Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p6 Multiple Vulnerabilities

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote NTP server is affected by multiple vulnerabilities.

Description :

The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p6.
It is, therefore, affected by the following vulnerabilities :

- A flaw exists in the receive() function due to the use
of authenticated broadcast mode. A man-in-the-middle
attacker can exploit this to conduct a replay attack.
(CVE-2015-7973)

- A time serving flaw exists in the trusted key system
due to improper key checks. An authenticated, remote
attacker can exploit this to perform impersonation
attacks between authenticated peers. (CVE-2015-7974)

- An overflow condition exists in the nextvar() function
due to improper validation of user-supplied input. A
local attacker can exploit this to cause a buffer
overflow, resulting in a denial of service condition.
(CVE-2015-7975)

- A flaw exists in ntp_control.c due to improper filtering
of special characters in filenames by the saveconfig
command. An authenticated, remote attacker can exploit
this to inject arbitrary content. (CVE-2015-7976)

- A NULL pointer dereference flaw exists in ntp_request.c
that is triggered when handling ntpdc relist commands.
A remote attacker can exploit this, via a specially
crafted request, to crash the service, resulting in a
denial of service condition. (CVE-2015-7977)

- A flaw exists in ntpdc that is triggered during the
handling of the relist command. A remote attacker can
exploit this, via recursive traversals of the
restriction list, to exhaust available space on the call
stack, resulting in a denial of service condition.
(CVE-2015-7978)

- An unspecified flaw exists in authenticated broadcast
mode. A remote attacker can exploit this, via specially
crafted packets, to cause a denial of service condition.
(CVE-2015-7979)

- A flaw exists in the receive() function that allows
packets with an origin timestamp of zero to bypass
security checks. A remote attacker can exploit this to
spoof arbitrary content. (CVE-2015-8138)

- A flaw exists in ntpq and ntpdc that allows a remote
attacker to disclose sensitive information in
timestamps. (CVE-2015-8139)

- A flaw exists in the ntpq protocol that is triggered
during the handling of an improper sequence of numbers.
A man-in-the-middle attacker can exploit this to conduct
a replay attack. (CVE-2015-8140)

- A flaw exists in the ntpq client that is triggered when
handling packets that cause a loop in the getresponse()
function. A remote attacker can exploit this to cause an
infinite loop, resulting in a denial of service
condition. (CVE-2015-8158)

See also :

http://support.ntp.org/bin/view/Main/SecurityNotice
http://www.nessus.org/u?d42322ca

Solution :

Upgrade to NTP version 4.2.8p6 or later.
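The check this advisory implies is a version comparison against 4.2.8p6. The following is an added example, not Tenable's plugin code, that parses ntpd version strings of the form "4.2.8p5" (as found in the version variable printed by "ntpq -c rv") and reports whether the 3.x / 4.x < 4.2.8p6 condition holds; the sample banners are constructed.

```python
import re

# First release the advisory names as fixed: 4.2.8p6, as (major, minor, point, patch).
FIXED_VERSION = (4, 2, 8, 6)

# ntpd version strings look like "4.2.8p5" (optional "pN" patch level), usually
# embedded in a longer banner such as 'version="ntpd 4.2.8p5@1.3265-o ..."'.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_ntp_version(banner):
    """Return (major, minor, point, patch) from an ntpd banner, or None.

    A release without a "pN" suffix (e.g. "4.2.8") precedes "4.2.8p1", so its
    patch level is 0; a missing third component is likewise treated as 0.
    """
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, point, patch = m.groups()
    return (int(major), int(minor), int(point or 0), int(patch or 0))


def is_affected(banner):
    """True if the banner reports ntpd 3.x or 4.x older than 4.2.8p6.

    Returns None when no version can be extracted. This is a pure version
    comparison: it cannot see distribution backports that patched an older
    version string, so confirm against the vendor's changelog before acting.
    """
    version = parse_ntp_version(banner)
    if version is None:
        return None
    if version[0] not in (3, 4):
        return False
    return version < FIXED_VERSION


if __name__ == "__main__":
    # Constructed sample banners in the shape of ntpq's "version" variable.
    samples = [
        'version="ntpd 4.2.8p5@1.3265-o Thu Dec 10 2015 (1)"',
        'version="ntpd 4.2.8p6@1.3265-o Fri Jan 15 2016 (1)"',
        "ntpd 4.2.6p5",
        "ntpd 4.2.8",
        "no version here",
    ]
    for banner in samples:
        print(f"{is_affected(banner)!s:>5}  {banner}")
```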

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.8
(CVSS2#E:U/RL:U/RC:C)
Public Exploit Available : false
