Critical vulnerabilities in the Network Time Protocol (NTP) have been discovered and disclosed by members of the Google Security Team. These vulnerabilities make it possible for a remote attacker to send a carefully crafted packet with malicious arbitrary code that will execute at the privilege level of the
This release includes patches to NTP from upstream to make sure it is not exploitable. As an additional measure, we've also updated the firewall rules to be more strict. We strongly recommend that all GitHub Enterprise customers upgrade their instances as soon as possible.
More details on the vulnerabilities can be found in the ICSA-14-353-01 advisory.
If you can't immediately upgrade, the attack can be mitigated by removing the firewall rule that accepts traffic to port 123. To temporarily remove the rule, SSH into the appliance and run:
sudo ufw delete allow ghe-123
The rule will be re-enabled if settings are saved or a configuration run is performed. To prevent the rule from being restored, SSH into the appliance and run:
sudo rm /data/enterprise/cookbooks/ufw/files/default/ufw_apps/ghe-123 sudo rm /etc/ufw/applications.d/ghe-123
If you have any questions, please contact support at firstname.lastname@example.org