Vigil@nce - NTP.org: altering time via Small-step/Big-step
March 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can act as a Man-in-the-Middle of NTP.org, in order to
change the client time.
Impacted products: CheckPoint IP Appliance, IPSO, Fedora, FreeBSD,
AIX, Meinberg NTP Server, NTP.org, Slackware.
Severity: 2/4.
Creation date: 08/01/2016.
DESCRIPTION OF THE VULNERABILITY
The ntpd daemon of NTP.org manages the local time by receiving
information from several time servers with upper stratum.
However, if an attacker acts as a Man-in-the-Middle, and sends
invalid information to NTP.org, the daemon restarts. Then, during
the restart, the attacker can continue to spoof upper time
servers, to change the time. If ntpd is started without the "-g"
option, the time change is limited to 900 seconds.
An attacker can therefore act as a Man-in-the-Middle of NTP.org,
in order to change the client time.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/NTP-org-altering-time-via-Small-step-Big-step-18665