A denial of service vulnerability has been reported in the Windows port of Network Time Foundation's NTP daemon. The vulnerability is due to insufficient error handling when receiving large UDP packets. A remote, unauthenticated attacker can exploit this vulnerability by sending a large UDP packet to the target server. Successful exploitation results in denial of service conditions on the target server.
Exploitation
Stages
- An unauthenticated attacker sends four UDP packets which are larger than 1000 bytes. The UDP packets do not have to be valid NTP requests; the content can be arbitrary. Only the size of the packet matters.
- NTPD processes inbound packets and attempts to ascertain whether any errors indicate that the endpoint may not be valid. The 'ERROR_MORE_DATA' condition raised by packets larger than 1000 bytes is not explicitly handled, and each occurrence consumes a worker instance without replacing it. After four oversized packets are processed, all available instances are consumed and no new requests can be processed until the service is restarted.
- Legitimate users who attempt to make valid requests receive all-zero stratum, offset, and delay values, which is the response expected when no NTPD service is running. The attack renders the NTPD service incapable of processing legitimate requests, resulting in a denial of service until the service is restarted.
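As an added illustration of the traffic pattern described in the stages above (example code written for this page, not Alert Logic's signature logic or ntpd code), the following Python counts UDP datagrams to port 123 that exceed the 1000-byte size per source/destination pair in a flow log and flags any pair that reaches the four-packet threshold the advisory names. The log format, addresses and sample lines are constructed for the example.

```python
import re
from collections import defaultdict

NTP_PORT = 123
# A standard NTP request is 48 bytes; even with extension fields and a MAC it
# stays well under the 1000-byte size the advisory names.
OVERSIZED_BYTES = 1000
# The advisory states that four oversized packets exhaust ntpd's worker instances.
ALERT_THRESHOLD = 4
# Hypothetical flow-log format (constructed for this example, not a real product's).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+) len=(?P<len>\d+)$"
)
def parse_line(line):
    """Return a dict for one flow-log line, or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    rec["len"] = int(rec["len"])
    return rec

def count_oversized_ntp(lines):
    """Count, per (src, dst) pair, UDP datagrams to port 123 longer than OVERSIZED_BYTES."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"].lower() != "udp" or rec["dport"] != NTP_PORT:
            continue  # malformed line, non-UDP traffic, or not aimed at ntpd
        if rec["len"] > OVERSIZED_BYTES:
            counts[(rec["src"], rec["dst"])] += 1
    return dict(counts)

def alerts(lines, threshold=ALERT_THRESHOLD):
    """Return sorted (src, dst) pairs whose oversized-datagram count reaches threshold."""
    return sorted(p for p, n in count_oversized_ntp(lines).items() if n >= threshold)
# Constructed sample: 203.0.113.5 sends four oversized datagrams to the NTP port;
# 198.51.100.7 sends a normal 48-byte request and one large packet to DNS instead.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z src=203.0.113.5 dst=192.0.2.10 proto=udp dport=123 len=1200
2024-01-01T10:00:00Z src=198.51.100.7 dst=192.0.2.10 proto=udp dport=123 len=48
2024-01-01T10:00:01Z src=203.0.113.5 dst=192.0.2.10 proto=udp dport=123 len=1200
2024-01-01T10:00:01Z src=198.51.100.7 dst=192.0.2.10 proto=udp dport=53 len=1500
2024-01-01T10:00:02Z src=203.0.113.5 dst=192.0.2.10 proto=udp dport=123 len=1400
2024-01-01T10:00:03Z src=203.0.113.5 dst=192.0.2.10 proto=udp dport=123 len=1001
not a flow record; parse_line() returns None and the line is skipped
""".splitlines()
```

Running `alerts(SAMPLE_LOG)` flags only the 203.0.113.5 to 192.0.2.10 pair; the 1500-byte packet to port 53 and the normal 48-byte request are ignored.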
Prerequisites
A vulnerable version of the Windows port of the NTP daemon (NTPD) must be installed on the target system.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.
Detection of this threat is provided via the Alert Logic ActiveWatch for Log Manager™ service. Log messages are produced by the vulnerable system when an exploit of this type is leveraged. An incident will be generated in the Alert Logic console if these log messages are observed.
Recommendations for Mitigation
To mitigate the vulnerability, upgrade to a non-vulnerable version of the Windows NTP daemon (NTPD).