Vulnerabilities > CVE-2015-7849 - Use After Free vulnerability in NTP

047910
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
ntp
netapp
CWE-416
nessus
NVD
Published: 2017-08-07
Updated: 2017-11-10

Summary

Use-after-free vulnerability in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote authenticated users to possibly execute arbitrary code or cause a denial of service (crash) via crafted packets.

Vulnerable Configurations

Part Description Count
Application
Ntp
769
Application
Netapp
3
OS
Netapp
2

Common Weakness Enumeration (CWE)

Nessus

  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-649.NASL
    descriptionThis update for ntp fixes the following issues : - Update to 4.2.8p7 (boo#977446) : - CVE-2016-1547, boo#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, boo#977461: Interleave-pivot - CVE-2016-1549, boo#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, boo#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, boo#977450: Refclock impersonation vulnerability - CVE-2016-2516, boo#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, boo#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, boo#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, boo#977458: ctl_getitem() return value not always checked. - integrate ntp-fork.patch - Improve the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 - Restrict the parser in the startup script to the first occurrance of
    last seen2020-06-05
    modified2016-06-01
    plugin id91403
    published2016-06-01
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91403
    titleopenSUSE Security Update : ntp (openSUSE-2016-649)
  • NASL familyMisc.
    NASL idNTP_4_2_8P4.NASL
    descriptionThe version of the remote NTP server is 3.x or 4.x prior to 4.2.8p4. It is, therefore, affected by the following vulnerabilities : - A flaw exists in the ntp_crypto.c file due to improper validation of the
    last seen2020-06-01
    modified2020-06-02
    plugin id86631
    published2015-10-28
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/86631
    titleNetwork Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p4 Multiple Vulnerabilities
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_C4A18A1277FC11E5A687206A8A720317.NASL
    descriptionntp.org reports : NTF
    last seen2020-06-01
    modified2020-06-02
    plugin id86519
    published2015-10-22
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/86519
    titleFreeBSD : ntp -- 13 low- and medium-severity vulnerabilities (c4a18a12-77fc-11e5-a687-206a8a720317)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-1247-1.NASL
    descriptionntp was updated to version 4.2.8p6 to fix 28 security issues. Major functional changes : - The
    last seen2020-06-01
    modified2020-06-02
    plugin id90991
    published2016-05-09
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/90991
    titleSUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1247-1)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2015-302-03.NASL
    descriptionNew ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id86664
    published2015-10-30
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/86664
    titleSlackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2015-302-03)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201607-15.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201607-15 (NTP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in NTP. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id92485
    published2016-07-21
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92485
    titleGLSA-201607-15 : NTP: Multiple vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-2058-1.NASL
    descriptionThis ntp update provides the following security and non security fixes : - Update to 4.2.8p4 to fix several security issues (bsc#951608) : - CVE-2015-7871: NAK to the Future: Symmetric association authentication bypass via crypto-NAK - CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values - CVE-2015-7854: Password Length Memory Corruption Vulnerability - CVE-2015-7853: Invalid length data provided by a custom refclock driver could cause a buffer overflow - CVE-2015-7852 ntpq atoascii() Memory Corruption Vulnerability - CVE-2015-7851 saveconfig Directory Traversal Vulnerability - CVE-2015-7850 remote config logfile-keyfile - CVE-2015-7849 trusted key use-after-free - CVE-2015-7848 mode 7 loop counter underrun - CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC - CVE-2015-7703 configuration directives
    last seen2020-06-01
    modified2020-06-02
    plugin id87010
    published2015-11-23
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/87010
    titleSUSE SLED11 / SLES11 Security Update : ntp (SUSE-SU-2015:2058-1)
  • NASL familyFirewalls
    NASL idPFSENSE_SA-15_08.NASL
    descriptionAccording to its self-reported version number, the remote pfSense install is prior to 2.2.5. It is, therefore, affected by multiple vulnerabilities as stated in the referenced vendor advisories.
    last seen2020-06-01
    modified2020-06-02
    plugin id106497
    published2018-01-31
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/106497
    titlepfSense < 2.2.5 Multiple Vulnerabilities (SA-15_08)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-1311-1.NASL
    descriptionThis network time protocol server ntp was updated to 4.2.8p6 to fix the following issues : Also yast2-ntp-client was updated to match some sntp syntax changes. (bsc#937837) Major functional changes : - The
    last seen2020-06-01
    modified2020-06-02
    plugin id91248
    published2016-05-19
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91248
    titleSUSE SLES11 Security Update : ntp (SUSE-SU-2016:1311-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-767.NASL
    descriptionThis ntp update provides the following security and non security fixes : - Update to 4.2.8p4 to fix several security issues (bsc#951608) : - CVE-2015-7871: NAK to the Future: Symmetric association authentication bypass via crypto-NAK - CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values - CVE-2015-7854: Password Length Memory Corruption Vulnerability - CVE-2015-7853: Invalid length data provided by a custom refclock driver could cause a buffer overflow - CVE-2015-7852 ntpq atoascii() Memory Corruption Vulnerability - CVE-2015-7851 saveconfig Directory Traversal Vulnerability - CVE-2015-7850 remote config logfile-keyfile - CVE-2015-7849 trusted key use-after-free - CVE-2015-7848 mode 7 loop counter underrun - CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC - CVE-2015-7703 configuration directives
    last seen2020-06-05
    modified2015-11-20
    plugin id86964
    published2015-11-20
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/86964
    titleopenSUSE Security Update : ntp (openSUSE-2015-767)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-1912-1.NASL
    descriptionNTP was updated to version 4.2.8p8 to fix several security issues and to ensure the continued maintainability of the package. These security issues were fixed : CVE-2016-4953: Bad authentication demobilized ephemeral associations (bsc#982065). CVE-2016-4954: Processing spoofed server packets (bsc#982066). CVE-2016-4955: Autokey association reset (bsc#982067). CVE-2016-4956: Broadcast interleave (bsc#982068). CVE-2016-4957: CRYPTO_NAK crash (bsc#982064). CVE-2016-1547: Validate crypto-NAKs to prevent ACRYPTO-NAK DoS (bsc#977459). CVE-2016-1548: Prevent the change of time of an ntpd client or denying service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode (bsc#977461). CVE-2016-1549: Sybil vulnerability: ephemeral association attack (bsc#977451). CVE-2016-1550: Improve security against buffer comparison timing attacks (bsc#977464). CVE-2016-1551: Refclock impersonation vulnerability (bsc#977450)y CVE-2016-2516: Duplicate IPs on unconfig directives could have caused an assertion botch in ntpd (bsc#977452). CVE-2016-2517: Remote configuration trustedkey/ requestkey/controlkey values are not properly validated (bsc#977455). CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457). CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458). CVE-2015-8158: Potential Infinite Loop in ntpq (bsc#962966). CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). CVE-2015-7976: ntpq saveconfig command allowed dangerous characters in filenames (bsc#962802). CVE-2015-7975: nextvar() missing length check (bsc#962988). CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might have allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a
    last seen2020-06-01
    modified2020-06-02
    plugin id93186
    published2016-08-29
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93186
    titleSUSE SLES10 Security Update : ntp (SUSE-SU-2016:1912-1)

Talos

idTALOS-2015-0054
last seen2019-05-29
published2015-10-21
reporterTalos Intelligence
sourcehttp://www.talosintelligence.com/vulnerability_reports/TALOS-2015-0054
titleNetwork Time Protocol Trusted Keys Memory Corruption Vulnerability

References