Security Advisory

Ubuntu NTP vulnerability

Description

Some time ago an issue was found in the Network Time Protocol (NTP) daemon (ntpd), a package we generally advise installing on a server running OpenVPN Access Server on Ubuntu. Its purpose is to keep the server's clock correct. This matters especially when you use the Google Authenticator functionality built into Access Server: the one-time codes are time-based, so a clock that drifts beyond the tolerated window causes valid codes to be rejected. On cloud platforms and other virtualization systems the clock commonly drifts over time; NTP corrects this automatically.

The vulnerability has been assigned CVE-2016-9310. Put simply, ntpd accepted unauthenticated mode 6 (control) packets that set or unset traps, which lets an attacker use an exposed NTP server to direct traffic at other hosts. This is a traffic amplification (reflection) attack: a small request sent to the NTP server results in a larger volume of traffic being sent to a target of the attacker's choosing, and enough of it can take that target down (denial of service). Other serious issues were fixed in the same NTP release; you can read more about them in the Ubuntu security notice referenced below. Fortunately for users of the OpenVPN Access Server appliance on AWS, the default security group settings that ship with the appliance do not allow access to the NTP port (UDP 123) at all. So unless those settings were changed to grant access to the NTP service port, this flaw cannot be exploited remotely against our Amazon AWS instances. If you run ntpd on another platform, or opened the port deliberately, check that the default restrictions in ntp.conf include noquery and notrap, so that unauthenticated control queries and trap registration from arbitrary hosts are refused regardless of the ntpd version.

Resolution

Ubuntu has published its own security notice on this issue and has released fixed NTP packages. Running the ordinary apt-get update and apt-get upgrade commands updates your packages to the latest versions, which contain the fix for this issue; make sure ntpd is actually running the updated version afterwards. We recommend that everyone keeps their system regularly updated so that security fixes like this one reach your servers promptly.
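As an added example (not code from OpenVPN or Ubuntu), the following POSIX shell script checks the two things the Description and Resolution above turn on: whether the "restrict default" lines in ntp.conf refuse the unauthenticated mode 6 control traffic that CVE-2016-9310 abuses, and whether ntpd has UDP port 123 bound on an address other than loopback. It assumes the Ubuntu defaults of /etc/ntp.conf and the ss tool from iproute2; the file name ntp_audit.sh and the "audit" argument are made up for this example, and the sample inputs described below are constructed.

```sh
#!/bin/sh
# Added audit helper for the situation described in this advisory. It is not
# part of OpenVPN Access Server or of Ubuntu's ntp package. Assumptions:
# ntpd reads /etc/ntp.conf, and `ss -lun` lists UDP listeners.

# Report whether the ntp.conf "restrict default" lines refuse unauthenticated
# mode 6 control queries (noquery) and trap registration (notrap), which is
# the traffic CVE-2016-9310 abuses. Prints "restricted" when every IPv4/IPv6
# default restriction carries both flags (or "ignore", which drops everything),
# and "open" when a default line lacks one of them or no default line exists.
ntp_default_restrict_status() {
    conf="${1:-/etc/ntp.conf}"
    sed 's/#.*//' "$conf" | awk '
        $1 == "restrict" {
            # Accept "restrict default ..." and "restrict -4|-6 default ..."
            target = $2; first = 3
            if ($2 == "-4" || $2 == "-6") { target = $3; first = 4 }
            if (target != "default") next
            seen = 1
            has_q = 0; has_t = 0
            for (i = first; i <= NF; i++) {
                if ($i == "noquery") has_q = 1
                if ($i == "notrap")  has_t = 1
                if ($i == "ignore")  { has_q = 1; has_t = 1 }
            }
            if (!has_q || !has_t) weak = 1
        }
        END { if (seen && !weak) print "restricted"; else print "open" }'
}

# Read `ss -lun` output on stdin and report whether any UDP port 123 socket
# is bound to an address other than loopback. ntpd normally binds each
# interface address individually, so "exposed" means the service is reachable
# from the network unless a host firewall or security group blocks UDP 123.
ntp_exposed_from_ss() {
    awk '$4 ~ /:123$/ {
            addr = $4; sub(/:123$/, "", addr)
            if (addr != "127.0.0.1" && addr != "[::1]") exposed = 1
         }
         END { if (exposed) print "exposed"; else print "local-only" }'
}

# Usage: sh ntp_audit.sh audit   (runs the checks against the live system)
if [ "${1:-}" = "audit" ]; then
    echo "installed ntp package: $(dpkg-query -W -f='${Version}' ntp 2>/dev/null || echo 'not installed')"
    echo "ntp.conf default restrictions: $(ntp_default_restrict_status /etc/ntp.conf)"
    echo "udp/123 listeners: $(ss -lun | ntp_exposed_from_ss)"
    echo "to apply Ubuntu's fix: sudo apt-get update && sudo apt-get upgrade"
fi
```

Ubuntu's stock ntp.conf carries default restrictions that include kod notrap nomodify nopeer noquery, which this check reports as "restricted"; a config with only "restrict default kod nomodify nopeer" or with no default line at all is reported as "open". Removing noquery or notrap to allow remote ntpq monitoring reopens the mode 6 path, so the package update is the real fix and the restriction is defence in depth. Feeding the script ss output with a 127.0.0.1:123 and a [::1]:123 socket yields "local-only", while any additional 10.0.0.5:123 line yields "exposed".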