq -crv

This will give you a version number. The command won’t run if ntdp is not installed. Modern versions of Linux using systemd (e.g. Ubuntu) won’t be affected by this bug by default because they use timesyncd instead of ntpd.

Patch For Windows

Good news for those running ntpd on Windows. The easiest way to mitigate all the new vulnerabilities that have been found is to just download and install the newest version of the daemon. You can download it here.

The Temporary Fix For Linux

If you’re running an affected version of ntpd, you’ll need to apply a patch which NTP Foundation has already released in NTP 4.2.8p9 but you may still need to wait for your operating system’s vendor to integrate the patch into their distribution. At the time of writing, it doesn’t appear that any Linux vendors have done this yet.

Luckily, there is a workaround for some of the issues.

The workaround is a two-part process. Firstly, IT administrators need to ensure that the following configuration is present in the /etc/ntp.conf file:

restrict default noquery

restrict -6 default noquery

This configuration stops external sources from querying the NTP daemon. Secondly, you need to monitor ntpd and auto-restart it if it stops running. There is no universal command to do this and it will depend on the specific Linux distribution you’re using. You’ll likely need to configure a monitoring daemon to automatically restart it. A widely known and reliable tool is called monit, which can perform this task. Most distributions can install it through their package manager (go apt-get!). You can find the documentation to install and configure monit here.

This isn’t a permanent fix because anybody that is on the local machine can still trigger the exploit so be sure to check in with the vendor of your affected operating system to apply any patches they release as soon as possible.