Critical infrastructure at risk from remotely exploitable NTP flaws
Remotely exploitable Network Time Protocol (NTP) vulnerabilities are leaving critical infrastructure firms open to attack, according to the Industrial Control Systems Computer Emergency Response Team (ICS-CERT).
ICS-CERT issued an advisory on the flaws, confirming it is working with over 20 vendors, including Google, to create fixes.
“As NTP is widely used within operational industrial control systems deployments, ICS-CERT is providing this information for US critical infrastructure asset owners and operators for awareness and to identify mitigations for affected devices,” read the advisory.
“These vulnerabilities could be exploited remotely.”
The flaws exist in all NTP Version 4 releases prior to Version 4.2.8p1 and are the result of “insufficient entropy”, the use of a cryptographically weak pseudorandom number generator (PRNG), a section of code without a return statement and a weak stack buffer, according to ICS-CERT.
The emergency response team said it has yet to see evidence that any of the flaws are being exploited, but warned:
“An attacker with a low skill and an exploit script would be able to exploit these vulnerabilities. However, a higher level of skill would be necessary to craft usable exploit scripts.”
It added that assessing the full scale of the flaws’ impact is difficult, as it depends on each company’s wider system.
“Impact to individual organisations depends on many factors that are unique to each organisation,” read the advisory.
“ICS-CERT recommends that organisations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.”
ICS-CERT recommends that firms update to an unaffected NTP version and take a variety of other protective measures.
“Minimise network exposure for all control system devices and/or systems, and ensure that they are not accessible from the internet,” read the advisory.
“Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
“[Finally] when remote access is required, use secure methods, such as virtual private networks (VPNs).”
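The two actions above, patching to an unaffected release and cutting remote exposure of the time service, are the kind of thing an asset owner can check for in bulk. The following script is an added example written for this article, not code from ICS-CERT or the NTP project. It assumes ntpd reports its version in the usual `ntpd 4.2.6p5@1.2349-o ...` form (as seen in `ntpq -c rv` output) and that ntpd's `restrict default` directive controls what arbitrary remote hosts may do; the version strings and ntp.conf texts below are constructed samples.

```python
"""Audit helper for the NTP advisory: flags ntpd builds older than 4.2.8p1 and
ntp.conf files whose default policy leaves the daemon queryable/modifiable from
anywhere. Added example; sample inputs are constructed, not captured from a host."""
import re
from typing import Dict, Optional, Set, Tuple

# First unaffected release named in the advisory.
FIXED_VERSION = "4.2.8p1"

# Matches "4.2.6p5" or "4.2.8"; the "p" patch level is optional.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

# restrict-flags that stop arbitrary remote hosts from querying or changing ntpd.
WANTED_FLAGS: Set[str] = {"kod", "nomodify", "notrap", "nopeer", "noquery"}


def parse_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, p-level) from text such as
    'ntpd 4.2.6p5@1.2349-o', or None if no NTP-style version is present.
    A release without a 'p' suffix sorts below its p1 patch (4.2.8 < 4.2.8p1)."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected(text: str) -> Optional[bool]:
    """True when the reported ntpd is older than 4.2.8p1 (the advisory's cut-off),
    False when it is 4.2.8p1 or newer, None when no version could be parsed."""
    found = parse_version(text)
    if found is None:
        return None
    return found < parse_version(FIXED_VERSION)


def default_restrict_flags(conf: str) -> Dict[str, Set[str]]:
    """Collect the flags given on 'restrict default' lines, per address family.
    A bare 'restrict default' applies to both; 'restrict -4/-6 default' to one."""
    flags: Dict[str, Set[str]] = {"ipv4": set(), "ipv6": set()}
    for raw in conf.splitlines():
        toks = raw.split("#", 1)[0].split()  # drop comments, tokenise
        if len(toks) < 2 or toks[0] != "restrict":
            continue
        families = ("ipv4", "ipv6")
        if toks[1] == "-4":
            families, toks = ("ipv4",), toks[:1] + toks[2:]
        elif toks[1] == "-6":
            families, toks = ("ipv6",), toks[:1] + toks[2:]
        if len(toks) >= 2 and toks[1] == "default":
            for fam in families:
                flags[fam].update(toks[2:])
    return flags


def missing_restrictions(conf: str) -> Dict[str, Set[str]]:
    """Which of WANTED_FLAGS the default policy lacks, per family. An empty set
    means remote hosts can at most obtain time; a full set means no restrict
    default line exists at all, so anyone reaching the port can query ntpd."""
    return {fam: WANTED_FLAGS - got for fam, got in default_restrict_flags(conf).items()}


# Constructed sample: no default policy, so the daemon answers anything remotely.
WEAK_CONF = """# constructed sample ntp.conf
server time.example.internal
restrict 127.0.0.1
"""

# Constructed sample: remote hosts may fetch time and nothing else.
HARDENED_CONF = """# constructed sample ntp.conf
server time.example.internal
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

if __name__ == "__main__":
    for banner in ("ntpd 4.2.6p5@1.2349-o", "ntpd 4.2.8p1@1.3265-o"):
        print(banner, "->", "AFFECTED" if is_affected(banner) else "patched")
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "missing restrict flags:", missing_restrictions(conf))
```

On a real host, the version check would be fed the `version=` field from `ntpq -c rv` and the config check the contents of `/etc/ntp.conf`; a non-empty set from `missing_restrictions` on a device that is also reachable from outside the control network is exactly the exposure the advisory asks owners to remove, independent of whether the build has been patched.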
The ICS-CERT advisory follows widespread warnings that firms involved in critical infrastructure are dangerously vulnerable to cyber attacks.
US president Barack Obama pledged to bolster the nation’s cyber security and intelligence-gathering powers in a bid to protect critical infrastructure and industry from terrorists during his State of the Union speech in January.