Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p7 Multiple Vulnerabilities

High Nessus Plugin ID 90923

Synopsis

The remote NTP server is affected by multiple vulnerabilities.

Description

The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p7.
It is, therefore, affected by the following vulnerabilities :

- A denial of service vulnerability exists due to improper validation of the origin timestamp field when handling a Kiss-of-Death (KoD) packet. An unauthenticated, remote attacker can exploit this to cause a client to stop querying its servers, preventing the client from updating its clock. (CVE-2015-7704)

- A flaw exists in the receive() function in ntp_proto.c that allows packets with an origin timestamp of zero to bypass security checks. An unauthenticated, remote attacker can exploit this to spoof arbitrary content.
(CVE-2015-8138)

- A denial of service vulnerability exists due to improper handling of a crafted Crypto NAK Packet with a source address spoofed to match that of an existing associated peer. An unauthenticated, remote attacker can exploit this to demobilize a client association. (CVE-2016-1547)

- A denial of service vulnerability exists due to improper handling of packets spoofed to appear to be from a valid ntpd server. An unauthenticated, remote attacker can exploit this to cause NTP to switch from basic client/server mode to interleaved symmetric mode, causing the client to reject future legitimate responses. (CVE-2016-1548)

- A race condition exists that is triggered during the handling of a saturation of ephemeral associations. An authenticated, remote attacker can exploit this to defeat NTP's clock selection algorithm and modify a user's clock. (CVE-2016-1549)

- An information disclosure vulnerability exists in the message authentication functionality in libntp that is triggered during the handling of a series of specially crafted messages. An adjacent attacker can exploit this to partially recover the message digest key.
(CVE-2016-1550)

- A flaw exists due to improper filtering of IPv4 'bogon' packets received from a network. An unauthenticated, remote attacker can exploit this to spoof packets to appear to come from a specific reference clock.
(CVE-2016-1551)

- A denial of service vulnerability exists that allows an authenticated, remote attacker that has knowledge of the controlkey for ntpq or the requestkey for ntpdc to create a session with the same IP twice on an unconfigured directive line, causing ntpd to abort.
(CVE-2016-2516)

- A denial of service vulnerability exists that allows an authenticated, remote attacker to manipulate the value of the trustedkey, controlkey, or requestkey via a crafted packet, preventing authentication with ntpd until the daemon has been restarted. (CVE-2016-2517)

- An out-of-bounds read error exists in the MATCH_ASSOC() function that occurs during the creation of peer associations with hmode greater than 7. An authenticated, remote attacker can exploit this, via a specially crafted packet, to cause a denial of service.
(CVE-2016-2518)

- An overflow condition exists in the ctl_getitem() function in ntpd due to improper validation of user-supplied input when reporting return values. An authenticated, remote attacker can exploit this to cause ntpd to abort. (CVE-2016-2519)

Solution

Upgrade to NTP version 4.2.8p7 or later.

See Also

http://support.ntp.org/bin/view/Main/SecurityNotice

http://www.nessus.org/u?4a6d1cf4

Plugin Details

Severity: High

ID: 90923

File Name: ntp_4_2_8p7.nasl

Version: 1.14

Type: remote

Family: Misc.

Published: 2016/05/05

Updated: 2019/01/22

Dependencies: 10884

Configuration: Enable paranoid mode

Risk Information

Risk Factor: High

CVSS Score Source: CVE-2016-2516

CVSS v2.0

Base Score: 7.1

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:ntp:ntp

Required KB Items: NTP/Running, Settings/ParanoidReport

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2016/04/26

Vulnerability Publication Date: 2015/10/06

Reference Information

CVE: CVE-2015-7704, CVE-2015-8138, CVE-2016-1547, CVE-2016-1548, CVE-2016-1549, CVE-2016-1550, CVE-2016-1551, CVE-2016-2516, CVE-2016-2517, CVE-2016-2518, CVE-2016-2519, CVE-2015-7974, CVE-2015-7705, CVE-2015-7704

BID: 88180, 88189, 88200, 88204, 88219, 88226, 88261, 88264, 88276

CERT: 718152