Network Time Protocol Daemon (ntpd) 4.x < 4.2.8p10 Multiple Vulnerabilities

Medium Nessus Plugin ID 97988

Synopsis

The remote NTP server is affected by multiple vulnerabilities.

Description

The version of the remote NTP server is 4.x prior to 4.2.8p10. It is, therefore, affected by the following vulnerabilities :

- A denial of service vulnerability exists in the receive() function within file ntpd/ntp_proto.c due to the expected origin timestamp being cleared when a packet with a zero origin timestamp is received. An unauthenticated, remote attacker can exploit this issue, via specially crafted network packets, to reset the expected origin timestamp for a target peer, resulting in legitimate replies being dropped. (CVE-2016-9042)

- An out-of-bounds write error exists in the mx4200_send() function within file ntpd/refclock_mx4200.c due to improper handling of the return value of the snprintf() and vsnprintf() functions. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or possibly the execution of arbitrary code.
However, neither the researcher nor vendor could find any exploitable code path. (CVE-2017-6451)

- A stack-based buffer overflow condition exists in the addSourceToRegistry() function within file ports/winnt/instsrv/instsrv.c due to improper validation of certain input when adding registry keys. A local attacker can exploit this to execute arbitrary code.
(CVE-2017-6452)

- A flaw exists due to dynamic link library (DLL) files being preloaded when they are defined in the inherited environment variable 'PPSAPI_DLLS'. A local attacker can exploit this, via specially crafted DLL files, to execute arbitrary code with elevated privileges.
(CVE-2017-6455)

- Multiple stack-based buffer overflow conditions exist in various wrappers around the ctl_putdata() function within file ntpd/ntp_control.c due to improper validation of certain input from the ntp.conf file.
An unauthenticated, remote attacker can exploit these, by convincing a user into deploying a specially crafted ntp.conf file, to cause a denial of service condition or possibly the execution of arbitrary code.
(CVE-2017-6458)

- A flaw exists in the addKeysToRegistry() function within file ports/winnt/instsrv/instsrv.c when running the Windows installer due to improper termination of strings used for adding registry keys, which may cause malformed registry entries to be created. A local attacker can exploit this issue to possibly disclose sensitive memory contents. (CVE-2017-6459)

- A stack-based buffer overflow condition exists in the reslist() function within file ntpq/ntpq-subs.c when handling server responses due to improper validation of certain input. An unauthenticated, remote attacker can exploit this, by convincing a user to connect to a malicious NTP server and by using a specially crafted server response, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-6460)

- A stack-based buffer overflow condition exists in the datum_pts_receive() function within file ntpd/refclock_datum.c when handling handling packets from the '/dev/datum' device due to improper validation of certain input. A local attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-6462)

- A denial of service vulnerability exists within file ntpd/ntp_config.c when handling 'unpeer' configuration options. An authenticated, remote attacker can exploit this issue, via an 'unpeer' option value of '0', to crash the ntpd daemon. (CVE-2017-6463)

- A denial of service vulnerability exists when handling configuration directives. An authenticated, remote attacker can exploit this, via a malformed 'mode' configuration directive, to crash the ntpd daemon.
(CVE-2017-6464)

- A flaw exists in the ntpq_stripquotes() function within file ntpq/libntpq.c due to the function returning an incorrect value. An unauthenticated, remote attacker can possibly exploit this to have an unspecified impact.

- An off-by-one overflow condition exists in the oncore_receive() function in file ntpd/refclock_oncore.c that possibly allows an unauthenticated, remote attacker to have an unspecified impact.

- A flaw exists due to certain code locations not invoking the appropriate ereallocarray() and eallocarray() functions. An unauthenticated, remote attacker can possibly exploit this to have an unspecified impact.

- A flaw exists due to the static inclusion of unused code from the libisc, libevent, and libopts libraries. An unauthenticated, remote attacker can possibly exploit this to have an unspecified impact.

- A security weakness exists in the Makefile due to a failure to provide compile or link flags to offer hardened security options by default.

Solution

Upgrade to NTP version 4.2.8p10 or later.

See Also

http://www.nessus.org/u?68156231

http://support.ntp.org/bin/view/Main/NtpBug3361

http://support.ntp.org/bin/view/Main/NtpBug3376

http://support.ntp.org/bin/view/Main/NtpBug3377

http://support.ntp.org/bin/view/Main/NtpBug3378

http://support.ntp.org/bin/view/Main/NtpBug3379

http://support.ntp.org/bin/view/Main/NtpBug3380

http://support.ntp.org/bin/view/Main/NtpBug3381

http://support.ntp.org/bin/view/Main/NtpBug3382

http://support.ntp.org/bin/view/Main/NtpBug3383

http://support.ntp.org/bin/view/Main/NtpBug3384

http://support.ntp.org/bin/view/Main/NtpBug3385

http://support.ntp.org/bin/view/Main/NtpBug3386

http://support.ntp.org/bin/view/Main/NtpBug3387

http://support.ntp.org/bin/view/Main/NtpBug3388

http://support.ntp.org/bin/view/Main/NtpBug3389

Plugin Details

Severity: Medium

ID: 97988

File Name: ntp_4_2_8p10.nasl

Version: 1.14

Type: remote

Family: Misc.

Published: 2017/03/27

Updated: 2019/01/02

Dependencies: 10884

Configuration: Enable paranoid mode

Risk Information

Risk Factor: Medium

CVSS Score Source: CVE-2017-6458

CVSS v2.0

Base Score: 6.5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:ntp:ntp

Required KB Items: NTP/Running, Settings/ParanoidReport

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2017/03/21

Vulnerability Publication Date: 2017/02/11

Reference Information

CVE: CVE-2016-9042, CVE-2017-6451, CVE-2017-6452, CVE-2017-6455, CVE-2017-6458, CVE-2017-6459, CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464

BID: 97045, 97046, 97049, 97050, 97051, 97052, 97058

CERT: 325339