NTP is pretty tough but contains several flaws that could undermine encrypted communications and even jam up bitcoin transactions.
NTP has a rate-limiting mechanism, nicknamed the “Kiss O’ Death” packet, that will stop a computer from repeatedly querying the time in case of a technical problem. When that packet is sent, systems may stop querying the time for days or years.
The researchers have used these flaws to make an organisation’s servers stop checking the time altogether.
Time is pretty important. In 2012, two servers run by the US Navy rolled back their clocks 12 years, and thought it was 2000.
Computers that checked in with the Navy’s servers and adjusted their clocks accordingly had a variety of problems with their phone systems, routers and authentication systems.
If a computer’s clock is rolled back, an expired SSL/TLS certificate for which the attacker has the decryption key could be accepted as valid, according to the researchers’ technical paper.
Sharon Goldberg, an associate professor at Boston University’s computer science department, said that the KOD vulnerability was found just by reading the specifications of the NTP protocol. The researchers wondered what you could do with it.
The researchers suspect that, with just one computer, such a spoofing attack could be conducted on a large scale across NTP clients found using network scanners such as nmap and zmap.
The spoofing is possible because most NTP servers don’t use encryption when talking to their clients. Two other flaws were also found. In a type of denial-of-service attack, an attacker could spoof Kiss O’ Death packets to look like they’re coming from an NTP client. The time server then tries to slow down those queries, sending a response that causes the NTP client to stop updating its clock.
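Because the Kiss O’ Death packet arrives unauthenticated, a client or a monitoring tool can at least confirm that a kiss packet answers a query the client really sent. The sketch below is an added example, not code from the article, the researchers or the NTP project: it assumes the RFC 5905 header layout (stratum 0 and an ASCII kiss code in the reference ID mark a KoD, and the origin timestamp echoes the client's transmit timestamp), its function names are hypothetical, and the sample packets are constructed.

```python
import struct

# Kiss codes from RFC 5905 that tell a client to back off or stop.
KISS_CODES = {b"RATE", b"DENY", b"RSTR"}

def parse_ntp(packet: bytes) -> dict:
    """Pull out the header fields needed to recognise a KoD reply."""
    if len(packet) < 48:
        raise ValueError("an NTP header is 48 bytes")
    first, stratum = packet[0], packet[1]
    return {
        "mode": first & 0x07,        # 4 = server reply
        "stratum": stratum,          # 0 marks a kiss packet
        "refid": packet[12:16],      # ASCII kiss code when stratum is 0
        "origin": packet[24:32],     # echo of the client's transmit timestamp
    }

def classify_reply(packet: bytes, sent_transmit_ts: bytes) -> str:
    """Classify a reply against the transmit timestamp the client sent."""
    f = parse_ntp(packet)
    if f["mode"] != 4:
        return "ignore: not a server reply"
    is_kod = f["stratum"] == 0 and f["refid"] in KISS_CODES
    if f["origin"] != sent_transmit_ts:
        # A sender that never saw our query does not know this timestamp.
        return "drop: unsolicited KoD" if is_kod else "drop: origin mismatch"
    return ("kod: " + f["refid"].decode()) if is_kod else "accept: time reply"

def build_reply(stratum: int, refid: bytes, origin: bytes) -> bytes:
    """Constructed sample packet (LI=0, VN=4, mode=4); not captured traffic."""
    header = struct.pack("!BBbb", (4 << 3) | 4, stratum, 6, -20)
    return header + bytes(8) + refid + bytes(8) + origin + bytes(16)

if __name__ == "__main__":
    ours = bytes.fromhex("d9f1a2b3c4d5e6f7")   # constructed transmit timestamp
    samples = {
        "normal reply": build_reply(2, bytes([192, 0, 2, 1]), ours),
        "genuine RATE": build_reply(0, b"RATE", ours),
        "forged RATE": build_reply(0, b"RATE", bytes(8)),
    }
    for name, pkt in samples.items():
        print(f"{name:13} -> {classify_reply(pkt, ours)}")
```

This check only rejects kiss packets from a sender that never saw the client's query; a KoD that the real server issues after receiving spoofed queries carries a valid origin timestamp and passes it.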
The third flaw allows an attacker who is interfering with unencrypted NTP traffic to shift a computer’s clock forward or backwards on a reboot.
Fortunately, fixes for the problems are available now. The latest version of NTP, released on Tuesday, is ntp-4.2.8p4, and administrators are advised to patch as soon as possible. The only problem is that the old versions of NTP have been sitting there for more than a decade and they are not something that people think to patch.