Serious NTPd vulnerabilities Patched; XTM Not Affected

Corey Nachreiner's picture

14 Mar 2013 By Corey Nachreiner
Categories: XCS


Today, CERT and NTP.org warned the world about some serious vulnerabilities in a very popular network time server called ntpd. If you use Linux systems, or any number of network appliances, chances are you're using ntpd somewhere in your organization, and should apply the 4.2.8 update (tarball) as soon as possible.

Network Time Protocol (NTP) is a standard for updating and synchronizing your computer's clock over a network. Ntpd is one of the most popular NTP services that ships with the Linux and Unix operating system, and is also used by many Linux-based network and hardware appliances (perhaps even some Internet of Things devices). According to CERT's advisory, ntpd suffers from four new security vulnerabilities. I won't explain them all in detail, but the worst are buffer overflow vulnerabilities in a number of ntpd functions. In short, by sending specially crafted packets, a remote and unauthenticated attacker can exploit these buffer overflow flaws to execute arbitrary code on any system running ntpd. The malicious code would run with the same privileges as the ntpd process (ntpd privilege vary from system to system).

These buffer overflow flaws are very serious, as any remote attacker can exploit them without authentication, as long as she has network access to your ntpd service. CERT assigned the flaws a 7.5 (out of 10) CVSS rating, which is pretty high. I highly recommend you update ntpd on all your *nix servers immediately.

Also, throughout the next few weeks we will likely learn of many other Linux-based products that are affected by this ntpd flaw. Be sure to watch CERT's alert for these updates, and upgrade the firmware of any affected devices when it's available. To learn more about these issues, check out CERT and NTP.org's advisories (Note: At the time of writing, NTP's advisory was experiencing occasional downtime).

Are WatchGuard Products Affected?

Finally, astute customers might wonder if any WatchGuard products are affected by these flaw, since they are Linux-based. The good news is our flagship XTM products are not affected. However, our XCS mail security appliances are. More details below:

  • XTM and Firebox appliances: Our XTM appliances use openntpd for NTP communications, rather than ntpd. They are NOT VULNERABLE to the ntpd flaws.
  • WatchGuard Wireless Acces Points (AP): Our wireless APs only use ntpclient for time synchronization, and are NOT VULNERABLE to the ntpd issues.
  • XCS appliances: Our XCS appliance do use ntpd, and are VULNERABLE to these flaw. However, you can easily mitigate the risk of these ntpd vulnerabilities. Most administrators have a firewall in front of their XCS appliance. We recommend you prevent external NTP traffic (UDP 123) from reaching your XCS appliance. Rather, setup an internal NTP server (make sure to update ntpd if you use it) and get network time synchronization from that internal server instead.

Update on Dec 29th 2014:

  • XCS Hotfix: XCS 10.0 NTP Hotfix was published on Dec 26th to patch ntpd. WatchGuard XCS 10.0 Update 2 must be installed before installing this hotfix release.
  • WatchGuard Dimension: Although not technically exposed, Dimension includes an affected version of ntpd. A patch for Linux in Dimension was made available on Dec 23rd. Dimension automatically downloads security updates for its Linux components when they become available. Just make sure that you don’t have any upstream firewall that blocks access to security.ubuntu.com and archive.ubuntu.com.

— Corey Nachreiner, CISSP (@SecAdept), Brendan Patterson, CISSP