
Cisco Identifies Multiple Vulnerabilities in Network Time Protocol daemon (ntpd)

Cisco is committed to improving the overall security of the products and services our customers rely on. As part of this commitment, Cisco assesses the security of software components used in our products. Open source software plays a key role in many Cisco products and as a result, ensuring the security of open source software components is vital, especially in the wake of major vulnerabilities such as Heartbleed and Shellshock.

In April 2014, the Linux Foundation spearheaded the creation of the Core Infrastructure Initiative in response to the disclosure of Heartbleed with the goal of securing open source projects that are widely used on the internet. As a member of the Linux Foundation Core Infrastructure Initiative (CII) Steering Group, Cisco is contributing to the CII effort by evaluating the Network Time Protocol daemon (ntpd) for security defects. ntpd is a widely deployed software package used to synchronize time between hosts. ntpd ships with a wide variety of network and embedded devices as well as desktop and server operating systems, including Mac OS X, major Linux distributions, and BSDs.

Today, in coordination with the NTP Project, Cisco is releasing 8 advisories for vulnerabilities that have been identified by the Talos Group and the Advanced Security Initiatives Group (ASIG) within Cisco. These vulnerabilities have been reported to the NTP Project in accordance with Cisco vulnerability reporting and disclosure guidelines. The NTP Project has responded by issuing a Security Advisory along with releasing a patched version of ntpd. The following serves as a summary for all the advisories being released. For the full advisories, readers should visit the Vulnerability Reports page on the Talos website.


Enterprise Security: Include DDoS Mitigation in your 2014 Plans

2014 will be a pivotal year for Enterprise Security professionals. Large-scale Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks have been increasing over the years, which is nothing new. As technology evolves, including faster machines and cheaper bandwidth, attacks will evolve just as fast, if not a little faster. What is alarming is the dramatic increase in the size of these DoS and DDoS attacks over the last year. These attacks are nothing to sneeze at; in fact, they are downright scary. Most of them can cripple even the biggest of Enterprises through sheer size alone. This will require Enterprise Security professionals to take a serious look at their security plans for 2014.

Enterprise Security

2013 saw the largest DDoS attack on record, the 300 Gbps attack on the anti-spam site Spamhaus. 2014 has also started off quickly with a large NTP reflection attack. Jaeson Schultz has a great article on this topic, available here. This isn't the start of the year the Enterprise Security professional wants to see. But it is a real threat, and any Enterprise needs to have plans in place to handle this type of situation so it can keep services available for its clients.

How Enterprise Security professionals handle this type of nightmare can lead to some sleepless nights. With the amount


When Network Clocks Attack

In October 2013, Cisco TRAC discussed Network Time Protocol (NTP) as a possible vector for amplified distributed denial of service (DDoS) attacks. Litnet CERT has since revealed that their NTP servers were used in a denial of service (DoS) attack. Symantec also published information regarding an NTP amplification-based DDoS attack that occurred in December 2013. On December 7, 2013, a user posted an NTP amplification DDoS script to Pastebin. The NTP DDoS script is heavily obfuscated Perl, though the plain text at the top credits the "leaking" of the script to an individual who goes by the handle Starfall. Brian Krebs also mentioned someone going by the name Starfall as a paying user of They may be the same person.

Decoding the obfuscated Perl yields some interesting insights. For example, this code near the top of the script has nothing to do with the NTP DDoS functionality:

The code above downloads a program called from IP, then runs and erases that program while writing the text “j00 g0t 0wn3d s0n” into a hidden file. Unfortunately, we were unable to obtain a copy of the script, but the ominous “j00 g0t 0wn3d s0n” text indicates the purpose of the program was likely to compromise the machine of anyone who was running the obfuscated NTP DDoS script. Is there no honor among hackers?


Medical Devices – It’s just a matter of time, literally!

I had the pleasure of meeting with a number of Biomedical Engineers and Clinical Engineers at CIMIT (Center for Integration of Medicine and Innovative Technology) in Cambridge this week. Lots to tell you (more to come), but perhaps nothing more timely than "time" itself. With the eventual "Meaningful Use" requirement to integrate Medical Devices with your EHR as a means to correlate patient vitals over time, we have big problems looming as an industry.

Under the direction of Dr. Julian Goldman at CIMIT, researcher Pratyusha Mattegunta, MS, BME and team examined hundreds of medical devices across a particular healthcare system, most of which were network attached. What the team found was an overwhelming number of medical devices with incorrect time and date. Some devices were in fact running some "very advanced firmware" that was able to predict the patient's condition, sometimes as much as 6+ months into the future!
