AIX NTP v4 Advisory : ntp_advisory7.asc (IV87278) (IV87279)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote AIX host has a version of NTP installed that is affected
by multiple vulnerabilities.

Description :

The version of NTP installed on the remote AIX host is affected by
the following vulnerabilities :

- A time serving flaw exists in the trusted key system
due to improper key checks. An authenticated, remote
attacker can exploit this to perform impersonation
attacks between authenticated peers. (CVE-2015-7974)

- A denial of service vulnerability exists due to improper
handling of a crafted Crypto NAK Packet with a source
address spoofed to match that of an existing associated
peer. An unauthenticated, remote attacker can exploit
this to demobilize a client association. (CVE-2016-1547)

- An information disclosure vulnerability exists in the
message authentication functionality in libntp that is
triggered during the handling of a series of specially
crafted messages. An adjacent attacker can exploit this
to partially recover the message digest key.
(CVE-2016-1550)

- A flaw exists due to improper filtering of IPv4 'bogon'
packets received from a network. An unauthenticated,
remote attacker can exploit this to spoof packets to
appear to come from a specific reference clock.
(CVE-2016-1551)

- A denial of service vulnerability exists that allows an
authenticated, remote attacker to manipulate the value
of the trustedkey, controlkey, or requestkey via a
crafted packet, preventing authentication with ntpd
until the daemon has been restarted. (CVE-2016-2517)

- An out-of-bounds read error exists in the MATCH_ASSOC()
function that occurs during the creation of peer
associations with hmode greater than 7. An
authenticated, remote attacker can exploit this, via a
specially crafted packet, to cause a denial of service.
(CVE-2016-2518)

- An overflow condition exists in the ctl_getitem()
function in ntpd due to improper validation of
user-supplied input when reporting return values. An
authenticated, remote attacker can exploit this to cause
ntpd to abort. (CVE-2016-2519)

- A denial of service vulnerability exists when handling
authentication due to improper packet timestamp checks.
An unauthenticated, remote attacker can exploit this,
via a specially crafted and spoofed packet, to
demobilize the ephemeral associations. (CVE-2016-4953)

- A flaw exists that is triggered when handling spoofed
packets. An unauthenticated, remote attacker can exploit
this, via specially crafted packets, to affect peer
variables (e.g., cause leap indications to be set). Note
that the attacker must be able to spoof packets with
correct origin timestamps from servers before expected
response packets arrive. (CVE-2016-4954)

- A flaw exists that is triggered when handling spoofed
packets. An unauthenticated, remote attacker can exploit
this, via specially crafted packets, to reset autokey
associations. Note that the attacker must be able to
spoof packets with correct origin timestamps from
servers before expected response packets arrive.
(CVE-2016-4955)

- A denial of service vulnerability exists when handling
CRYPTO_NAK packets that allows an unauthenticated,
remote attacker to cause a crash. (CVE-2016-4957)

See also :

http://aix.software.ibm.com/aix/efixes/security/ntp_advisory7.asc

Solution :

A fix is available and can be downloaded from the IBM AIX website.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVSS Temporal Score : 3.7
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false