Network Time Protocol Daemon (ntpd) 4.x < 4.2.8p9 Multiple Vulnerabilities

High Nessus Plugin ID 95575

Synopsis

The remote NTP server is affected by multiple vulnerabilities.

Description

The version of the remote NTP server is 4.x prior to 4.2.8p9. It is, therefore, affected by the following vulnerabilities:

- A denial of service vulnerability exists when rate limiting is configured for all associations, because the limits are also applied to responses received from the configured sources. An unauthenticated, remote attacker can exploit this by periodically sending spoofed packets to keep rate limiting active, causing ntpd to drop valid responses from its sources. (CVE-2016-7426)

- A denial of service vulnerability exists in the broadcast mode replay prevention functionality. An unauthenticated, adjacent attacker can exploit this, via specially crafted broadcast mode NTP packets periodically injected into the broadcast domain, to cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers. (CVE-2016-7427)

- A denial of service vulnerability exists in the broadcast mode poll interval functionality. An unauthenticated, adjacent attacker can exploit this, via specially crafted broadcast mode NTP packets, to cause ntpd to reject packets from a legitimate NTP broadcast server. (CVE-2016-7428)

- A denial of service vulnerability exists when a server response arrives on a socket bound to a different interface than the one used to send the request. An unauthenticated, remote attacker can exploit this, by repeatedly sending specially crafted packets with spoofed source addresses, to cause ntpd to select the wrong interface for the source, which prevents it from sending new requests until the interface list is refreshed. This eventually prevents ntpd from synchronizing with the source. (CVE-2016-7429)

- A flaw exists that allows packets with an origin timestamp of zero to bypass security checks. An unauthenticated, remote attacker can exploit this to spoof arbitrary content. (CVE-2016-7431)

- A flaw exists due to the root delay being included twice, which may result in the jitter value being higher than expected. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-7433)

- A denial of service vulnerability exists when handling specially crafted mrulist query packets that allows an unauthenticated, remote attacker to crash ntpd. (CVE-2016-7434)

- A flaw exists in the control mode (mode 6) functionality when handling specially crafted control mode packets. An unauthenticated, adjacent attacker can exploit this to set or disable ntpd traps, resulting in the disclosure of potentially sensitive information, disabling of legitimate monitoring, or DDoS amplification. (CVE-2016-9310)

- A NULL pointer dereference flaw exists in the report_event() function within file ntpd/ntp_control.c when the trap service handles certain peer events. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to cause a denial of service condition. (CVE-2016-9311)

- A denial of service vulnerability exists when handling oversize UDP packets that allows an unauthenticated, remote attacker to crash ntpd. Note that this vulnerability only affects Windows versions. (CVE-2016-9312)

Solution

Upgrade to NTP version 4.2.8p9 or later.
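The following is an added example, not part of the Nessus plugin or of the NTP project's code. It does two things a practitioner checking this finding usually wants: it parses the ntpd version out of `ntpq -c rv` or `ntpd --version` output and applies the plugin's affected range (4.x before 4.2.8p9), and it audits an ntp.conf for `restrict default` lines that lack the standard `noquery` and `notrap` access-control flags, which deny mode 6 queries and mode 6 trap service respectively and so close the query and trap paths used by CVE-2016-7434, CVE-2016-9310 and CVE-2016-9311 until the upgrade lands. The config audit is a mitigation check the plugin itself does not perform; the sample `rv` output and the two ntp.conf fragments are constructed for the example, and development 4.3.x versions are simply treated as newer than 4.2.8p9.

```python
"""Added example (not the Nessus plugin's or NTP's own code): classify an
ntpd version against the 4.x < 4.2.8p9 affected range and audit ntp.conf
'restrict default' lines for the noquery/notrap mitigation flags."""
import re

FIXED = (4, 2, 8, 9)  # 4.2.8p9, the first fixed release named by the plugin

# Matches "ntpd 4.2.8p8@1.3265-o ...", "ntpd 4.2.6p5", "ntpd 4.2.8" (no pN)
_VER_RE = re.compile(r"\bntpd\s+(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_ntpd_version(text):
    """Return (major, minor, patch, p) from `ntpq -c rv` or `ntpd --version`
    output. A release without a 'pN' suffix counts as p0, so 4.2.8 < 4.2.8p1."""
    m = _VER_RE.search(text)
    if not m:
        raise ValueError("no ntpd version string found")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def is_affected(version):
    """Plugin logic: any 4.x release that sorts before 4.2.8p9 is affected."""
    return version[0] == 4 and version < FIXED


def audit_restrict(conf_text):
    """Return findings for 'restrict [-4|-6] default' lines that neither drop
    everything ('ignore') nor carry both 'noquery' and 'notrap'.
    Each finding is (line number, missing flag, original line)."""
    findings = []
    saw_default = False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0] != "restrict":
            continue
        args = tokens[1:]
        if args and args[0] in ("-4", "-6"):  # optional address-family flag
            args = args[1:]
        if not args or args[0] != "default":
            continue
        saw_default = True
        flags = set(args[1:])
        if "ignore" in flags:  # everything from unlisted hosts is dropped
            continue
        for needed in ("noquery", "notrap"):
            if needed not in flags:
                findings.append((lineno, needed, raw.strip()))
    if not saw_default:
        findings.append((0, "no 'restrict default' line at all", ""))
    return findings


# Constructed sample input: a fragment of `ntpq -c rv` output from 4.2.8p8.
SAMPLE_RV = ('version="ntpd 4.2.8p8@1.3265-o Mon May 16 02:39:32 UTC 2016 (1)",\n'
             'processor="x86_64", system="Linux/4.4.0", leap=00, stratum=3')

# Constructed ntp.conf fragments: the first leaves mode 6 queries and traps
# reachable from anywhere, the second denies them to unlisted hosts.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
restrict default kod nomodify nopeer    # no noquery/notrap
restrict 127.0.0.1
server time.example.net iburst
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server time.example.net iburst
"""


if __name__ == "__main__":
    ver = parse_ntpd_version(SAMPLE_RV)
    print("ntpd %d.%d.%dp%d affected: %s" % (ver + (is_affected(ver),)))
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for lineno, missing, line in audit_restrict(conf):
            print("%s ntp.conf line %d missing %s: %s" % (name, lineno, missing, line))
```

Run it against a live host with `ntpq -c rv <host> | python3 -c 'import sys, check; print(check.is_affected(check.parse_ntpd_version(sys.stdin.read())))'` (assuming the block is saved as check.py). A `noquery` default restrict also hides the version string from remote `ntpq`, so an unauthenticated version probe from outside the allowed hosts failing is itself a sign the mitigation is in place; the upgrade in the Solution above is still required.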

See Also

http://www.nessus.org/u?08645c8c

http://support.ntp.org/bin/view/Main/NtpBug3067

http://support.ntp.org/bin/view/Main/NtpBug3071

http://support.ntp.org/bin/view/Main/NtpBug3072

http://support.ntp.org/bin/view/Main/NtpBug3082

http://support.ntp.org/bin/view/Main/NtpBug3102

http://support.ntp.org/bin/view/Main/NtpBug3110

http://support.ntp.org/bin/view/Main/NtpBug3113

http://support.ntp.org/bin/view/Main/NtpBug3114

http://support.ntp.org/bin/view/Main/NtpBug3118

http://support.ntp.org/bin/view/Main/NtpBug3119

Plugin Details

Severity: High

ID: 95575

File Name: ntp_4_2_8p9.nasl

Version: 1.9

Type: remote

Family: Misc.

Published: 2016/12/06

Updated: 2018/09/17

Dependencies: 10884

Configuration: Enable paranoid mode

Risk Information

Risk Factor: High

CVSS Score Source: CVE-2016-9310

CVSS Score Rationale: Deferring to highest non-DoS NVD score (CVE-2016-9310)

CVSS v2.0

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:ntp:ntp

Required KB Items: NTP/Running, Settings/ParanoidReport

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2016/11/21

Vulnerability Publication Date: 2016/11/21

Reference Information

CVE: CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7429, CVE-2016-7431, CVE-2016-7433, CVE-2016-7434, CVE-2016-9310, CVE-2016-9311, CVE-2016-9312

BID: 94444, 94446, 94447, 94448, 94450, 94451, 94452, 94453, 94454, 94455

CERT: 633847