Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p4 Multiple Vulnerabilities

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.


Synopsis :

The remote NTP server is affected by multiple vulnerabilities.

Description :

The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p4.
It is, therefore, affected by the following vulnerabilities :

- A flaw exists in the ntp_crypto.c file due to improper
validation of the 'vallen' value in extension fields. An
unauthenticated, remote attacker can exploit this, via
specially crafted autokey packets, to disclose
sensitive information or cause a denial of service.
(CVE-2015-7691)

- A denial of service vulnerability exists in the autokey
functionality due to a failure in the crypto_bob2(),
crypto_bob3(), and cert_sign() functions to properly
validate the 'vallen' value. An unauthenticated, remote
attacker can exploit this, via specially crafted autokey
packets, to crash the NTP service. (CVE-2015-7692)

- A denial of service vulnerability exists in the
crypto_recv() function in the file ntp_crypto.c related
to autokey functionality. An unauthenticated, remote
attacker can exploit this, via an ongoing flood of NTPv4
autokey requests, to exhaust memory resources.
(CVE-2015-7701)

- A denial of service vulnerability exists due to improper
validation of packets containing certain autokey
operations. An unauthenticated, remote attacker can
exploit this, via specially crafted autokey packets,
to crash the NTP service. (CVE-2015-7702)

- A flaw exists related to the handling of the 'config:'
command. An authenticated, remote attacker can exploit
this to set the 'pidfile' and 'driftfile' directives
without restrictions, thus allowing the attacker to
overwrite arbitrary files. Note that exploitation of
this issue requires that remote configuration is enabled
for ntpd. (CVE-2015-7703)

- A denial of service vulnerability exists due to improper
validation of the origin timestamp when handling
Kiss-of-Death (KoD) packets. An unauthenticated, remote
attacker can exploit this to stop the client from
querying its servers, preventing it from updating its
clock. (CVE-2015-7704)

- A denial of service vulnerability exists due to improper
implementation of rate-limiting when handling server
queries. An unauthenticated, remote attacker can exploit
this to stop the client from querying its servers,
preventing it from updating its clock. (CVE-2015-7705)

- A denial of service vulnerability exists due to an
integer overflow condition in the reset_peer() function
in the file ntp_request.c when handling private mode
packets having request code RESET_PEER (0x16). An
authenticated, remote attacker can exploit this to crash
the NTP service. Note that exploitation of this issue
requires that ntpd is configured to enable mode 7
packets, and that the mode 7 packets are not properly
protected by available authentication and restriction
mechanisms. (CVE-2015-7848)

- A use-after-free error exists in the auth_delkeys()
function in the file authkeys.c when handling trusted
keys. An authenticated, remote attacker can exploit this
to dereference already freed memory, resulting in a
crash of the NTP service or the execution of arbitrary
code. (CVE-2015-7849)

- A denial of service vulnerability exists due to a logic
flaw in the authreadkeys() function in the file
authreadkeys.c when handling extended logging where the
log and key files are set to be the same file. An
authenticated, remote attacker can exploit this, via a
crafted set of remote configuration requests, to cause
the NTP service to stop responding. (CVE-2015-7850)

- A flaw exists in the save_config() function in the file
ntp_control.c due to improper sanitization of
user-supplied input. An authenticated, remote attacker
can exploit this issue, via a crafted set of
configuration requests, to overwrite arbitrary files.
Note that this issue only affects VMS systems and
requires that ntpd is configured to allow remote
configuration. (CVE-2015-7851)

- A denial of service vulnerability exists due to an
off-by-one overflow condition in the cookedprint()
function in the file ntpq.c when handling mode 6
response packets. An unauthenticated, remote attacker
can exploit this to crash the NTP service.
(CVE-2015-7852)

- An overflow condition exists in the
read_refclock_packet() function in the file ntp_io.c
when handling negative data lengths. A local attacker
can exploit this to crash the NTP service or possibly
gain elevated privileges. (CVE-2015-7853)

- A heap-based overflow condition exists in the
MD5auth_setkey() function in the file authkeys.c when handling
passwords. An authenticated, remote attacker can exploit
this, via a crafted set of configuration requests, to
crash the NTP service or possibly execute arbitrary
code. (CVE-2015-7854)

- A denial of service vulnerability exists due to an
assertion flaw in the decodenetnum() function in the
file decodenetnum.c when handling long data values in
mode 6 and 7 packets. An unauthenticated, remote
attacker can exploit this to crash the NTP service.
(CVE-2015-7855)

- An authentication bypass vulnerability exists in the
receive() function in the file ntp_proto.c when handling
crypto-NAK packets. An unauthenticated, remote attacker
can exploit this to cause the service to accept time
from unauthenticated, ephemeral symmetric peers.
(CVE-2015-7871)

See also :

http://www.tenable.com/security/research/tra-2015-04
http://support.ntp.org/bin/view/Main/SecurityNotice
http://www.nessus.org/u?08d2ada0

Solution :

Upgrade to NTP version 4.2.8p4 or later.
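To verify the fix on a host, the version string that ntpd reports (for example in the `version=` field of `ntpq -c rv` output) has to be compared against 4.2.8p4 with correct handling of the `pN` patch level, since a plain string comparison gets "4.2.8p10" vs "4.2.8p4" wrong. The following added example (not part of the Nessus plugin or the NTP project) parses such a string and applies the advisory's affected range: any 3.x release, or any 4.x release below 4.2.8p4. The `ntpq -c rv` sample line is constructed for the example.

```python
import re
from typing import Optional, Tuple

# First fixed release named in the advisory: NTP 4.2.8p4.
FIXED = (4, 2, 8, 4)

# Accepts "4.2.8p3", "4.2.8", "3.5f" or "ntpd 4.2.6p5@1.2349-o ..."; the
# build tag after '@' and any trailing text are ignored.
_VER_RE = re.compile(r'^(?:ntpd\s+)?(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?')

# Constructed sample of an `ntpq -c rv` response line (not captured from a real host).
SAMPLE_RV = 'version="ntpd 4.2.6p5@1.2349-o Tue Apr  7 02:26:56 UTC 2015 (1)",'


def parse_ntp_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, point, patch) or None if the string is not an NTP version.

    A release without a 'pN' suffix is patch level 0, so 4.2.8 sorts below 4.2.8p1.
    """
    m = _VER_RE.match(text.strip())
    if not m:
        return None
    major, minor, point, patch = m.groups()
    return (int(major), int(minor), int(point or 0), int(patch or 0))


def version_from_rv(rv_output: str) -> Optional[str]:
    """Extract the bare version token (e.g. '4.2.6p5') from `ntpq -c rv` output."""
    m = re.search(r'version="ntpd\s+([^\s@"]+)', rv_output)
    return m.group(1) if m else None


def is_vulnerable(version_text: str) -> Optional[bool]:
    """Apply the advisory's range: 3.x is affected, 4.x is affected below 4.2.8p4.

    Returns None when the version cannot be parsed, so a caller can report
    'unknown' instead of silently treating the host as patched.
    """
    v = parse_ntp_version(version_text)
    if v is None:
        return None
    if v[0] == 3:
        return True
    if v[0] == 4:
        return v < FIXED  # tuple comparison handles p10 > p4 correctly
    return False  # other major versions are outside this advisory's scope


if __name__ == "__main__":
    ver = version_from_rv(SAMPLE_RV)
    print(ver, "vulnerable" if is_vulnerable(ver or "") else "not affected")
```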

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score : 6.4
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true