Network Time Protocol Vulnerabilities

Act NowICS-CERT ICSA-14-353-01CSep 21, 2014

Siemens

Summary

Multiple vulnerabilities exist in NTP implementations across industrial devices and embedded systems. The issues include weak random number generation (CWE-331, CWE-338), buffer overflows (CWE-121), improper input validation (CWE-703), and insufficient authentication mechanisms (CWE-290). These affect Siemens ROX controllers, Meinberg LANTIME time servers, Innomoninate mGuard firewalls, Arbiter clock products, VxWorks operating systems, and Wind River Linux deployments. Attackers can spoof NTP time values, corrupt system clocks, or execute code on vulnerable platforms by sending crafted NTP packets to UDP port 123.

What this means

What could happen

Multiple critical vulnerabilities in NTP implementations could allow attackers to corrupt or spoof time data, disrupting synchronization across PLCs, RTUs, and safety systems that depend on accurate time for logging, sequencing, and interlocks. Time manipulation could also enable attackers to bypass time-based security controls and authentication mechanisms.

Who's at risk

Water and electric utilities relying on Siemens ROX controllers, Meinberg LANTIME time servers, Innomoninate mGuard firewalls, Arbiter clock products, or any systems running VxWorks or Wind River Linux for synchronized operations. Any industrial device or PLC that depends on system time for process control, event logging, or safety interlocks is at risk.

How it could be exploited

An attacker with network access to the NTP port (UDP 123) on affected devices can send malformed NTP packets or act as a rogue NTP server. By exploiting the underlying weaknesses (weak random number generation, buffer overflows, improper input validation), the attacker can corrupt the system clock, inject false time values, or execute code with system privileges on vulnerable systems like VxWorks and WR Linux.

Prerequisites

Network access to UDP port 123 (NTP service)
Device must be configured to use NTP for time synchronization
No authentication required for basic time spoofing exploitation

Remotely exploitable via UDP 123No authentication required for time spoofingLow complexity exploitHigh EPSS score (57.3%)No patches available for most affected productsAffects safety-critical time synchronizationWeak random number generation and buffer overflow issues

Exploitability

Likely to be exploited — EPSS score 57.3%

Public Proof-of-Concept (PoC) on GitHub (1 repository)

Affected products (13)

1 pending12 EOL

ProductAffected VersionsFix Status

Wind River System VxWorks: 6.96.9No fix yet

Arbiter Systems Clock products using the network card: vers:all/*All versionsNo fix (EOL)

Innomoninate mGuard Firmware: 7.07.0No fix (EOL)

Meinberg LANTIME Firmware: <V6.16.007<V6.16.007No fix (EOL)

Meinberg NTP V4.x: <4.2.8<4.2.8No fix (EOL)

Siemens ROX 2: <ROX_2.6.2<ROX 2.6.2No fix (EOL)

Siemens ROX 1: vers:all/*All versionsNo fix (EOL)

Wind River System VxWorks: 77No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGDisable NTP on devices where time synchronization is not operationally necessary

HARDENINGRestrict NTP traffic to authorized time servers using firewall rules; whitelist only known good NTP sources by IP address

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGImplement NTP rate limiting and authentication (NTP symmetric key or MD5) to reduce exposure to spoofing

Mitigations - no patch available

0/2

The following products have reached End of Life with no planned fix: Arbiter Systems Clock products using the network card: vers:all/*, Innomoninate mGuard Firmware: 7.0, Meinberg LANTIME Firmware: <V6.16.007, Meinberg NTP V4.x: <4.2.8, Siemens ROX 2: <ROX_2.6.2, Siemens ROX 1: vers:all/*, Wind River System VxWorks: 7, Wind River System WR Linux: 4.3.0.X, Innomoninate mGuard Firmware: 8.0, Wind River System WR Linux: 5.0.1.x, Wind River System WR Linux: 6.0.0.x, Wind River System WR Linux: 7.0.0.x. Apply the following compensating controls:

HARDENINGSegment NTP services onto a dedicated network or VLAN if possible to limit attacker reachability

HARDENINGMonitor system time drift and alert on anomalous NTP behavior or time jumps

CVEs (6)

CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296 CVE-2014-9297 CVE-2014-9298

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ef6a3330-b38f-40e9-a643-8b12f4248a11

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.