AIX 7.1 TL 3 : ntp (IV79943) (deprecated)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

This plugin has been deprecated.

Description :

The remote AIX host has a version of Network Time Protocol (NTP)
installed that is affected by the following vulnerabilities :

- A divide-by-zero error exists in file include/ntp.h
when handling LOGTOD and ULOGTOD macros in a crafted
NTP packet. An unauthenticated, remote attacker can
exploit this, via crafted NTP packets, to crash ntpd.
(CVE-2015-5219)

- A flaw exists in the ntp_crypto.c file due to improper
validation of the 'vallen' value in extension fields. An
unauthenticated, remote attacker can exploit this, via
specially crafted autokey packets, to disclose
sensitive information or cause a denial of service.
(CVE-2015-7691)

- A denial of service vulnerability exists in the autokey
functionality due to a failure in the crypto_bob2(),
crypto_bob3(), and cert_sign() functions to properly
validate the 'vallen' value. An unauthenticated, remote
attacker can exploit this, via specially crafted autokey
packets, to crash the NTP service. (CVE-2015-7692)

- A denial of service vulnerability exists in the
crypto_recv() function in the file ntp_crypto.c related
to autokey functionality. An unauthenticated, remote
attacker can exploit this, via an ongoing flood of NTPv4
autokey requests, to exhaust memory resources.
(CVE-2015-7701)

- A denial of service vulnerability exists due to improper
validation of packets containing certain autokey
operations. An unauthenticated, remote attacker can
exploit this, via specially crafted autokey packets,
to crash the NTP service. (CVE-2015-7702)

- A denial of service vulnerability exists due to a logic
flaw in the authreadkeys() function in the file
authreadkeys.c when handling extended logging where the
log and key files are set to be the same file. An
authenticated, remote attacker can exploit this, via a
crafted set of remote configuration requests, to cause
the NTP service to stop responding. (CVE-2015-7850)

- An overflow condition exists in the
read_refclock_packet() function in the file ntp_io.c
when handling negative data lengths. A local attacker
can exploit this to crash the NTP service or possibly
gain elevated privileges. (CVE-2015-7853)

- A denial of service vulnerability exists due to an
assertion flaw in the decodenetnum() function in the
file decodenetnum.c when handling long data values in
mode 6 and 7 packets. An unauthenticated, remote
attacker can exploit this to crash the NTP service.
(CVE-2015-7855)

This plugin has been deprecated to better accommodate iFix
supersedence with replacement plugin aix_ntp_v3_advisory4.nasl (plugin
id 102321).

See also :

http://aix.software.ibm.com/aix/efixes/security/ntp_advisory4.asc
https://www.tenable.com/security/research/tra-2015-04

Solution :

n/a

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score : 6.4
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true
