Cisco has turned over a bunch of Network Time Protocol daemon (ntpd) vulnerabilities to the Linux Foundation's Core Infrastructure Initiative.
The vulnerabilities, discovered during its ongoing ntpd evaluation, “allow attackers to craft UDP packets to either cause a denial of service condition or to prevent the correct time being set”, Cisco's Talos Security Intelligence and Research Group writes here.
First on the list is CVE-2016-1550, described as an NTP authentication potential timing vulnerability: a successful attack on a 128-bit key shared between co-ordinating systems would let the attacker spoof NTP packets (and therefore set the target system to the wrong time).
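The timing issue described above comes down to how the MAC on an authenticated NTP packet is checked against the value computed from the shared key. The following C example is added here for illustration and is not code from the article, from Cisco Talos or from ntpd; it assumes (something the article does not spell out) that the leak is a byte-by-byte comparison that stops at the first mismatch, and contrasts that with the constant-time comparison a defender would want in its place. The 16-byte MAC values are constructed sample data, not real digests.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NTP_MAC_LEN 16 /* 128-bit MAC, matching the key size the article mentions */

/* Variable-time comparison (assumed shape of the weak check): returns 1 if
 * equal, 0 otherwise. `steps` receives how many bytes were inspected before
 * returning; that count is what an observer sees as execution time, so it
 * reveals the position of the first mismatching byte. */
int mac_equal_leaky(const uint8_t *a, const uint8_t *b, size_t len, size_t *steps)
{
    for (size_t i = 0; i < len; i++) {
        if (a[i] != b[i]) {
            if (steps) *steps = i + 1;
            return 0;
        }
    }
    if (steps) *steps = len;
    return 1;
}

/* Constant-time comparison: every byte is always inspected and the result
 * is accumulated with OR, so the running time does not depend on where (or
 * whether) the inputs differ. */
int mac_equal_ct(const uint8_t *a, const uint8_t *b, size_t len, size_t *steps)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    if (steps) *steps = len;
    return diff == 0;
}

/* Constructed sample data: an "expected" MAC and a candidate that is
 * identical except at byte `mismatch_at` (or fully identical if < 0). */
static void make_mac_pair(uint8_t expected[NTP_MAC_LEN],
                          uint8_t candidate[NTP_MAC_LEN], int mismatch_at)
{
    for (int i = 0; i < NTP_MAC_LEN; i++)
        expected[i] = (uint8_t)(0xA0 + i);
    memcpy(candidate, expected, NTP_MAC_LEN);
    if (mismatch_at >= 0 && mismatch_at < NTP_MAC_LEN)
        candidate[mismatch_at] ^= 0xFF;
}

/* Runs one comparison (leaky if constant_time == 0, constant-time otherwise)
 * on a candidate differing at `mismatch_at`; returns the match result and
 * stores the number of bytes inspected in *steps. */
int compare_demo(int mismatch_at, int constant_time, size_t *steps)
{
    uint8_t expected[NTP_MAC_LEN], candidate[NTP_MAC_LEN];
    make_mac_pair(expected, candidate, mismatch_at);
    return constant_time ? mac_equal_ct(expected, candidate, NTP_MAC_LEN, steps)
                         : mac_equal_leaky(expected, candidate, NTP_MAC_LEN, steps);
}

int main(void)
{
    printf("mismatch_at  leaky_steps  ct_steps\n");
    for (int pos = -1; pos < NTP_MAC_LEN; pos++) {
        size_t leaky = 0, ct = 0;
        compare_demo(pos, 0, &leaky);
        compare_demo(pos, 1, &ct);
        printf("%11d  %11zu  %8zu\n", pos, leaky, ct);
    }
    return 0;
}
```

Compile and run the block on its own (`cc -o mac_demo mac_demo.c && ./mac_demo`) and the table shows the leaky comparison's work growing with the position of the first wrong byte, while the constant-time version always does the same amount; that difference is the whole signal a timing attack needs, and removing it is the mitigation.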
CVE-2016-1551, an NTP refclock impersonation vulnerability, is less serious. Spoofed packets would let the attacker alter the target's time if they appear to originate from the 127.127.0.0/16 address range, which the daemon treats as trusted.
However, as the post notes, the 127.127.0.0/8 range should be filtered out by operating systems or routers, and should rarely be encountered by the daemon.
CVE-2016-1549 is an NTP ephemeral association sybil vulnerability: the protocol supports the creation of peer associations for systems to agree on a common reference time.
The problem? There's no limit to how many peers can share the same key, and that means if an attacker can discover the key, they can set up malicious peers. With enough malicious peers sharing the wrong time, they can “drown out” the correct time, the post says.
CVE-2016-1547, “demobilization of preemptible associations”, is a denial-of-service vulnerability. The attacker can spoof the address of a machine in a crypto-NAK packet (that is, the recipient signalling that they were unable to authenticate the sender), and that breaks the association between peers in the system.
Finally, there's CVE-2016-1548 “Xleave pivot: NTP basic mode to interleaved”. The attacker can use this vulnerability to break the association between client and server, and impersonate the server to set the wrong time at the client.
The vulnerabilities have been fixed in NTP version 4.2.8p7 (http://ntp.org/downloads.html). ®