http://nwtime.org/ntp428p9_release/

http://support.ntp.org/bin/view/Main/NtpBug3113

http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities

94446

1037354

https://bto.bluecoat.com/security-advisory/sa139

https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03706en_us

FreeBSD-SA-16:39

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03883en_us

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03899en_us

USN-3707-2

VU#633847

An update of the ntpstat package has been released.

An update of the ntp package has been released.

An update of [guile,ntp] packages for PhotonOS has been released.

According to its self-reported version number, the remote pfSense install is affected by multiple vulnerabilities as stated in the referenced vendor advisories.

The version of NTP installed on the remote AIX host is affected by the following vulnerabilities :

  - A denial of service vulnerability exists in the     broadcast mode replay prevention functionality. An     unauthenticated, adjacent attacker can exploit this, via     specially crafted broadcast mode NTP packets     periodically injected into the broadcast domain, to     cause ntpd to reject broadcast mode packets from     legitimate NTP broadcast servers. (CVE-2016-7427)

  - A denial of service vulnerability exists in the     broadcast mode poll interval functionality. An     unauthenticated, adjacent attacker can exploit this, via     specially crafted broadcast mode NTP packets, to cause     ntpd to reject packets from a legitimate NTP broadcast     server. (CVE-2016-7428)

  - A flaw exists in the control mode (mode 6) functionality     when handling specially crafted control mode packets. An     unauthenticated, adjacent attacker can exploit this to     set or disable ntpd traps, resulting in the disclosure     of potentially sensitive information, disabling of     legitimate monitoring, or DDoS amplification.
    (CVE-2016-9310)

  - A NULL pointer dereference flaw exists in the     report_event() function within file ntpd/ntp_control.c     when the trap service handles certain peer events. An     unauthenticated, remote attacker can exploit this, via     a specially crafted packet, to cause a denial of service     condition. (CVE-2016-9311)

Yihan Lian discovered that NTP incorrectly handled certain large request data values. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-2519)

Miroslav Lichvar discovered that NTP incorrectly handled certain spoofed addresses when performing rate limiting. A remote attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7426)

Matthew Van Gundy discovered that NTP incorrectly handled certain crafted broadcast mode packets. A remote attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7427, CVE-2016-7428)

Miroslav Lichvar discovered that NTP incorrectly handled certain responses. A remote attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7429)

Sharon Goldberg and Aanchal Malhotra discovered that NTP incorrectly handled origin timestamps of zero. A remote attacker could possibly use this issue to bypass the origin timestamp protection mechanism.
This issue only affected Ubuntu 16.10. (CVE-2016-7431)

Brian Utterback, Sharon Goldberg and Aanchal Malhotra discovered that NTP incorrectly performed initial sync calculations. This issue only applied to Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7433)

Magnus Stubman discovered that NTP incorrectly handled certain mrulist queries. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7434)

Matthew Van Gund discovered that NTP incorrectly handled origin timestamp checks. A remote attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu Ubuntu 16.10, and Ubuntu 17.04. (CVE-2016-9042)

Matthew Van Gundy discovered that NTP incorrectly handled certain control mode packets. A remote attacker could use this issue to set or unset traps. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9310)

Matthew Van Gundy discovered that NTP incorrectly handled the trap service. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9311)

It was discovered that NTP incorrectly handled memory when processing long variables. A remote authenticated user could possibly use this issue to cause NTP to crash, resulting in a denial of service.
(CVE-2017-6458)

It was discovered that NTP incorrectly handled memory when processing long variables. A remote authenticated user could possibly use this issue to cause NTP to crash, resulting in a denial of service. This issue only applied to Ubuntu 16.04 LTS, Ubuntu 16.10 and Ubuntu 17.04.
(CVE-2017-6460)

It was discovered that the NTP legacy DPTS refclock driver incorrectly handled the /dev/datum device. A local attacker could possibly use this issue to cause a denial of service. (CVE-2017-6462)

It was discovered that NTP incorrectly handled certain invalid settings in a :config directive. A remote authenticated user could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2017-6463)

It was discovered that NTP incorrectly handled certain invalid mode configuration directives. A remote authenticated user could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2017-6464).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ntp fixes the following issues: ntp was updated to 4.2.8p9. Security issues fixed :

  - CVE-2016-9311, CVE-2016-9310, bsc#1011377: Mode 6     unauthenticated trap information disclosure and DDoS     vector.

  - CVE-2016-7427, bsc#1011390: Broadcast Mode Replay     Prevention DoS.

  - CVE-2016-7428, bsc#1011417: Broadcast Mode Poll Interval     Enforcement DoS.

  - CVE-2016-7431, bsc#1011395: Regression: 010-origin: Zero     Origin Timestamp Bypass.

  - CVE-2016-7434, bsc#1011398: NULL pointer dereference in
    _IO_str_init_static_internal().

  - CVE-2016-7429, bsc#1011404: Interface selection attack.

  - CVE-2016-7426, bsc#1011406: Client rate limiting and     server responses.

  - CVE-2016-7433, bsc#1011411: Reboot sync calculation     problem.

  - CVE-2015-8140: ntpq vulnerable to replay attacks.

  - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose     origin.

  - CVE-2015-5219: An endless loop due to incorrect     precision to double conversion (bsc#943216).
    Non-security issues fixed :

  - Fix a spurious error message.

  - Other bugfixes, see     /usr/share/doc/packages/ntp/ChangeLog.

  - Fix a regression in 'trap' (bsc#981252).

  - Reduce the number of netlink groups to listen on for     changes to the local network setup (bsc#992606).

  - Fix segfault in 'sntp -a' (bsc#1009434).

  - Silence an OpenSSL version warning (bsc#992038).

  - Make the resolver task change user and group IDs to the     same values as the main task. (bsc#988028)

  - Simplify ntpd's search for its own executable to prevent     AppArmor warnings (bsc#956365).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ntp fixes the following issues :

ntp was updated to 4.2.8p9.

Security issues fixed :

  - CVE-2016-9311, CVE-2016-9310, bsc#1011377: Mode 6     unauthenticated trap information disclosure and DDoS     vector.

  - CVE-2016-7427, bsc#1011390: Broadcast Mode Replay     Prevention DoS.

  - CVE-2016-7428, bsc#1011417: Broadcast Mode Poll Interval     Enforcement DoS.

  - CVE-2016-7431, bsc#1011395: Regression: 010-origin: Zero     Origin Timestamp Bypass.

  - CVE-2016-7434, bsc#1011398: NULL pointer dereference in
    _IO_str_init_static_internal().

  - CVE-2016-7429, bsc#1011404: Interface selection attack.

  - CVE-2016-7426, bsc#1011406: Client rate limiting and     server responses.

  - CVE-2016-7433, bsc#1011411: Reboot sync calculation     problem.

  - CVE-2015-5219: An endless loop due to incorrect     precision to double conversion (bsc#943216).

Non-security issues fixed :

  - Fix a spurious error message.

  - Other bugfixes, see     /usr/share/doc/packages/ntp/ChangeLog.

  - Fix a regression in 'trap' (bsc#981252).

  - Reduce the number of netlink groups to listen on for     changes to the local network setup (bsc#992606).

  - Fix segfault in 'sntp -a' (bsc#1009434).

  - Silence an OpenSSL version warning (bsc#992038).

  - Make the resolver task change user and group IDs to the     same values as the main task. (bsc#988028)

  - Simplify ntpd's search for its own executable to prevent     AppArmor warnings (bsc#956365).

This update was imported from the SUSE:SLE-12-SP1:Update update project.

Multiple vulnerabilities have been discovered in the NTP suite :

CVE-2016-9311: Trap crash, Reported by Matthew Van Gundy of Cisco ASIG.

CVE-2016-9310: Mode 6 unauthenticated trap information disclosure and DDoS vector. Reported by Matthew Van Gundy of Cisco ASIG.

CVE-2016-7427: Broadcast Mode Replay Prevention DoS. Reported by Matthew Van Gundy of Cisco ASIG.

CVE-2016-7428: Broadcast Mode Poll Interval Enforcement DoS. Reported by Matthew Van Gundy of Cisco ASIG.

CVE-2016-7431: Regression: 010-origin: Zero Origin Timestamp Bypass.
Reported by Sharon Goldberg and Aanchal Malhotra of Boston University.

CVE-2016-7434: NULL pointer dereference in
_IO_str_init_static_internal(). Reported by Magnus Stubman.

CVE-2016-7426: Client rate limiting and server responses. Reported by Miroslav Lichvar of Red Hat.

CVE-2016-7433: Reboot sync calculation problem. Reported independently by Brian Utterback of Oracle, and by Sharon Goldberg and Aanchal Malhotra of Boston University. Impact : A remote attacker who can send a specially crafted packet to cause a NULL pointer dereference that will crash ntpd, resulting in a Denial of Service. [CVE-2016-9311]

An exploitable configuration modification vulnerability exists in the control mode (mode 6) functionality of ntpd. If, against long-standing BCP recommendations, 'restrict default noquery ...' is not specified, a specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, disabling legitimate monitoring by an attacker from remote.
[CVE-2016-9310]

An attacker with access to the NTP broadcast domain can periodically inject specially crafted broadcast mode NTP packets into the broadcast domain which, while being logged by ntpd, can cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers.
[CVE-2016-7427]

An attacker with access to the NTP broadcast domain can send specially crafted broadcast mode NTP packets to the broadcast domain which, while being logged by ntpd, will cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers. [CVE-2016-7428]

Origin timestamp problems were fixed in ntp 4.2.8p6. However, subsequent timestamp validation checks introduced a regression in the handling of some Zero origin timestamp checks. [CVE-2016-7431]

If ntpd is configured to allow mrulist query requests from a server that sends a crafted malicious packet, ntpd will crash on receipt of that crafted malicious mrulist query packet. [CVE-2016-7434]

An attacker who knows the sources (e.g., from an IPv4 refid in server response) and knows the system is (mis)configured in this way can periodically send packets with spoofed source address to keep the rate limiting activated and prevent ntpd from accepting valid responses from its sources. [CVE-2016-7426]

Ntp Bug 2085 described a condition where the root delay was included twice, causing the jitter value to be higher than expected. Due to a misinterpretation of a small-print variable in The Book, the fix for this problem was incorrect, resulting in a root distance that did not include the peer dispersion. The calculations and formulas have been reviewed and reconciled, and the code has been updated accordingly.
[CVE-2016-7433]

This update for ntp fixes the following issues: ntp was updated to 4.2.8p9. Security issues fixed :

  - CVE-2016-9311, CVE-2016-9310, bsc#1011377: Mode 6     unauthenticated trap information disclosure and DDoS     vector.

  - CVE-2016-7427, bsc#1011390: Broadcast Mode Replay     Prevention DoS.

  - CVE-2016-7428, bsc#1011417: Broadcast Mode Poll Interval     Enforcement DoS.

  - CVE-2016-7431, bsc#1011395: Regression: 010-origin: Zero     Origin Timestamp Bypass.

  - CVE-2016-7434, bsc#1011398: NULL pointer dereference in
    _IO_str_init_static_internal().

  - CVE-2016-7429, bsc#1011404: Interface selection attack.

  - CVE-2016-7426, bsc#1011406: Client rate limiting and     server responses.

  - CVE-2016-7433, bsc#1011411: Reboot sync calculation     problem.

  - CVE-2015-5219: An endless loop due to incorrect     precision to double conversion (bsc#943216).
    Non-security issues fixed :

  - Fix a spurious error message.

  - Other bugfixes, see     /usr/share/doc/packages/ntp/ChangeLog.

  - Fix a regression in 'trap' (bsc#981252).

  - Reduce the number of netlink groups to listen on for     changes to the local network setup (bsc#992606).

  - Fix segfault in 'sntp -a' (bsc#1009434).

  - Silence an OpenSSL version warning (bsc#992038).

  - Make the resolver task change user and group IDs to the     same values as the main task. (bsc#988028)

  - Simplify ntpd's search for its own executable to prevent     AppArmor warnings (bsc#956365).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ntp fixes the following issues :

  - Simplify ntpd's search for its own executable to prevent     AppArmor warnings (bsc#956365). Security issues fixed     (update to 4.2.8p9) :

  - CVE-2016-9311, CVE-2016-9310, bsc#1011377: Mode 6     unauthenticated trap information disclosure and DDoS     vector.

  - CVE-2016-7427, bsc#1011390: Broadcast Mode Replay     Prevention DoS.

  - CVE-2016-7428, bsc#1011417: Broadcast Mode Poll Interval     Enforcement DoS.

  - CVE-2016-7431, bsc#1011395: Regression: 010-origin: Zero     Origin Timestamp Bypass.

  - CVE-2016-7434, bsc#1011398: NULL pointer dereference in
    _IO_str_init_static_internal().

  - CVE-2016-7429, bsc#1011404: Interface selection attack.

  - CVE-2016-7426, bsc#1011406: Client rate limiting and     server responses.

  - CVE-2016-7433, bsc#1011411: Reboot sync calculation     problem.

  - CVE-2015-5219: An endless loop due to incorrect     precision to double conversion (bsc#943216).

  - CVE-2015-8140: ntpq vulnerable to replay attacks.

  - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose     origin.

  - CVE-2015-5219: An endless loop due to incorrect     precision to double conversion (bsc#943216).
    Non-security issues fixed :

  - Fix a spurious error message.

  - Other bugfixes, see     /usr/share/doc/packages/ntp/ChangeLog.

  - Fix a regression in 'trap' (bsc#981252).

  - Reduce the number of netlink groups to listen on for     changes to the local network setup (bsc#992606).

  - Fix segfault in 'sntp -a' (bsc#1009434).

  - Silence an OpenSSL version warning (bsc#992038).

  - Make the resolver task change user and group IDs to the     same values as the main task. (bsc#988028)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of the remote NTP server is 4.x prior to 4.2.8p9. It is, therefore, affected by the following vulnerabilities :

  - A denial of service vulnerability exists when rate     limiting is configured for all associations, the limits     also being applied to responses received from the     configured sources. An unauthenticated, remote attacker     can exploit this, by periodically sending spoofed     packets, to keep rate limiting active, resulting in     valid responses not being accepted by ntpd from its     sources. (CVE-2016-7426)

  - A denial of service vulnerability exists in the     broadcast mode replay prevention functionality. An     unauthenticated, adjacent attacker can exploit this, via     specially crafted broadcast mode NTP packets     periodically injected into the broadcast domain, to     cause ntpd to reject broadcast mode packets from     legitimate NTP broadcast servers. (CVE-2016-7427)

  - A denial of service vulnerability exists in the     broadcast mode poll interval functionality. An     unauthenticated, adjacent attacker can exploit this, via     specially crafted broadcast mode NTP packets, to cause     ntpd to reject packets from a legitimate NTP broadcast     server. (CVE-2016-7428)

  - A denial of service vulnerability exists when receiving     server responses on sockets that correspond to different     interfaces than what were used in the request. An     unauthenticated, remote attacker can exploit this, by     sending repeated requests using specially crafted     packets with spoofed source addresses, to cause ntpd     to select the incorrect interface for the source, which     prevents it from sending new requests until the     interface list is refreshed. This eventually results in     preventing ntpd from synchronizing with the source.
    (CVE-2016-7429)

  - A flaw exists that allows packets with an origin     timestamp of zero to bypass security checks. An     unauthenticated, remote attacker can exploit this to     spoof arbitrary content. (CVE-2016-7431)

  - A flaw exists due to the root delay being included     twice, which may result in the jitter value being higher     than expected. An unauthenticated, remote attacker can     exploit this to cause a denial of service condition.
    (CVE-2016-7433)

  - A denial of service vulnerability exists when handling     specially crafted mrulist query packets that allows an     unauthenticated, remote attacker to crash ntpd.
    (CVE-2016-7434)

  - A flaw exists in the control mode (mode 6) functionality     when handling specially crafted control mode packets. An     unauthenticated, adjacent attacker can exploit this to     set or disable ntpd traps, resulting in the disclosure     of potentially sensitive information, disabling of     legitimate monitoring, or DDoS amplification.
    (CVE-2016-9310)

  - A NULL pointer dereference flaw exists in the     report_event() function within file ntpd/ntp_control.c     when the trap service handles certain peer events. An     unauthenticated, remote attacker can exploit this, via     a specially crafted packet, to cause a denial of service     condition. (CVE-2016-9311)

  - A denial of service vulnerability exists when handling     oversize UDP packets that allows an unauthenticated,     remote attacker to crash ntpd. Note that this     vulnerability only affects Windows versions.
    (CVE-2016-9312)

Network Time Foundation reports :

NTF's NTP Project is releasing ntp-4.2.8p9, which addresses :

- 1 HIGH severity vulnerability that only affects Windows

- 2 MEDIUM severity vulnerabilities

- 2 MEDIUM/LOW severity vulnerabilities

- 5 LOW severity vulnerabilities

- 28 other non-security fixes and improvements

All of the security issues in this release are listed in VU#633847.

New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.

ID	Name	Product	Family	Severity
121669	Photon OS 1.0: Ntpstat PHSA-2017-0003	Nessus	PhotonOS Local Security Checks	high
121668	Photon OS 1.0: Ntp PHSA-2017-0003	Nessus	PhotonOS Local Security Checks	high
111852	Photon OS 1.0: Guile / Ntp / Ntpstat PHSA-2017-0003 (deprecated)	Nessus	PhotonOS Local Security Checks	high
106503	pfSense < 2.3.3 Multiple Vulnerabilities (SA-17_01 - SA-17_03)	Nessus	Firewalls	high
102129	AIX NTP v3 Advisory : ntp_advisory8.asc (IV92194) (IV91803) (IV92193) (IV91951) (IV92192) (IV92067)	Nessus	AIX Local Security Checks	high
101263	Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : ntp vulnerabilities (USN-3349-1)	Nessus	Ubuntu Local Security Checks	high
99184	AIX NTP v4 Advisory : ntp_advisory8.asc (IV92126) (IV92287)	Nessus	AIX Local Security Checks	high
96715	SUSE SLES11 Security Update : ntp (SUSE-SU-2017:0255-1)	Nessus	SuSE Local Security Checks	high
96173	openSUSE Security Update : ntp (openSUSE-2016-1525)	Nessus	SuSE Local Security Checks	high
96123	FreeBSD : FreeBSD -- Multiple vulnerabilities of ntp (fcedcdbb-c86e-11e6-b1cf-14dae9d210b8)	Nessus	FreeBSD Local Security Checks	high
95988	SUSE SLES12 Security Update : ntp (SUSE-SU-2016:3196-1)	Nessus	SuSE Local Security Checks	high
95987	SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:3195-1)	Nessus	SuSE Local Security Checks	high
95986	SUSE SLES11 Security Update : ntp (SUSE-SU-2016:3193-1)	Nessus	SuSE Local Security Checks	high
95575	Network Time Protocol Daemon (ntpd) 4.x < 4.2.8p9 Multiple Vulnerabilities	Nessus	Misc.	high
95265	FreeBSD : ntp -- multiple vulnerabilities (8db8d62a-b08b-11e6-8eba-d050996490d0)	Nessus	FreeBSD Local Security Checks	high
95028	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : ntp (SSA:2016-326-01)	Nessus	Slackware Local Security Checks	high

CVE-2016-7428

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins