Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p4 Multiple Vulnerabilities

critical Nessus Plugin ID 86631

Synopsis

The remote NTP server is affected by multiple vulnerabilities.

Description

The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p4.
It is, therefore, affected by the following vulnerabilities:

- A flaw exists in the ntp_crypto.c file due to improper validation of the 'vallen' value in extension fields. An unauthenticated, remote attacker can exploit this, via specially crafted autokey packets, to disclose sensitive information or cause a denial of service. (CVE-2015-7691)

- A denial of service vulnerability exists in the autokey functionality due to a failure in the crypto_bob2(), crypto_bob3(), and cert_sign() functions to properly validate the 'vallen' value. An unauthenticated, remote attacker can exploit this, via specially crafted autokey packets, to crash the NTP service. (CVE-2015-7692)

- A denial of service vulnerability exists in the crypto_recv() function in the file ntp_crypto.c related to autokey functionality. An unauthenticated, remote attacker can exploit this, via an ongoing flood of NTPv4 autokey requests, to exhaust memory resources. (CVE-2015-7701)

- A denial of service vulnerability exists due to improper validation of packets containing certain autokey operations. An unauthenticated, remote attacker can exploit this, via specially crafted autokey packets, to crash the NTP service. (CVE-2015-7702)

- A flaw exists related to the handling of the 'config:' command. An authenticated, remote attacker can exploit this to set the 'pidfile' and 'driftfile' directives without restrictions, thus allowing the attacker to overwrite arbitrary files. Note that exploitation of this issue requires that remote configuration is enabled for ntpd. (CVE-2015-7703)

- A denial of service vulnerability exists due to improper validation of the origin timestamp when handling Kiss-of-Death (KoD) packets. An unauthenticated, remote attacker can exploit this to stop the client from querying its servers, preventing it from updating its clock. (CVE-2015-7704)

- A denial of service vulnerability exists due to improper implementation of rate-limiting when handling server queries. An unauthenticated, remote attacker can exploit this to stop the client from querying its servers, preventing it from updating its clock. (CVE-2015-7705)

- A denial of service vulnerability exists due to an integer overflow condition in the reset_peer() function in the file ntp_request.c when handling private mode packets having request code RESET_PEER (0x16). An authenticated, remote attacker can exploit this to crash the NTP service. Note that exploitation of this issue requires that ntpd is configured to enable mode 7 packets, and that the mode 7 packets are not properly protected by available authentication and restriction mechanisms. (CVE-2015-7848)

- A use-after-free error exists in the auth_delkeys() function in the file authkeys.c when handling trusted keys. An authenticated, remote attacker can exploit this to dereference already freed memory, resulting in a crash of the NTP service or the execution of arbitrary code. (CVE-2015-7849)

- A denial of service vulnerability exists due to a logic flaw in the authreadkeys() function in the file authreadkeys.c when handling extended logging where the log and key files are set to be the same file. An authenticated, remote attacker can exploit this, via a crafted set of remote configuration requests, to cause the NTP service to stop responding. (CVE-2015-7850)

- A flaw exists in the save_config() function in the file ntp_control.c due to improper sanitization of user-supplied input. An authenticated, remote attacker can exploit this issue, via a crafted set of configuration requests, to overwrite arbitrary files. Note that this issue only affects VMS systems and requires that ntpd is configured to allow remote configuration. (CVE-2015-7851)

- A denial of service vulnerability exists due to an off-by-one overflow condition in the cookedprint() function in the file ntpq.c when handling mode 6 response packets. An unauthenticated, remote attacker can exploit this to crash the NTP service. (CVE-2015-7852)

- An overflow condition exists in the read_refclock_packet() function in the file ntp_io.c when handling negative data lengths. A local attacker can exploit this to crash the NTP service or possibly gain elevated privileges. (CVE-2015-7853)

- A heap-based overflow condition exists in the MD5auth_setkey() function in the file authkeys.c when handling passwords. An authenticated, remote attacker can exploit this, via a crafted set of configuration requests, to crash the NTP service or possibly execute arbitrary code. (CVE-2015-7854)

- A denial of service vulnerability exists due to an assertion flaw in the decodenetnum() function in the file decodenetnum.c when handling long data values in mode 6 and 7 packets. An unauthenticated, remote attacker can exploit this to crash the NTP service. (CVE-2015-7855)

- An authentication bypass vulnerability exists in the receive() function in the file ntp_proto.c when handling crypto-NAK packets. An unauthenticated, remote attacker can exploit this to cause the service to accept time from unauthenticated, ephemeral symmetric peers. (CVE-2015-7871)

Solution

Upgrade to NTP version 4.2.8p4 or later.

See Also

https://www.tenable.com/security/research/tra-2015-04

http://support.ntp.org/bin/view/Main/SecurityNotice

http://www.nessus.org/u?08d2ada0

Plugin Details

Severity: Critical

ID: 86631

File Name: ntp_4_2_8p4.nasl

Version: 1.16

Type: remote

Family: Misc.

Published: 10/28/2015

Updated: 11/20/2019

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2015-7871

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:ntp:ntp

Required KB Items: NTP/Running, Settings/ParanoidReport

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/21/2015

Vulnerability Publication Date: 9/9/2014

Reference Information

CVE: CVE-2015-5194, CVE-2015-5195, CVE-2015-5219, CVE-2015-7691, CVE-2015-7692, CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704, CVE-2015-7705, CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851, CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855, CVE-2015-7871

BID: 77273, 77274, 77275, 77276, 77277, 77278, 77279, 77280, 77281, 77282, 77283, 77284, 77285, 77286, 77287, 77288