AIX NTP v4 Advisory : ntp_advisory4.asc (IV79954)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote AIX host has a version of NTP installed that is affected
by multiple vulnerabilities.

Description :

The remote AIX host has a version of Network Time Protocol (NTP)
installed that is affected by the following vulnerabilities :

- A divide-by-zero error exists in the LOGTOD and ULOGTOD
macros in include/ntp.h when they are applied to a value
taken from a crafted NTP packet. An unauthenticated,
remote attacker can exploit this, via crafted NTP
packets, to crash ntpd. (CVE-2015-5219)

- A flaw exists in the ntp_crypto.c file due to improper
validation of the 'vallen' value in extension fields. An
unauthenticated, remote attacker can exploit this, via
specially crafted autokey packets, to disclose
sensitive information or cause a denial of service.
(CVE-2015-7691)

- A denial of service vulnerability exists in the autokey
functionality due to a failure in the crypto_bob2(),
crypto_bob3(), and cert_sign() functions to properly
validate the 'vallen' value. An unauthenticated, remote
attacker can exploit this, via specially crafted autokey
packets, to crash the NTP service. (CVE-2015-7692)

- A denial of service vulnerability exists in the
crypto_recv() function in the file ntp_crypto.c related
to autokey functionality. An unauthenticated, remote
attacker can exploit this, via an ongoing flood of NTPv4
autokey requests, to exhaust memory resources.
(CVE-2015-7701)

- A denial of service vulnerability exists due to improper
validation of packets containing certain autokey
operations. An unauthenticated, remote attacker can
exploit this, via specially crafted autokey packets,
to crash the NTP service. (CVE-2015-7702)

- A denial of service vulnerability exists due to a logic
flaw in the authreadkeys() function in the file
authreadkeys.c when handling extended logging where the
log and key files are set to be the same file. An
authenticated, remote attacker can exploit this, via a
crafted set of remote configuration requests, to cause
the NTP service to stop responding. (CVE-2015-7850)

- An overflow condition exists in the
read_refclock_packet() function in the file ntp_io.c
when handling negative data lengths. A local attacker
can exploit this to crash the NTP service or possibly
gain elevated privileges. (CVE-2015-7853)

- A denial of service vulnerability exists due to an
assertion flaw in the decodenetnum() function in the
file decodenetnum.c when handling long data values in
mode 6 and 7 packets. An unauthenticated, remote
attacker can exploit this to crash the NTP service.
(CVE-2015-7855)
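
Several of the entries above come down to one missing bounds check: the
'vallen' (value length) word inside an Autokey extension field is attacker
controlled and was used before being compared against the length of the
field that carries it. The following is an added example (written for this
page, not code from ntpd or from the IBM advisory) of the validation a
hardened receiver applies to that field. It assumes the extension field
layout of RFC 5906 (opcode/length, association ID, timestamp, filestamp,
value length, value, signature length, signature, padding), treats any
trailer of 24 bytes or less as the key ID plus MAC rather than as a field,
and uses constructed sample packets; the field code 0x0201 and the
constants VALUE_LEN and MAX_MAC_LEN are the example's own choices.

```python
import struct

NTP_HEADER_LEN = 48   # NTPv4 fixed header (RFC 5905)
VALUE_LEN = 6 * 4     # fixed words of an Autokey extension field (RFC 5906, fig. 11):
                      # opcode/length, association ID, timestamp, filestamp,
                      # value length, signature length
MAX_MAC_LEN = 4 + 20  # key ID + SHA-1 digest; a trailer this short is a MAC, not a field


def parse_autokey_fields(pkt: bytes) -> list:
    """Walk the extension fields between the header and the MAC and return
    [(code, vallen, siglen), ...].  Raise ValueError for any length that does
    not fit inside its field, which is the check the advisory says the
    affected ntpd lacked for 'vallen'."""
    if len(pkt) < NTP_HEADER_LEN:
        raise ValueError("short NTP header")
    fields = []
    off = NTP_HEADER_LEN
    while len(pkt) - off > MAX_MAC_LEN:
        remaining = len(pkt) - off
        (opcode,) = struct.unpack_from("!I", pkt, off)
        code, flen = opcode >> 16, opcode & 0xFFFF
        # The field length covers the fixed words, value, signature and padding,
        # so it must be word aligned, at least VALUE_LEN and inside the packet.
        if flen < VALUE_LEN or flen % 4 or flen > remaining:
            raise ValueError(f"field length {flen} at offset {off} does not fit")
        (vallen,) = struct.unpack_from("!I", pkt, off + 16)
        # vallen is attacker controlled: bound it by the field before touching the value.
        if vallen > flen - VALUE_LEN:
            raise ValueError(f"vallen {vallen} exceeds field length {flen}")
        padded_vallen = (vallen + 3) & ~3          # value is padded to a word boundary
        (siglen,) = struct.unpack_from("!I", pkt, off + 20 + padded_vallen)
        if siglen > flen - VALUE_LEN - padded_vallen:
            raise ValueError(f"siglen {siglen} exceeds field length {flen}")
        fields.append((code, vallen, siglen))
        off += flen
    return fields


def check_packet(pkt: bytes) -> str:
    """'ok', or the reason a hardened parser would drop the packet."""
    try:
        parse_autokey_fields(pkt)
        return "ok"
    except ValueError as exc:
        return str(exc)


def build_field(code: int, value: bytes, sig: bytes) -> bytes:
    """Constructed Autokey extension field for the sample packets below."""
    value_p = value + b"\0" * (-len(value) % 4)
    sig_p = sig + b"\0" * (-len(sig) % 4)
    flen = VALUE_LEN + len(value_p) + len(sig_p)
    return (struct.pack("!IIIII", (code << 16) | flen, 1, 0, 0, len(value))
            + value_p + struct.pack("!I", len(sig)) + sig_p)


# Constructed samples: LI=0, VN=4, mode=3 client header, one extension field,
# then a key ID plus a 20-byte MAC.  The code value 0x0201 is arbitrary.
HEADER = bytes([0x23]) + b"\0" * 47
MAC = b"\0\0\0\x01" + b"\xaa" * 20
GOOD_PACKET = HEADER + build_field(0x0201, b"hello", b"sig!") + MAC
# Same packet with vallen overwritten by 0xFFFFFFFF: the shape of input the
# advisory describes for the 'vallen' validation flaws.
CRAFTED_VALLEN = (GOOD_PACKET[:NTP_HEADER_LEN + 16] + struct.pack("!I", 0xFFFFFFFF)
                  + GOOD_PACKET[NTP_HEADER_LEN + 20:])
# Field length word claims 36 bytes but only 28 follow (no MAC appended).
TRUNCATED = HEADER + build_field(0x0201, b"hello", b"sig!")[:-8]

if __name__ == "__main__":
    for name, pkt in [("good", GOOD_PACKET), ("crafted vallen", CRAFTED_VALLEN),
                      ("truncated", TRUNCATED)]:
        print(f"{name}: {check_packet(pkt)}")
```

The order of the checks matters: the field length is bounded by the bytes
actually received, vallen by the field length, and siglen by what is left
after the (word-padded) value, so no offset derived from packet data is ever
used to read outside the packet. A 24-byte trailer cannot be told apart from
a minimal empty field without knowing the MAC algorithm in use, which is
why the example stops at MAX_MAC_LEN rather than parsing to the end.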

See also :

http://aix.software.ibm.com/aix/efixes/security/ntp_advisory4.asc

Solution :

A fix is available and can be downloaded from the IBM AIX website.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score : 6.4
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true
