Synopsis
The remote NTP server is affected by multiple vulnerabilities.
Description
The version of the remote NTP server is 4.x prior to 4.2.8p9. It is, therefore, affected by the following vulnerabilities:
- A denial of service vulnerability exists when rate limiting is configured for all associations, the limits also being applied to responses received from the configured sources. An unauthenticated, remote attacker can exploit this, by periodically sending spoofed packets, to keep rate limiting active, resulting in valid responses not being accepted by ntpd from its sources. (CVE-2016-7426)
- A denial of service vulnerability exists in the broadcast mode replay prevention functionality. An unauthenticated, adjacent attacker can exploit this, via specially crafted broadcast mode NTP packets periodically injected into the broadcast domain, to cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers. (CVE-2016-7427)
- A denial of service vulnerability exists in the broadcast mode poll interval functionality. An unauthenticated, adjacent attacker can exploit this, via specially crafted broadcast mode NTP packets, to cause ntpd to reject packets from a legitimate NTP broadcast server. (CVE-2016-7428)
- A denial of service vulnerability exists when server responses are received on sockets that correspond to interfaces other than the one used for the request. An unauthenticated, remote attacker can exploit this, by sending repeated requests using specially crafted packets with spoofed source addresses, to cause ntpd to select the incorrect interface for the source, which prevents it from sending new requests until the interface list is refreshed. This eventually prevents ntpd from synchronizing with the source. (CVE-2016-7429)
- A flaw exists that allows packets with an origin timestamp of zero to bypass security checks. An unauthenticated, remote attacker can exploit this to spoof arbitrary content. (CVE-2016-7431)
- A flaw exists due to the root delay being included twice, which may result in the jitter value being higher than expected. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-7433)
- A denial of service vulnerability exists when handling specially crafted mrulist query packets that allows an unauthenticated, remote attacker to crash ntpd. (CVE-2016-7434)
- A flaw exists in the control mode (mode 6) functionality when handling specially crafted control mode packets. An unauthenticated, adjacent attacker can exploit this to set or disable ntpd traps, resulting in the disclosure of potentially sensitive information, disabling of legitimate monitoring, or DDoS amplification. (CVE-2016-9310)
- A NULL pointer dereference flaw exists in the report_event() function within file ntpd/ntp_control.c when the trap service handles certain peer events. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to cause a denial of service condition. (CVE-2016-9311)
- A denial of service vulnerability exists when handling oversize UDP packets that allows an unauthenticated, remote attacker to crash ntpd. Note that this vulnerability only affects Windows versions. (CVE-2016-9312)
Solution
Upgrade to NTP version 4.2.8p9 or later.
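The check this plugin performs reduces to a version comparison against 4.2.8p9, and the easy mistake when doing it by hand across a fleet is comparing version strings lexically (where "4.2.8p10" sorts before "4.2.8p9"). The following Python is an added example, not the plugin's NASL code: it parses the version token found in an ntpd banner or `ntpq -c rv` output into a numeric tuple and reports whether the host falls in the affected range the description gives (4.x prior to 4.2.8p9). The banner strings in the sample are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Fix version from the advisory: 4.2.8p9 and later are not affected.
FIXED_VERSION: Tuple[int, int, int, int] = (4, 2, 8, 9)

# Matches "4.2.8p9", "4.2.8" (no patch level) or the token inside a banner
# such as "ntpd 4.2.8p8@1.3265-o ...". Trailing suffixes after the patch
# number (e.g. "@1.3265-o") are ignored.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_ntp_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, micro, patch) from a version string or banner.

    A missing "pN" patch level is treated as patch 0, so "4.2.8" < "4.2.8p1".
    Returns None when no version token is present.
    """
    match = _VERSION_RE.search(text)
    if not match:
        return None
    major, minor, micro, patch = match.groups()
    return (int(major), int(minor), int(micro), int(patch) if patch else 0)


def is_affected(text: str) -> Optional[bool]:
    """True if the version is 4.x and older than 4.2.8p9; None if unparseable."""
    version = parse_ntp_version(text)
    if version is None:
        return None
    # The advisory scopes the affected range to the 4.x branch only.
    if version[0] != 4:
        return False
    # Tuple comparison is numeric per component, so p10 > p9 as intended.
    return version < FIXED_VERSION


if __name__ == "__main__":
    # Constructed sample banners, in the shape ntpd prints (not real hosts).
    samples = [
        "ntpd 4.2.8p8@1.3265-o Wed Jun  1 14:19:52 UTC 2016 (1)",
        "ntpd 4.2.8p9@1.3265-o Mon Nov 21 17:08:49 UTC 2016 (1)",
        "ntpd 4.2.8p10@1.3728-o Tue Mar 21 17:31:58 UTC 2017 (1)",
        "ntpd 4.2.6p5@1.2349-o Fri Jul 22 17:30:51 UTC 2011 (1)",
        "version=\"ntpd 4.2.8@1.3265-o\"",
        "no version here",
    ]
    for banner in samples:
        print(f"{is_affected(banner)!s:>5}  {banner}")
```

Run on the sample list, the p8, 4.2.6p5 and bare 4.2.8 banners report True, p9 and p10 report False, and the final line reports None so that an unparseable banner is surfaced rather than silently treated as patched.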
Plugin Details
File Name: ntp_4_2_8p9.nasl
Configuration: Enable paranoid mode
Supported Sensors: Nessus
Risk Information
Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:ntp:ntp
Required KB Items: NTP/Running, Settings/ParanoidReport
Exploit Ease: Exploits are available
Patch Publication Date: 11/21/2016
Vulnerability Publication Date: 11/21/2016
Reference Information
CVE: CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7429, CVE-2016-7431, CVE-2016-7433, CVE-2016-7434, CVE-2016-9310, CVE-2016-9311, CVE-2016-9312
BID: 94444, 94446, 94447, 94448, 94450, 94451, 94452, 94453, 94454, 94455