Network Time Protocol Daemon (ntpd) 4.x < 4.2.8p9 Multiple Vulnerabilities

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote NTP server is affected by multiple vulnerabilities.

Description :

The version of the remote NTP server is 4.x prior to 4.2.8p9. It is,
therefore, affected by the following vulnerabilities :

- A denial of service vulnerability exists when rate
limiting is configured for all associations: the limits
are then also applied to responses received from the
configured sources. An unauthenticated, remote attacker
can exploit this by periodically sending spoofed
packets that keep rate limiting active, so that ntpd
no longer accepts valid responses from its sources.
(CVE-2016-7426)

- A denial of service vulnerability exists in the
broadcast mode replay prevention functionality. An
unauthenticated, adjacent attacker can exploit this, via
specially crafted broadcast mode NTP packets
periodically injected into the broadcast domain, to
cause ntpd to reject broadcast mode packets from
legitimate NTP broadcast servers. (CVE-2016-7427)

- A denial of service vulnerability exists in the
broadcast mode poll interval functionality. An
unauthenticated, adjacent attacker can exploit this, via
specially crafted broadcast mode NTP packets, to cause
ntpd to reject packets from a legitimate NTP broadcast
server. (CVE-2016-7428)

- A denial of service vulnerability exists in the
handling of server responses that arrive on a socket
bound to a different interface than the one the
request was sent from. An unauthenticated, remote
attacker can exploit this by repeatedly sending
specially crafted packets with spoofed source
addresses, causing ntpd to select the wrong interface
for the source. ntpd then sends no new requests to
that source until its interface list is refreshed,
so it eventually stops synchronizing with the source.
(CVE-2016-7429)

- A flaw exists that allows packets with an origin
timestamp of zero to bypass the origin timestamp
check. An unauthenticated, remote attacker can exploit
this to spoof packets that ntpd would otherwise
reject. (CVE-2016-7431)

- A flaw exists in the synchronization calculations,
where the root delay is included twice, which may
result in a higher jitter value than expected. An
unauthenticated, remote attacker can exploit this to
cause a denial of service condition. (CVE-2016-7433)

- A denial of service vulnerability exists when handling
specially crafted mrulist query packets that allows an
unauthenticated, remote attacker to crash ntpd.
(CVE-2016-7434)

- A flaw exists in the control mode (mode 6) functionality
when handling specially crafted control mode packets. An
unauthenticated, adjacent attacker can exploit this to
set or disable ntpd traps, resulting in the disclosure
of potentially sensitive information, disabling of
legitimate monitoring, or DDoS amplification.
(CVE-2016-9310)

- A NULL pointer dereference flaw exists in the
report_event() function within file ntpd/ntp_control.c
when the trap service handles certain peer events. An
unauthenticated, remote attacker can exploit this, via
a specially crafted packet, to cause a denial of service
condition. (CVE-2016-9311)

- A denial of service vulnerability exists when handling
oversize UDP packets that allows an unauthenticated,
remote attacker to crash ntpd. Note that this
vulnerability only affects Windows versions.
(CVE-2016-9312)
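Until the upgrade is in place, the ntp.conf restrict-based hardening below limits exposure to the control-mode (mode 6) and trap issues listed above (CVE-2016-9310, CVE-2016-9311 and the mrulist query in CVE-2016-7434) by refusing mode 6/7 queries and trap registration from every host except localhost. This is an added example, not text from this advisory or from the NTP project; the server name is a placeholder. It does not address the broadcast-mode items, which are only reachable where broadcast mode is enabled, nor the origin-timestamp and rate-limiting items, which are fixed only by the upgrade.

```conf
# Deny mode 6/7 queries (noquery) and control-message trap service (notrap)
# from everyone by default; time service itself is not affected by these flags.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Keep ntpq/ntpdc working from the local host only.
restrict 127.0.0.1
restrict -6 ::1

# Do not enable broadcastclient unless you rely on broadcast mode;
# CVE-2016-7427 and CVE-2016-7428 are reachable only from the broadcast domain.
# broadcastclient

# Placeholder upstream source (assumed; replace with your own).
server 0.pool.ntp.org iburst
```

After reloading, confirm from a remote host that `ntpq -c rv <server>` times out while it still answers on the server itself; a remote answer means a more specific `restrict` line is overriding the default.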

See also :

http://www.nessus.org/u?08645c8c
http://support.ntp.org/bin/view/Main/NtpBug3067
http://support.ntp.org/bin/view/Main/NtpBug3071
http://support.ntp.org/bin/view/Main/NtpBug3072
http://support.ntp.org/bin/view/Main/NtpBug3082
http://support.ntp.org/bin/view/Main/NtpBug3102
http://support.ntp.org/bin/view/Main/NtpBug3110
http://support.ntp.org/bin/view/Main/NtpBug3113
http://support.ntp.org/bin/view/Main/NtpBug3114
http://support.ntp.org/bin/view/Main/NtpBug3118
http://support.ntp.org/bin/view/Main/NtpBug3119

Solution :

Upgrade to NTP version 4.2.8p9 or later.
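The check below reproduces the version test this advisory describes: it parses the ntpd version string as printed by `ntpd --version` or reported in the `version=` variable of `ntpq -c rv`, and flags any 4.x release below 4.2.8p9 as affected. It is an added example, not Tenable's plugin code; the sample version strings are constructed, and the check covers only the range this advisory states (a release without a pN suffix is treated as patch level 0, and the 4.3 development series is numerically above the fix and therefore reported clean, which is a limitation of this check, not a statement about that branch).

```python
import re
from typing import Optional, Tuple

# Fixed release named in the advisory: 4.2.8p9 -> (major, minor, micro, patch)
FIXED = (4, 2, 8, 9)

# Matches "ntpd 4.2.8p8@1.3265-o ..." as printed by `ntpd --version` and as
# embedded in the version="..." variable of `ntpq -c rv`.
_VER_RE = re.compile(r"\bntpd\s+(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

Version = Tuple[int, int, int, int]


def parse_ntpd_version(text: str) -> Optional[Version]:
    """Return (major, minor, micro, patch) from ntpd/ntpq output, or None.

    A release with no pN suffix (e.g. "4.2.8") gets patch level 0 so that it
    sorts below every 4.2.8pN patch release.
    """
    m = _VER_RE.search(text)
    if not m:
        return None
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro), int(patch or 0))


def is_affected(text: str) -> Optional[bool]:
    """True if the reported version is 4.x and older than 4.2.8p9.

    Returns None when no version string is found, so callers can distinguish
    "not vulnerable" from "could not determine".
    """
    version = parse_ntpd_version(text)
    if version is None:
        return None
    if version[0] != 4:
        return False  # only the 4.x series is in scope of this advisory
    return version < FIXED


def report(samples: dict) -> dict:
    """Map each sample name to 'affected', 'not affected' or 'unknown'."""
    labels = {True: "affected", False: "not affected", None: "unknown"}
    return {name: labels[is_affected(text)] for name, text in samples.items()}


# Constructed sample outputs (not captured from real hosts).
SAMPLES = {
    "ntpq rv, p8": 'version="ntpd 4.2.8p8@1.3265-o Tue Jun  7 19:15:32 UTC 2016 (1)",',
    "ntpd --version, p9": "ntpd 4.2.8p9@1.3265-o Mon Nov 21 18:00:00 UTC 2016 (1)",
    "no patch level": "ntpd 4.2.8@1.3265-o",
    "old p-release": "ntpd 4.2.7p465@1.2483-o",
    "garbage": "associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync,",
}

if __name__ == "__main__":
    for name, verdict in report(SAMPLES).items():
        print(f"{name:22s} {verdict}")
```

In practice feed `is_affected()` the raw `ntpq -c rv` output; on a hardened host that refuses mode 6 queries it will return None, which is the expected result and means the version must be checked locally with `ntpd --version` or from the package manager instead.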

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score : 6.4
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true
