J-Security Center

Title: Microsoft NTP Time Synchronization Spoof Weakness

Severity: MODERATE

Description:

NTP is the Network Time Protocol. It is used to synchronize the clocks of computers via UDP datagrams. Various protections exist to mitigate the ability of an attacker to arbitrarily change the time of NTP synchronized computers. Microsoft Active Directory requires accurate time, and therefore Microsoft has included an implementation of NTP for operating systems that support Active Directory.

It is reported that the NTP implementation in Microsoft operating systems is vulnerable to time spoofing attacks.

The NTP protocol specification and reference implementation from ntp.org include support for a mesh of synchronized time servers, cryptographic authentication, as well as filtering code to attempt to eliminate the possibility of an attacker spoofing time sources. NTP is run over UDP datagrams, and uses fixed source and destination ports.

If a computer wishes to synchronize its clock with an NTP server, and fails to implement these features, it is vulnerable to attackers spoofing the reply datagrams from legitimate NTP servers.

The implementation contained in Microsoft operating systems reportedly only employs these anti-spoofing features when communicating between members of the Active Directory domain.

If the Active Directory domain controller is configured as recommended by Microsoft, using an external network time source, it will revert to using the Simple Network Time Protocol (SNTP). In this mode, server authentication is not used and only one external server is synchronized with, which leaves the domain controller open to attack.

If an attacker can successfully alter the time on the domain controller, the entire domain will then synchronize with the attacker specified time.

Microsoft has implemented several registry keys controlling the behavior of time synchronization.

In Windows 2000 based operating systems, the registry key 'MaxAllowedClockErrInSecs' controls how large a time offset is acceptable. By default this value is configured for 43200 seconds (12 hours). The forest root PDC uses this value to ensure that obviously erroneous time offsets will not corrupt time for the entire domain. Member servers and domain controllers will accept absolutely any time presented to them by the forest root PDC. An attacker would be able to skew the time source in 12 hour increments, altering the time for all servers contained in a Windows 2000 environment.

Windows XP and 2003 do not use this registry key at all. Instead they use the keys 'MaxPosPhaseCorrection' and 'MaxNegPhaseCorrection' to specify the maximum number of seconds of positive and negative correction, respectively, that is acceptable when synchronizing. By default, all domain controllers and member servers use an unlimited value (0xFFFFFFFF) for both keys. Stand-alone clients use a value of 54000 (15 hours) by default. This means that an attacker can arbitrarily set the time for servers, anywhere within the range from the year 1900 to 2036.

The default registry settings in Windows XP and 2003 are much worse than those in Windows 2000. An attacker may be able to modify the time on the servers far more drastically than on the workstations in the domain. If an attacker skews the time by more than 15 hours at once, workstations will reject the time change, and a very large time difference will be created between servers and clients. All Kerberos authentication from the workstations will likely fail. If an attacker modifies the time by more than a few years, then X.509 certificates will begin to fail.
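As an added example (not part of the advisory), the following PowerShell audit reads the registry values named above on a Windows host and flags the unbounded 0xFFFFFFFF setting. It assumes the values live under the standard W32Time service key HKLM\SYSTEM\CurrentControlSet\Services\W32Time, and the Parameters\Type value it reports is an assumption not mentioned in the advisory.

```powershell
# Added example, not from the advisory: audit the W32Time registry values the
# advisory names. Assumes the standard location under
# HKLM\SYSTEM\CurrentControlSet\Services\W32Time (Config and Parameters subkeys).
$base = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'

# Registry DWORDs surface as signed Int32, so 0xFFFFFFFF reads as -1; normalise.
function ConvertTo-UInt32Value([object]$v) {
    return [int64]$v -band [int64][uint32]::MaxValue
}
$unlimited = [int64][uint32]::MaxValue

$cfg = Get-ItemProperty -Path "$base\Config"     -ErrorAction SilentlyContinue
$par = Get-ItemProperty -Path "$base\Parameters" -ErrorAction SilentlyContinue

# Parameters\Type (assumed): NT5DS = domain hierarchy, NTP = manually configured
# source, i.e. the unauthenticated external-server mode described above.
if ($par -and $par.Type) {
    "Sync type                : $($par.Type)"
    if ($par.Type -eq 'NTP') {
        "External source          : $($par.NtpServer) (replies are not authenticated)"
    }
}

# Windows 2000 bound: applied only by the forest root PDC (12 hours by default).
if ($cfg -and $null -ne $cfg.MaxAllowedClockErrInSecs) {
    "MaxAllowedClockErrInSecs : $(ConvertTo-UInt32Value $cfg.MaxAllowedClockErrInSecs) s"
}

# Windows XP / 2003 bounds: 0xFFFFFFFF means any offset from the source is accepted.
foreach ($name in 'MaxPosPhaseCorrection', 'MaxNegPhaseCorrection') {
    if (-not $cfg -or $null -eq $cfg.$name) {
        "$name : not set"
        continue
    }
    $v = ConvertTo-UInt32Value $cfg.$name
    if ($v -eq $unlimited) {
        "$name : UNLIMITED (0xFFFFFFFF) - any time offset from the source is accepted"
    } else {
        "$name : $v s ($([math]::Round($v / 3600, 1)) h)"
    }
}
```

Run it on a domain controller and on a member server to compare the bounds each applies.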

This weakness may allow an attacker to deny service to legitimate users, as correct time is required for many operations, including domain authentication and X.509 certificate expiration checks. Other attacks may also be possible.

This weakness is reported to exist in all versions of Microsoft operating systems that include Active Directory support.

Affected Products:

  • Avaya DefinityOne Media Servers
  • Avaya IP600 Media Servers
  • Avaya S3400 Message Application Server
  • Avaya S8100 Media Servers
  • Microsoft Small Business Server 2000
  • Microsoft Small Business Server 2003
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Advanced Server SP3
  • Microsoft Windows 2000 Advanced Server SP4
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Datacenter Server SP1
  • Microsoft Windows 2000 Datacenter Server SP2
  • Microsoft Windows 2000 Datacenter Server SP3
  • Microsoft Windows 2000 Datacenter Server SP4
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Professional SP1
  • Microsoft Windows 2000 Professional SP2
  • Microsoft Windows 2000 Professional SP3
  • Microsoft Windows 2000 Professional SP4
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Server Japanese Edition
  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Server SP3
  • Microsoft Windows 2000 Server SP4
  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows Server 2003 Datacenter Edition Itanium
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Enterprise Edition Itanium
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Web Edition
  • Microsoft Windows XP 64-bit Edition
  • Microsoft Windows XP 64-bit Edition SP1
  • Microsoft Windows XP 64-bit Edition Version 2003
  • Microsoft Windows XP 64-bit Edition Version 2003 SP1
  • Microsoft Windows XP Embedded
  • Microsoft Windows XP Embedded SP1
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Professional SP1
  • Microsoft Windows XP Professional SP2
