NTP Security Alert Update

NTP Security Alert

Internet Protocol telephony is achieving mainstream acceptance among business customers, propelled by its cost and functionality advantages over traditional phone service. Because it carries voice calls on IP networks, it has the potential to expose infrastructure to some of the security risks that face data networks. Unfortunately, those who would cause harm to particular organizations or the internet as a whole are seeking to exploit any opportunity to access these networks and take malicious action. A strong set of security rules and infrastructure is critical to helping prevent attacks and maintaining high voice service availability.

NTP Vulnerability

Fonality premise-based products include a Network Time Protocol (NTP) Linux package that synchronizes the time displayed on the phone with the server. It has come to our attention that this package does not prevent remote attackers from initiating a denial-of-service attack if they are able to access the server. If used in this way, your server may become part of a scheme to attack other internet servers without your knowledge, or your own service may be disrupted.

This type of vulnerability is the reason that our Fonality best practices recommend that your server be deployed behind a firewall. While not a perfect defence, it greatly mitigates your risk of this type of intrusion.

Resolution

To address the current issue, Fonality is releasing a fix that will be accessible to current customers from a new button on the Control Panel on March 3, 2014. We highly recommend this solution be installed on March 3, 2014. In the meantime, customers who want to implement the fix immediately should contact Fonality Support. For users without a support contract with Fonality, we recommend that you ensure that your system is deployed behind a firewall and that NTP traffic is restricted on that firewall.

We take the security of your Fonality solution extremely seriously and attempt to detect and eliminate opportunities for bad actors to access our systems.  However, Fonality cannot and does not warrant complete security and fraud prevention of its services, including any server, equipment or the Fonality network itself. In small print form: Fonality disclaims any and all liability resulting from or related to unauthorized intrusions or access and related security events.

 

If you have any questions related to system security, please feel free to contact us at security-team@fonality.com.   We appreciate your attention to this matter.  Working together, we can keep ahead of these malicious individuals and ensure a better experience for Fonality users and the internet as a whole.
