OVERVIEW
Google Security Team researchers Neel Mehta and Stephen Roettger have coordinated multiple vulnerabilities with CERT/CC concerning the Network Time Protocol (NTP). As NTP is widely used within operational Industrial Control Systems deployments, NCCIC/ICS-CERT is providing this information for US Critical Infrastructure asset owners and operators for awareness and to identify mitigations for affected devices. ICS-CERT may release updates as additional information becomes available.

IMPACT
Exploitation of these vulnerabilities could allow an attacker to execute arbitrary code with the privileges of the ntpd process.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.


These security holes, according to ISC-CERT, are of the worst possible kind. They can be exploited remotely and exploits are already publicly available. Adding insult to injury, ISC-CERT added, "An attacker with a low skill would be able to exploit these vulnerabilities."
During the next hours we will be performing updates that require server reboots. We do not expect any major downtimes though.

Thank you for your patience and understanding.