https://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0260

FreeBSD-SA-17:03

1039427

1038123

97046

https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03962en_us

https://cert-portal.siemens.com/productcert/pdf/ssa-211752.pdf

The remote host is running a version of macOS that is prior to 10.13. It is, therefore, affected by multiple vulnerabilities in the following components :

 - Apache
 - AppSandbox
 - AppleScript
 - Application Firewall
 - ATS
 - Audio
 - CFNetwork
 - CFNetwork Proxies
 - CFString
 - Captive Network Assistant
 - CoreAudio
 - CoreText
 - DesktopServices
 - Directory Utility
 - file
 - Fonts
 - fsck_msdos
 - HFS
 - Heimdal
 - HelpViewer
 - IOFireWireFamily
 - ImageIO
 - Installer
 - Kernel
 - kext tools
 - libarchive
 - libc
 - libexpat
 - Mail
 - Mail Drafts
 - ntp
 - Open Scripting Architecture
 - PCRE
 - Postfix
 - Quick Look
 - QuickTime
 - Remote Management
 - SQLite
 - Sandbox
 - Screen Lock
 - Security
 - Spotlight
 - WebKit
 - zlib

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

According to its self-reported version number, the remote pfSense install is affected by multiple vulnerabilities as stated in the referenced vendor advisories.

The remote host is running a version of Mac OS X that is prior to 10.10.5, 10.11.x prior to 10.11.6, 10.12.x prior to 10.12.6, or is not macOS 10.13. It is, therefore, affected by multiple vulnerabilities in the following components :

  - apache
  - AppSandbox
  - AppleScript
  - Application Firewall
  - ATS
  - Audio
  - CFNetwork
  - CFNetwork Proxies
  - CFString
  - Captive Network Assistant
  - CoreAudio
  - CoreText
  - DesktopServices
  - Directory Utility
  - file
  - Fonts
  - fsck_msdos
  - HFS
  - Heimdal
  - HelpViewer
  - IOFireWireFamily
  - ImageIO
  - Installer
  - Kernel
  - kext tools
  - libarchive
  - libc
  - libexpat
  - Mail
  - Mail Drafts
  - ntp
  - Open Scripting Architecture
  - PCRE
  - Postfix
  - Quick Look
  - QuickTime
  - Remote Management
  - SQLite
  - Sandbox
  - Screen Lock
  - Security
  - Spotlight
  - WebKit
  - zlib

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

Security fix for CVE-2017-6464 CVE-2017-6462 CVE-2017-6463 CVE-2017-6458 CVE-2017-6451 CVE-2017-6460 CVE-2016-9042.

----

This update improves the default configuration file to use the pool directive. It also replaces the ntpstat program with a shell script that uses the ntpq program instead of implementing the mode 6 protocol.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Yihan Lian discovered that NTP incorrectly handled certain large request data values. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-2519)

Miroslav Lichvar discovered that NTP incorrectly handled certain spoofed addresses when performing rate limiting. A remote attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7426)

Matthew Van Gundy discovered that NTP incorrectly handled certain crafted broadcast mode packets. A remote attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7427, CVE-2016-7428)

Miroslav Lichvar discovered that NTP incorrectly handled certain responses. A remote attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7429)

Sharon Goldberg and Aanchal Malhotra discovered that NTP incorrectly handled origin timestamps of zero. A remote attacker could possibly use this issue to bypass the origin timestamp protection mechanism.
This issue only affected Ubuntu 16.10. (CVE-2016-7431)

Brian Utterback, Sharon Goldberg and Aanchal Malhotra discovered that NTP incorrectly performed initial sync calculations. This issue only applied to Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7433)

Magnus Stubman discovered that NTP incorrectly handled certain mrulist queries. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7434)

Matthew Van Gund discovered that NTP incorrectly handled origin timestamp checks. A remote attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu Ubuntu 16.10, and Ubuntu 17.04. (CVE-2016-9042)

Matthew Van Gundy discovered that NTP incorrectly handled certain control mode packets. A remote attacker could use this issue to set or unset traps. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9310)

Matthew Van Gundy discovered that NTP incorrectly handled the trap service. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9311)

It was discovered that NTP incorrectly handled memory when processing long variables. A remote authenticated user could possibly use this issue to cause NTP to crash, resulting in a denial of service.
(CVE-2017-6458)

It was discovered that NTP incorrectly handled memory when processing long variables. A remote authenticated user could possibly use this issue to cause NTP to crash, resulting in a denial of service. This issue only applied to Ubuntu 16.04 LTS, Ubuntu 16.10 and Ubuntu 17.04.
(CVE-2017-6460)

It was discovered that the NTP legacy DPTS refclock driver incorrectly handled the /dev/datum device. A local attacker could possibly use this issue to cause a denial of service. (CVE-2017-6462)

It was discovered that NTP incorrectly handled certain invalid settings in a :config directive. A remote authenticated user could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2017-6463)

It was discovered that NTP incorrectly handled certain invalid mode configuration directives. A remote authenticated user could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2017-6464).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A vulnerability was discovered in the NTP server's parsing of configuration directives. [CVE-2017-6464]

A vulnerability was found in NTP, in the parsing of packets from the DPTS Clock. [CVE-2017-6462]

A vulnerability was discovered in the NTP server's parsing of configuration directives. [CVE-2017-6463]

A vulnerability was found in NTP, affecting the origin timestamp check function. [CVE-2016-9042] Impact : A remote, authenticated attacker could cause ntpd to crash by sending a crafted message.
[CVE-2017-6463, CVE-2017-6464]

A malicious device could send crafted messages, causing ntpd to crash.
[CVE-2017-6462]

An attacker able to spoof messages from all of the configured peers could send crafted packets to ntpd, causing later replies from those peers to be discarded, resulting in denial of service. [CVE-2016-9042]

This ntp update to version 4.2.8p10 fixes serveral issues.

This updated enables leap smearing. See /usr/share/doc/packages/ntp/README.leapsmear for details.

Security issues fixed (bsc#1030050) :

  - CVE-2017-6464: Denial of Service via Malformed Config

  - CVE-2017-6462: Buffer Overflow in DPTS Clock

  - CVE-2017-6463: Authenticated DoS via Malicious Config     Option

  - CVE-2017-6458: Potential Overflows in ctl_put()     functions

  - CVE-2017-6451: Improper use of snprintf() in     mx4200_send()

  - CVE-2017-6460: Buffer Overflow in ntpq when fetching     reslist

  - CVE-2016-9042: 0rigin (zero origin) DoS.

  - ntpq_stripquotes() returns incorrect Value

  - ereallocarray()/eallocarray() underused

  - Copious amounts of Unused Code

  - Off-by-one in Oncore GPS Receiver

  - Makefile does not enforce Security Flags

Bugfixes :

  - Remove spurious log messages (bsc#1014172).

  - clang scan-build findings

  - Support for openssl-1.1.0 without compatibility modes

  - Bugfix 3072 breaks multicastclient

  - forking async worker: interrupted pipe I/O

  - (...) time_pps_create: Exec format error

  - Incorrect Logic for Peer Event Limiting

  - Change the process name of forked DNS worker

  - Trap Configuration Fail

  - Nothing happens if minsane < maxclock < minclock

  - allow -4/-6 on restrict line with mask

  - out-of-bound pointers in ctl_putsys and decode_bitflags

  - Move ntp-kod to /var/lib/ntp, because /var/db is not a     standard directory and causes problems for transactional     updates.

This update was imported from the SUSE:SLE-12-SP1:Update update project.

New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.

This ntp update to version 4.2.8p10 fixes the following issues:
Security issues fixed (bsc#1030050) :

  - CVE-2017-6464: Denial of Service via Malformed Config

  - CVE-2017-6462: Buffer Overflow in DPTS Clock

  - CVE-2017-6463: Authenticated DoS via Malicious Config     Option

  - CVE-2017-6458: Potential Overflows in ctl_put()     functions

  - CVE-2017-6451: Improper use of snprintf() in     mx4200_send()

  - CVE-2017-6460: Buffer Overflow in ntpq when fetching     reslist

  - CVE-2016-9042: 0rigin (zero origin) DoS.

  - ntpq_stripquotes() returns incorrect Value

  - ereallocarray()/eallocarray() underused

  - Copious amounts of Unused Code

  - Off-by-one in Oncore GPS Receiver

  - Makefile does not enforce Security Flags Bugfixes :

  - Remove spurious log messages (bsc#1014172).

  - Fixing ppc and ppc64 linker issue (bsc#1031085).

  - clang scan-build findings

  - Support for openssl-1.1.0 without compatibility modes

  - Bugfix 3072 breaks multicastclient

  - forking async worker: interrupted pipe I/O

  - (...) time_pps_create: Exec format error

  - Incorrect Logic for Peer Event Limiting

  - Change the process name of forked DNS worker

  - Trap Configuration Fail

  - Nothing happens if minsane 

  - allow -4/-6 on restrict line with mask

  - out-of-bound pointers in ctl_putsys and decode_bitflags

  - Move ntp-kod to /var/lib/ntp, because /var/db is not a     standard directory and causes problems for transactional     updates.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This ntp update to version 4.2.8p10 fixes serveral issues. This updated enables leap smearing. See /usr/share/doc/packages/ntp/README.leapsmear for details. Security issues fixed (bsc#1030050) :

  - CVE-2017-6464: Denial of Service via Malformed Config

  - CVE-2017-6462: Buffer Overflow in DPTS Clock

  - CVE-2017-6463: Authenticated DoS via Malicious Config     Option

  - CVE-2017-6458: Potential Overflows in ctl_put()     functions

  - CVE-2017-6451: Improper use of snprintf() in     mx4200_send()

  - CVE-2017-6460: Buffer Overflow in ntpq when fetching     reslist

  - CVE-2016-9042: 0rigin (zero origin) DoS.

  - ntpq_stripquotes() returns incorrect Value

  - ereallocarray()/eallocarray() underused

  - Copious amounts of Unused Code

  - Off-by-one in Oncore GPS Receiver

  - Makefile does not enforce Security Flags Bugfixes :

  - Remove spurious log messages (bsc#1014172).

  - clang scan-build findings

  - Support for openssl-1.1.0 without compatibility modes

  - Bugfix 3072 breaks multicastclient

  - forking async worker: interrupted pipe I/O

  - (...) time_pps_create: Exec format error

  - Incorrect Logic for Peer Event Limiting

  - Change the process name of forked DNS worker

  - Trap Configuration Fail

  - Nothing happens if minsane 

  - allow -4/-6 on restrict line with mask

  - out-of-bound pointers in ctl_putsys and decode_bitflags

  - Move ntp-kod to /var/lib/ntp, because /var/db is not a     standard directory and causes problems for transactional     updates.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of the remote NTP server is 4.x prior to 4.2.8p10. It is, therefore, affected by the following vulnerabilities :

  - A denial of service vulnerability exists in the     receive() function within file ntpd/ntp_proto.c due to     the expected origin timestamp being cleared when a     packet with a zero origin timestamp is received. An     unauthenticated, remote attacker can exploit this issue,     via specially crafted network packets, to reset the     expected origin timestamp for a target peer, resulting     in legitimate replies being dropped. (CVE-2016-9042)

  - An out-of-bounds write error exists in the mx4200_send()     function within file ntpd/refclock_mx4200.c due to     improper handling of the return value of the snprintf()     and vsnprintf() functions. An unauthenticated, remote     attacker can exploit this to cause a denial of service     condition or possibly the execution of arbitrary code.
    However, neither the researcher nor vendor could find     any exploitable code path. (CVE-2017-6451)

  - A stack-based buffer overflow condition exists in the     addSourceToRegistry() function within file     ports/winnt/instsrv/instsrv.c due to improper validation     of certain input when adding registry keys. A local     attacker can exploit this to execute arbitrary code.
    (CVE-2017-6452)

  - A flaw exists due to dynamic link library (DLL) files     being preloaded when they are defined in the inherited     environment variable 'PPSAPI_DLLS'. A local attacker can     exploit this, via specially crafted DLL files, to     execute arbitrary code with elevated privileges.
    (CVE-2017-6455)

  - Multiple stack-based buffer overflow conditions exist in     various wrappers around the ctl_putdata() function     within file ntpd/ntp_control.c due to improper     validation of certain input from the ntp.conf file.
    An unauthenticated, remote attacker can exploit these,     by convincing a user into deploying a specially     crafted ntp.conf file, to cause a denial of service     condition or possibly the execution of arbitrary code.
    (CVE-2017-6458)

  - A flaw exists in the addKeysToRegistry() function within     file ports/winnt/instsrv/instsrv.c when running the     Windows installer due to improper termination of strings     used for adding registry keys, which may cause malformed     registry entries to be created. A local attacker can     exploit this issue to possibly disclose sensitive memory     contents. (CVE-2017-6459)

  - A stack-based buffer overflow condition exists in the     reslist() function within file ntpq/ntpq-subs.c when     handling server responses due to improper validation of     certain input. An unauthenticated, remote attacker can     exploit this, by convincing a user to connect to a     malicious NTP server and by using a specially crafted     server response, to cause a denial of service condition     or the execution of arbitrary code. (CVE-2017-6460)

  - A stack-based buffer overflow condition exists in the     datum_pts_receive() function within file     ntpd/refclock_datum.c when handling handling packets     from the '/dev/datum' device due to improper validation     of certain input. A local attacker can exploit this to     cause a denial of service condition or the execution of     arbitrary code. (CVE-2017-6462)

  - A denial of service vulnerability exists within file     ntpd/ntp_config.c when handling 'unpeer' configuration     options. An authenticated, remote attacker can exploit     this issue, via an 'unpeer' option value of '0', to     crash the ntpd daemon. (CVE-2017-6463)

  - A denial of service vulnerability exists when handling     configuration directives. An authenticated, remote     attacker can exploit this, via a malformed 'mode'     configuration directive, to crash the ntpd daemon.
    (CVE-2017-6464)

  - A flaw exists in the ntpq_stripquotes() function within     file ntpq/libntpq.c due to the function returning an     incorrect value. An unauthenticated, remote attacker can     possibly exploit this to have an unspecified impact.

  - An off-by-one overflow condition exists in the     oncore_receive() function in file ntpd/refclock_oncore.c     that possibly allows an unauthenticated, remote attacker     to have an unspecified impact.

  - A flaw exists due to certain code locations not invoking     the appropriate ereallocarray() and eallocarray()     functions. An unauthenticated, remote attacker can     possibly exploit this to have an unspecified impact.

  - A flaw exists due to the static inclusion of unused code     from the libisc, libevent, and libopts libraries. An     unauthenticated, remote attacker can possibly exploit     this to have an unspecified impact.

  - A security weakness exists in the Makefile due to a     failure to provide compile or link flags to offer     hardened security options by default.

ID	Name	Product	Family	Severity
700511	macOS < 10.13 Multiple Vulnerabilities	Nessus Network Monitor	Operating System Detection	critical
106504	pfSense < 2.3.4 Multiple Vulnerabilities (SA-17_04)	Nessus	Firewalls	critical
103598	macOS < 10.13 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
101588	Fedora 26 : ntp (2017-20d54b2782)	Nessus	Fedora Local Security Checks	high
101263	Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : ntp vulnerabilities (USN-3349-1)	Nessus	Ubuntu Local Security Checks	high
100496	FreeBSD : FreeBSD -- Multiple vulnerabilities of ntp (3c0237f5-420e-11e7-82c5-14dae9d210b8)	Nessus	FreeBSD Local Security Checks	high
99700	openSUSE Security Update : ntp (openSUSE-2017-511)	Nessus	SuSE Local Security Checks	high
99597	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : ntp (SSA:2017-112-02)	Nessus	Slackware Local Security Checks	high
99469	SUSE SLES11 Security Update : ntp (SUSE-SU-2017:1052-1)	Nessus	SuSE Local Security Checks	high
99468	SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2017:1048-1)	Nessus	SuSE Local Security Checks	high
99467	SUSE SLES12 Security Update : ntp (SUSE-SU-2017:1047-1)	Nessus	SuSE Local Security Checks	high
97988	Network Time Protocol Daemon (ntpd) 4.x < 4.2.8p10 Multiple Vulnerabilities	Nessus	Misc.	high

CVE-2016-9042

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Tenable Plugins

critical

critical

critical

high

high

high

high

high

high

high

high

high