Topic: NTP Vulnerability (Read 4939 times)

DCIFRTHS · « **on:** December 25, 2014, 01:00:09 AM »

Is the DIR-655 vulnerable to any exploits with regard to the NTP holes that were recently reported?

If yes, what hardware revisions are vulnerable, and how can I mitigate the exploits?

Thanks for any information provided !

PacketTracer · « **Reply #1 on:** December 25, 2014, 08:00:06 AM »

The answer depends on what time service implementation the DIR uses. If it uses e.g. chrony, it is not affected. Only if it uses ntpd in a non-default configuration, it might be vulnerable to remote code execution, namely if Autokey Authentication is enabled, or if control messages are allowed from source addresses other than localhost. For details, see CVE-2014-9295 and comment #11 on Red Hat Bugzilla – Bug 1176037.

FurryNutz · « **Reply #2 on:** December 25, 2014, 11:28:13 AM »

Link>Welcome!

What Hardware version is your router? Look at sticker under the router case.
Link>What Firmware version is currently loaded? Found on the routers web page under status.
What region are you located?

Also review this for D-Link information as well:
http://forums.dlink.com/index.php?topic=56542.0

DCIFRTHS · « **Reply #3 on:** December 26, 2014, 03:47:44 AM »

Quote from: PacketTracer on December 25, 2014, 08:00:06 AM

The answer depends on what time service implementation the DIR uses. If it uses e.g. chrony, it is not affected. Only if it uses ntpd in a non-default configuration, it might be vulnerable to remote code execution, namely if Autokey Authentication is enabled, or if control messages are allowed from source addresses other than localhost. For details, see CVE-2014-9295 and comment #11 on Red Hat Bugzilla – Bug 1176037.

Thank you for the information and links.

DCIFRTHS · « **Reply #4 on:** December 26, 2014, 03:50:45 AM »

Quote from: FurryNutz on December 25, 2014, 11:28:13 AM

Link>Welcome!

What Hardware version is your router? Look at sticker under the router case.
Link>What Firmware version is currently loaded? Found on the routers web page under status.
What region are you located?

Also review this for D-Link information as well:
http://forums.dlink.com/index.php?topic=56542.0

Hardware version: A3
Firmware: 1.37NA

When you ask what region I am in, I assume you mean what country? If so, I'm in the US.

Thank You.

FurryNutz · « **Reply #5 on:** December 26, 2014, 02:14:51 PM »

v1.37 maybe the last FW release for Rev A as it's getting older now and out of date. I presume if D-Link considers the NTP a security issue, it may release a patch to fix it. Otherwise, 1.37 will be it.

DCIFRTHS · « **Reply #6 on:** December 27, 2014, 02:43:13 AM »

Quote from: FurryNutz on December 26, 2014, 02:14:51 PM

v1.37 maybe the last FW release for Rev A as it's getting older now and out of date. I presume if D-Link considers the NTP a security issue, it may release a patch to fix it. Otherwise, 1.37 will be it.

Do you know if there is any way to "test" for the vulnerability?

Also, from what I understand, and I don't understand too much about this

, the vulnerability is in the incoming (server) part of the NTP daemon. The firmware page of my router lists the time service as a server. Do you know if this is accurate, and the service will actually accept incoming connections?

PacketTracer · « **Reply #7 on:** December 27, 2014, 07:05:20 AM »

Hi,

Quote

... and the service will actually accept incoming connections?

You could use this UDP port scanner to check if your DIR WAN port possibly accepts unsolicited incoming UDP messages directed to the NTP port 123/udp (when saying "unsolicited" I mean: Of course it will accept replies received as a result to requests it has sent to external NTP servers before in order to synchronize local time) . Before doing so, please read the section titled "How it works" to understand the subtleties of UDP port scans ...

Quote

...the vulnerability is in the incoming (server) part of the NTP daemon. The firmware page of my router lists the time service as a server. Do you know if this is accurate...?

NTPD (if at all used by your D-LINK box - this question and if a vulnerabilty exists can only be answered by D-Link's Security Advisories site - the latest advisory SAP10048 (published 2014/12/22) applying to DIR-655 Rev. Bx says nothing about time service vulnerabilities) can be both a client and a server (depending on configuration): It acts as a client when asking external NTP servers for time synchronization and it possibly acts as a server for devices inside your LAN if they are configured to use your DIR as a time source (don't know if DIR-655 supports this use case).

As far as I understand the vulnerability (and I may be wrong) it is also effective if NTPD operates as a client only (insofar it may receive "bad" replies from attackers using spoofed IP addresses), but only if it is configured to use cryptographic authentication functions (which it is not by default).

PT

D-Link Forums

News:

Author Topic: NTP Vulnerability (Read 4939 times)

DCIFRTHS

NTP Vulnerability

PacketTracer

Re: NTP Vulnerability

FurryNutz

Re: NTP Vulnerability

DCIFRTHS

Re: NTP Vulnerability

DCIFRTHS

Re: NTP Vulnerability

FurryNutz

Re: NTP Vulnerability

DCIFRTHS

Re: NTP Vulnerability

PacketTracer

Re: NTP Vulnerability