CVE-2013-5211 - Improper Input Validation vulnerability in multiple products
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Summary
The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | 1 | |
OS | 2 | |
Application | Ntp | 232 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables: This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Server Side Include (SSI) Injection: An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
- Cross Zone Scripting: An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content they were allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
- Cross Site Scripting through Log Files: An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Command Line Execution through SQL Injection: An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
Exploit-Db
Field | Value |
---|---|
description | NTP ntpd monlist Query Reflection - Denial of Service. CVE-2013-5211. Dos exploit for linux platform |
id | EDB-ID:33073 |
last seen | 2016-02-03 |
modified | 2014-04-28 |
published | 2014-04-28 |
reporter | Danilo PC |
source | https://www.exploit-db.com/download/33073/ |
title | NTP ntpd monlist Query Reflection - Denial of Service |
Metasploit
Title | Module id | Published | Modified | Last seen | Reporter | Source | Description |
---|---|---|---|---|---|---|---|
SSDP ssdp:all M-SEARCH Amplification Scanner | MSF:AUXILIARY/SCANNER/UPNP/SSDP_AMP | 2014-08-26 | 2017-07-24 | 2019-11-17 | Rapid7 | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/upnp/ssdp_amp.rb | Discover SSDP amplification possibilities |
UDP Amplification Scanner | MSF:AUXILIARY/SCANNER/UDP/UDP_AMPLIFICATION | 2016-10-24 | 2017-07-24 | 2020-01-17 | Rapid7 | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/udp/udp_amplification.rb | Detect UDP endpoints with UDP amplification vulnerabilities |
NTP Mode 6 UNSETTRAP DRDoS Scanner | MSF:AUXILIARY/SCANNER/NTP/NTP_UNSETTRAP_DOS | 2014-08-09 | 2017-07-24 | 2020-03-28 | Rapid7 | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ntp/ntp_unsettrap_dos.rb | This module identifies NTP servers which permit mode 6 UNSETTRAP requests that can be used to conduct DRDoS attacks. In some configurations, NTP servers will respond to UNSETTRAP requests with multiple packets, allowing remote attackers to cause a distributed, reflected denial of service (aka, "DRDoS" or traffic amplification) via spoofed requests. |
NTP Mode 7 PEER_LIST DoS Scanner | MSF:AUXILIARY/SCANNER/NTP/NTP_PEER_LIST_DOS | 2014-08-09 | 2017-07-24 | 2020-05-06 | Rapid7 | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ntp/ntp_peer_list_dos.rb | This module identifies NTP servers which permit "PEER_LIST" queries and return responses that are larger in size or greater in quantity than the request, allowing remote attackers to cause a distributed, reflected denial of service (aka, "DRDoS" or traffic amplification) via spoofed requests. |
NTP Mode 6 REQ_NONCE DRDoS Scanner | MSF:AUXILIARY/SCANNER/NTP/NTP_REQ_NONCE_DOS | 2014-08-09 | 2017-07-24 | 2020-04-30 | Rapid7 | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ntp/ntp_req_nonce_dos.rb | This module identifies NTP servers which permit mode 6 REQ_NONCE requests that can be used to conduct DRDoS attacks. In some configurations, NTP servers will respond to REQ_NONCE requests with a response larger than the request, allowing remote attackers to cause a distributed, reflected denial of service (aka, "DRDoS" or traffic amplification) via spoofed requests. |
NTP Monitor List Scanner | MSF:AUXILIARY/SCANNER/NTP/NTP_MONLIST | 2010-01-27 | 2017-07-24 | 2019-12-05 | Rapid7 | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ntp/ntp_monlist.rb | This module identifies NTP servers which permit "monlist" queries and obtains the recent clients list. The monlist feature allows remote attackers to cause a denial of service (traffic amplification) via spoofed requests. The more clients there are in the list, the greater the amplification. |
NTP Mode 7 GET_RESTRICT DRDoS Scanner | MSF:AUXILIARY/SCANNER/NTP/NTP_RESLIST_DOS | 2014-08-09 | 2017-07-24 | 2020-05-15 | Rapid7 | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ntp/ntp_reslist_dos.rb | This module identifies NTP servers which permit "reslist" queries and obtains the list of restrictions placed on various network interfaces, networks or hosts. The reslist feature allows remote attackers to cause a distributed, reflected denial of service (aka, "DRDoS" or traffic amplification) via spoofed requests. The more interfaces, networks or hosts with specific restrictions, the greater the amplification. |
NTP Clock Variables Disclosure | MSF:AUXILIARY/SCANNER/NTP/NTP_READVAR | 2012-10-18 | 2017-07-24 | 2020-06-04 | Rapid7 | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ntp/ntp_readvar.rb | This module reads the system internal NTP variables. These variables contain potentially sensitive information, such as the NTP software version, operating system version, peers, and more. |
NTP Mode 7 PEER_LIST_SUM DoS Scanner | MSF:AUXILIARY/SCANNER/NTP/NTP_PEER_LIST_SUM_DOS | 2014-08-09 | 2017-07-24 | 2020-06-05 | Rapid7 | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/ntp/ntp_peer_list_sum_dos.rb | This module identifies NTP servers which permit "PEER_LIST_SUM" queries and return responses that are larger in size or greater in quantity than the request, allowing remote attackers to cause a distributed, reflected denial of service (aka, "DRDoS" or traffic amplification) via spoofed requests. |
Portmapper Amplification Scanner | MSF:AUXILIARY/SCANNER/PORTMAP/PORTMAP_AMP | 2015-09-12 | 2017-07-24 | 2020-01-04 | Rapid7 | https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/portmap/portmap_amp.rb | This module can be used to discover Portmapper services which can be used in an amplification DDoS attack against a third party. |
Nessus
Field | Value |
---|---|
NASL family | Huawei Local Security Checks |
NASL id | EULEROS_SA-2020-1314.NASL |
description | According to the version of the ntp packages installed, the EulerOS installation on the remote host is affected by the following vulnerability : - The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.(CVE-2013-5211) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
last seen | 2020-05-06 |
modified | 2020-03-23 |
plugin id | 134805 |
published | 2020-03-23 |
reporter | This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/134805 |
title | EulerOS 2.0 SP5 : ntp (EulerOS-SA-2020-1314) |

code

```nasl
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(134805);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");

  script_cve_id(
    "CVE-2013-5211"
  );
  script_bugtraq_id(
    64692
  );

  script_name(english:"EulerOS 2.0 SP5 : ntp (EulerOS-SA-2020-1314)");
  script_summary(english:"Checks the rpm output for the updated package.");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"According to the version of the ntp packages installed, the EulerOS
installation on the remote host is affected by the following
vulnerability :

  - The monlist feature in ntp_request.c in ntpd in NTP
    before 4.2.7p26 allows remote attackers to cause a
    denial of service (traffic amplification) via forged
    (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests,
    as exploited in the wild in December 2013.(CVE-2013-5211)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1314
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3885e27d");
  script_set_attribute(attribute:"solution", value:
"Update the affected ntp package.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2020/03/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/03/23");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ntp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ntpdate");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:sntp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Local package checks need an SSH session and the host's rpm list.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");

sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(5)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5");

uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP5", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

# Flag the host if any installed package is older than the fixed build.
flag = 0;

pkgs = ["ntp-4.2.6p5-28.h13.eulerosv2r7",
        "ntpdate-4.2.6p5-28.h13.eulerosv2r7",
        "sntp-4.2.6p5-28.h13.eulerosv2r7"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"5", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ntp");
}
```
Field | Value |
---|---|
NASL family | OracleVM Local Security Checks |
NASL id | ORACLEVM_OVMSA-2017-0165.NASL |
description | The remote OracleVM system is missing necessary patches to address critical security updates : - add disable monitor to default ntp.conf [CVE-2013-5211] - fix buffer overflow in datum refclock driver (CVE-2017-6462) - fix crash with invalid unpeer command (CVE-2017-6463) - fix potential crash with invalid server command (CVE-2017-6464) - don |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 104204 |
published | 2017-10-27 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/104204 |
title | OracleVM 3.3 / 3.4 : ntp (OVMSA-2017-0165) |

code

```nasl
#
# (C) Tenable Network Security, Inc.
#
# The package checks in this plugin were extracted from OracleVM
# Security Advisory OVMSA-2017-0165.
#

include("compat.inc");

if (description)
{
  script_id(104204);
  script_version("3.4");
  script_cvs_date("Date: 2019/09/27 13:00:35");

  script_cve_id("CVE-2013-5211", "CVE-2015-7979", "CVE-2016-1547", "CVE-2016-1548", "CVE-2016-1550", "CVE-2016-2518", "CVE-2016-7426", "CVE-2016-7429", "CVE-2016-7433", "CVE-2016-9310", "CVE-2016-9311", "CVE-2017-6462", "CVE-2017-6463", "CVE-2017-6464");
  script_bugtraq_id(64692);

  script_name(english:"OracleVM 3.3 / 3.4 : ntp (OVMSA-2017-0165)");
  script_summary(english:"Checks the RPM output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote OracleVM host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"The remote OracleVM system is missing necessary patches to address
critical security updates :

  - add disable monitor to default ntp.conf [CVE-2013-5211]
  - fix buffer overflow in datum refclock driver (CVE-2017-6462)
  - fix crash with invalid unpeer command (CVE-2017-6463)
  - fix potential crash with invalid server command (CVE-2017-6464)
  - don't limit rate of packets from sources (CVE-2016-7426)
  - don't change interface from received packets (CVE-2016-7429)
  - fix calculation of root distance again (CVE-2016-7433)
  - require authentication for trap commands (CVE-2016-9310)
  - fix crash when reporting peer event to trappers (CVE-2016-9311)
  - don't allow spoofed packets to demobilize associations (CVE-2015-7979, CVE-2016-1547)
  - don't allow spoofed packet to enable symmetric interleaved mode (CVE-2016-1548)
  - check mode of new source in config command (CVE-2016-2518)
  - make MAC check resilient against timing attack (CVE-2016-1550)"
  );
  # https://oss.oracle.com/pipermail/oraclevm-errata/2017-October/000795.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?7c1983e3"
  );
  # https://oss.oracle.com/pipermail/oraclevm-errata/2017-October/000796.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?9454d3fb"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected ntp / ntpdate packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:ntp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:vm:ntpdate");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:vm_server:3.4");

  script_set_attribute(attribute:"vuln_publication_date", value:"2014/01/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/10/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/10/27");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"OracleVM Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/OracleVM/release", "Host/OracleVM/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Local package checks need an SSH session and the host's rpm list.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/OracleVM/release");
if (isnull(release) || "OVS" >!< release) audit(AUDIT_OS_NOT, "OracleVM");
if (! preg(pattern:"^OVS" + "(3\.3|3\.4)" + "(\.[0-9]|$)", string:release)) audit(AUDIT_OS_NOT, "OracleVM 3.3 / 3.4", "OracleVM " + release);
if (!get_kb_item("Host/OracleVM/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "OracleVM", cpu);
if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);

# Flag the host if any installed package is older than the fixed build.
flag = 0;
if (rpm_check(release:"OVS3.3", reference:"ntp-4.2.6p5-12.0.1.el6_9.1")) flag++;
if (rpm_check(release:"OVS3.3", reference:"ntpdate-4.2.6p5-12.0.1.el6_9.1")) flag++;
if (rpm_check(release:"OVS3.4", reference:"ntp-4.2.6p5-12.0.1.el6_9.1")) flag++;
if (rpm_check(release:"OVS3.4", reference:"ntpdate-4.2.6p5-12.0.1.el6_9.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ntp / ntpdate");
}
```
Title | NASL family | NASL id | Plugin id | Published | Modified | Last seen | Reporter | Source | Description |
---|---|---|---|---|---|---|---|---|---|
OracleVM 3.3 / 3.4 : ntp (OVMSA-2017-0038) | OracleVM Local Security Checks | ORACLEVM_OVMSA-2017-0038.NASL | 97058 | 2017-02-08 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. | https://www.tenable.com/plugins/nessus/97058 | The remote OracleVM system is missing necessary patches to address critical security updates : - add disable monitor to default ntp.conf [CVE-2013-5211] - don |
AIX 7.1 TL 1 : ntp (IV56575) | AIX Local Security Checks | AIX_IV56575.NASL | 76077 | 2014-06-17 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2014-2015 Tenable Network Security, Inc. | https://www.tenable.com/plugins/nessus/76077 | The monlist feature in ntpd in NTP allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests. |
AIX 6.1 TL 8 : ntp (IV58068) | AIX Local Security Checks | AIX_IV58068.NASL | 76078 | 2014-06-17 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2014-2015 Tenable Network Security, Inc. | https://www.tenable.com/plugins/nessus/76078 | The monlist feature in ntpd in NTP allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests. |
ESXi 5.0 < Build 1749766 Multiple Vulnerabilities (remote check) | Misc. | VMWARE_ESXI_5_0_BUILD_1749766_REMOTE.NASL | 81083 | 2015-01-29 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. | https://www.tenable.com/plugins/nessus/81083 | The remote VMware ESXi host is version 5.0 prior to build 1749766. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the monlist feature in NTP. A remote attacker can exploit this flaw, using a specially crafted packet to load the query function in monlist, to conduct a distributed denial of service attack. (CVE-2013-5211) - An unspecified privilege escalation vulnerability exists that allows an attacker to gain host OS privileges or cause a denial of service condition by modifying a configuration file. (CVE-2014-8370) |
FreeBSD : ntpd DRDoS / Amplification Attack using ntpdc monlist command (3d95c9a7-7d5c-11e3-a8c1-206a8a720317) | FreeBSD Local Security Checks | FREEBSD_PKG_3D95C9A77D5C11E3A8C1206A8A720317.NASL | 71960 | 2014-01-15 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof. | https://www.tenable.com/plugins/nessus/71960 | ntp.org reports : Unrestricted access to the monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013 Use noquery to your default restrictions to block all status queries. Use disable monitor to disable the ``ntpdc -c monlist |
EulerOS Virtualization for ARM 64 3.0.2.0 : ntp (EulerOS-SA-2020-1547) | Huawei Local Security Checks | EULEROS_SA-2020-1547.NASL | 136250 | 2020-05-01 | 2020-05-01 | 2020-05-08 | This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. | https://www.tenable.com/plugins/nessus/136250 | According to the versions of the ntp packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.(CVE-2013-5211) - The broadcast mode replay prevention functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via a crafted broadcast mode packet.(CVE-2016-7427) - ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via the poll interval in a broadcast packet.(CVE-2016-7428) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. |
VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2014-0002) | Misc. | VMWARE_VMSA-2014-0002_REMOTE.NASL | 87674 | 2015-12-30 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. | https://www.tenable.com/plugins/nessus/87674 | The remote VMware ESX / ESXi host is affected by multiple vulnerabilities : - Multiple integer overflow conditions exist in the glibc package in file malloc/malloc.c. An unauthenticated, remote attacker can exploit these to cause heap memory corruption by passing large values to the pvalloc(), valloc(), posix_memalign(), memalign(), or aligned_alloc() functions, resulting in a denial of service. (CVE-2013-4332) - A distributed denial of service (DDoS) vulnerability exists in the NTP daemon due to improper handling of the |
SuSE 11.3 Security Update : ntp (SAT Patch Number 9540) | SuSE Local Security Checks | SUSE_11_NTP-140721.NASL | 76910 | 2014-07-30 | 2014-07-30 | 2020-06-05 | This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. | https://www.tenable.com/plugins/nessus/76910 | The NTP time service could have been used for remote denial of service amplification attacks. This issue can be fixed by the administrator as we described in our security advisory SUSE-SA:2014:001: http://lists.opensuse.org/opensuse-security-announce/2014-01/msg00005.html and on http://support.novell.com/security/cve/CVE-2013-5211.html This update now also replaces the default ntp.conf template to fix this problem. Please note that if you have touched or modified ntp.conf yourself, it will not be automatically fixed, you need to merge the changes manually as described. Additionally the following bug has been fixed : - ntp start script does not update the /var/lib/ntp/etc/localtime file if /etc/localtime is a symlink (bnc#838458) |
Juniper Junos NTP Server Amplification Remote DoS (JSA10613) | Junos Local Security Checks | JUNIPER_JSA10613.NASL | 77756 | 2014-09-19 | 2014-09-19 | 2019-10-28 | This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. | https://www.tenable.com/plugins/nessus/77756 | According to its self-reported version number, the remote Juniper Junos device is affected by a vulnerability in the NTP daemon related to the handling of the |
openSUSE Security Update : openSUSE-2014- (openSUSE-2014--1) | SuSE Local Security Checks | SUSE_13_1_OPENSUSE-2014--140722.NASL | 76933 | 2014-07-31 | 2014-08-08 | 2017-10-29 | Tenable | https://www.tenable.com/plugins/index.php?view=single&id=76933 | The NTP time service could be used for remote denial of service amplification attacks. This issue can be fixed by the administrator as we described in our security advisory SUSE-SA:2014:001 http://lists.opensuse.org/opensuse-security-announce/2014-01/msg00005.html and on http://support.novell.com/security/cve/CVE-2013-5211.html This update now also replaces the default ntp.conf template to fix this problem. Please note that if you have touched or modified ntp.conf yourself, it will not be automatically fixed, you need to merge the changes manually as described. |
AIX 7.1 TL 3 : ntp (IV56324) | AIX Local Security Checks | AIX_IV56324.NASL | 76076 | 2014-06-17 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2014-2015 Tenable Network Security, Inc. | https://www.tenable.com/plugins/nessus/76076 | The monlist feature in ntpd in NTP allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests. |
openSUSE Security Update : ntp (openSUSE-2014-474) | SuSE Local Security Checks | OPENSUSE-2014-474.NASL | 76958 | 2014-08-01 | 2014-08-01 | 2020-06-05 | This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. | https://www.tenable.com/plugins/nessus/76958 | The NTP time service could be used for remote denial of service amplification attacks. This issue can be fixed by the administrator as we described in our security advisory SUSE-SA:2014:001 http://lists.opensuse.org/opensuse-security-announce/2014-01/msg00005.html and on http://support.novell.com/security/cve/CVE-2013-5211.html This update now also replaces the default ntp.conf template to fix this problem. Please note that if you have touched or modified ntp.conf yourself, it will not be automatically fixed, you need to merge the changes manually as described. |
Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2014-044-02) | Slackware Local Security Checks | SLACKWARE_SSA_2014-044-02.NASL | 72489 | 2014-02-14 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. | https://www.tenable.com/plugins/nessus/72489 | New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix a security issue. |
Oracle Solaris Third-Party Patch Update : ntp (cve_2013_5211_input_validation) | Solaris Local Security Checks | SOLARIS11_NTP_20140417.NASL | 80714 | 2015-01-19 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. | https://www.tenable.com/plugins/nessus/80714 | The remote Solaris system is missing necessary patches to address security updates : - The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013. (CVE-2013-5211) |
OracleVM 3.3 / 3.4 : ntp (OVMSA-2018-0290) | OracleVM Local Security Checks | ORACLEVM_OVMSA-2018-0290.NASL | 119823 | 2018-12-21 | 2018-12-21 | 2020-03-28 | This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. | https://www.tenable.com/plugins/nessus/119823 | The remote OracleVM system is missing necessary patches to address critical security updates : - add disable monitor to default ntp.conf [CVE-2013-5211] - fix buffer overflow in parsing of address in ntpq and ntpdc (CVE-2018-12327) - fix CVE-2016-7429 patch to work correctly on multicast client (#1422973) - fix buffer overflow in datum refclock driver (CVE-2017-6462) - fix crash with invalid unpeer command (CVE-2017-6463) - fix potential crash with invalid server command (CVE-2017-6464) |
AIX 5.3 TL 12 : ntp (IV59636) | AIX Local Security Checks | AIX_IV59636.NASL | 76080 | 2014-06-17 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2014-2015 Tenable Network Security, Inc. | https://www.tenable.com/plugins/nessus/76080 | The monlist feature in ntpd in NTP allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests. |
AIX 7.1 TL 2 : ntp (IV55365) | AIX Local Security Checks | AIX_IV55365.NASL | 76074 | 2014-06-17 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2014-2015 Tenable Network Security, Inc. | https://www.tenable.com/plugins/nessus/76074 | The monlist feature in ntpd in NTP allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests. |
openSUSE Security Update : openSUSE-2014- (openSUSE-2014--1) | SuSE Local Security Checks | SUSE_12_3_OPENSUSE-2014--140722.NASL | 76930 | 2014-07-31 | 2014-08-08 | 2017-10-29 | Tenable | https://www.tenable.com/plugins/index.php?view=single&id=76930 | The NTP time service could be used for remote denial of service amplification attacks. This issue can be fixed by the administrator as we described in our security advisory SUSE-SA:2014:001 http://lists.opensuse.org/opensuse-security-announce/2014-01/msg00005.html and on http://support.novell.com/security/cve/CVE-2013-5211.html This update now also replaces the default ntp.conf template to fix this problem. Please note that if you have touched or modified ntp.conf yourself, it will not be automatically fixed, you need to merge the changes manually as described. |
VMSA-2014-0002 : VMware vSphere updates to third-party libraries | VMware ESX Local Security Checks | VMWARE_VMSA-2014-0002.NASL | 72958 | 2014-03-12 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2014-2018 and is owned by Tenable, Inc. or an Affiliate thereof. | https://www.tenable.com/plugins/nessus/72958 | a. DDoS vulnerability in NTP third-party libraries The NTP daemon has a DDoS vulnerability in the handling of the |
pfSense < 2.1.1 Multiple Vulnerabilities (SA-14_02 / SA-14_03) | Firewalls | PFSENSE_SA-14_03.NASL | 106488 | 2018-01-31 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. | https://www.tenable.com/plugins/nessus/106488 | According to its self-reported version number, the remote pfSense install is prior to 2.1.1. It is, therefore, affected by multiple vulnerabilities as stated in the referenced vendor advisories. |
AIX 6.1 TL 7 : ntp (IV58413) | AIX Local Security Checks | AIX_IV58413.NASL | 76079 | 2014-06-17 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2014-2015 Tenable Network Security, Inc. | https://www.tenable.com/plugins/nessus/76079 | The monlist feature in ntpd in NTP allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests. |
AIX 6.1 TL 9 : ntp (IV56213) | AIX Local Security Checks | AIX_IV56213.NASL | 76075 | 2014-06-17 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2014-2015 Tenable Network Security, Inc. | https://www.tenable.com/plugins/nessus/76075 | The monlist feature in ntpd in NTP allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests. |
 | Oracle Linux Local Security Checks | ORACLELINUX_ELSA-2016-3612.NASL | 93448 | 2016-09-13 | 2020-06-02 | 2020-06-01 | This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. | | Description of changes: [4.2.6p5-22.0.1.el7_2.2] - add disable monitor to default ntp.conf [CVE-2013-5211] |
source https://www.tenable.com/plugins/nessus/93448 title Oracle Linux 7 : ntp (ELSA-2016-3612) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201401-08.NASL description The remote host is affected by the vulnerability described in GLSA-201401-08 (NTP: Traffic amplification) ntpd is susceptible to a reflected Denial of Service attack. Please review the CVE identifiers and references below for details. Impact : An unauthenticated remote attacker may conduct a distributed reflective Denial of Service attack on another user via a vulnerable NTP server. Workaround : We modified the default ntp configuration in =net-misc/ntp-4.2.6_p5-r10 and added “noquery” to the default restriction which disallows anyone to query the ntpd status, including “monlist”. If you use a non-default configuration, and provide a ntp service to untrusted networks, we highly recommend you to revise your configuration to disable mode 6 and 7 queries for any untrusted (public) network. You can always enable these queries for specific trusted networks. For more details please see the “Access Control Support” chapter in the ntp.conf(5) man page. last seen 2020-06-01 modified 2020-06-02 plugin id 72016 published 2014-01-20 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/72016 title GLSA-201401-08 : NTP: Traffic amplification NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2016-3613.NASL description Description of changes: [4.2.6p5-10.0.1.el6_8.1] - add disable monitor to default ntp.conf [CVE-2013-5211] last seen 2020-06-01 modified 2020-06-02 plugin id 93449 published 2016-09-13 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93449 title Oracle Linux 6 : ntp (ELSA-2016-3613) NASL family Misc. 
NASL id VMWARE_ESXI_5_5_BUILD_1623387_REMOTE.NASL description The remote VMware ESXi host is version 5.5 prior to build 1623387. It is, therefore, affected by multiple vulnerabilities : - Multiple integer overflow conditions exist in the bundled GNU C Library (glibc) due to improper validation of user-supplied input. A remote attacker can exploit these issues to cause a buffer overflow, resulting in a denial of service condition. (CVE-2013-4332) - A flaw exists in the monlist feature in NTP. A remote attacker can exploit this flaw, using a specially crafted packet to load the query function in monlist, to conduct a distributed denial of service attack. (CVE-2013-5211) last seen 2020-06-01 modified 2020-06-02 plugin id 83781 published 2015-05-22 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83781 title ESXi 5.5 < Build 1623387 Multiple Vulnerabilities (remote check) NASL family Misc. NASL id VMWARE_ESXI_5_1_BUILD_1743201_REMOTE.NASL description The remote VMware ESXi host is version 5.1 prior to build 1743201. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the monlist feature in NTP. A remote attacker can exploit this flaw, using a specially crafted packet to load the query function in monlist, to conduct a distributed denial of service attack. (CVE-2013-5211) - An unspecified privilege escalation vulnerability exists that allows an attacker to gain host OS privileges or cause a denial of service condition by modifying a configuration file. (CVE-2014-8370) - A flaw exists in the VMware Authorization process (vmware-authd) due to improper validation of user-supplied input. A remote attacker can exploit this to cause a denial of service condition. (CVE-2015-1044) last seen 2020-06-01 modified 2020-06-02 plugin id 81084 published 2015-01-29 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/81084 title ESXi 5.1 < Build 1743201 Multiple Vulnerabilities (remote check) NASL family Misc. NASL id NTP_MONLIST_ENABLED.NASL description The version of ntpd running on the remote host has the last seen 2020-06-01 modified 2020-06-02 plugin id 71783 published 2014-01-02 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/71783 title Network Time Protocol Daemon (ntpd) monlist Command Enabled DoS
Packetstorm
data source | https://packetstormsecurity.com/files/download/127492/ntpamp.py.txt |
id | PACKETSTORM:127492 |
last seen | 2016-12-05 |
published | 2014-07-16 |
reporter | DaRkReD |
source | https://packetstormsecurity.com/files/127492/NTP-Amplification-Denial-Of-Service-Tool.html |
title | NTP Amplification Denial Of Service Tool |
The Hacker News
id | THN:465F1B217D51F604B360DA109B4F9B83 |
last seen | 2018-01-27 |
modified | 2014-01-03 |
published | 2014-01-02 |
reporter | Wang Wei |
source | https://thehackernews.com/2014/01/Network-Time-Protocol-Reflection-DDoS-Attack-Tool.html |
title | Abusing Network Time Protocol (NTP) to perform massive Reflection DDoS attack |
References
- http://lists.ntp.org/pipermail/pool/2011-December/005616.html
- http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-dev/ntp-dev-4.2.7p26.tar.gz
- http://bugs.ntp.org/show_bug.cgi?id=1532
- http://openwall.com/lists/oss-security/2013/12/30/7
- http://openwall.com/lists/oss-security/2013/12/30/6
- http://www.us-cert.gov/ncas/alerts/TA14-013A
- http://marc.info/?l=bugtraq&m=138971294629419&w=2
- http://www.kb.cert.org/vuls/id/348126
- http://ics-cert.us-cert.gov/advisories/ICSA-14-051-04
- http://www.securitytracker.com/id/1030433
- http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095892
- http://secunia.com/advisories/59726
- http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5095861
- http://aix.software.ibm.com/aix/efixes/security/ntp_advisory.asc
- http://secunia.com/advisories/59288
- http://lists.opensuse.org/opensuse-updates/2014-09/msg00031.html
- http://marc.info/?l=bugtraq&m=144182594518755&w=2
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjul2016-3090544.html
- http://www.securityfocus.com/bid/64692
- https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04790232
- https://puppet.com/security/cve/puppetlabs-ntp-nov-2015-advisory