The Network Time Foundation's Network Time Protocol Project has patched multiple denial-of-service vulnerabilities with the release of ntp-4.2.8p9. The last update to the open source protocol used to synchronize computer clocks was in June.  

"NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in DDoS (distributed denial-of-service) attacks," the project maintainers wrote in the security advisory.

[ Also on InfoWorld: 19 open source GitHub projects for security pros. | Discover how to secure your systems with InfoWorld's Security Report newsletter. ]

NTP is a widely used protocol, and has been hijacked several times over the past two years in distributed denial-of-service attacks. Attackers harness the power of the servers running NTP and amplify the amount of traffic -- as much as 1,000 times the size of the initial query -- sent to victim systems. Research from network security company Arbor Networks estimated that 85 percent of volumetric DDoS attacks exceeding 100Gbps in size were NTP reflection attacks.

Some of the vulnerabilities are easy to exploit, and there is a proof of concept already available for one of them. Attackers are increasingly exploiting the limitations of older protocols like NTP to generate large volumes of junk traffic used for large DDoS attacks, network company Akamai said in a previous State of the Internet report.

Issues fixed in ntp-4.2.8p9

The most serious vulnerability lets attackers crash Windows systems by sending "too big" packets (CVE-2016-9312). The update also includes fixes for two medium, two medium-low, and five low-severity vulnerabilities, all of which can be exploited to cause a denial of service. One of the medium-severity flaws (CVE-2016-7431) was related to a regression in the handling of some Zero Origin timestamp checks. One of the low-severity flaws (CVE-2016-7433) was related to a previously fixed bug where the jitter value was higher than expected and affected initial sync calculations.

Two vulnerabilities were related to the trap service in NTPD. While trap is not enabled by default, if the service is explicitly enabled, attackers can send specially crafted packets to cause a null pointer dereference (CVE-2016-9311) that will crash NTPD. The configuration modification vulnerability in the control mode (mode 6) functionality of NTPD (CVE-2016-9310) can be exploited by a remote, unauthenticated attacker.

"If, against long-standing BCP recommendations, restrict default noquery is not specified, a specially crafted control mode packet can set NTPD traps, providing information disclosure and DDoS amplification, and unset NTPD traps, disabling legitimate monitoring," according to the advisory.

Two of the low-severity vulnerabilities exploited NTP's broadcast mode. They were originally intended to be used only on trusted networks, but now attackers with access to the broadcast service can abuse the replay prevention functionality (CVE-2016-7427) and the poll interval enforcement functionality (CVE-2016-7428) to cause NTPD to reject broadcast mode packets from legitimate NTP broadcast servers.

If NTPD is configured to allow mrulist query requests, a server sending malicious mrulist queries will crash NTPD (CVE-2016-7434). The researcher who reported this vulnerability, Magnus Stubman, has publicly released the proof of concept, likely because the low-severity vulnerability, with a score of 3.8 on the Common Vulnerability Scoring System, is highly exploitable.

"The vulnerability allows unauthenticated users to crash NTPD with a single malformed UDP packet, which causes a null pointer dereference," Stubman wrote.

If the server response on a socket corresponds to a different interface than what was used for the request, NTPD updates the peer structure to use the newer interface. On hosts with multiple interfaces in separate networks and where the operating system isn't checking the packet's source IP address, attackers can send a packet with spoofed source addresses to trick NTPD to select the wrong interface (CVE-2016-7429). Repeating the attack even once per second is enough to prevent NTPD from synchronizing with the time server.

Rate limiting prevents brute-force attacks on the origin timestamp, but if the server is misconfigured, it can be abused in a DDoS attack. Attackers can send packets with spoofed source addresses and keep the rate limiting activated, which would prevent NTPD from accepting valid responses from other sources (CVE-2016-7426).

Mitigations and recommendations

Along with updating to ntp-4.2.8p9, the project maintainers recommended implementing Ingress and Egress filtering through BCP-38 to "defeat denial-of-service attacks." Many DoS attacks rely on IP source address spoofing to hide the packet's point of origin, making it hard for defenders to know where the network traffic is coming from. BCP-38 filtering lets administrators block IP packets that have forged IP addresses. If the device is not allowed to send packets with source addresses other than its own, then that device can't be hijacked to spew junk traffic as part of a DDoS attack.

Other recommendations included:

  • Monitoring NTPD instances and autorestarting the daemon without the -g flag if it stops running
  • Using restrict default noquery in the ntp.conf file to allow only mode-six queries from trusted networks and hosts
  • Using broadcast mode only on trusted networks
  • Creating a firewall rull to block oversized NTP packets, especially on Windows
  • Allowing mrulist query packets only from trusted hosts
  • Configuring the firewall to control what interfaces can receive packets from which networks, especially if the operating system isn't performing source address checks
  • Configuring rate limited with restrict source in the ntp.conf file, instead of restrict default limited

The Department of Homeland Security's Computer Emergency Response Team at Carnegie Mellon University's Software Engineering Institute maintain a list of vendors implementing NTP. At the moment, the status of most vendors is listed as "Unknown."

Update or replace?

Whenever there is a security vulnerability in a widely used open source project, a segment of IT and security folks pounce on the report as proof people should abandon using the software and switch to something else. NTP is no different, as the 30-year-old protocol lacks security features and is vulnerable to abuse. There are many who think administrators should use secure alternatives, but most tend to be complex or not yet mature enough for widespread adoption.

The "don't update, replace," argument is impractical. Replacing crucial services without thinking through how the new tool would be supported causes more administrative headaches. It may be a simple enough task to uninstall NTPD, but if administrators don't know how to configure the new tool correctly, monitor the performance, and troubleshoot resulting issues, then the replacement tool doesn't do much to improve overall security. Any replacement should come after a thorough review of the alternatives, be tested thoroughly in a nonproduction environment, and have controls to monitor and secure the software. Don't replace; update instead.

To comment on this article and other InfoWorld content, visit InfoWorld's LinkedIn page, Facebook page and Twitter stream.

InfoWorld Security

Surveillance products from Moxa and Vanderbilt are affected by several critical and high severity flaws that can be exploited by remote hackers to take control of vulnerable systems.

Moxa SoftCMS vulnerabilities

ICS-CERT has published an advisory describing three serious vulnerabilities affecting Moxa SoftCMS, a central management software designed for large-scale surveillance systems. Gu Ziqiang from Huawei Weiran Labs and Zhou Yu have been credited for finding the security holes.

The most severe of the flaws, with a CVSS score of 9.8, is a SQL injection (CVE-2016-9333) that can be exploited by a remote attacker to access SoftCMS with administrator privileges.

Another flaw, tracked as CVE-2016-8360, is a double free condition that allows an attacker to cause a denial-of-service (DoS) and possibly even execute arbitrary code.

The third vulnerability (CVE-2016-9332) has been described by ICS-CERT as an “improper input validation” issue that can lead to a crash of the application.

ICS-CERT said in its advisory that Moxa patched these security holes with the release of SoftCMS 1.6 on November 10, but the vendor’s release notes show that the latest version only addresses the SQL Injection issue.

A different SQL injection, also discovered by Zhou Yu, was patched by Moxa in its SoftCMS software a couple of months ago with the release of version 1.5. Versions 1.3 and 1.4, released last year, also fixed potentially serious flaws found by security researchers.

Vulnerabilities in Siemens-branded Vanderbilt CCTV cameras

Siemens and ICS-CERT informed users that several Siemens-branded Vanderbilt IP cameras are affected by a vulnerability (CVE-2016-9155) that allows an attacker with network access to obtain administrative credentials using specially crafted requests. Updates have been released by Vanderbilt for each of the affected products.

Vanderbilt Industries completed the acquisition of Siemens’ security products business in June 2015. Since the affected CCTV cameras are Siemens-branded products, the German engineering giant has published a security advisory on its own website.

Related: Flaws Found in Moxa Industrial Ethernet Products

Related: Privilege Escalation Flaw Affects Several Siemens Products

Related: Flaws Found in Moxa Factory Automation Products

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

The Google Project Zero bug reports just keep coming for Symantec.

Symantec patched two flaws in the file parser component of its antivirus decomposer engine, used by many Symantec products, after they were discovered in June by Google Project Zero information security engineer Tavis Ormandy. The bugs, which are the latest in a series of high-profile vulnerabilities affecting Symantec antivirus products, appear to parallel those Ormandy reported, and were patched by Symantec, earlier this year.

Although Symantec's report indicated the patched vulnerabilities were of medium severity, Ormandy disagreed, claiming Symantec had mischaracterized the flaws as enabling denial-of-service attacks; Ormandy insisted that they enable remote code execution attacks:

Via its LiveUpdate system, Symantec patched all Norton Security and Norton Antivirus products for Windows and Mac, but many of its enterprise products will need to be updated manually.

Ormandy wrote in the issue report: "We pointed out to Symantec that they hadn't updated their unrar-based unpacker for years, and it was vulnerable to dozens of publicly documented flaws." Anticipating that Symantec would fix that in all of its code bases, Ormandy went on, "but they appear to have just backported fixes for the few issues I sent them."

"Here are two known bugs in unrar that are fixed upstream, but not in Symantec's ancient code. If they continue to refuse to rebase, this might take a few iterations to shake the bugs out. Sigh."

This is the third batch of flaws in Symantec security products reported by Ormandy this year; the first, in May, included a vulnerability Ormandy described as being "as bad as it can possibly get." At the time, Ormandy wrote, that flaw, an RCE vulnerability, was particularly bad because Symantec used "a filter driver to intercept all system I/O, just emailing a file to a victim or sending them a link is enough to exploit it."

Next Steps

Listen to the Risk & Repeat podcast about Symantec's ongoing issues with vulnerabilities in its security products.

Find out more about lessons to be learned by antivirus vendors from research conducted by Tavis Ormandy on security flaws in Sophos' antivirus engine.

Read about the new Google Project Zero Prize competition to improve Android security.



Find more PRO+ content and other member only offers, here.

SearchSecurity: Security Wire Daily News

Cisco has released software updates for its WebEx Meetings Server product to address a couple of critical and high severity vulnerabilities that can be exploited remotely for arbitrary command execution and denial-of-service (DoS) attacks.

The critical flaw, tracked as CVE-2016-1482, is caused by insufficient sanitization of user-supplied data. An attacker can exploit it to execute arbitrary commands with elevated privileges by injecting the commands into existing application scripts running on a targeted device located in a DMZ (demilitarized) zone.

The high severity issue, identified as CVE-2016-1483, allows an unauthenticated attacker to cause a targeted device to enter a DoS condition by repeatedly attempting to access a specific service.

Both vulnerabilities affect WebEx Meetings Server version 2.6 and they have been addressed with the release of version 2.7. Cisco says it’s unaware of any instances where these flaws have been exploited for malicious purposes.

This is the second time Cisco updates its WebEx products in recent weeks to address serious vulnerabilities. The company recently patched critical and medium severity flaws in the WebEx Meetings Player.

Earlier this month, Cisco informed customers that a high severity vulnerability in its ACE30 Application Control Engine module and ACE 4700 series Application Control Engine appliances can be exploited for DoS attacks.

The company updated its initial advisory on Thursday to say that the issue will be resolved with the release of version A5(3.5), which is only expected to become available by November 30. What makes this vulnerability interesting is the fact that while it hasn’t been exploited for malicious purposes, it was triggered in some cases by a research project that scans the Internet for SSL/TLS servers.

Related: Cisco Updates ASA Software to Address NSA-Linked Exploit

Related: Cisco Patches Critical Flaws in Firepower Management Center

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Two remotely exploitable vulnerabilities, one of which can lead to remote code execution, have been found in Schneider Electric’s ION Power Meter products and FENIKS PRO Elnet Energy Meters.

power meter flaws

What’s more, security researcher Karn Ganeshen, who discovered the flaws, published in detail his findings after the companies kept dragging their feet when it came to fixing the problems or updating him of their progress.

The Industrial Control Systems Cyber Emergency Response Team has released alerts for both vulnerabilities because of this.

But while Schneider Electric has worked with ICS-CERT, acknowledged the existence of the CSCR flaw affecting several of its power meters (that are used in energy management applications such as feeder monitoring and sub-metering), and has identified mitigations that will share with their customers, FENIKS PRO has yet to acknowledge the problem.

According to the alert, the company’s Elnet LT power meters for electrical measurements and harmonics can be managed by attackers remotely without authentication.

For mitigating attacks on both types of devices, ICS-CERT advises making sure that they are not accessible from the Internet, are put behing firewalls and are isolated from any business network, and that legitimate users use secure methods (such as VPNs) to remotely access the devices. Also, when a security update is made available, to first test it in a test development environment and then implement it if everything works as it should.

In addition to this, Schneider Electric has advised users of its ION power meters to disable several features (Webserver Config Access, Enable Webserver) that allow users – or attackers – to modify the devices’ configuration through a browser.

“Some power meters may be revenue locked, which further protects unauthorized meter configuration parameter changes, except Owner, Tag1 and Tag2 string registers,” they added.

Finally, they’ve also advised users to change passwords from the default settings upon installation of the product.

Help Net Security

Alongside Microsoft and Adobe, SAP released this week its monthly security updates to address a total of 19 vulnerabilities, including three high severity issues.

The September 2016 Patch Day fixes include 11 security notes, 3 updates to previous notes, and 5 support package notes. Three of the flaws they resolve have been rated “high,” while the rest are considered “medium.”

Many of the vulnerabilities are missing authorization checks, which is one of the most common type of problems found in SAP products, but the patches also address information disclosure, denial-of-service (DoS), cross-site scripting (XSS) and SQL injection issues.

According to ERPScan, a company that specializes in protecting SAP and Oracle business-critical enterprise resource planning (ERP) systems, two of the three most severe vulnerabilities affect SAP Adaptive Server Enterprise (ASE), a relational model database management product.

The security holes are SQL injection flaws that allow attackers to execute specially crafted SQL queries.

“[ASE] stores all sensitive and valuable corporate data. It would be no exaggeration to say that the SAP ASE database is a treasure trove for hackers,” ERPScan wrote in a blog post.

“Both closed vulnerabilities are SQL Injections. It means that an authenticated user on the following SAP ASE server versions may be able to create and execute a stored procedure with SQL commands. This allows the attacker to elevate their privileges, modify database objects, or execute commands they are not authorized to execute,” the company explained.

The third most serious issue patched this month is a DoS vulnerability affecting the SAP Business Objects BI Launchpad product.

A report published by ERPScan last month revealed that, through June 2016, SAP had issued more than 3,660 security notes and support package notes to address thousands of vulnerabilities.

Security firm Onapsis reported that some of these vulnerabilities affected more than 10,000 of SAP’s customers. In May, Onapsis warned that up to 36 global businesses had been hacked through a SAP product flaw that was patched five years ago.

Related: SAP Patches Critical Code Injection, XSS Vulnerabilities

Related: SAP Patches Critical Clickjacking Vulnerabilities

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

Xen Project patches serious virtual machine escape flaws

The Xen Project mascot.

Credit: XenProject.org

The Xen Project has fixed four vulnerabilities in its widely used virtualization software, two of which could allow malicious virtual machine administrators to take over host servers.

Flaws that break the isolation layer between virtual machines are the most serious kind for a hypervisor like Xen, which allows users to run multiple VMs on the same underlying hardware in a secure manner.

[ Doing storage virtualization correctly is not simple. InfoWorld's expert contributors show you how to get it right in this "Storage Virtualization Deep Dive" PDF guide. | Get the latest insight on the tech news that matters from InfoWorld's Tech Watch blog. ]

The Xen hypervisor is widely used by cloud computing providers and virtual private server hosting companies like Linode, which had to reboot some of its servers over the past few days to apply the new patches.

The Xen updates, which were shared with partners in advance, were released publicly Thursday along with accompanying security advisories.

One vulnerability identified as CVE-2016-7093 affects Hardware Virtual Machines (HVMs) which use hardware-assisted virtualization. It allows an administrator of a guest OS to escalate their privilege to that of the host.

The vulnerability affects Xen versions 4.7.0 and later, as well as Xen releases 4.6.3 and 4.5.3 but only those deployments with HVM guests running on x86 hardware.

Another privilege escalation flaw identified as CVE-2016-7092 affects the other type of virtual machines supported by Xen: paravirtualized (PV) VMs. The vulnerability affects all Xen versions and allows administrators of 32-bit PV guests to gain privileges on the host.

The two other patched vulnerabilities, CVE-2016-7154 and CVE-2016-7094, can be exploited by guest administrators to cause denial-of-service conditions on the host. In the case of CVE-2016-7154, which only affects Xen 4.4, remote code execution and privilege escalation cannot be excluded, the Xen Project said in an advisory.

Meanwhile, CVE-2016-7094 affects all versions of Xen but only deployments hosting HVM guests on x86 hardware that are configured to run with shadow paging.

For quite a while now, Rapid7 researchers Tod Beardsley and Deral Heiland have been looking for vulnerabilities in various Network Management Systems (NMSs).

With the help of independent researcher Matthew Kienow, they found over a dozen vulnerabilities affecting nine different NMS products: Castle Rock SMNPc, CloudView NMS, Ipswitch WhatsUp Gold, ManageEngine OpUtils, Netikus EventSentry, Opmantek NMIS, Opsview Monitor, Paessler PRTG, and Spiceworks Desktop.

What are Network Management Systems?

Network Management Systems are used for discovering, managing and monitoring various devices on a network (e.g. routers, switches, desktops, printers, etc.). They usually use the Simple Network Management Protocol (SNMP) to format and exchange management messages, and it’s exactly through this protocol that these systems can be attacked.

“These systems are attractive targets for attackers looking to learn more about new environments. A compromised NMS can serve as a treasure map, leading attackers to the most valuable — and perhaps non-obvious — targets, such as the printer that is responsible for payroll runs, or HR’s central server containing personally identifiable information on the employee base,” the researchers noted.

“Besides, why spend time and risk detection by scanning the network from a compromised system controlled by the attacker, when one could just piggyback on a working NMS that’s already designed to monitor the entire network population?”

The vulnerabilities

The vulnerabilities they found can all be exploited through three distinct attack vectors:

  • XSS attacks over SNMP agent-provided data
  • XSS attacks over SNMP trap alert messages (which are sent by SNMP agents to notify the network manager of any status change)
  • Format string processing on the NMS web management console (practically all modern NMSs are managed through them).

The first type of attack can be mounted by introducing a new device on the network. The NMS “discovers” it, and identifies it via SNMP data supplied by it. This data is displayed in the systems’ web-based console and can trigger an XSS attack. This type of attack requires a local attacker to be able to add a malicious device to the network.

The second type can be mounted by injecting Flash into easily spoofed SNMP trap messages that will be delivered to the management console, allowing an XSS attack string to be embedded in it. The attacker must occupy a position on the network.

XSS attack on Network Management Systems over SNMP trap alert messages

The third one can also be launched via spoofed and specially crafted trap alert messages.

For more details about each of the vulnerabilities, consult this blog post.

The good news is that all the found flaws have already been patched, and users of the aforementioned products can download security updates with the fixes.

Help Net Security

A popular brand of smart electrical sockets is plagued by several serious vulnerabilities that expose networks to remote attacks, Bitdefender researchers reported on Thursday.

The affected vendor has not been named since it has yet to release patches for the vulnerable product. The fix is expected to become available sometime in the third quarter of 2016.

Smart electrical sockets allow users to create on/off schedules for their devices, monitor energy usage and prevent overheating. In many cases, these products can be controlled remotely using a mobile application.

The product analyzed by Bitdefender researchers Dragos Gavrilut, Radu Basaraba and George Cabau is a smart socket that is installed, configured and controlled using iOS and Android apps available on the App Store and Google Play.

During the setup process, the user is instructed to provide the Wi-Fi credentials needed by the device to connect to the local wireless network. The device is also registered with the vendor’s server through a UDP message containing the device’s name, model and MAC address.

Experts discovered several vulnerabilities, including the fact that the socket’s hotspot is protected by weak, default credentials, and users are not warned about the risks of leaving them unchanged.

Vulnerabilities found in smart socketsAnother problem is related to the fact that the mobile app transfers Wi-Fi credentials in clear text, allowing an attacker to intercept the information. Furthermore, communications between the device and the application go through the manufacturer’s server without being encrypted – the data is only encoded and it can be easily decoded.

According to researchers, the security weaknesses plaguing the product can be exploited by a remote attacker who knows the MAC and default password to take control of the device. This includes making configuration changes (e.g. modifying schedules) and obtaining user information.

While some might argue that a smart socket does not store any sensitive information, the product analyzed by the security firm includes an email notification feature that requires the user to provide their email username and password. If an attacker gains access to the device, they can steal the victim’s email credentials and hack their account.

Experts also found that due to the lack of password sanitization, attackers can inject arbitrary commands into new password requests. This allows them not only to overwrite the root password, but also to open the embedded Telnet service and remotely hijack the device. The method can also be used to install malicious firmware, which gives hackers persistent access to the socket and from there to all the other devices on the local network.

“This type of attack enables a malicious party to leverage the vulnerability from anywhere in the world”, said Alexandru Balan, chief security researcher at Bitdefender. “Up until now most IoT vulnerabilities could be exploited only in the proximity of the smart home they were serving, however, this flaw allows hackers to control devices over the Internet and bypass the limitations of the network address translation. This is a serious vulnerability, we could see botnets made up of these power outlets.”

Related Reading: Security Pros Show Extensive Distrust of IoT Security

Related Reading: The IoT Sky is Falling - How Being Connected Makes Us Insecure

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed

During an internal security review, Cisco discovered that its Firepower Management Center product is plagued by several issues, including critical privilege escalation and command execution vulnerabilities.

The Firepower Management Center is described by the vendor as the administrative nerve center for managing Cisco network security solutions, including firewall, intrusion prevention, application control, advanced malware protection and URL filtering products.

Cisco discovered several flaws in the appliance’s web-based graphical user interface (GUI). One of the critical issues, tracked as CVE-2016-1457, allows an authenticated attacker to remotely execute arbitrary commands on the affected device with root-level privileges.

Critical vulnerabilities in Cisco Firepower applianceThe security hole, caused by insufficient authorization checking, affects Firepower Management Center and the Cisco ASA 5500-X series with FirePOWER Services versions 5.4.0, 5.3.1,, 5.2.0 and The bug has been addressed in versions,, 5.4.1 and 6.0.0.

Another critical vulnerability, identified as CVE-2016-1458, allows an authenticated attacker to elevate the privileges of user accounts on the targeted device. The weakness affects the same products and versions as CVE-2016-1457.

Cisco has also identified a medium severity cross-site scripting (XSS) flaw in Firepower Management Center. The flaw can be exploited by a remote, unauthenticated attacker to launch XSS attacks against a user by getting them to access a specially crafted link or by intercepting their requests and injecting them with malicious code.

No workarounds are available for these issues. Cisco says there is no evidence that the flaws have been exploited in the wild.

Cisco also warned users on Wednesday that it has identified a high severity zero-day vulnerability after analyzing the exploits leaked by a threat group calling itself Shadow Brokers. The flaw remains unpatched, but the networking giant has provided some workarounds.

Shadow Brokers has leaked hundreds of megabytes of exploits and implants allegedly stolen from the NSA-linked Equation Group. The exploits published by the hackers also target products from Fortinet, Chinese company TOPSEC, Juniper Networks, WatchGuard and several unknown vendors.

Related: Cisco Fixes Flaws in Network Analysis Modules

Related: No Patch for Critical RCE Flaw in Cisco Routers

Related: Cisco, Juniper Patch Operating System Flaws

view counter

Previous Columns by Eduard Kovacs:


SecurityWeek RSS Feed