It's time: Patch Network Time Protocol before it loses track of time

Synchronise your watches before someone exploits DDOS bug, or nine other nasties

10 Reg comments Got Tips?

The maintainers of the Network Time Protocol daemon (ntpd) have pushed out a patch for ten security vulnerabilities.

Leading the fixfest is a trap-crash turned up by Cisco's Matthew Van Gundy.

If ntpd is configured with the trap service enabled, a malformed packet causes a null pointer dereference and crash it.

A Windows bug fixed in ntpd Version ntp-4.2.8p9 is triggered by an oversized UDP packet, and its discoverer, Magnus Stubman, has posted proof-of-concept code here.

CERT's full list of the vulnerabilities and fixes is here.

The NTP daemon is ubiquitous, and while it gets the most attention when attackers use it for DDoS attacks (such as in late 2013 when it was deployed against, League of Legends and Steam), pretty much any 'net-facing server is running it, and is therefore potentially vulnerable to the latest brace of bugs. ®


Keep Reading

Shared memory vulnerability in IBM's Db2 database could let nefarious insiders wreak havoc – so get patching

Lack of protections around trace facility gives local users read and write access

Cisco warns miscreants are crippling IOS XR network gear over the internet with memory black-holes. No patch yet

In brief Plus: Time to dump that old backdoored ZTE mobile hotspot

So kind of SAP NetWeaver to hand out admin accounts to anyone who can reach it. You'll want to patch this

10 out of 10: Great in a test score, less good when it's for the severity of a flaw

As you're scrambling to patch the scary ZeroLogon hole in Windows Server, don't forget Samba – it's also affected

Domain controllers at risk of hijacking, depending on version and configuration

US govt warns foreign hackers 'will likely try to exploit' critical firewall bypass bug in Palo Alto gear – patch now

Bogus signatures may fool your corp network's gatekeeper

US cybersecurity agency issues super-rare emergency directive to patch Windows Server flaw ASAP

Government sysadmins given weekend to fix ZeroLogon elevation of privilege bug, rest of us given stern warning

F5 emits fixes for critical flaws in BIG-IP gear: Hopefully yours aren't internet-facing while you ready a patch

Not to worry, there are only *searches* several thousand devices apparently exposed online

Salt peppered with holes? Automation tool vulnerable to auth bypass: Patch now

'The impact is full remote command execution as root on both master and all minions'

Biting the hand that feeds IT © 1998–2020