Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p6 Multiple Vulnerabilities
medium Nessus Plugin ID 88054
Language:
New! Plugin Severity Now Using CVSS v3
The calculated severity for Plugins has been updated to use CVSS v3 by default. Plugins that do not have a CVSS v3 score will fall back to CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.
Synopsis
The remote NTP server is affected by multiple vulnerabilities.Description
The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p6.It is, therefore, affected by the following vulnerabilities :
- A flaw exists in the receive() function due to the use of authenticated broadcast mode. A man-in-the-middle attacker can exploit this to conduct a replay attack.
(CVE-2015-7973)
- A time serving flaw exists in the trusted key system due to improper key checks. An authenticated, remote attacker can exploit this to perform impersonation attacks between authenticated peers. (CVE-2015-7974)
- An overflow condition exists in the nextvar() function due to improper validation of user-supplied input. A local attacker can exploit this to cause a buffer overflow, resulting in a denial of service condition.
(CVE-2015-7975)
- A flaw exists in ntp_control.c due to improper filtering of special characters in filenames by the saveconfig command. An authenticated, remote attacker can exploit this to inject arbitrary content. (CVE-2015-7976)
- A NULL pointer dereference flaw exists in ntp_request.c that is triggered when handling ntpdc relist commands.
A remote attacker can exploit this, via a specially crafted request, to crash the service, resulting in a denial of service condition. (CVE-2015-7977)
- A flaw exists in ntpdc that is triggered during the handling of the relist command. A remote attacker can exploit this, via recursive traversals of the restriction list, to exhaust available space on the call stack, resulting in a denial of service condition.
CVE-2015-7978)
- An unspecified flaw exists in authenticated broadcast mode. A remote attacker can exploit this, via specially crafted packets, to cause a denial of service condition.
(CVE-2015-7979)
- A flaw exists in the receive() function that allows packets with an origin timestamp of zero to bypass security checks. A remote attacker can exploit this to spoof arbitrary content. (CVE-2015-8138)
- A flaw exists in ntpq and ntpdc that allows a remote attacker to disclose sensitive information in timestamps. (CVE-2015-8139)
- A flaw exists in the ntpq protocol that is triggered during the handling of an improper sequence of numbers.
A man-in-the-middle attacker can exploit this to conduct a replay attack. (CVE-2015-8140)
- A flaw exists in the ntpq client that is triggered when handling packets that cause a loop in the getresponse() function. A remote attacker can exploit this to cause an infinite loop, resulting in a denial of service condition. (CVE-2015-8158)
Solution
Upgrade to NTP version 4.2.8p6 or later.See Also
Plugin Details
Severity: Medium
ID: 88054
File Name: ntp_4_2_8p6.nasl
Version: 1.17
Type: remote
Family: Misc.
Published: 1/21/2016
Updated: 9/17/2018
Dependencies: ntp_open.nasl
Configuration: Enable paranoid mode
Risk Information
CVSS Score Source: CVE-2015-8140
VPR
Risk Factor: Medium
Score: 4.4
CVSS v2
Risk Factor: Medium
Base Score: 5.8
Temporal Score: 4.3
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:P
Temporal Vector: E:U/RL:OF/RC:C
CVSS v3
Risk Factor: Medium
Base Score: 4.8
Temporal Score: 4.2
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L
Temporal Vector: E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:ntp:ntp
Required KB Items: NTP/Running, Settings/ParanoidReport
Exploit Ease: No known exploits are available
Patch Publication Date: 1/19/2016
Vulnerability Publication Date: 1/19/2016
Reference Information
CVE: CVE-2015-7973, CVE-2015-7974, CVE-2015-7975, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8138, CVE-2015-8139, CVE-2015-8140, CVE-2015-8158
BID: 81963, 81811, 81814, 81815, 81816, 81959, 81960, 81962, 82102, 82105
CERT: 718152