Vulnerabilities > CVE-2015-7973 - 7PK - Security Features vulnerability in multiple products

CVSS 5.8 - MEDIUM

Attack vector

NETWORK

Attack complexity

MEDIUM

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

nessus

NVD

Published: 2017-01-30

Updated: 2021-04-26

Summary

NTP before 4.2.8p6 and 4.3.x before 4.3.90, when configured in broadcast mode, allows man-in-the-middle attackers to conduct replay attacks by sniffing the network.

Vulnerable Configurations

Part	Description	Count
Application	Ntp NTP NTP - NTP NTP 4.0 NTP NTP 4.0.72 NTP NTP 4.0.73 NTP NTP 4.0.90 NTP NTP 4.0.91 NTP NTP 4.0.92 NTP NTP 4.0.93 NTP NTP 4.0.94 NTP NTP 4.0.95 NTP NTP 4.0.96 NTP NTP 4.0.97 NTP NTP 4.0.98 NTP NTP 4.0.99 NTP NTP 4.1.0 NTP NTP 4.1.2 NTP NTP 4.2.0 NTP NTP 4.2.2 NTP NTP 4.2.4 NTP NTP 4.2.5 NTP NTP 4.2.6 NTP NTP 4.2.7 NTP NTP 4.2.7P444 NTP NTP 4.2.8 NTP NTP 4.3.0 NTP NTP 4.3.1 NTP NTP 4.3.2 NTP NTP 4.3.3 NTP NTP 4.3.4 NTP NTP 4.3.5 NTP NTP 4.3.6 NTP NTP 4.3.7 NTP NTP 4.3.8 NTP NTP 4.3.9 NTP NTP 4.3.10 NTP NTP 4.3.11 NTP NTP 4.3.12 NTP NTP 4.3.13 NTP NTP 4.3.14 NTP NTP 4.3.15 NTP NTP 4.3.16 NTP NTP 4.3.17 NTP NTP 4.3.18 NTP NTP 4.3.19 NTP NTP 4.3.20 NTP NTP 4.3.21 NTP NTP 4.3.22 NTP NTP 4.3.23 NTP NTP 4.3.24 NTP NTP 4.3.25 NTP NTP 4.3.26 NTP NTP 4.3.27 NTP NTP 4.3.28 NTP NTP 4.3.29 NTP NTP 4.3.30 NTP NTP 4.3.31 NTP NTP 4.3.32 NTP NTP 4.3.33 NTP NTP 4.3.34 NTP NTP 4.3.35 NTP NTP 4.3.36 NTP NTP 4.3.37 NTP NTP 4.3.38 NTP NTP 4.3.39 NTP NTP 4.3.40 NTP NTP 4.3.41 NTP NTP 4.3.42 NTP NTP 4.3.43 NTP NTP 4.3.44 NTP NTP 4.3.45 NTP NTP 4.3.46 NTP NTP 4.3.47 NTP NTP 4.3.48 NTP NTP 4.3.49 NTP NTP 4.3.50 NTP NTP 4.3.51 NTP NTP 4.3.52 NTP NTP 4.3.53 NTP NTP 4.3.54 NTP NTP 4.3.55 NTP NTP 4.3.56 NTP NTP 4.3.57 NTP NTP 4.3.58 NTP NTP 4.3.59 NTP NTP 4.3.60 NTP NTP 4.3.61 NTP NTP 4.3.62 NTP NTP 4.3.63 NTP NTP 4.3.64 NTP NTP 4.3.65 NTP NTP 4.3.66 NTP NTP 4.3.67 NTP NTP 4.3.68 NTP NTP 4.3.69 NTP NTP 4.3.70 NTP NTP 4.3.71 NTP NTP 4.3.72 NTP NTP 4.3.73 NTP NTP 4.3.74 NTP NTP 4.3.75 NTP NTP 4.3.76 NTP NTP 4.3.77 NTP NTP 4.3.78 NTP NTP 4.3.79 NTP NTP 4.3.80 NTP NTP 4.3.81 NTP NTP 4.3.82 NTP NTP 4.3.83 NTP NTP 4.3.84 NTP NTP 4.3.85 NTP NTP 4.3.86 NTP NTP 4.3.87 NTP NTP 4.3.88 NTP NTP 4.3.89	800
Application	Netapp Netapp Clustered Data Ontap - Netapp Oncommand Balance -	2
OS	Siemens Siemens TIM 4R IE Firmware * Siemens TIM 4R IE Dnp3 Firmware *	2
OS	Freebsd Freebsd Freebsd 9.3 Freebsd Freebsd 10.0 Freebsd Freebsd 10.1 Freebsd Freebsd 10.2	68
OS	Canonical Canonical Ubuntu Linux 12.04 Canonical Ubuntu Linux 14.04 Canonical Ubuntu Linux 16.04	3
Hardware	Siemens Siemens TIM 4R IE - Siemens TIM 4R IE Dnp3 -	2

Common Weakness Enumeration (CWE)

CWE-254 - 7PK - Security Features

Nessus

NASL family	Slackware Local Security Checks
NASL id	SLACKWARE_SSA_2016-054-04.NASL
description	New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	88912
published	2016-02-24
reporter	This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/88912
title	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2016-054-04)

NASL family	FreeBSD Local Security Checks
NASL id	FREEBSD_PKG_5237F5D7C02011E5B397D050996490D0.NASL
description	Network Time Foundation reports : NTF
last seen	2020-06-01
modified	2020-06-02
plugin id	88068
published	2016-01-22
reporter	This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/88068
title	FreeBSD : ntp -- multiple vulnerabilities (5237f5d7-c020-11e5-b397-d050996490d0)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2016-649.NASL
description	This update for ntp fixes the following issues : - Update to 4.2.8p7 (boo#977446) : - CVE-2016-1547, boo#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, boo#977461: Interleave-pivot - CVE-2016-1549, boo#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, boo#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, boo#977450: Refclock impersonation vulnerability - CVE-2016-2516, boo#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, boo#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, boo#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, boo#977458: ctl_getitem() return value not always checked. - integrate ntp-fork.patch - Improve the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 - Restrict the parser in the startup script to the first occurrance of
last seen	2020-06-05
modified	2016-06-01
plugin id	91403
published	2016-06-01
reporter	This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/91403
title	openSUSE Security Update : ntp (openSUSE-2016-649)

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2019-2215.NASL
description	According to the versions of the ntp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - NTP before 4.2.8p6 and 4.3.x before 4.3.90, when configured in broadcast mode, allows man-in-the-middle attackers to conduct replay attacks by sniffing the network.(CVE-2015-7973) - ntpd in ntp before 4.2.8p3 with remote configuration enabled allows remote authenticated users with knowledge of the configuration password and access to a computer entrusted to perform remote configuration to cause a denial of service (service crash) via a NULL byte in a crafted configuration directive packet.(CVE-2015-5146) - Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array.(CVE-2018-7183) - ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the
last seen	2020-05-08
modified	2019-11-08
plugin id	130677
published	2019-11-08
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/130677
title	EulerOS 2.0 SP5 : ntp (EulerOS-SA-2019-2215)

NASL family	AIX Local Security Checks
NASL id	AIX_NTP_V3_ADVISORY6.NASL
description	The version of NTP installed on the remote AIX host is affected by the following vulnerabilities : - A flaw exists in the receive() function due to the use of authenticated broadcast mode. A man-in-the-middle attacker can exploit this to conduct a replay attack. (CVE-2015-7973) - A NULL pointer dereference flaw exists in ntp_request.c that is triggered when handling ntpdc relist commands. A remote attacker can exploit this, via a specially crafted request, to crash the service, resulting in a denial of service condition. (CVE-2015-7977) - An unspecified flaw exists in authenticated broadcast mode. A remote attacker can exploit this, via specially crafted packets, to cause a denial of service condition. (CVE-2015-7979) - A flaw exists in ntpq and ntpdc that allows a remote attacker to disclose sensitive information in timestamps. (CVE-2015-8139) - A flaw exists in the ntpq protocol that is triggered during the handling of an improper sequence of numbers. A man-in-the-middle attacker can exploit this to conduct a replay attack. (CVE-2015-8140) - A flaw exists in the ntpq client that is triggered when handling packets that cause a loop in the getresponse() function. A remote attacker can exploit this to cause an infinite loop, resulting in a denial of service condition. (CVE-2015-8158)
last seen	2020-06-01
modified	2020-06-02
plugin id	92356
published	2016-07-18
reporter	This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/92356
title	AIX NTP v3 Advisory : ntp_advisory6.asc (IV83984) (IV83993) (IV83994) (IV83995) (IV84269)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2016-1247-1.NASL
description	ntp was updated to version 4.2.8p6 to fix 28 security issues. Major functional changes : - The
last seen	2020-06-01
modified	2020-06-02
plugin id	90991
published	2016-05-09
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/90991
title	SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1247-1)

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2020-1210.NASL
description	According to the versions of the ntp packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the
last seen	2020-03-19
modified	2020-03-13
plugin id	134499
published	2020-03-13
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/134499
title	EulerOS Virtualization for ARM 64 3.0.2.0 : ntp (EulerOS-SA-2020-1210)

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2020-1457.NASL
description	According to the versions of the ntp packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - NTP through 4.2.8p12 has a NULL Pointer Dereference.(CVE-2019-8936) - ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the
last seen	2020-04-30
modified	2020-04-16
plugin id	135619
published	2020-04-16
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/135619
title	EulerOS Virtualization 3.0.2.2 : ntp (EulerOS-SA-2020-1457)

NASL family	Firewalls
NASL id	PFSENSE_SA-16_02.NASL
description	According to its self-reported version number, the remote pfSense install is prior to 2.3. It is, therefore, affected by multiple vulnerabilities.
last seen	2020-06-01
modified	2020-06-02
plugin id	106499
published	2018-01-31
reporter	This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/106499
title	pfSense < 2.3 Multiple Vulnerabilities (SA-16_01 - SA-16_02)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2016-1175-1.NASL
description	ntp was updated to version 4.2.8p6 to fix 12 security issues. These security issues were fixed : - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966). - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802). - CVE-2015-7975: nextvar() missing length check (bsc#962988). - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960). - CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995). - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994). - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997). - CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	90820
published	2016-05-02
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/90820
title	SUSE SLES11 Security Update : ntp (SUSE-SU-2016:1175-1)

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-201607-15.NASL
description	The remote host is affected by the vulnerability described in GLSA-201607-15 (NTP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in NTP. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly cause a Denial of Service condition. Workaround : There is no known workaround at this time.
last seen	2020-06-01
modified	2020-06-02
plugin id	92485
published	2016-07-21
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/92485
title	GLSA-201607-15 : NTP: Multiple vulnerabilities

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2016-1311-1.NASL
description	This network time protocol server ntp was updated to 4.2.8p6 to fix the following issues : Also yast2-ntp-client was updated to match some sntp syntax changes. (bsc#937837) Major functional changes : - The
last seen	2020-06-01
modified	2020-06-02
plugin id	91248
published	2016-05-19
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/91248
title	SUSE SLES11 Security Update : ntp (SUSE-SU-2016:1311-1)

NASL family	AIX Local Security Checks
NASL id	AIX_IV83984.NASL
description	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using authenticated broadcast mode packets to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted ntpdc reslist command, an attacker could exploit this vulnerability to cause a segmentation fault. NTP could allow a remote attacker to bypass security restrictions. By sending specially crafted broadcast packets with bad authentication, an attacker could exploit this vulnerability to cause the target broadcast client to tear down the association with the broadcast server. NTP could allow a remote attacker to obtain sensitive information, caused by an origin leak in ntpq and ntpdc. An attacker could exploit this vulnerability to obtain sensitive information. NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using ntpq to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by the improper processing of incoming packets by ntpq. By sending specially crafted data, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop. This plugin has been deprecated due to manual logic changes and advisory issues. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.
last seen	2017-10-29
modified	2017-01-19
plugin id	91516
published	2016-06-09
reporter	Tenable
source	https://www.tenable.com/plugins/index.php?view=single&id=91516
title	AIX 6.1 TL 9 : ntp (IV83984) (deprecated)

NASL family	AIX Local Security Checks
NASL id	AIX_IV83995.NASL
description	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using authenticated broadcast mode packets to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted ntpdc reslist command, an attacker could exploit this vulnerability to cause a segmentation fault. NTP could allow a remote attacker to bypass security restrictions. By sending specially crafted broadcast packets with bad authentication, an attacker could exploit this vulnerability to cause the target broadcast client to tear down the association with the broadcast server. NTP could allow a remote attacker to obtain sensitive information, caused by an origin leak in ntpq and ntpdc. An attacker could exploit this vulnerability to obtain sensitive information. NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using ntpq to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by the improper processing of incoming packets by ntpq. By sending specially crafted data, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop. This plugin has been deprecated due to manual logic changes and advisory issues. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.
last seen	2017-10-29
modified	2017-01-19
plugin id	91519
published	2016-06-09
reporter	Tenable
source	https://www.tenable.com/plugins/index.php?view=single&id=91519
title	AIX 7.2 TL 0 : ntp (IV83995) (deprecated)

NASL family	Misc.
NASL id	NTP_4_2_8P6.NASL
description	The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p6. It is, therefore, affected by the following vulnerabilities : - A flaw exists in the receive() function due to the use of authenticated broadcast mode. A man-in-the-middle attacker can exploit this to conduct a replay attack. (CVE-2015-7973) - A time serving flaw exists in the trusted key system due to improper key checks. An authenticated, remote attacker can exploit this to perform impersonation attacks between authenticated peers. (CVE-2015-7974) - An overflow condition exists in the nextvar() function due to improper validation of user-supplied input. A local attacker can exploit this to cause a buffer overflow, resulting in a denial of service condition. (CVE-2015-7975) - A flaw exists in ntp_control.c due to improper filtering of special characters in filenames by the saveconfig command. An authenticated, remote attacker can exploit this to inject arbitrary content. (CVE-2015-7976) - A NULL pointer dereference flaw exists in ntp_request.c that is triggered when handling ntpdc relist commands. A remote attacker can exploit this, via a specially crafted request, to crash the service, resulting in a denial of service condition. (CVE-2015-7977) - A flaw exists in ntpdc that is triggered during the handling of the relist command. A remote attacker can exploit this, via recursive traversals of the restriction list, to exhaust available space on the call stack, resulting in a denial of service condition. CVE-2015-7978) - An unspecified flaw exists in authenticated broadcast mode. A remote attacker can exploit this, via specially crafted packets, to cause a denial of service condition. (CVE-2015-7979) - A flaw exists in the receive() function that allows packets with an origin timestamp of zero to bypass security checks. A remote attacker can exploit this to spoof arbitrary content. (CVE-2015-8138) - A flaw exists in ntpq and ntpdc that allows a remote attacker to disclose sensitive information in timestamps. (CVE-2015-8139) - A flaw exists in the ntpq protocol that is triggered during the handling of an improper sequence of numbers. A man-in-the-middle attacker can exploit this to conduct a replay attack. (CVE-2015-8140) - A flaw exists in the ntpq client that is triggered when handling packets that cause a loop in the getresponse() function. A remote attacker can exploit this to cause an infinite loop, resulting in a denial of service condition. (CVE-2015-8158)
last seen	2020-06-01
modified	2020-06-02
plugin id	88054
published	2016-01-21
reporter	This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/88054
title	Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p6 Multiple Vulnerabilities

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2016-1912-1.NASL
description	NTP was updated to version 4.2.8p8 to fix several security issues and to ensure the continued maintainability of the package. These security issues were fixed : CVE-2016-4953: Bad authentication demobilized ephemeral associations (bsc#982065). CVE-2016-4954: Processing spoofed server packets (bsc#982066). CVE-2016-4955: Autokey association reset (bsc#982067). CVE-2016-4956: Broadcast interleave (bsc#982068). CVE-2016-4957: CRYPTO_NAK crash (bsc#982064). CVE-2016-1547: Validate crypto-NAKs to prevent ACRYPTO-NAK DoS (bsc#977459). CVE-2016-1548: Prevent the change of time of an ntpd client or denying service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode (bsc#977461). CVE-2016-1549: Sybil vulnerability: ephemeral association attack (bsc#977451). CVE-2016-1550: Improve security against buffer comparison timing attacks (bsc#977464). CVE-2016-1551: Refclock impersonation vulnerability (bsc#977450)y CVE-2016-2516: Duplicate IPs on unconfig directives could have caused an assertion botch in ntpd (bsc#977452). CVE-2016-2517: Remote configuration trustedkey/ requestkey/controlkey values are not properly validated (bsc#977455). CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457). CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458). CVE-2015-8158: Potential Infinite Loop in ntpq (bsc#962966). CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). CVE-2015-7976: ntpq saveconfig command allowed dangerous characters in filenames (bsc#962802). CVE-2015-7975: nextvar() missing length check (bsc#962988). CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might have allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a
last seen	2020-06-01
modified	2020-06-02
plugin id	93186
published	2016-08-29
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/93186
title	SUSE SLES10 Security Update : ntp (SUSE-SU-2016:1912-1)

NASL family	AIX Local Security Checks
NASL id	AIX_NTP_V4_ADVISORY6.NASL
description	The version of NTP installed on the remote AIX host is affected by the following vulnerabilities : - A flaw exists in the receive() function due to the use of authenticated broadcast mode. A man-in-the-middle attacker can exploit this to conduct a replay attack. (CVE-2015-7973) - A NULL pointer dereference flaw exists in ntp_request.c that is triggered when handling ntpdc relist commands. A remote attacker can exploit this, via a specially crafted request, to crash the service, resulting in a denial of service condition. (CVE-2015-7977) - An unspecified flaw exists in authenticated broadcast mode. A remote attacker can exploit this, via specially crafted packets, to cause a denial of service condition. (CVE-2015-7979) - A flaw exists in ntpq and ntpdc that allows a remote attacker to disclose sensitive information in timestamps. (CVE-2015-8139) - A flaw exists in the ntpq protocol that is triggered during the handling of an improper sequence of numbers. A man-in-the-middle attacker can exploit this to conduct a replay attack. (CVE-2015-8140) - A flaw exists in the ntpq client that is triggered when handling packets that cause a loop in the getresponse() function. A remote attacker can exploit this to cause an infinite loop, resulting in a denial of service condition. (CVE-2015-8158)
last seen	2020-06-01
modified	2020-06-02
plugin id	92357
published	2016-07-18
reporter	This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/92357
title	AIX NTP v4 Advisory : ntp_advisory6.asc (IV83983) (IV83992)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2016-1177-1.NASL
description	ntp was updated to version 4.2.8p6 to fix 12 security issues. Also yast2-ntp-client was updated to match some sntp syntax changes. (bsc#937837) These security issues were fixed : - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966). - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802). - CVE-2015-7975: nextvar() missing length check (bsc#962988). - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960). - CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995). - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994). - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997). - CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	90821
published	2016-05-02
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/90821
title	SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1177-1)

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2019-2637.NASL
description	According to the versions of the ntp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - NTP before 4.2.8p6 and 4.3.x before 4.3.90, when configured in broadcast mode, allows man-in-the-middle attackers to conduct replay attacks by sniffing the network.(CVE-2015-7973) - NTP before 4.2.8p7 and 4.3.x before 4.3.92 allows remote attackers to cause a denial of service (prevent subsequent authentication) by leveraging knowledge of the controlkey or requestkey and sending a crafted packet to ntpd, which changes the value of trustedkey, controlkey, or requestkey. NOTE: this vulnerability exists because of a CVE-2016-2516 regression.(CVE-2016-2517) - ntpd in ntp before 4.2.8p3 with remote configuration enabled allows remote authenticated users with knowledge of the configuration password and access to a computer entrusted to perform remote configuration to cause a denial of service (service crash) via a NULL byte in a crafted configuration directive packet.(CVE-2015-5146) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-05-08
modified	2019-12-18
plugin id	132172
published	2019-12-18
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/132172
title	EulerOS 2.0 SP3 : ntp (EulerOS-SA-2019-2637)

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-3096-1.NASL
description	Aanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to perform a replay attack. (CVE-2015-7973) Matt Street discovered that NTP incorrectly verified peer associations of symmetric keys. A remote attacker could use this issue to perform an impersonation attack. (CVE-2015-7974) Jonathan Gardner discovered that the NTP ntpq utility incorrectly handled memory. An attacker could possibly use this issue to cause ntpq to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2015-7975) Jonathan Gardner discovered that the NTP ntpq utility incorrectly handled dangerous characters in filenames. An attacker could possibly use this issue to overwrite arbitrary files. (CVE-2015-7976) Stephen Gray discovered that NTP incorrectly handled large restrict lists. An attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7977, CVE-2015-7978) Aanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7979) Jonathan Gardner discovered that NTP incorrectly handled origin timestamp checks. A remote attacker could use this issue to spoof peer servers. (CVE-2015-8138) Jonathan Gardner discovered that the NTP ntpq utility did not properly handle certain incorrect values. An attacker could possibly use this issue to cause ntpq to hang, resulting in a denial of service. (CVE-2015-8158) It was discovered that the NTP cronjob incorrectly cleaned up the statistics directory. A local attacker could possibly use this to escalate privileges. (CVE-2016-0727) Stephen Gray and Matthew Van Gundy discovered that NTP incorrectly validated crypto-NAKs. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1547) Miroslav Lichvar and Jonathan Gardner discovered that NTP incorrectly handled switching to interleaved symmetric mode. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1548) Matthew Van Gundy, Stephen Gray and Loganaden Velvindron discovered that NTP incorrectly handled message authentication. A remote attacker could possibly use this issue to recover the message digest key. (CVE-2016-1550) Yihan Lian discovered that NTP incorrectly handled duplicate IPs on unconfig directives. An authenticated remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2516) Yihan Lian discovered that NTP incorrectly handled certail peer associations. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2518) Jakub Prokes discovered that NTP incorrectly handled certain spoofed packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4954) Miroslav Lichvar discovered that NTP incorrectly handled certain packets when autokey is enabled. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4955) Miroslav Lichvar discovered that NTP incorrectly handled certain spoofed broadcast packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4956) In the default installation, attackers would be isolated by the NTP AppArmor profile. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	93896
published	2016-10-06
reporter	Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/93896
title	Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : ntp vulnerabilities (USN-3096-1)

NASL family	AIX Local Security Checks
NASL id	AIX_IV83993.NASL
description	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using authenticated broadcast mode packets to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted ntpdc reslist command, an attacker could exploit this vulnerability to cause a segmentation fault. NTP could allow a remote attacker to bypass security restrictions. By sending specially crafted broadcast packets with bad authentication, an attacker could exploit this vulnerability to cause the target broadcast client to tear down the association with the broadcast server. NTP could allow a remote attacker to obtain sensitive information, caused by an origin leak in ntpq and ntpdc. An attacker could exploit this vulnerability to obtain sensitive information. NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using ntpq to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by the improper processing of incoming packets by ntpq. By sending specially crafted data, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop. This plugin has been deprecated due to manual logic changes and advisory issues. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.
last seen	2017-10-29
modified	2017-01-19
plugin id	91517
published	2016-06-09
reporter	Tenable
source	https://www.tenable.com/plugins/index.php?view=single&id=91517
title	AIX 7.1 TL 3 : ntp (IV83993) (deprecated)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2016-578.NASL
description	ntp was updated to version 4.2.8p6 to fix 12 security issues. Also yast2-ntp-client was updated to match some sntp syntax changes. (bsc#937837) These security issues were fixed : - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966). - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802). - CVE-2015-7975: nextvar() missing length check (bsc#962988). - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960). - CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995). - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994). - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997). - CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629). These non-security issues were fixed : - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added the authreg directive. - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which caused the synchronization to fail. - bsc#782060: Speedup ntpq. - bsc#916617: Add /var/db/ntp-kod. - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen quite a lot on loaded systems. - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST. - Add ntp-fork.patch and build with threads disabled to allow name resolution even when running chrooted. This update was imported from the SUSE:SLE-12-SP1:Update update project.
last seen	2020-06-05
modified	2016-05-13
plugin id	91111
published	2016-05-13
reporter	This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/91111
title	openSUSE Security Update : ntp (openSUSE-2016-578)

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2019-2446.NASL
description	According to the versions of the ntp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - NTP before 4.2.8p7 and 4.3.x before 4.3.92 allows remote attackers to cause a denial of service (prevent subsequent authentication) by leveraging knowledge of the controlkey or requestkey and sending a crafted packet to ntpd, which changes the value of trustedkey, controlkey, or requestkey. NOTE: this vulnerability exists because of a CVE-2016-2516 regression.(CVE-2016-2517) - NTP before 4.2.8p6 and 4.3.x before 4.3.90, when configured in broadcast mode, allows man-in-the-middle attackers to conduct replay attacks by sniffing the network.(CVE-2015-7973) - ntpd in ntp before 4.2.8p3 with remote configuration enabled allows remote authenticated users with knowledge of the configuration password and access to a computer entrusted to perform remote configuration to cause a denial of service (service crash) via a NULL byte in a crafted configuration directive packet.(CVE-2015-5146) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-05-08
modified	2019-12-04
plugin id	131600
published	2019-12-04
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/131600
title	EulerOS 2.0 SP2 : ntp (EulerOS-SA-2019-2446)

NASL family	AIX Local Security Checks
NASL id	AIX_IV83994.NASL
description	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using authenticated broadcast mode packets to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted ntpdc reslist command, an attacker could exploit this vulnerability to cause a segmentation fault. NTP could allow a remote attacker to bypass security restrictions. By sending specially crafted broadcast packets with bad authentication, an attacker could exploit this vulnerability to cause the target broadcast client to tear down the association with the broadcast server. NTP could allow a remote attacker to obtain sensitive information, caused by an origin leak in ntpq and ntpdc. An attacker could exploit this vulnerability to obtain sensitive information. NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using ntpq to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by the improper processing of incoming packets by ntpq. By sending specially crafted data, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop. This plugin has been deprecated due to manual logic changes and advisory issues. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.
last seen	2017-10-29
modified	2017-01-19
plugin id	91518
published	2016-06-09
reporter	Tenable
source	https://www.tenable.com/plugins/index.php?view=single&id=91518
title	AIX 7.1 TL 4 : ntp (IV83994) (deprecated)

NASL family	AIX Local Security Checks
NASL id	AIX_IV84269.NASL
description	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using authenticated broadcast mode packets to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted ntpdc reslist command, an attacker could exploit this vulnerability to cause a segmentation fault. NTP could allow a remote attacker to bypass security restrictions. By sending specially crafted broadcast packets with bad authentication, an attacker could exploit this vulnerability to cause the target broadcast client to tear down the association with the broadcast server. NTP could allow a remote attacker to obtain sensitive information, caused by an origin leak in ntpq and ntpdc. An attacker could exploit this vulnerability to obtain sensitive information. NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using ntpq to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by the improper processing of incoming packets by ntpq. By sending specially crafted data, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop. This plugin has been deprecated due to manual logic changes and advisory issues. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.
last seen	2017-10-29
modified	2017-01-19
plugin id	91520
published	2016-06-09
reporter	Tenable
source	https://www.tenable.com/plugins/index.php?view=single&id=91520
title	AIX 5.3 TL 12 : ntp (IV84269) (deprecated)

Seebug

bulletinFamily	exploit
description	### Summary An exploitable denial of service vulnerability exists in the broadcast mode replay prevention functionality of ntpd. To prevent replay of broadcast mode packets, ntpd rejects broadcast mode packets with non-monotonically increasing transmit timestamps. Remote unauthenticated attackers can send specially crafted broadcast mode NTP packets to cause ntpd to reject all broadcast mode packets from legitimate NTP broadcast servers. ### Tested Versions NTP 4.2.8p6 ### Product URLs http://www.ntp.org/ ### CVSS Scores CVSSv2: 5.0 - (AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv3: 5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L ### Details In response to the NTP Deja Vu vulnerability (CVE-2015-7973), ntp-4.2.8p6 introduced several new integrity checks on incoming broadcast mode packets. Upon receipt of a broadcast mode packet, before authentication is enforced, ntpd will reject the packet if any of the following conditions hold: 1. The packet poll value is out of bounds for the broadcast association, i.e. ``` pkt->ppoll < peer->minpoll \|\| pkt->ppoll > peer->maxpoll ``` 2. The packet was received before a full poll interval has elapsed since the last broadcast packet was received from the packet's sender. i.e. A server cannot ingress packets more frequently than `peer->minpoll`. 3. The packet transmit timestamp is less than the last seen broadcast packet transmit timestamp from the packet's sender. i.e. Broadcast packet transmit timestamps must be monotonically increasing. The following logic is used to ensure that packet transmit timestamps are monotonically increasing: ``` /* ntp-4.2.8p6 ntpd/ntp_proto.c / 1305 if (MODE_BROADCAST == hismode) { ... 1351 tdiff = p_xmt; 1352 L_SUB(&tdiff, &peer->bxmt); 1353 if (tdiff.l_i < 0) { 1354 msyslog(LOG_INFO, "receive: broadcast packet from %s contains non-monotonic timestamp: %#010x.%08x -> %#010x.%08x", 1355 stoa(&rbufp->recv_srcadr), 1356 peer->bxmt.l_ui, peer->bxmt.l_uf, 1357 p_xmt.l_ui, p_xmt.l_uf 1358 ); 1359 ++bail; 1360 } 1361 1362 peer->bxmt = p_xmt; 1363 1364 if (bail) { 1365 peer->timelastrec = current_time; 1366 sys_declined++; 1367 return; 1368 } 1369 } ``` If the packet transmit timestamp is less than the transmit timestamp on the last received broadcast packet from this association (`p_xmt - peer->bxmt < 0`), the packet will be discarded. Unfortunately, line 1362 updates the saved transmit timestamp for alleged sender of the packet (`peer->bxmt`) before the packet is discarded. The update takes place even if the packet is unauthenticated and fails the previous integrity checks. This leads to a trivial denial of service attack. The attacker: 1. Discovers the IP address of the victim's broadcast server. e.g. Send the victim a client mode NTP packet and discover the broadcast server from the refid field of the victim's reply. 2. Every poll period, send the victim a spoofed broadcast mode packet from the broadcast server with a transmit timestamp in the future. This will move `peer->bxmt` forward so that any legitimate packet will be rejected by the non-monotonic timestamp check. The attacker does not need to be on the same subnet as the victim. The attacker can address the spoofed broadcast NTP packet directly to the victim's IP address. * The attacker can choose any reasonably small estimate for the poll period. Because the `peer->bxmt` update happens even when a packet fails the poll period checks, there is no penalty for sending packets too frequently. To prevent this vulnerability, `peer->bxmt` should only be updated when a packet authenticates correctly. This is the approach taken in the patch below. ### Mitigation There is no workaround for this issue. Because the vulnerable logic is executed before authentication is enforced, authentication and the `restrict notrust` ntpd.conf directive have no effect. An attacker can bypass `notrust` restrictions by sending incorrectly authenticated packets. In order to succeed in an attack, the attacker must send at least one spoofed packet per poll period. Therefore observing more than one NTP broadcast packet from the same sender address per poll period indicates a possible attack. The following patch can be used to fix this vulnerability: ``` From 097fd4dae9ac4927d7cfa8011fd42f704bd02c45 Mon Sep 17 00:00:00 2001 From: Matthew Van Gundy <[email protected]> Date: Tue, 26 Jan 2016 15:00:28 -0500 Subject: [PATCH] Fix unauthenticated broadcast mode denial of service (peer->bxmt) --- include/ntp_fp.h \| 1 + ntpd/ntp_proto.c \| 22 ++++++++++++++++------ 2 files changed, 17 insertions(+), 6 deletions(-) diff --git a/include/ntp_fp.h b/include/ntp_fp.h index 7806932..ad7a01d 100644 --- a/include/ntp_fp.h +++ b/include/ntp_fp.h @@ -242,6 +242,7 @@ typedef u_int32 u_fp; #define L_ISGTU(a, b) M_ISGTU((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf) #define L_ISHIS(a, b) M_ISHIS((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf) #define L_ISGEQ(a, b) M_ISGEQ((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf) +#define L_ISGEQU(a, b) L_ISHIS(a, b) #define L_ISEQU(a, b) M_ISEQU((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf) /* diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c index ad45409..ac469ce 100644 --- a/ntpd/ntp_proto.c +++ b/ntpd/ntp_proto.c @@ -1305,7 +1305,6 @@ receive( if (MODE_BROADCAST == hismode) { u_char poll; int bail = 0; - l_fp tdiff; DPRINTF(2, ("receive: PROCPKT/BROADCAST: prev pkt %ld seconds ago, ppoll: %d, %d secs\n", (current_time - peer->timelastrec), @@ -1348,9 +1347,8 @@ receive( ++bail; } - tdiff = p_xmt; - L_SUB(&tdiff, &peer->bxmt); - if (tdiff.l_i < 0) { + /* Use L_ISGEQU() to ensure unsigned comparison / + if (!L_ISGEQU(&p_xmt, &peer->bxmt)) { msyslog(LOG_INFO, "receive: broadcast packet from %s contains non-monotonic timestamp: %#010x.%08x -> %#010x.%08x", stoa(&rbufp->recv_srcadr), peer->bxmt.l_ui, peer->bxmt.l_uf, @@ -1359,8 +1357,6 @@ receive( ++bail; } - peer->bxmt = p_xmt; - if (bail) { peer->timelastrec = current_time; sys_declined++; @@ -1563,6 +1559,14 @@ receive( peer->xmt = p_xmt; / + * Now that we know the packet is correctly authenticated, + * update peer->bxmt if needed + / + if (MODE_BROADCAST == hismode) { + peer->bxmt = p_xmt; + } + + / * Set the peer ppoll to the maximum of the packet ppoll and the * peer minpoll. If a kiss-o'-death, set the peer minpoll to * this maximum and advance the headway to give the sender some @@ -2400,6 +2404,7 @@ peer_clear( ) { u_char u; + l_fp bxmt = peer->bxmt; #ifdef AUTOKEY /* @@ -2436,6 +2441,11 @@ peer_clear( peer->flash = peer_unfit(peer); peer->jitter = LOGTOD(sys_precision); + /* Don't throw away our broadcast replay protection / + if (peer->hmode == MODE_BCLIENT) { + peer->bxmt = bxmt; + } + / * If interleave mode, initialize the alternate origin switch. / ``` ### Timeline 2016-09-12 - Vendor Disclosure * 2016-11-21 - Public Release
id	SSV:96650
last seen	2017-11-19
modified	2017-10-11
published	2017-10-11
reporter	Root
title	Network Time Protocol Broadcast Mode Replay Prevention Denial of Service Vulnerability(CVE-2016-7427)

bulletinFamily	exploit
description	### Summary An exploitable denial of service vulnerability exists in the broadcast mode poll interval enforcement functionality of ntpd. To limit abuse, ntpd restricts the rate at which each broadcast association will process incoming packets. ntpd will reject broadcast mode packets that arrive before the poll interval specified in the preceding broadcast packet expires. A vulnerability exists which allows remote unauthenticated attackers to send specially crafted broadcast mode NTP packets which will cause ntpd to reject all broadcast mode packets from legitimate NTP broadcast servers. ### Tested Versions NTP 4.2.8p6 ### Product URLs http://www.ntp.org/ ### CVSS Scores * CVSSv2: 5.0 - (AV:N/AC:L/Au:N/C:N/I:N/A:P) * CVSSv3: 5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L ### Details In response to the NTP Deja Vu vulnerability (CVE-2015-7973), ntp-4.2.8p6 introduced several new integrity checks on incoming broadcast mode packets. Upon receipt of a broadcast mode packet, before authentication is enforced, ntpd will reject the packet if any of the following conditions hold: 1. The packet poll value is out of bounds for the broadcast association, i.e. ``` pkt->ppoll < peer->minpoll \|\| pkt->ppoll > peer->maxpoll ``` 2. The packet was received before a full poll interval has elapsed since the last broadcast packet was received from the packet's sender. i.e. A server cannot ingress packets more frequently than `peer->minpoll`. 3. The packet transmit timestamp is less than the last seen broadcast packet transmit timestamp from the packet's sender. i.e. Broadcast packet transmit timestamps must be monotonically increasing. The following logic is used to ensure constraint 2, which ensures that broadcast associations will process only one incoming packet per poll interval: ``` /* ntp-4.2.8p6 ntpd/ntp_proto.c / 1305 if (MODE_BROADCAST == hismode) { ... 1341 if ( (current_time - peer->timelastrec) 1342 < (1 << pkt->ppoll)) { 1343 msyslog(LOG_INFO, "receive: broadcast packet from %s arrived after %ld, not %d seconds!", 1344 stoa(&rbufp->recv_srcadr), 1345 (current_time - peer->timelastrec), 1346 (1 << pkt->ppoll) 1347 ); 1348 ++bail; 1349 } ... 1361 1362 peer->bxmt = p_xmt; 1363 1364 if (bail) { 1365 peer->timelastrec = current_time; 1366 sys_declined++; 1367 return; 1368 } 1369 } ``` If the time elapsed since the last broadcast packet was received from this peer is less than the poll interval declared by the sender (`(current_time - peer->timelastrec) < (1 << pkt->ppoll)`), the packet will be discarded. (A previous check ensures that `pkt->ppoll` is within acceptable bounds.) Unfortunately, line 1341 compares the current time against the last time any broadcast mode packet was received with a source IP address of the peer (`peer->timelastrec`). In contrast to `peer->timereceived`, which is updated only when a clean (correctly authenticated and passing integrity checks) packet is received, `peer->timelastrec` is updated by all incoming broadcast packets including spoofed and replayed packets. This leads to a trivial denial of service attack. The attacker: 1. Discovers the IP address of the victim's broadcast server. e.g. Send the victim a client mode NTP packet and discover the broadcast server from the refid field of the victim's reply. 2. At least once per poll period, send the victim a spoofed broadcast mode packet from the broadcast server. This will set `peer->timelastrec = current_time` such that, when a legitimate packet is received, it will appear to have been received too early (`(current_time - peer->timelastrec) < (1 << pkt->ppoll)`) and will be discarded. The attacker does not need to be on the same subnet as the victim. The attacker can address the spoofed broadcast NTP packet directly to the victim's IP address. * The attacker can choose any reasonably small estimate for the poll period. Because the `peer->timelastrec` update happens even when a packet fails the poll period check, there is no penalty for sending packets too frequently. To prevent this vulnerability, ntpd should only discard packets broadcast packets when less than one poll interval has elapsed since the last legitimate packet has been received (`peer->timereceived`). ### Mitigation There is no workaround for this issue. Because the vulnerable logic is executed before authentication is enforced, authentication and the `restrict notrust` ntpd.conf directive have no effect. An attacker can bypass `notrust` restrictions by sending incorrectly authenticated packets. In order to succeed in an attack, the attacker must send at least one spoofed packet per poll period. Therefore observing more than one NTP broadcast packet from the same sender address per poll period indicates a possible attack. The following patch can be used to fix this vulnerability: ``` From 8522882496d3df2bd764de6d8f7afac4a8d84006 Mon Sep 17 00:00:00 2001 From: Matthew Van Gundy <[email protected]> Date: Fri, 5 Feb 2016 17:38:32 -0500 Subject: [PATCH] Fix unauthenticated broadcast mode denial of service (peer->timelastrec) Drop packets if they arrive less than one poll interval since the last clean packet received on an association. If we compare against the last time that any packet was received, even one that will be dropped for failing integrity checks, an attacker can DoS the association by sending incorrectly authenticated packets or replaying old packets to keep bumping the peer->timelastrec timer forward. --- include/ntp.h \| 4 +++- ntpd/ntp_proto.c \| 13 +++++++++++-- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/include/ntp.h b/include/ntp.h index 6a4e9aa..cbf6cec 100644 --- a/include/ntp.h +++ b/include/ntp.h @@ -383,7 +383,9 @@ struct peer { * Statistic counters / u_long timereset; / time stat counters were reset / - u_long timelastrec; / last packet received time / + u_long timelastrec; / last packet received time (may + * include spoofed, replayed, or other + * invalid packets) / u_long timereceived; / last (clean) packet received time / u_long timereachable; / last reachable/unreachable time / diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c index ad45409..1ea5cee 100644 --- a/ntpd/ntp_proto.c +++ b/ntpd/ntp_proto.c @@ -1338,11 +1338,20 @@ receive( ++bail; } - if ( (current_time - peer->timelastrec) + / + * Ensure that at least one poll interval has + * elapsed since the last clean packet was + * received. We limit the check to clean + * packets to prevent replayed packets and + * incorrectly authenticated packets, which + * we'll discard, from being used to create a + * denial of service condition. + / + if ( (current_time - peer->timereceived) < (1 << pkt->ppoll)) { msyslog(LOG_INFO, "receive: broadcast packet from %s arrived after %ld, not %d seconds!", stoa(&rbufp->recv_srcadr), - (current_time - peer->timelastrec), + (current_time - peer->timereceived), (1 << pkt->ppoll) ); ++bail; -- 2.5.2 ``` ### Timeline 2016-09-12 - Vendor Disclosure * 2016-11-21 - Public Release
id	SSV:96648
last seen	2017-11-19
modified	2017-10-11
published	2017-10-11
reporter	Root
title	Network Time Protocol Broadcast Mode Poll Interval Enforcement Denial of Service Vulnerability(CVE-2016-7428)

Talos

id	TALOS-2016-0131
last seen	2019-05-29
published	2016-11-21
reporter	Talos Intelligence
source	http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0131
title	Network Time Protocol Broadcast Mode Replay Prevention Denial of Service Vulnerability

id	TALOS-2016-0130
last seen	2019-05-29
published	2016-11-21
reporter	Talos Intelligence
source	http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0130
title	Network Time Protocol Broadcast Mode Poll Interval Enforcement Denial of Service Vulnerability

id	TALOS-2016-0070
last seen	2019-05-29
published	2016-01-19
reporter	Talos Intelligence
source	http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0070
title	Network Time Protocol Deja Vu: Broadcast Mode Replay Vulnerability

References

CVE is a registered MITRE Corporation trademark and MITRE's CVE website is the authoritative source of CVE content. CWE is a registered MITRE Corporation trademark and MITRE's CWE website is the authoritative source of CWE content.