
Monday, December 22, 2014

Network Time Protocol Vulnerabilities

OVERVIEW

Google Security Team researchers Neel Mehta and Stephen Roettger have coordinated multiple vulnerabilities with CERT/CC concerning the Network Time Protocol (NTP). As NTP is widely used within operational Industrial Control Systems deployments, NCCIC/ICS-CERT is providing this information for US Critical Infrastructure asset owners and operators for awareness and to identify mitigations for affected devices. ICS-CERT may release updates as additional information becomes available.
These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available.
Products using NTP service prior to NTP-4.2.8 are affected. No specific vendor is specified because this is an open source protocol.

IMPACT

Exploitation of these vulnerabilities could allow an attacker to execute arbitrary code with the privileges of the ntpd process.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.

BACKGROUND

NTP is described in RFC 958, an openly developed standard, and is used to synchronize system time over a network.

VULNERABILITY CHARACTERIZATION

VULNERABILITY OVERVIEW

INSUFFICIENT ENTROPY

If the authentication key is not set in the configuration file, ntpd will generate a weak random key with insufficient entropy.

This vulnerability was resolved with NTP-dev4.2.7p11 on January 28, 2010.

CVE-2014-9293 has been assigned by CERT/CC to this vulnerability. A CVSS v2 base score of 7.3 has been assigned by CERT/CC; the CVSS vector string is (AV:N/AC:L/Au:M/C:P/I:P/A:C).

USE OF CRYPTOGRAPHICALLY WEAK PRNG

Prior to NTP-4.2.7p230, ntp-keygen used a weak seed to prepare a random number generator. The random numbers produced were then used to generate symmetric keys.
This vulnerability was resolved with NTP-dev4.2.7p230 on November 1, 2010.
CVE-2014-9294 has been assigned by CERT/CC to this vulnerability. A CVSS v2 base score of 7.3 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:M/C:P/I:P/A:C).

STACK-BASED BUFFER OVERFLOWS

A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process. All NTP4 releases before 4.2.8 are vulnerable.
This vulnerability is resolved with NTP-stable4.2.8 on December 19, 2014.
CVE-2014-9295 has been assigned by CERT/CC to this vulnerability. A CVSS v2 base score of 7.3 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:P/I:P/A:P).

MISSING RETURN ON ERROR

In the NTP code, a section of error-handling code is missing a return statement, so processing continues after the error instead of stopping. The condition indicates a specific, rare error occurred and does not appear to affect system integrity. All NTP Version 4 releases before Version 4.2.8 are vulnerable.
This vulnerability is resolved with NTP-stable4.2.8 on December 19, 2014.
CVE-2014-9296 has been assigned by CERT/CC to this vulnerability. A CVSS v2 base score of 5.0 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:P).

VULNERABILITY DETAILS

EXPLOITABILITY

These vulnerabilities could be exploited remotely.

EXISTENCE OF EXPLOIT

Exploits that target these vulnerabilities are publicly available.

DIFFICULTY

An attacker with a low skill level would be able to exploit these vulnerabilities.

MITIGATION

All NTP Version 4 releases, prior to Version 4.2.8, are vulnerable and need to be updated to Version 4.2.8.
ICS-CERT strongly encourages CIKR users to backup current operational ICS configurations, and thoroughly test the updated software for system compatibility on a test system before attempting deployment on operational systems.
CERT/CC has published a Vulnerability Note at the following URL:
http://www.kb.cert.org/vuls/id/852879
The latest NTP releases can be accessed at:
http://support.ntp.org/bin/view/Main/SoftwareDownloads
ICS-CERT would like to thank NTP for coordinating with the Google Security Team Researchers.
ICS-CERT also encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.
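As an added example (not part of the ICS-CERT advisory or NTP project code), a Python check an asset owner could run over an ntpd version banner and an ntp.conf to flag hosts still below 4.2.8 and configurations with no authentication key set, which the advisory ties to CVE-2014-9293; the function names, sample banners and sample configuration are constructed for this illustration.

```python
import re

# ICS-CERT states all four issues are fixed in NTP-stable 4.2.8.
FIXED_VERSION = (4, 2, 8, 0)

# ntpd reports versions such as "4.2.6p5" or "4.2.8"; the optional
# "pNNN" is the patch level within a release.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_ntp_version(text):
    """Extract (major, minor, patch, p-level) from a banner such as
    'ntpd 4.2.6p5@1.2349-o ...'. Returns None when no version is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_vulnerable(banner):
    """True when the reported ntpd version is older than 4.2.8.
    Tuple comparison handles the p-level: 4.2.7p230 < 4.2.8 < 4.2.8p1."""
    version = parse_ntp_version(banner)
    if version is None:
        raise ValueError("no NTP version found in %r" % banner)
    return version < FIXED_VERSION


def audit_ntp_conf(conf_text):
    """Return findings for an ntp.conf. The advisory notes ntpd generates
    a weak key when no authentication key is configured, so we look for
    the standard 'keys' directive (comments and blank lines ignored)."""
    directives = set()
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            directives.add(line.split()[0])
    findings = []
    if "keys" not in directives:
        findings.append("no 'keys' directive: ntpd falls back to a weak "
                        "generated key (CVE-2014-9293)")
    return findings


if __name__ == "__main__":
    # Constructed sample banners and config, not captured from a real host.
    for banner in ("ntpd 4.2.6p5@1.2349-o", "ntpd 4.2.7p230", "ntpd 4.2.8p2"):
        print(banner, "-> update required" if is_vulnerable(banner) else "-> ok")
    sample_conf = "driftfile /var/lib/ntp/drift  # comment\nserver 0.pool.ntp.org\n"
    for finding in audit_ntp_conf(sample_conf):
        print("finding:", finding)
```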


Wednesday, December 10, 2014

vCenter Server Appliance 5.5 vs vCenter Server 5.5

vCenter Server Appliance 5.5 vs vCenter Server 5.5 on Windows

vCenter Server Appliance 5.5 reduces the dependency on the Windows operating system for a vCenter Server installation. With the embedded database, VCSA 5.5 can manage 100 hosts and 3,000 virtual machines. The appliance also cuts administrative effort, because there is no Windows guest OS to patch, update and manage. It is important to understand the difference between vCenter Server Appliance 5.5 and vCenter Server 5.5 installed on Windows Server. This post explains the detailed differences between the two.


| Feature | vCenter Server Appliance 5.5 | vCenter Server 5.5 on Windows |
|---|---|---|
| Can be deployed | Only as a virtual machine | Can be installed on a physical or virtual Windows machine |
| Operating system | Preconfigured Linux-based virtual machine | vCenter 5.5 requires a 64-bit OS and 64-bit DSN: Windows Server 2012 (64-bit); Windows Server 2008 SP2 (64-bit); Windows Server 2008 R2 SP1 (64-bit); Windows Server 2008 R2 (64-bit) |
| Database | PostgreSQL for the embedded database; supports Oracle Database | SQL Server 2005 (SP4) (Standard/Enterprise) (32-bit & 64-bit); SQL Server 2008 (R2 SP2, R2 SP1) (Express/Standard/Enterprise/Datacenter) (32-bit & 64-bit); SQL Server 2012 (SP1) (Enterprise/Standard) (32-bit & 64-bit); Oracle 11g Release 2 (Enterprise/Standard) & Oracle 11g ONE edition (32-bit & 64-bit) |
| Installation method | Deployed as a virtual machine using an OVF or OVA template | Must be installed on top of a Windows operating system |
| Hosts per vCenter | 100 hosts with embedded vPostgres database; 1000 hosts with Oracle Database | 1000 hosts per vCenter Server |
| Virtual machines per vCenter | 3,000 VMs with embedded vPostgres database; 10,000 VMs with Oracle Database | 10,000 VMs per vCenter Server |
| vCenter Linked Mode | Not supported | Supported with Windows install |
| vCenter Server Heartbeat | Not supported | vCenter Heartbeat is a Windows application; it works with the Windows install of vCenter Server |
| VMware Update Manager | VUM cannot be installed on VCSA; Update Manager can be installed on a separate Windows machine for use with VCSA | Supported with Windows install |
| AutoDeploy | Bundled with VCSA | Installed as an additional package; installation files are on the vCenter installation DVD |
| Syslog Collector | Installed by default | Installed as an additional package; installation files are on the vCenter installation DVD |
| ESXi Dump Collector Service | Installed by default | Installed as an additional package; installation files are on the vCenter installation DVD |
| vSphere Web Client | Pre-installed with VCSA | Installed as an additional package; installation files are on the vCenter installation DVD |
| PowerCLI | Cannot be installed on VCSA | Can be installed on the Windows vCenter Server machine |
| IPv6 support | IPv6 is not supported; only IPv4 is supported | Both IPv4 and IPv6 are supported |

Saturday, December 6, 2014

Release for CentOS Linux Rolling media

CentOS Linux rolling builds are point-in-time snapshot media, rebuilt
from the original release to include all updates pushed to
mirror.centos.org's repositories. This includes all security, bugfix,
enhancement and general updates for CentOS Linux. Machines installed
from this media will have all these updates pre-included and will look
no different from machines installed with older media that have been
yum updated to the same point in time. All rpm/yum repos remain on
mirror.centos.org with no changes in either layout or content.
We will aim to update and issue for release a new set of these files
at the end of every month going forward. Each released filename
includes a datestamp and a buildtag to indicate the content included.
A file marked 20141129_02 includes all content released to
mirror.centos.org up to (and including) the 29th of Nov 2014 and is
the second build of that cycle. While all builds are made public at
buildlogs.centos.org/, only those that pass our QA and testing cycles
will be marked as released, to be included in
buildlogs.centos.org/rolling/. We will also do interim builds as
needed (for development and testing purposes) at different points in
time; those builds will not be marked for general release, but will
still be available publicly.

Since there is a need to test these images, the release will always
lag a few days behind the datestamp (and therefore the content included)
in the release. My aim is to automate as much of this as possible
going forward to reduce this time lag as much as possible; however, we
might not be able to remove it completely.

With every cycle, we hope to increase the content made available in
this rolling format. Immediate next steps include bringing the CentOS
Linux 7 livemedia into the rolling releases followed by CentOS Linux 6
content from the next ( December 2014 ) cycle.

Due to the way the installer works in CentOS-5, and its point in time,
we have no plans on including CentOS-5 in this cycle at this point.

For the sake of uniformity and communication, the release media will
be referenced by the month it reflects, not the month it was released
in. Making this release the Nov 2014 Rolling release.

Other content formats like containers and vendor specific images will
aim to start with the same cycle as the main CentOS Linux media, but
might move to a more frequent build and release cycle if needed.
Special Interest Groups ( http://wiki.centos.org/SpecialInterestGroup
) wanting to do media and installer releases should also consider
using the rolling timelines to sync with.
 
CentOS Linux distro installer media:

File: CentOS-7-x86_64-DVD-20141129_02.iso
Sha256sum:
85a46c62b5bfc701678bef7854bb73af4ccfb840dfcbfb2f9b2189e08fe9438c

File: CentOS-7-x86_64-Everything-20141129_02.iso
Sha256sum:
f9fdd8b12c9529a1e3bf7628ebee964b2aeb9fd66540de7b369e0fde6f7a4236

File: CentOS-7-x86_64-Minimal-20141129_02.iso
Sha256sum:
e1338d13178f1c66c17386b7ced0b1459c677ff9a1cf095ac4db377234cc03fa

Symlinks are provided that will always map to the latest released
builds, as follows (including their current mapping):
http://buildlogs.centos.org/rolling/7/isos/x86_64/CentOS-7-x86_64-DVD.iso
  -> CentOS-7-x86_64-DVD-20141129_02.iso
http://buildlogs.centos.org/rolling/7/isos/x86_64/CentOS-7-x86_64-Everything.iso
  -> CentOS-7-x86_64-Everything-20141129_02.iso
http://buildlogs.centos.org/rolling/7/isos/x86_64/CentOS-7-x86_64-Minimal.iso
  -> CentOS-7-x86_64-Minimal-20141129_02.iso

These symlinks will be updated to point at the latest tested and
released media and make for a good target in automation that requires
CentOS Linux media.
 
Cloud and Instance Images:

The CentOS Linux 7 GenericCloud image is built to include cloud-init
from the Extras/ repository. The image is made available in multiple
formats, with identical content. The cloud images are released via
http://cloud.centos.org/centos/7/images/

File: CentOS-7-x86_64-GenericCloud-20141129_01.qcow2
Desc: is the reference image.
Size: 944 MB
Sha256Sum:
7710ffdd497cf00fc72c22a3fa7cc7adb3424d3542521ca8fbe19eba9ded403f

File: CentOS-7-x86_64-GenericCloud-20141129_01.qcow2c
Desc: This is the same image, run through the qemu qcow2 internal
compression setup. While this image is suitable for development and
play, it comes with non-trivial I/O performance penalties and is
therefore not recommended for production.
Size: 399MB
Sha256Sum:
db42e4fb9565e75f0acbe6b54a5b8822f3f1e9783fb1a553e1552c72ceaff8df

File: CentOS-7-x86_64-GenericCloud-20141129_01.qcow2.xz
Desc: This is the regular qcow2 file, run through the xz compression
tool. Decompressing it gives a regular qcow2 file, suitable for production use.
Size: 266MB
Sha256Sum:
9b0b38c48a24164c15c33625972b87835501b6994c3ee894f6b79ce40e7d5e54

File: CentOS-7-x86_64-GenericCloud-20141129_01.raw
Desc: This is a raw format file for systems that don't consume qcow2
image types. It is also suitable for use with "qemu-img convert" to
render into different formats.
Size: 8GB.
Sha256Sum:
2e643310bdb3cda775905408dbfe378a5eed04e91db193165178afc5ed5492b8


Symlinks are provided that will always map to the latest released
builds, as follows (including their current mapping):
http://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud.qcow2
  -> CentOS-7-x86_64-GenericCloud-20141129_01.qcow2
http://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud.qcow2c
  -> CentOS-7-x86_64-GenericCloud-20141129_01.qcow2c
http://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud.qcow2.xz
  -> CentOS-7-x86_64-GenericCloud-20141129_01.qcow2.xz
http://cloud.centos.org/centos/7/images/CentOS-7-x86_64-GenericCloud.raw
  -> CentOS-7-x86_64-GenericCloud-20141129_01.raw

These symlinks will be updated to point at the latest tested and
released media and make for a good target in automation that requires
CentOS Linux media.
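As an added example (not CentOS project code), Python helpers that parse the datestamp_buildtag naming described above, pick the build a "latest" symlink should resolve to, and verify a downloaded file against a published Sha256sum before it is used in automation; the function names and the sample inputs are constructed for this illustration.

```python
import hashlib
import re
from datetime import date

# Rolling media names look like CentOS-7-x86_64-DVD-20141129_02.iso:
# CentOS-<release>-<arch>-<flavor>-<YYYYMMDD>_<build>.<ext>
_NAME_RE = re.compile(
    r"^CentOS-(?P<release>\d+)-(?P<arch>[a-z0-9_]+)-(?P<flavor>[A-Za-z]+)"
    r"-(?P<date>\d{8})_(?P<build>\d{2})\.(?P<ext>.+)$"
)


def parse_rolling_name(filename):
    """Split a rolling-release filename into its parts. The datestamp is the
    last day of mirror content included; the build is the attempt number
    within that cycle (02 = second build)."""
    m = _NAME_RE.match(filename)
    if not m:
        raise ValueError("not a rolling media filename: %r" % filename)
    d = m.group("date")
    return {
        "release": m.group("release"),
        "arch": m.group("arch"),
        "flavor": m.group("flavor"),
        "date": date(int(d[:4]), int(d[4:6]), int(d[6:])),
        "build": int(m.group("build")),
        "ext": m.group("ext"),
    }


def newest_build(filenames):
    """Return the name a 'latest' symlink should point at: the highest
    (datestamp, build) among files of one release/arch/flavor/extension."""
    parsed = [(parse_rolling_name(n), n) for n in filenames]
    kinds = {(p["release"], p["arch"], p["flavor"], p["ext"]) for p, _ in parsed}
    if len(kinds) != 1:
        raise ValueError("mixed media kinds: %r" % sorted(kinds))
    return max(parsed, key=lambda pn: (pn[0]["date"], pn[0]["build"]))[1]


def sha256_hex(data):
    """Hex SHA-256 of the given bytes, as printed by sha256sum."""
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data, expected_hex):
    """Compare downloaded bytes with the published Sha256sum, tolerating
    case and surrounding whitespace from a copied announcement."""
    return sha256_hex(data) == expected_hex.strip().lower()


if __name__ == "__main__":
    # Constructed names and bytes; the real ISOs are not embedded here.
    names = ["CentOS-7-x86_64-DVD-20141129_01.iso",
             "CentOS-7-x86_64-DVD-20141129_02.iso"]
    print("latest:", newest_build(names))
    print("checksum ok:", verify_sha256(b"sample", sha256_hex(b"sample")))
```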
 

Monday, December 1, 2014

Leader



As a leader, you hold a great responsibility. You are the architect of the plan that will take your people to a better place, not just in terms of the achievement of common goals, but also in terms of the fulfillment of their basic, as well as their more complex needs as human beings.
Regardless of whether you lead a small or a large organization, for-profit or not-for-profit, a religious community or a sports club, as a leader you are ultimately responsible for certain decisions affecting other people's lives.
People do not mess around with their livelihoods, therefore human beings only follow those who care about their needs.
Your ability to visualize joint goals, alongside your capacity to satisfy common human needs, becomes instrumental for good leadership.
But while leading people in general is always a difficult task, leading leaders is certainly a much more complex challenge.
The complexity in leading leaders resides in the fact that the needs of those who have already reached a leadership role are not necessarily related to the basic needs of the "general public", such as financial stability, protection against unexpected adversities and sense of belonging.
People holding leadership roles expect those above them to understand their "more complex" needs. Leaders' needs have more to do with status, contribution and self-actualization than with mere monetary compensation.
We all have seen examples of organizations promoting super-achievers at mid management level, to senior leadership roles.
The problem with this type of policy is that in most cases the super-achiever does not understand what it takes to manage other leaders effectively.
Super-achievers tend to struggle when promoted to C-level roles due to a variety of reasons, including:
  • Selfishness.
  • Inability to delegate.
  • Incapability to empathize.
  • Result-centeredness.
Working at C-level is radically different from managing a team of doers or being a super-star.
As a senior leader you will need to gain the aid and support of other leaders in order to be able to materialize common strategic goals. Otherwise you take the risk of being sabotaged very quickly.
In this article, I will recap on what attitudes and behaviors you must nurture in order to be able to lead a team of leaders.
# 1. Empower Your Team:
Once you are in a C-level role, you should no longer tell your people what to do or how to do it. You are leading leaders, so they know perfectly well the what and the how.
Telling other leaders what to do or how to do it is a clear sign of your lack of confidence in their ability to lead their teams.
People in leadership roles like to feel empowered. They need to feel that those above them have full confidence in their ability to make the most out of the resources available to them.
# 2. Be Humble:
Ask your team for their opinion and incentivize open debate. Don't impose your thoughts. Promote discussion and challenge the status quo, so you give other leaders the opportunity to express their ideas too.
Humble leaders understand and apply a balance of being strong, yet gentle. They are open to constructive criticism and innovative ideas.
Other leaders need to feel that their opinion matters and most importantly, that they are no longer compensated for what they “do”, but for their strategic contributions.
# 3. Be Coherent:
Your behavior will be permanently under scrutiny. Other leaders will incessantly judge your actions, as most likely their ultimate goal is to occupy your chair, and that's fine: succession plans are a key part of every organizational strategy.
It is critical that your actions are consistent with your words. Never ask other leaders to do what you cannot or would not do yourself.
Don't abuse your position of authority, and always apply rational judgment behind all your actions.
# 4. Be Generous:
If you are in a C-level role, make sure you share the spotlight with other leaders who may benefit from additional visibility and exposure. Give them the opportunity to shine when the right occasion arises.
Self-actualized individuals are concerned with solving problems, including helping others and finding solutions to problems in the external world. These people are often motivated by a sense of personal responsibility and ethics.
Admirable leaders come across as very personable and generous human beings; they express their self-confidence through inclusiveness and generosity.
If you don't allow other leaders to exploit their intellectual talent and reward them for their contributions, you may soon see them break away.
Self-actualization, creativity and status are all key motivational drivers for people in leading roles. As a leader of leaders, your primary responsibility is to fulfill those needs.
Remember that you do not need to be the one calling all the shots anymore; that's why you lead a team of leaders now!