FreeBSD : FreeBSD -- Multiple vulnerabilities of ntp (fcedcdbb-c86e-11e6-b1cf-14dae9d210b8)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote FreeBSD host is missing one or more security-related
updates.

Description :

Multiple vulnerabilities have been discovered in the NTP suite :

CVE-2016-9311: Trap crash. Reported by Matthew Van Gundy of Cisco
ASIG.

CVE-2016-9310: Mode 6 unauthenticated trap information disclosure and
DDoS vector. Reported by Matthew Van Gundy of Cisco ASIG.

CVE-2016-7427: Broadcast Mode Replay Prevention DoS. Reported by
Matthew Van Gundy of Cisco ASIG.

CVE-2016-7428: Broadcast Mode Poll Interval Enforcement DoS. Reported
by Matthew Van Gundy of Cisco ASIG.

CVE-2016-7431: Regression: 010-origin: Zero Origin Timestamp Bypass.
Reported by Sharon Goldberg and Aanchal Malhotra of Boston University.

CVE-2016-7434: NULL pointer dereference in
_IO_str_init_static_internal(). Reported by Magnus Stubman.

CVE-2016-7426: Client rate limiting and server responses. Reported by
Miroslav Lichvar of Red Hat.

CVE-2016-7433: Reboot sync calculation problem. Reported independently
by Brian Utterback of Oracle, and by Sharon Goldberg and Aanchal
Malhotra of Boston University.

Impact :

A remote attacker can send a specially crafted packet to cause a NULL
pointer dereference that will crash ntpd, resulting in a Denial of
Service. [CVE-2016-9311]

An exploitable configuration modification vulnerability exists in the
control mode (mode 6) functionality of ntpd. If, against long-standing
BCP recommendations, 'restrict default noquery ...' is not specified,
a specially crafted control mode packet sent by a remote attacker can
set ntpd traps, providing information disclosure and DDoS
amplification, and unset ntpd traps, disabling legitimate monitoring.
[CVE-2016-9310]
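The check below is an added example, not part of the plugin or of ntpd: it audits ntp.conf text for the 'restrict default noquery ...' recommendation above and reports which address families still answer mode 6 queries by default. The function names and sample configurations are constructed; the parsing is simplified and assumes that a bare 'default' covers both IPv4 and IPv6, that flags from repeated default lines accumulate, and that 'ignore' also blocks queries.

```python
# Flags that stop ntpd from answering control mode (mode 6) queries.
BLOCKING_FLAGS = {"noquery", "ignore"}

def default_restrict_status(conf_text):
    """Map family ('4'/'6') to True when its default entry blocks queries.
    A family missing from the result has no 'restrict default' entry."""
    status = {}
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # drop comments
        if len(tokens) < 2 or tokens[0].lower() != "restrict":
            continue
        args = tokens[1:]
        families = ("4", "6")                      # assumption: bare default = both
        if args[0] in ("-4", "-6"):
            families = (args[0][1],)
            args = args[1:]
        if not args or args[0].lower() != "default":
            continue                               # per-host entries are out of scope
        blocked = bool(BLOCKING_FLAGS & {a.lower() for a in args[1:]})
        for fam in families:
            # assumption: flags from repeated lines are ORed together
            status[fam] = status.get(fam, False) or blocked
    return status

def mode6_exposed_families(conf_text):
    """Return the families whose default policy still allows mode 6 queries."""
    status = default_restrict_status(conf_text)
    return ["IPv" + fam for fam in ("4", "6") if not status.get(fam, False)]

# Constructed sample configurations (not taken from any real host).
WEAK_CONF = """\
server 0.pool.example iburst
restrict default nomodify notrap
# restrict default noquery
restrict 127.0.0.1
"""
HARDENED_CONF = """\
server 0.pool.example iburst
restrict default limited kod nomodify notrap noquery nopeer
restrict 127.0.0.1
"""
V4_ONLY_CONF = "restrict -4 default kod nomodify noquery\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF),
                       ("v4-only", V4_ONLY_CONF)):
        print(name, "->", mode6_exposed_families(conf) or "default noquery in place")
```

A clean result covers only the default policy; explicit per-address restrict lines without noquery still permit queries from those addresses.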

An attacker with access to the NTP broadcast domain can periodically
inject specially crafted broadcast mode NTP packets into the broadcast
domain which, while being logged by ntpd, can cause ntpd to reject
broadcast mode packets from legitimate NTP broadcast servers.
[CVE-2016-7427]

An attacker with access to the NTP broadcast domain can send specially
crafted broadcast mode NTP packets to the broadcast domain which,
while being logged by ntpd, will cause ntpd to reject broadcast mode
packets from legitimate NTP broadcast servers. [CVE-2016-7428]

Origin timestamp problems were fixed in ntp 4.2.8p6. However,
subsequent timestamp validation checks introduced a regression in the
handling of some Zero origin timestamp checks. [CVE-2016-7431]

If ntpd is configured to allow mrulist query requests from a server
that sends a crafted malicious packet, ntpd will crash on receipt of
that crafted malicious mrulist query packet. [CVE-2016-7434]

An attacker who knows the sources (e.g., from an IPv4 refid in server
response) and knows the system is (mis)configured in this way can
periodically send packets with spoofed source address to keep the rate
limiting activated and prevent ntpd from accepting valid responses
from its sources. [CVE-2016-7426]

Ntp Bug 2085 described a condition where the root delay was included
twice, causing the jitter value to be higher than expected. Due to a
misinterpretation of a small-print variable in The Book, the fix for
this problem was incorrect, resulting in a root distance that did not
include the peer dispersion. The calculations and formulas have been
reviewed and reconciled, and the code has been updated accordingly.
[CVE-2016-7433]

See also :

http://www.nessus.org/u?dc8befee

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.1
(CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C)

Family: FreeBSD Local Security Checks

Nessus Plugin ID: 96123

Bugtraq ID:

CVE ID: CVE-2016-7426
CVE-2016-7427
CVE-2016-7428
CVE-2016-7431
CVE-2016-7433
CVE-2016-7434
CVE-2016-9310
CVE-2016-9311
