Network Time Protocol Daemon (ntpd) 4.x < 4.2.8p10 Multiple Vulnerabilities

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote NTP server is affected by multiple vulnerabilities.

Description :

The version of the remote NTP server is 4.x prior to 4.2.8p10. It is,
therefore, affected by the following vulnerabilities :

- A denial of service vulnerability exists in the
receive() function within file ntpd/ntp_proto.c due to
the expected origin timestamp being cleared when a
packet with a zero origin timestamp is received. An
unauthenticated, remote attacker can exploit this issue,
via specially crafted network packets, to reset the
expected origin timestamp for a target peer, resulting
in legitimate replies being dropped. (CVE-2016-9042)

- An out-of-bounds write error exists in the mx4200_send()
function within file ntpd/refclock_mx4200.c due to
improper handling of the return value of the snprintf()
and vsnprintf() functions. An unauthenticated, remote
attacker can exploit this to cause a denial of service
condition or possibly the execution of arbitrary code.
However, neither the researcher nor vendor could find
any exploitable code path. (CVE-2017-6451)

- A stack-based buffer overflow condition exists in the
addSourceToRegistry() function within file
ports/winnt/instsrv/instsrv.c due to improper validation
of certain input when adding registry keys. A local
attacker can exploit this to execute arbitrary code.
(CVE-2017-6452)

- A flaw exists due to dynamic link library (DLL) files
being preloaded when they are defined in the inherited
environment variable 'PPSAPI_DLLS'. A local attacker can
exploit this, via specially crafted DLL files, to
execute arbitrary code with elevated privileges.
(CVE-2017-6455)

- Multiple stack-based buffer overflow conditions exist in
various wrappers around the ctl_putdata() function
within file ntpd/ntp_control.c due to improper
validation of certain input from the ntp.conf file.
An unauthenticated, remote attacker can exploit these,
by convincing a user to deploy a specially crafted
ntp.conf file, to cause a denial of service condition
or possibly the execution of arbitrary code.
(CVE-2017-6458)

- A flaw exists in the addKeysToRegistry() function within
file ports/winnt/instsrv/instsrv.c when running the
Windows installer due to improper termination of strings
used for adding registry keys, which may cause malformed
registry entries to be created. A local attacker can
exploit this issue to possibly disclose sensitive memory
contents. (CVE-2017-6459)

- A stack-based buffer overflow condition exists in the
reslist() function within file ntpq/ntpq-subs.c when
handling server responses due to improper validation of
certain input. An unauthenticated, remote attacker can
exploit this, by convincing a user to connect to a
malicious NTP server and by using a specially crafted
server response, to cause a denial of service condition
or the execution of arbitrary code. (CVE-2017-6460)

- A stack-based buffer overflow condition exists in the
datum_pts_receive() function within file
ntpd/refclock_datum.c when handling packets
from the '/dev/datum' device due to improper validation
of certain input. A local attacker can exploit this to
cause a denial of service condition or the execution of
arbitrary code. (CVE-2017-6462)

- A denial of service vulnerability exists within file
ntpd/ntp_config.c when handling 'unpeer' configuration
options. An authenticated, remote attacker can exploit
this issue, via an 'unpeer' option value of '0', to
crash the ntpd daemon. (CVE-2017-6463)

- A denial of service vulnerability exists when handling
configuration directives. An authenticated, remote
attacker can exploit this, via a malformed 'mode'
configuration directive, to crash the ntpd daemon.
(CVE-2017-6464)

- A flaw exists in the ntpq_stripquotes() function within
file ntpq/libntpq.c due to the function returning an
incorrect value. An unauthenticated, remote attacker can
possibly exploit this to have an unspecified impact.
(VulnDB 154204)

- An off-by-one overflow condition exists in the
oncore_receive() function in file ntpd/refclock_oncore.c
that possibly allows an unauthenticated, remote attacker
to have an unspecified impact. (VulnDB 154208)

- A flaw exists due to certain code locations not invoking
the appropriate ereallocarray() and eallocarray()
functions. An unauthenticated, remote attacker can
possibly exploit this to have an unspecified impact.
(VulnDB 154210)

- A flaw exists due to the static inclusion of unused code
from the libisc, libevent, and libopts libraries. An
unauthenticated, remote attacker can possibly exploit
this to have an unspecified impact. (VulnDB 154211)

- A security weakness exists in the Makefile due to a
failure to provide compile or link flags to offer
hardened security options by default. (VulnDB 154458)
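
The snprintf()/vsnprintf() return-value issue named for CVE-2017-6451 is a
general C pitfall: both functions return the number of characters that
would have been written given unlimited space, not the number actually
stored. The following illustration is added here and is not ntpd's code;
the buffer size, field names and inputs are constructed for the demo. It
shows the offset arithmetic that overruns a buffer (without performing the
out-of-bounds write) beside a bounded append that checks the return value
against the space remaining.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define OUT_SIZE 16   /* constructed, deliberately small for the demo */

/*
 * Unsafe pattern: the write offset is advanced by snprintf()'s return
 * value, which is not clamped to the space available. With a long field
 * the offset ends up beyond the buffer, so the next formatted write would
 * land out of bounds. This function only returns the offset the pattern
 * would compute; it never writes through it, so the demo stays memory-safe.
 */
size_t unsafe_offset_after(const char *field)
{
    char out[OUT_SIZE];
    size_t off = 0;

    off += (size_t)snprintf(out, sizeof out, "%s,", field);
    /* The vulnerable continuation would be:
     *   snprintf(out + off, sizeof out - off, "%s", next_field);
     * with off > sizeof out, out + off points past the end and the
     * size argument wraps around to a huge value. */
    return off;
}

/*
 * Bounded append: compares the return value with the space left, reports
 * truncation instead of advancing past the end, and keeps the offset on
 * the terminating NUL.
 */
int append_field(char *out, size_t size, size_t *off, const char *text)
{
    int n;

    if (size == 0 || *off >= size)
        return -1;
    n = snprintf(out + *off, size - *off, "%s", text);
    if (n < 0)
        return -1;
    if ((size_t)n >= size - *off) {
        *off = size - 1;            /* full: NUL sits at out[size - 1] */
        return -1;                  /* truncated, caller must not continue */
    }
    *off += (size_t)n;
    return 0;
}

/* Builds "field1,field2" into out. Returns 0 on success, -1 if it did not
 * fit; out always holds a NUL-terminated (possibly truncated) string. */
int build_record(char *out, size_t size, const char *field1, const char *field2)
{
    size_t off = 0;

    if (size == 0)
        return -1;
    out[0] = '\0';
    if (append_field(out, size, &off, field1) < 0)
        return -1;
    if (append_field(out, size, &off, ",") < 0)
        return -1;
    return append_field(out, size, &off, field2);
}

int main(void)
{
    char buf[OUT_SIZE];
    const char *longfield = "averyveryverylongfield";   /* constructed input */

    printf("unsafe offset after long field: %zu (buffer is %d bytes)\n",
           unsafe_offset_after(longfield), OUT_SIZE);
    if (build_record(buf, sizeof buf, longfield, "x") < 0)
        printf("bounded build truncated safely: \"%s\"\n", buf);
    if (build_record(buf, sizeof buf, "GPS", "41.2") == 0)
        printf("bounded build ok: \"%s\"\n", buf);
    return 0;
}
```

The bounded version treats a return value greater than or equal to the
remaining space as a hard stop; the unsafe version treats it as progress.
That single comparison is the difference between a truncated record and an
out-of-bounds write.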

See also :

http://www.nessus.org/u?68156231
http://support.ntp.org/bin/view/Main/NtpBug3361
http://support.ntp.org/bin/view/Main/NtpBug3376
http://support.ntp.org/bin/view/Main/NtpBug3377
http://support.ntp.org/bin/view/Main/NtpBug3378
http://support.ntp.org/bin/view/Main/NtpBug3379
http://support.ntp.org/bin/view/Main/NtpBug3380
http://support.ntp.org/bin/view/Main/NtpBug3381
http://support.ntp.org/bin/view/Main/NtpBug3382
http://support.ntp.org/bin/view/Main/NtpBug3383
http://support.ntp.org/bin/view/Main/NtpBug3384
http://support.ntp.org/bin/view/Main/NtpBug3385
http://support.ntp.org/bin/view/Main/NtpBug3386
http://support.ntp.org/bin/view/Main/NtpBug3387
http://support.ntp.org/bin/view/Main/NtpBug3388
http://support.ntp.org/bin/view/Main/NtpBug3389

Solution :

Upgrade to NTP version 4.2.8p10 or later.
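
To decide whether a host needs this upgrade, the reported ntpd version has
to be placed against the affected range "4.x prior to 4.2.8p10". The
following is an added example, not Tenable's plugin code: it parses a
version of the form A.B.C or A.B.CpN, treats a missing pN suffix as patch
level 0 (4.2.8 precedes 4.2.8p1), and compares against 4.2.8p10. It also
accepts the token as it appears in an ntpd banner, where an '@' build
identifier follows the version (assumed format, e.g. "4.2.8p9@1.3265-o").

```c
#include <stdio.h>
#include <string.h>

struct ntp_version {
    int major, minor, point, patch;   /* 4.2.8p10 -> 4, 2, 8, 10 */
};

/* Parses "A.B.C" or "A.B.CpN", optionally followed by '@' or a space.
 * Returns 1 on success, 0 if the string is not a version token. */
int parse_ntp_version(const char *s, struct ntp_version *v)
{
    int n = 0;

    v->patch = 0;
    /* %n records how many characters the three numbers consumed */
    if (sscanf(s, "%d.%d.%d%n", &v->major, &v->minor, &v->point, &n) != 3 || n == 0)
        return 0;
    s += n;
    if (*s == 'p') {
        if (sscanf(s + 1, "%d%n", &v->patch, &n) != 1)
            return 0;
        s += 1 + n;
    }
    /* end of token, or the start of the build id in a banner */
    return *s == '\0' || *s == '@' || *s == ' ';
}

/* Lexicographic comparison of the four components. */
int cmp_ntp_version(const struct ntp_version *a, const struct ntp_version *b)
{
    if (a->major != b->major) return a->major < b->major ? -1 : 1;
    if (a->minor != b->minor) return a->minor < b->minor ? -1 : 1;
    if (a->point != b->point) return a->point < b->point ? -1 : 1;
    if (a->patch != b->patch) return a->patch < b->patch ? -1 : 1;
    return 0;
}

/* Returns 1 if the version is in the 4.x series and earlier than 4.2.8p10,
 * 0 if it is 4.2.8p10 or later or not 4.x at all, -1 if unparsable. */
int ntpd_affected(const char *version)
{
    const struct ntp_version fixed = { 4, 2, 8, 10 };
    struct ntp_version v;

    if (!parse_ntp_version(version, &v))
        return -1;
    if (v.major != 4)
        return 0;
    return cmp_ntp_version(&v, &fixed) < 0 ? 1 : 0;
}

int main(void)
{
    /* constructed sample banners */
    const char *samples[] = { "4.2.8p9@1.3265-o", "4.2.8", "4.2.8p10", "4.3.94", "ntpd" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = ntpd_affected(samples[i]);
        printf("%-20s %s\n", samples[i],
               r == 1 ? "affected" : r == 0 ? "not affected" : "unparsable");
    }
    return 0;
}
```

An unparsable result is reported separately rather than folded into
"not affected", so a banner the parser does not recognise shows up for
manual review instead of silently passing.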

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false
