Blog | G5 Cyber Security

CVE-2015-7704: NTP Server Vulnerability

TL;DR

CVE-2015-7704, the “kiss-of-death” vulnerability in ntpd, can affect NTP time servers. While it is often discussed as a client-side issue, a malicious actor can exploit it against servers to cause a denial of service (DoS). Servers are particularly exposed if they accept queries from untrusted networks.

Understanding the Vulnerability

CVE-2015-7704 is a bug in how ntpd handles specially crafted packets. Such packets can trigger a CPU usage spike, leading to server instability and ultimately a crash (DoS). The vulnerability stems from inefficient handling of control messages.

Is Your Server Affected?

  1. Check your ntpd version: The vulnerability affects versions prior to ntpd 4.6.103. Use the following command:
    ntpd -V
  2. If your version is older than 4.6.103, you are vulnerable.

Mitigation Steps

There are several ways to protect your NTP servers:

1. Upgrade ntpd

  1. The best solution is to upgrade to the latest stable version of ntpd (4.6.103 or later). Use your distribution’s package manager:
    • Debian/Ubuntu:
      sudo apt update && sudo apt upgrade ntpd
    • CentOS/RHEL:
      sudo yum update ntpd
  2. Restart the ntpd service after upgrading:
    sudo systemctl restart ntpd

    (or equivalent for your distribution).

2. Restrict Access

If you cannot upgrade immediately, restrict access to your NTP servers:

  1. Firewall Rules: Allow connections only from trusted networks or clients.
    • Example using iptables (replace with your actual network ranges):
      sudo iptables -A INPUT -s 192.168.1.0/24 -p udp --dport 123 -j ACCEPT
      sudo iptables -A INPUT -p udp --dport 123 -j DROP
  2. ntpd Configuration (ntpd.conf): Use the restrict keyword to limit access.
    • Example:
      restrict default nomodify notrap nopeer noquery limited

      This configuration blocks most unwanted queries from the outside world.

3. Disable Monlist

The monlist feature is particularly vulnerable. Disable it if you don’t need it:

  1. Edit your ntpd.conf file: Keep the restrictive default line and add a disable directive for the monitor facility (the feature that answers monlist queries); “monlist off” is not a valid restrict flag and would be rejected by ntpd:
    restrict -4 default nomodify notrap nopeer noquery limited
    disable monitor
  2. Restart ntpd:
    sudo systemctl restart ntpd
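To check that a server's configuration actually carries the restrict flags from the “Restrict Access” section and the monitor disable from the “Disable Monlist” section, here is a small audit script. It is an added example, not code from G5 Cyber Security or from the ntp project; the sample configuration embedded in it is constructed for offline testing.

```python
from typing import Dict, List, Set
# Flags the mitigation above puts on the default restrict line.
WANTED_FLAGS = {"nomodify", "notrap", "nopeer", "noquery", "limited"}

# Constructed sample config for offline testing, not taken from any real server.
SAMPLE_CONF = """\
server 0.pool.ntp.org iburst
restrict -4 default nomodify notrap nopeer limited   # noquery forgotten
restrict -6 default nomodify notrap nopeer noquery limited
restrict 127.0.0.1
disable monitor
"""

def _words(conf: str):
    """Yield the tokens of each non-empty config line, comments stripped."""
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if words:
            yield words

def parse_restrict_defaults(conf: str) -> Dict[str, Set[str]]:
    """Map each 'restrict [-4|-6] default' line to the set of flags it carries."""
    found: Dict[str, Set[str]] = {}
    for words in _words(conf):
        if words[0] != "restrict":
            continue
        family, rest = "both", words[1:]
        if rest and rest[0] in ("-4", "-6"):
            family, rest = rest[0], rest[1:]
        if rest and rest[0] == "default":
            found[family] = set(rest[1:])
    return found

def monitor_disabled(conf: str) -> bool:
    """True if a 'disable monitor' directive (which turns off monlist) is present."""
    return any(w[0] == "disable" and "monitor" in w[1:] for w in _words(conf))

def audit(conf: str) -> List[str]:
    """Return findings; an empty list means the file matches the advice above."""
    findings: List[str] = []
    defaults = parse_restrict_defaults(conf)
    if not defaults:
        findings.append("no 'restrict default' line: every client gets full access")
    for family, flags in sorted(defaults.items()):
        missing = sorted(WANTED_FLAGS - flags)
        if missing:
            findings.append(f"restrict {family} default lacks: {' '.join(missing)}")
    if not monitor_disabled(conf):
        findings.append("monlist still enabled: add 'disable monitor'")
    return findings
```

Run `audit(open("/etc/ntp.conf").read())` on a real host; each finding names the directive to add.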

Monitoring

Monitor your NTP servers for sustained high CPU usage or unexpected ntpd crashes and restarts. Tools like top, htop, and the system logs can help identify a potential attack.
