Last week the team that supports the Network Time Protocol (NTP) software released an advisory describing a number of vulnerabilities in NTP and announced patches that address them. One of the announced vulnerabilities could be used to crash the NTP daemon, causing a denial of service against the NTP service. If you are already using CloudPassage Halo to monitor your server workload configurations with one of the Linux-based CIS benchmark or DISA STIG policies, you were likely already protected by following the hardening recommendations for NTP that those policies provide.
The vulnerability
The vulnerability applies to all Linux systems that are running unpatched versions of the NTP daemon and, unless mitigated, could lead to an ntpd crash and a Denial of Service (DoS). NTP is designed to synchronize system clocks across a variety of systems from a highly accurate source, and it supports a number of query types other than the basic time query. Because these additional queries do not always validate input well, a single malformed packet, sent without authentication, could cause the daemon to crash. A proof-of-concept exploit reportedly exists.
This vulnerability can be mitigated by configuring the server to protect against it, or by installing patches when the operating system vendors release them. The CVE for this vulnerability is CVE-2016-7434.
How Halo can help
CloudPassage customers can use Halo to protect themselves by following these steps:
- If the customer is using a CSM policy based on a recent CIS or STIG-based template, and they have applied the mitigations for ntp.conf, they are already protected. If they have not, they should consider doing so.
- Make sure to perform a Software Vulnerability Scan on all servers.
- Halo will alert for all servers that are vulnerable to CVE-2016-7434 as soon as that data is available to us.
- Mitigate the vulnerability by applying the mitigations described in the CERT vulnerability description, if they are not already in place.
- Use CSM to confirm that the mitigations are in place.
A CSM policy example
The best way to address this vulnerability is to install patches. Until patches are available from the OS vendors, these mitigations should protect servers from attack. If /etc/ntp.conf is updated to restrict access to non-time-related queries, then the system should be protected.
Below is a screenshot of a check that will look for the presence of this mitigation.
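The same kind of check can be run by hand on a server. The script below is an added example, not CloudPassage's policy or code from the original post. It assumes the mitigation takes the form of the `noquery` flag (or `ignore`) on every default `restrict` line in ntp.conf, as the CIS benchmark recommends; the function name and sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an ntp.conf for default "restrict" lines lacking noquery.
# Returns 0 if at least one default restrict line exists and every one carries
# "noquery" (or "ignore", which drops all packets); 1 if not; 2 if unreadable.
check_ntp_noquery() {
    conf="${1:-/etc/ntp.conf}"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk '
        { sub(/#.*/, "") }              # strip comments so "# noquery" is not counted
        $1 != "restrict" { next }
        {
            is_default = 0; ok = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "default") is_default = 1
                if ($i == "noquery" || $i == "ignore") ok = 1
            }
            if (!is_default) next       # per-host restrict lines are out of scope
            seen++
            if (!ok) {
                bad++
                printf "line %d: default restrict without noquery: %s\n", NR, $0
            }
        }
        END {
            if (!seen) { print "no default restrict line found"; exit 1 }
            exit (bad ? 1 : 0)
        }
    ' "$conf"
}

# Constructed sample (not from the page): IPv4 default is hardened, IPv6 is not.
sample=$(mktemp)
cat > "$sample" <<'EOF'
driftfile /var/lib/ntp/drift
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer   # missing noquery
restrict 127.0.0.1
server 0.pool.ntp.org iburst
EOF
check_ntp_noquery "$sample" || echo "mitigation NOT in place"
rm -f "$sample"
```

Called with no argument, the function audits /etc/ntp.conf; a non-zero exit status makes it usable in a cron job or configuration-management run.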
Using SVA to find vulnerable software
Customers running SVA scans against their servers should see the vulnerability appearing in their reports once the vulnerability has been added to our database. If updated packages cannot be installed, the vulnerability can still be mitigated through the ntp.conf restrictions described above.
In addition, customers can always use the Filter functionality in the Servers tab to find servers that may be vulnerable, or can look at the Software tab to determine what version of ntpd is installed.
Below is a screenshot of the configuration bar, with the Servers tab open, showing the filter Software Package Name and the package ntpd being selected.
Summary
Using Halo you can reduce your software attack surface by ensuring proper security configuration, discovering software vulnerabilities, and making sure that you apply the appropriate patches or mitigations where available.