Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p6 Multiple Vulnerabilities

medium Nessus Plugin ID 88054

Synopsis

The remote NTP server is affected by multiple vulnerabilities.

Description

The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p6.
It is, therefore, affected by the following vulnerabilities :

- A flaw exists in the receive() function due to the use of authenticated broadcast mode. A man-in-the-middle attacker can exploit this to conduct a replay attack.
(CVE-2015-7973)

- A time serving flaw exists in the trusted key system due to improper key checks. An authenticated, remote attacker can exploit this to perform impersonation attacks between authenticated peers. (CVE-2015-7974)

- An overflow condition exists in the nextvar() function due to improper validation of user-supplied input. A local attacker can exploit this to cause a buffer overflow, resulting in a denial of service condition.
(CVE-2015-7975)

- A flaw exists in ntp_control.c due to improper filtering of special characters in filenames by the saveconfig command. An authenticated, remote attacker can exploit this to inject arbitrary content. (CVE-2015-7976)

- A NULL pointer dereference flaw exists in ntp_request.c that is triggered when handling ntpdc relist commands.
A remote attacker can exploit this, via a specially crafted request, to crash the service, resulting in a denial of service condition. (CVE-2015-7977)

- A flaw exists in ntpdc that is triggered during the handling of the relist command. A remote attacker can exploit this, via recursive traversals of the restriction list, to exhaust available space on the call stack, resulting in a denial of service condition.
CVE-2015-7978)

- An unspecified flaw exists in authenticated broadcast mode. A remote attacker can exploit this, via specially crafted packets, to cause a denial of service condition.
(CVE-2015-7979)

- A flaw exists in the receive() function that allows packets with an origin timestamp of zero to bypass security checks. A remote attacker can exploit this to spoof arbitrary content. (CVE-2015-8138)

- A flaw exists in ntpq and ntpdc that allows a remote attacker to disclose sensitive information in timestamps. (CVE-2015-8139)

- A flaw exists in the ntpq protocol that is triggered during the handling of an improper sequence of numbers.
A man-in-the-middle attacker can exploit this to conduct a replay attack. (CVE-2015-8140)

- A flaw exists in the ntpq client that is triggered when handling packets that cause a loop in the getresponse() function. A remote attacker can exploit this to cause an infinite loop, resulting in a denial of service condition. (CVE-2015-8158)

Solution

Upgrade to NTP version 4.2.8p6 or later.

See Also

http://support.ntp.org/bin/view/Main/SecurityNotice

http://www.nessus.org/u?d42322ca

Plugin Details

Severity: Medium

ID: 88054

File Name: ntp_4_2_8p6.nasl

Version: 1.17

Type: remote

Family: Misc.

Published: 1/21/2016

Updated: 9/17/2018

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P

CVSS Score Source: CVE-2015-8140

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Temporal Score: 4.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:ntp:ntp

Required KB Items: Settings/ParanoidReport, NTP/Running

Exploit Ease: No known exploits are available

Patch Publication Date: 1/19/2016

Vulnerability Publication Date: 1/19/2016

Reference Information

CVE: CVE-2015-7973, CVE-2015-7974, CVE-2015-7975, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8138, CVE-2015-8139, CVE-2015-8140, CVE-2015-8158

BID: 81963, 81811, 81814, 81815, 81816, 81959, 81960, 81962, 82102, 82105

CERT: 718152