What is the risk of altering time in a system via an NTP exploit or any other mean in a network?
Could it be a step to a higher severity risk and how exactly can it be exploited?
If the server checks certificates (of connected clients, or of other servers that it connects to), changing the time will disrupt these checks. Changing to a time when the accepted certificates are not valid will cause denials of service. Changing to an earlier time allows expired certificates to be accepted, and these certificates may have been compromised or may use weak cryptography that is now breakable.
Incorrect times on file timestamps, logs and anywhere else a time is recorded can make intrusion detection and later forensics harder. This is a concern when the attacker would otherwise only have limited access. For example, an attacker who can gain user-level access but not root access to a Unix system can fake files' modification time, but not their inode change time.
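The certificate point above, as an added example that is not part of the original answer: a chain is only accepted if every certificate is inside its notBefore/notAfter window at the clock the verifier believes in, so a rewound clock revives an expired leaf and an advanced clock rejects a current one. The `Cert` record, the sample chain and the `BUILD_TIME` floor are constructed for the example; the hardened variant refuses any clock earlier than a time the software knows has already passed, which is the usual mitigation for a rewound clock.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for the validity window an X.509 certificate carries
    (notBefore / notAfter); in real code these come from the parsed certificate."""
    subject: str
    not_before: datetime
    not_after: datetime


def window_status(cert, now):
    """'valid', 'not_yet_valid' or 'expired' as judged by the clock value `now`."""
    if now < cert.not_before:
        return "not_yet_valid"
    if now > cert.not_after:
        return "expired"
    return "valid"


def chain_accepted(chain, now):
    """Plain check: every certificate in the chain must be inside its window at `now`."""
    return all(window_status(c, now) == "valid" for c in chain)


# Hypothetical floor: the latest instant the software is certain lies in the past
# (for example its build timestamp). A system clock earlier than this cannot be
# correct, so the hardened check treats it as tampering instead of trusting it.
BUILD_TIME = datetime(2024, 1, 1, tzinfo=UTC)


def chain_accepted_hardened(chain, now, floor=BUILD_TIME):
    if now < floor:
        raise ValueError(f"system clock {now.isoformat()} precedes known floor {floor.isoformat()}")
    return chain_accepted(chain, now)


# Constructed sample chain: a long-lived intermediate, a leaf that expired and was
# replaced, and the leaf currently in use.
INTERMEDIATE = Cert("Example Intermediate CA", datetime(2020, 1, 1, tzinfo=UTC), datetime(2030, 1, 1, tzinfo=UTC))
OLD_LEAF = Cert("old.example.com", datetime(2021, 1, 1, tzinfo=UTC), datetime(2022, 1, 1, tzinfo=UTC))
CURRENT_LEAF = Cert("www.example.com", datetime(2024, 6, 1, tzinfo=UTC), datetime(2025, 6, 1, tzinfo=UTC))
TRUE_NOW = datetime(2024, 9, 1, tzinfo=UTC)
REWOUND = TRUE_NOW - timedelta(days=365 * 3)   # attacker stepped the clock back to 2021
ADVANCED = TRUE_NOW + timedelta(days=365 * 2)  # or forward to 2026


def demo():
    """Same chains, three clock values: only the clock changes the verdict."""
    return {
        "true_now_old_leaf": chain_accepted([OLD_LEAF, INTERMEDIATE], TRUE_NOW),    # expired: rejected
        "rewound_old_leaf": chain_accepted([OLD_LEAF, INTERMEDIATE], REWOUND),      # revived: accepted
        "advanced_current_leaf": chain_accepted([CURRENT_LEAF, INTERMEDIATE], ADVANCED),  # DoS: rejected
    }


def hardened_rejects_rewind():
    """The floor check refuses to evaluate the chain at an impossible clock value."""
    try:
        chain_accepted_hardened([OLD_LEAF, INTERMEDIATE], REWOUND)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(demo())
    print("hardened check rejects rewound clock:", hardened_rejects_rewind())
```

The floor only catches rewinds, not a clock advanced into the future; that direction needs an upper bound from a trusted time source (or a signed timestamp such as an OCSP response) rather than anything the software can know at build time.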
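The mtime/ctime point in the last sentence above, as an added example that is not part of the original answer: `os.utime` lets the file owner write any modification time they like, but the kernel records the real current time in the inode change time as a side effect, so a file whose mtime and ctime disagree by more than a few seconds deserves a second look. The temporary file and the 30-day back-date are constructed for the example; the `suspicious` heuristic is an indicator, not proof, because chmod, chown and rename also bump ctime without touching mtime.

```python
import os
import tempfile
import time


def timestomp_as_user(path, fake_epoch):
    """Back-date atime and mtime. Any user who owns the file can do this; no root needed.
    The kernel sets ctime to the real current time while doing it, and ctime cannot be
    written through the filesystem API at all (only by raw disk access or a root-level
    clock change)."""
    os.utime(path, (fake_epoch, fake_epoch))


def timestomp_indicators(path, tolerance=2.0):
    """Compare the two timestamps. An ordinary write updates mtime and ctime together,
    so a gap larger than `tolerance` seconds in either direction is worth reviewing."""
    st = os.stat(path)
    return {
        "mtime": st.st_mtime,
        "ctime": st.st_ctime,
        "gap_seconds": st.st_ctime - st.st_mtime,
        "suspicious": abs(st.st_ctime - st.st_mtime) > tolerance,
    }


def demo():
    """Create a file, back-date it a month as the owner would, and compare before/after."""
    fd, path = tempfile.mkstemp(prefix="evidence-")
    try:
        os.write(fd, b"evidence\n")
        os.close(fd)
        before = timestomp_indicators(path)
        fake_epoch = time.time() - 30 * 24 * 3600   # claim the last write was a month ago
        timestomp_as_user(path, fake_epoch)
        after = timestomp_indicators(path)
    finally:
        os.unlink(path)
    return before, after, fake_epoch


if __name__ == "__main__":
    before, after, fake_epoch = demo()
    print("before:", before)
    print("after: ", after)
```

This is exactly why `find -newerct` / `stat` comparisons are a standard first pass in a Unix intrusion investigation: the attacker who lacks root can forge what the file claims about itself, but not what the inode says about when it was last touched.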
Logs are based on time and log analysis requires that the timestamps be accurate, synced, and reliable.
If you could alter the time on the server, then you could attack the server, make unauthorised changes, etc. and it might be impossible for anyone to detect it through the logs or correlate the logs with other logs to build a valid chain of events. Set the time back very far, and the events might escape notice by automated systems altogether ("this event happened last month and I'm configured to report on more recent events").
It creates confusion for investigators because they can no longer trust the evidence they have.
So, the risk could end up being high, but only in conjunction with other high risks. It's more of an enhancer of other risks than a risk in and of itself.
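The log-correlation point in the answer above, as an added example that is not part of the original answer: because lines are appended in write order, a timestamp that runs backwards or leaps ahead of its predecessor is direct evidence that the clock was stepped between the two writes, and the same events are then invisible to any "last N days" report that trusts the stamps. The log lines, the `clockd` daemon name and the `/tmp/setup.sh` command are constructed for the example and do not come from any real system.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample log: a user with sudo steps the clock back a month, runs
# something, and steps it forward again so the gap closes.
SAMPLE_LOG = """\
2024-09-01T10:00:01Z host sshd[101]: Accepted publickey for alice from 10.0.0.5
2024-09-01T10:00:07Z host sudo: alice : COMMAND=/usr/bin/date -s 2024-08-01T10:00:00Z
2024-08-01T10:00:00Z host clockd: system clock stepped
2024-08-01T10:00:04Z host sudo: alice : COMMAND=/bin/sh /tmp/setup.sh
2024-08-01T10:00:09Z host sudo: alice : COMMAND=/usr/bin/date -s 2024-09-01T10:01:00Z
2024-09-01T10:01:00Z host clockd: system clock stepped
2024-09-01T10:01:30Z host sshd[101]: Disconnected from user alice 10.0.0.5
"""


def parse_line(line):
    """Split 'ISO-8601 stamp' from the rest of the line; stamps are assumed UTC."""
    stamp, _, rest = line.partition(" ")
    ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, rest


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def clock_anomalies(events, max_forward=timedelta(hours=1)):
    """Walk the lines in file order (not timestamp order, which would hide the problem).
    A stamp earlier than its predecessor, or more than `max_forward` ahead of it, marks
    a clock step or an edited log between the two writes."""
    findings = []
    for i in range(1, len(events)):
        delta = events[i][0] - events[i - 1][0]
        if delta < timedelta(0):
            findings.append((i, "backward", delta))
        elif delta > max_forward:
            findings.append((i, "forward", delta))
    return findings


def hidden_from_window(events, now, days=7):
    """Events a 'last N days' report would drop because they were stamped while the
    clock was set back, even though they happened minutes ago."""
    cutoff = now - timedelta(days=days)
    return [rest for ts, rest in events if ts < cutoff]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for idx, kind, delta in clock_anomalies(events):
        print(f"line {idx}: clock moved {kind} by {delta}")
    report_time = datetime(2024, 9, 1, 12, tzinfo=timezone.utc)
    for rest in hidden_from_window(events, report_time):
        print("invisible to a 7-day report:", rest)
```

Two things follow for the defender. Keep the write order: a SIEM that re-sorts by timestamp on ingest destroys the evidence this check relies on, so the collector should attach its own receive time to every event. And treat clock-change events themselves (the `date -s` invocation, the daemon's own "clock stepped" message, an NTP step larger than the configured panic threshold) as alerts, not informational noise.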