Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p7 Multiple Vulnerabilities

This script is Copyright (C) 2016 Tenable Network Security, Inc.
Synopsis :

The remote NTP server is affected by multiple vulnerabilities.

Description :

The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p7.
It is, therefore, affected by the following vulnerabilities :

- A denial of service vulnerability exists due to improper
validation of the origin timestamp field when handling a
Kiss-of-Death (KoD) packet. An unauthenticated, remote
attacker can exploit this to cause a client to stop
querying its servers, preventing the client from
updating its clock. (CVE-2015-7704)

- A flaw exists in the receive() function in ntp_proto.c
that allows packets with an origin timestamp of zero to
bypass security checks. An unauthenticated, remote
attacker can exploit this to spoof arbitrary content.
(CVE-2015-8138)

- A denial of service vulnerability exists due to improper
handling of a crafted Crypto NAK Packet with a source
address spoofed to match that of an existing associated
peer. An unauthenticated, remote attacker can exploit
this to demobilize a client association. (CVE-2016-1547)

- A denial of service vulnerability exists due to improper
handling of packets spoofed to appear to be from a valid
ntpd server. An unauthenticated, remote attacker can
exploit this to cause NTP to switch from basic
client/server mode to interleaved symmetric mode,
causing the client to reject future legitimate
responses. (CVE-2016-1548)

- A race condition exists that is triggered during the
handling of a saturation of ephemeral associations. An
authenticated, remote attacker can exploit this to
defeat NTP's clock selection algorithm and modify a
user's clock. (CVE-2016-1549)

- An information disclosure vulnerability exists in the
message authentication functionality in libntp that is
triggered during the handling of a series of specially
crafted messages. An adjacent attacker can exploit this
to partially recover the message digest key.
(CVE-2016-1550)

- A flaw exists due to improper filtering of IPv4 'bogon'
packets received from a network. An unauthenticated,
remote attacker can exploit this to spoof packets to
appear to come from a specific reference clock.
(CVE-2016-1551)

- A denial of service vulnerability exists that allows an
authenticated, remote attacker that has knowledge of the
controlkey for ntpq or the requestkey for ntpdc to
create a session with the same IP twice on an
unconfigured directive line, causing ntpd to abort.
(CVE-2016-2516)

- A denial of service vulnerability exists that allows an
authenticated, remote attacker to manipulate the value
of the trustedkey, controlkey, or requestkey via a
crafted packet, preventing authentication with ntpd
until the daemon has been restarted. (CVE-2016-2517)

- An out-of-bounds read error exists in the MATCH_ASSOC()
function that occurs during the creation of peer
associations with hmode greater than 7. An
authenticated, remote attacker can exploit this, via a
specially crafted packet, to cause a denial of service.
(CVE-2016-2518)

- An overflow condition exists in the ctl_getitem()
function in ntpd due to improper validation of
user-supplied input when reporting return values. An
authenticated, remote attacker can exploit this to cause
ntpd to abort. (CVE-2016-2519)

See also :

http://support.ntp.org/bin/view/Main/SecurityNotice
http://www.nessus.org/u?4a6d1cf4

Solution :

Upgrade to NTP version 4.2.8p7 or later.
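The affected range stated above ("3.x or 4.x prior to 4.2.8p7") reduces to a version comparison. The following is an added Python example, not Tenable's plugin code, that parses an ntpd version banner and applies that comparison; it assumes the banner is the version string ntpd reports (for instance in the readvar `version=` field), and the `3-5.93e` form for old 3.x builds is an assumption.

```python
import re
from typing import Optional, Tuple

# Fixed release named in the advisory: ntpd 4.2.8p7 (major, minor, point, patch-level).
FIXED = (4, 2, 8, 7)

# Version token as ntpd prints it, e.g. "4.2.8p6". The "pN" patch level is optional,
# so a bare "4.2.8" parses as patch 0. The "3-5.93e" layout of old xntp3 builds is an
# assumption here; any 3.x major is treated as affected regardless of what follows.
_VERSION_RE = re.compile(r"(\d+)[.-](\d+)(?:\.(\d+))?(?:p(\d+))?")


def parse_ntp_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, point, patch) from a version banner, or None if absent."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, point, patch = m.groups()
    return (int(major), int(minor), int(point or 0), int(patch or 0))


def is_affected(banner: str) -> Optional[bool]:
    """True if the banner is ntpd 3.x or 4.x below 4.2.8p7, False if fixed or outside
    those lines, None if no version was found (treat None as unknown, not as safe)."""
    v = parse_ntp_version(banner)
    if v is None:
        return None
    if v[0] == 3:
        return True            # every 3.x release predates the fix
    if v[0] != 4:
        return False           # the advisory only covers the 3.x and 4.x lines
    return v < FIXED           # tuple order: 4.2.7p425 < 4.2.8p0 < 4.2.8p7


if __name__ == "__main__":
    # Constructed sample banners in the style of ntpq's "version=" readvar field.
    for banner in ("ntpd 4.2.8p6@1.3265-o Sat Jan  9 03:25:15 UTC 2016 (1)",
                   "ntpd 4.2.8p7@1.3265-o", "xntpd 3-5.93e", "unknown"):
        print(f"{banner!r}: affected={is_affected(banner)}")
```

Distribution packages often backport fixes without changing the upstream version string, so a banner check alone can produce false positives; confirm against the vendor's advisory before acting on the result.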

Risk factor :

Medium / CVSS Base Score : 6.4
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P)
CVSS Temporal Score : 4.7
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false
