AIX 6.1 TL 9 : ntp (IV87419) (deprecated)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

This plugin has been deprecated.

Description :

NTPv3 and NTPv4 are vulnerable to :

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974

NTP could allow a remote authenticated attacker to conduct spoofing
attacks, caused by a missing key check. An attacker could exploit this
vulnerability to impersonate a peer.

NTP could allow a local attacker to bypass security restrictions,
caused by the failure to use a constant-time memory comparison function
when validating the authentication digest on incoming packets. By
sending a specially crafted packet with an authentication payload, an
attacker could exploit this vulnerability to conduct a timing attack to
compute the value of the valid authentication digest.

While the majority of OSes implement martian packet filtering in their
network stack, at least regarding 127.0.0.0/8, a rare few will allow
packets claiming to be from 127.0.0.0/8 that arrive over a physical
network. On these OSes, if ntpd is configured to use a reference clock,
an attacker can inject packets over the network that look like they are
coming from that reference clock.

If ntpd was expressly configured to allow remote configuration, a
malicious user who knows the controlkey for ntpq or the requestkey for
ntpdc (if mode7 is expressly enabled) can create a session with ntpd
and then send a crafted packet to ntpd that will change the value of
the trustedkey, controlkey, or requestkey to a value that will prevent
any subsequent authentication with ntpd until ntpd is restarted.

NTP is vulnerable to a denial of service, caused by an error when using
a specially crafted packet to create a peer association with hmode > 7.
An attacker could exploit this vulnerability to cause the MATCH_ASSOC()
function to trigger an out-of-bounds read.

NTP is vulnerable to a denial of service, caused by the failure to
always check the ctl_getitem() function return value. By sending an
overly large value, an attacker could exploit this vulnerability to
cause a denial of service.

NTP is vulnerable to a denial of service, caused by the demobilization
of a preemptable client association. By sending specially crafted
crypto NAK packets, an attacker could exploit this vulnerability to
cause a denial of service.

NTP is vulnerable to a denial of service, caused by the improper
handling of packets. By sending specially crafted CRYPTO_NAK packets,
an attacker could exploit this vulnerability to cause ntpd to crash.

NTP is vulnerable to a denial of service, caused by the improper
handling of packets. By sending specially crafted CRYPTO_NAK packets to
an ephemeral peer target prior to a response being sent, a remote
attacker could exploit this vulnerability to demobilize the ephemeral
association.

NTP is vulnerable to a denial of service, caused by the improper
handling of packets. By sending spoofed server packets with correct
origin timestamps, a remote attacker could exploit this vulnerability
to cause a false leap indication to be set.

NTP is vulnerable to a denial of service, caused by the improper
handling of packets. By sending spoofed CRYPTO_NAK or bad-MAC packets
with correct origin timestamps, a remote attacker could exploit this
vulnerability to cause the autokey association to reset.
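The digest-validation weakness above comes from a comparison that stops at the first mismatching byte, so the time taken depends on how many leading bytes of a guess are correct. The following Python snippet is an added illustration, not code from this plugin or from the ntpd project: it places a naive early-exit comparison beside a fixed-time one (hmac.compare_digest from the standard library) and reports how many bytes the naive version examined, which is exactly the quantity a timing attacker would be inferring from response latency. The digest values are constructed sample data, not real NTP traffic.

```python
from __future__ import annotations

import hmac

# Constructed sample "valid" digest (16 bytes, MD5-sized); not real NTP data.
VALID_DIGEST = bytes.fromhex("00112233445566778899aabbccddeeff")


def naive_compare(received: bytes, expected: bytes) -> tuple[bool, int]:
    """Early-exit, byte-by-byte comparison (the weak pattern).

    Returns (equal, bytes_examined). The second value is the work the
    function did before deciding, and it grows by one for every leading
    byte of `received` that matches `expected`. On a real system that
    count shows up as a small latency difference per guess.
    """
    if len(received) != len(expected):
        return False, 0
    examined = 0
    for got, want in zip(received, expected):
        examined += 1
        if got != want:
            return False, examined  # stops as soon as a byte differs
    return True, examined


def constant_time_compare(received: bytes, expected: bytes) -> bool:
    """Fixed-time comparison (the hardened pattern).

    hmac.compare_digest walks every byte regardless of where the first
    mismatch is, so the caller's timing no longer depends on how close
    the guess was.
    """
    return hmac.compare_digest(received, expected)


def leak_profile(expected: bytes, guesses: list[bytes]) -> list[int]:
    """Bytes examined by the naive comparison for each guess.

    A strictly increasing profile across guesses that share longer
    correct prefixes is the signal a timing attack relies on; the
    constant-time version has no such profile to observe.
    """
    return [naive_compare(guess, expected)[1] for guess in guesses]


if __name__ == "__main__":
    # Constructed guesses: wrong at byte 1, wrong at byte 4, fully correct.
    samples = [
        bytes.fromhex("ff112233445566778899aabbccddeeff"),
        bytes.fromhex("001122ff445566778899aabbccddeeff"),
        VALID_DIGEST,
    ]
    for guess, examined in zip(samples, leak_profile(VALID_DIGEST, samples)):
        print(guess.hex(), "naive examined", examined,
              "constant-time result", constant_time_compare(guess, VALID_DIGEST))
```

When reviewing a MAC or digest check in any daemon, the property to look for is the one `constant_time_compare` has: the decision path, and therefore the elapsed time, must not depend on the position of the first differing byte.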

This plugin has been deprecated to better accommodate iFix
supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin
id 102128).

See also :

http://aix.software.ibm.com/aix/efixes/security/ntp_advisory7.asc

Solution :

n/a

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
