CVE-2015-8138 - Improper Input Validation vulnerability in NTP

CVSS 5.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE

Tags: network, low complexity, ntp, CWE-20, nessus

Summary

NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to bypass the origin timestamp validation via a packet with an origin timestamp set to zero.

Common Weakness Enumeration (CWE)

  • CWE-20 Improper Input Validation

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Server Side Include (SSI) Injection
    An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
  • Cross Zone Scripting
    An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
  • Cross Site Scripting through Log Files
    An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
  • Command Line Execution through SQL Injection
    An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.

Nessus

  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2016-0063.NASL
    description: Updated ntp packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 88172
    published: 2016-01-26
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/88172
    title: RHEL 6 / 7 : ntp (RHSA-2016:0063)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2016:0063. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(88172);
      script_version("2.20");
      script_cvs_date("Date: 2019/10/24 15:35:41");
    
      script_cve_id("CVE-2015-8138");
      script_xref(name:"RHSA", value:"2016:0063");
    
      script_name(english:"RHEL 6 / 7 : ntp (RHSA-2016:0063)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated ntp packages that fix one security issue are now available for
    Red Hat Enterprise Linux 6 and 7.
    
    Red Hat Product Security has rated this update as having Important
    security impact. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available from the
    CVE link in the References section.
    
    The Network Time Protocol (NTP) is used to synchronize a computer's
    time with a referenced time source.
    
    It was discovered that ntpd as a client did not correctly check the
    originate timestamp in received packets. A remote attacker could use
    this flaw to send a crafted packet to an ntpd client that would
    effectively disable synchronization with the server, or push arbitrary
    offset/delay measurements to modify the time on the client.
    (CVE-2015-8138)
    
    All ntp users are advised to upgrade to these updated packages, which
    contain a backported patch to resolve this issue. After installing the
    update, the ntpd daemon will restart automatically."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2016:0063"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2015-8138"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ntp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ntp-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ntp-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ntp-perl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ntpdate");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:sntp");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6.7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.2");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.6");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7.7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/30");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/01/25");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/01/26");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(6|7)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x / 7.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2016:0063";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"ntp-4.2.6p5-5.el6_7.4")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"ntp-4.2.6p5-5.el6_7.4")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"ntp-4.2.6p5-5.el6_7.4")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"ntp-debuginfo-4.2.6p5-5.el6_7.4")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"ntp-debuginfo-4.2.6p5-5.el6_7.4")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"ntp-debuginfo-4.2.6p5-5.el6_7.4")) flag++;
    
      if (rpm_check(release:"RHEL6", reference:"ntp-doc-4.2.6p5-5.el6_7.4")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"ntp-perl-4.2.6p5-5.el6_7.4")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"ntp-perl-4.2.6p5-5.el6_7.4")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"ntp-perl-4.2.6p5-5.el6_7.4")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"i686", reference:"ntpdate-4.2.6p5-5.el6_7.4")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"s390x", reference:"ntpdate-4.2.6p5-5.el6_7.4")) flag++;
    
      if (rpm_check(release:"RHEL6", cpu:"x86_64", reference:"ntpdate-4.2.6p5-5.el6_7.4")) flag++;
    
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"ntp-4.2.6p5-22.el7_2.1")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"ntp-4.2.6p5-22.el7_2.1")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"ntp-debuginfo-4.2.6p5-22.el7_2.1")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"ntp-debuginfo-4.2.6p5-22.el7_2.1")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"ntp-doc-4.2.6p5-22.el7_2.1")) flag++;
    
      if (rpm_check(release:"RHEL7", reference:"ntp-perl-4.2.6p5-22.el7_2.1")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"ntpdate-4.2.6p5-22.el7_2.1")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"ntpdate-4.2.6p5-22.el7_2.1")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"s390x", reference:"sntp-4.2.6p5-22.el7_2.1")) flag++;
    
      if (rpm_check(release:"RHEL7", cpu:"x86_64", reference:"sntp-4.2.6p5-22.el7_2.1")) flag++;
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_WARNING,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ntp / ntp-debuginfo / ntp-doc / ntp-perl / ntpdate / sntp");
      }
    }
    
  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2016-054-04.NASL
    description: New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 88912
    published: 2016-02-24
    reporter: This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/88912
    title: Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2016-054-04)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DLA-559.NASL
    description: Several vulnerabilities were discovered in the Network Time Protocol daemon and utility programs : CVE-2015-7974 Matt Street discovered that insufficient key validation allows impersonation attacks between authenticated peers. CVE-2015-7977 / CVE-2015-7978 Stephen Gray discovered that a NULL pointer dereference and a buffer overflow in the handling of
    last seen: 2020-03-17
    modified: 2016-07-26
    plugin id: 92546
    published: 2016-07-26
    reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/92546
    title: Debian DLA-559-1 : ntp security update
  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2016-120-01.NASL
    description: New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 90800
    published: 2016-05-02
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/90800
    title: Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2016-120-01)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_5237F5D7C02011E5B397D050996490D0.NASL
    description: Network Time Foundation reports : NTF
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 88068
    published: 2016-01-22
    reporter: This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/88068
    title: FreeBSD : ntp -- multiple vulnerabilities (5237f5d7-c020-11e5-b397-d050996490d0)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2016-8BB1932088.NASL
    description: Security fix for CVE-2015-7974, CVE-2015-8138, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8158. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2016-03-04
    plugin id: 89577
    published: 2016-03-04
    reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/89577
    title: Fedora 23 : ntp-4.2.6p5-36.fc23 (2016-8bb1932088)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-3629.NASL
    description: Several vulnerabilities were discovered in the Network Time Protocol daemon and utility programs :
      - CVE-2015-7974 Matt Street discovered that insufficient key validation allows impersonation attacks between authenticated peers.
      - CVE-2015-7977 CVE-2015-7978 Stephen Gray discovered that a NULL pointer dereference and a buffer overflow in the handling of
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 92571
    published: 2016-07-27
    reporter: This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/92571
    title: Debian DSA-3629-1 : ntp - security update
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20160125_NTP_ON_SL6_X.NASL
    description: It was discovered that ntpd as a client did not correctly check the originate timestamp in received packets. A remote attacker could use this flaw to send a crafted packet to an ntpd client that would effectively disable synchronization with the server, or push arbitrary offset/delay measurements to modify the time on the client. (CVE-2015-8138) After installing the update, the ntpd daemon will restart automatically.
    last seen: 2020-03-18
    modified: 2016-01-26
    plugin id: 88175
    published: 2016-01-26
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/88175
    title: Scientific Linux Security Update : ntp on SL6.x, SL7.x i386/x86_64 (20160125)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2016-649.NASL
    description: This update for ntp fixes the following issues :
      - Update to 4.2.8p7 (boo#977446) :
        - CVE-2016-1547, boo#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS.
        - CVE-2016-1548, boo#977461: Interleave-pivot
        - CVE-2016-1549, boo#977451: Sybil vulnerability: ephemeral association attack.
        - CVE-2016-1550, boo#977464: Improve NTP security against buffer comparison timing attacks.
        - CVE-2016-1551, boo#977450: Refclock impersonation vulnerability
        - CVE-2016-2516, boo#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd.
        - CVE-2016-2517, boo#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated.
        - CVE-2016-2518, boo#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC.
        - CVE-2016-2519, boo#977458: ctl_getitem() return value not always checked.
      - integrate ntp-fork.patch
      - Improve the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974
      - Restrict the parser in the startup script to the first occurrence of
    last seen: 2020-06-05
    modified: 2016-06-01
    plugin id: 91403
    published: 2016-06-01
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/91403
    title: openSUSE Security Update : ntp (openSUSE-2016-649)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2016-1247-1.NASL
    description: ntp was updated to version 4.2.8p6 to fix 28 security issues. Major functional changes : - The
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 90991
    published: 2016-05-09
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/90991
    title: SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1247-1)
  • NASL family: Firewalls
    NASL id: PFSENSE_SA-16_02.NASL
    description: According to its self-reported version number, the remote pfSense install is prior to 2.3. It is, therefore, affected by multiple vulnerabilities.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 106499
    published: 2018-01-31
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/106499
    title: pfSense < 2.3 Multiple Vulnerabilities (SA-16_01 - SA-16_02)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2016-1175-1.NASL
    description: ntp was updated to version 4.2.8p6 to fix 12 security issues. These security issues were fixed :
      - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).
      - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).
      - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784).
      - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000).
      - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).
      - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802).
      - CVE-2015-7975: nextvar() missing length check (bsc#962988).
      - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960).
      - CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995).
      - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).
      - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).
      - CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629).
    The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 90820
    published: 2016-05-02
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/90820
    title: SUSE SLES11 Security Update : ntp (SUSE-SU-2016:1175-1)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201607-15.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201607-15 (NTP: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in NTP. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 92485
    published: 2016-07-21
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/92485
    title: GLSA-201607-15 : NTP: Multiple vulnerabilities
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2016-1311-1.NASL
    description: This network time protocol server ntp was updated to 4.2.8p6 to fix the following issues : Also yast2-ntp-client was updated to match some sntp syntax changes. (bsc#937837) Major functional changes : - The
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 91248
    published: 2016-05-19
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/91248
    title: SUSE SLES11 Security Update : ntp (SUSE-SU-2016:1311-1)
  • NASL family: Misc.
    NASL id: NTP_4_2_8P7.NASL
    description: The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p7. It is, therefore, affected by the following vulnerabilities :
      - A denial of service vulnerability exists due to improper validation of the origin timestamp field when handling a Kiss-of-Death (KoD) packet. An unauthenticated, remote attacker can exploit this to cause a client to stop querying its servers, preventing the client from updating its clock. (CVE-2015-7704)
      - A flaw exists in the receive() function in ntp_proto.c that allows packets with an origin timestamp of zero to bypass security checks. An unauthenticated, remote attacker can exploit this to spoof arbitrary content. (CVE-2015-8138)
      - A denial of service vulnerability exists due to improper handling of a crafted Crypto NAK Packet with a source address spoofed to match that of an existing associated peer. An unauthenticated, remote attacker can exploit this to demobilize a client association. (CVE-2016-1547)
      - A denial of service vulnerability exists due to improper handling of packets spoofed to appear to be from a valid ntpd server. An unauthenticated, remote attacker can exploit this to cause NTP to switch from basic client/server mode to interleaved symmetric mode, causing the client to reject future legitimate responses. (CVE-2016-1548)
      - A race condition exists that is triggered during the handling of a saturation of ephemeral associations. An authenticated, remote attacker can exploit this to defeat NTP
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 90923
    published: 2016-05-05
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/90923
    title: Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p7 Multiple Vulnerabilities
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1555.NASL
    description: According to the versions of the ntp packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :
      - It was found that when ntp is configured with rate limiting for all associations the limits are also applied to responses received from its configured sources. A remote attacker who knows the sources can cause a denial of service by preventing ntpd from accepting valid responses from its sources. (CVE-2016-7426)
      - ntpq in NTP before 4.2.8p7 allows remote attackers to obtain origin timestamps and then impersonate peers via unspecified vectors. (CVE-2015-8139)
      - A NULL pointer dereference flaw was found in the way ntpd processed
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 125008
    published: 2019-05-14
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/125008
    title: EulerOS Virtualization 3.0.1.0 : ntp (EulerOS-SA-2019-1555)
  • NASL family: Misc.
    NASL id: NTP_4_2_8P6.NASL
    description: The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p6. It is, therefore, affected by the following vulnerabilities :
      - A flaw exists in the receive() function due to the use of authenticated broadcast mode. A man-in-the-middle attacker can exploit this to conduct a replay attack. (CVE-2015-7973)
      - A time serving flaw exists in the trusted key system due to improper key checks. An authenticated, remote attacker can exploit this to perform impersonation attacks between authenticated peers. (CVE-2015-7974)
      - An overflow condition exists in the nextvar() function due to improper validation of user-supplied input. A local attacker can exploit this to cause a buffer overflow, resulting in a denial of service condition. (CVE-2015-7975)
      - A flaw exists in ntp_control.c due to improper filtering of special characters in filenames by the saveconfig command. An authenticated, remote attacker can exploit this to inject arbitrary content. (CVE-2015-7976)
      - A NULL pointer dereference flaw exists in ntp_request.c that is triggered when handling ntpdc relist commands. A remote attacker can exploit this, via a specially crafted request, to crash the service, resulting in a denial of service condition. (CVE-2015-7977)
      - A flaw exists in ntpdc that is triggered during the handling of the relist command. A remote attacker can exploit this, via recursive traversals of the restriction list, to exhaust available space on the call stack, resulting in a denial of service condition. (CVE-2015-7978)
      - An unspecified flaw exists in authenticated broadcast mode. A remote attacker can exploit this, via specially crafted packets, to cause a denial of service condition. (CVE-2015-7979)
      - A flaw exists in the receive() function that allows packets with an origin timestamp of zero to bypass security checks. A remote attacker can exploit this to spoof arbitrary content. (CVE-2015-8138)
      - A flaw exists in ntpq and ntpdc that allows a remote attacker to disclose sensitive information in timestamps. (CVE-2015-8139)
      - A flaw exists in the ntpq protocol that is triggered during the handling of an improper sequence of numbers. A man-in-the-middle attacker can exploit this to conduct a replay attack. (CVE-2015-8140)
      - A flaw exists in the ntpq client that is triggered when handling packets that cause a loop in the getresponse() function. A remote attacker can exploit this to cause an infinite loop, resulting in a denial of service condition. (CVE-2015-8158)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 88054
    published: 2016-01-21
    reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/88054
    title: Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p6 Multiple Vulnerabilities
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2016-1912-1.NASL
    description: NTP was updated to version 4.2.8p8 to fix several security issues and to ensure the continued maintainability of the package. These security issues were fixed :
      - CVE-2016-4953: Bad authentication demobilized ephemeral associations (bsc#982065).
      - CVE-2016-4954: Processing spoofed server packets (bsc#982066).
      - CVE-2016-4955: Autokey association reset (bsc#982067).
      - CVE-2016-4956: Broadcast interleave (bsc#982068).
      - CVE-2016-4957: CRYPTO_NAK crash (bsc#982064).
      - CVE-2016-1547: Validate crypto-NAKs to prevent a CRYPTO-NAK DoS (bsc#977459).
      - CVE-2016-1548: Prevent the change of time of an ntpd client or denying service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode (bsc#977461).
      - CVE-2016-1549: Sybil vulnerability: ephemeral association attack (bsc#977451).
      - CVE-2016-1550: Improve security against buffer comparison timing attacks (bsc#977464).
      - CVE-2016-1551: Refclock impersonation vulnerability (bsc#977450).
      - CVE-2016-2516: Duplicate IPs on unconfig directives could have caused an assertion botch in ntpd (bsc#977452).
      - CVE-2016-2517: Remote configuration trustedkey/ requestkey/controlkey values are not properly validated (bsc#977455).
      - CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457).
      - CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458).
      - CVE-2015-8158: Potential Infinite Loop in ntpq (bsc#962966).
      - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).
      - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784).
      - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000).
      - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).
      - CVE-2015-7976: ntpq saveconfig command allowed dangerous characters in filenames (bsc#962802).
      - CVE-2015-7975: nextvar() missing length check (bsc#962988).
      - CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might have allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 93186
    published: 2016-08-29
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/93186
    title: SUSE SLES10 Security Update : ntp (SUSE-SU-2016:1912-1)
  • NASL family: OracleVM Local Security Checks
    NASL id: ORACLEVM_OVMSA-2016-0006.NASL
    description: The remote OracleVM system is missing necessary patches to address critical security updates : - don
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 88169
    published: 2016-01-26
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/88169
    title: OracleVM 3.3 : ntp (OVMSA-2016-0006)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2016-0063.NASL
    description: Updated ntp packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Network Time Protocol (NTP) is used to synchronize a computer
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 88147
    published: 2016-01-26
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/88147
    title: CentOS 6 / 7 : ntp (CESA-2016:0063)
  • NASL family: Amazon Linux Local Security Checks
    NASL id: ALA_ALAS-2016-649.NASL
    description: It was discovered that ntpd as a client did not correctly check the originate timestamp in received packets. A remote attacker could use this flaw to send a crafted packet to an ntpd client that would effectively disable synchronization with the server, or push arbitrary offset/delay measurements to modify the time on the client. (CVE-2015-8138) A NULL pointer dereference flaw was found in the way ntpd processed
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 88661
    published: 2016-02-10
    reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/88661
    title: Amazon Linux AMI : ntp (ALAS-2016-649)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2016-1177-1.NASL
    description: ntp was updated to version 4.2.8p6 to fix 12 security issues. Also yast2-ntp-client was updated to match some sntp syntax changes. (bsc#937837) These security issues were fixed: - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966). - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802). - CVE-2015-7975: nextvar() missing length check (bsc#962988). - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960). - CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995). - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994). - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997). - CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 90821
    published: 2016-05-02
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/90821
    title: SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1177-1)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2016-34BC10A2C8.NASL
    description: Security fix for CVE-2015-7974, CVE-2015-8138, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8158 ---- Security fix for CVE-2015-7704, CVE-2015-5300, CVE-2015-7692, CVE-2015-7871, CVE-2015-7702, CVE-2015-7691, CVE-2015-7852, CVE-2015-7701 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2016-03-04
    plugin id: 89510
    published: 2016-03-04
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/89510
    title: Fedora 22 : ntp-4.2.6p5-36.fc22 (2016-34bc10a2c8)
  • NASL family: F5 Networks Local Security Checks
    NASL id: F5_BIGIP_SOL71245322.NASL
    description: NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to bypass the origin timestamp validation via a packet with an origin timestamp set to zero. (CVE-2015-8138)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 88888
    published: 2016-02-23
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/88888
    title: F5 Networks BIG-IP : NTP vulnerability (K71245322)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3096-1.NASL
    description: Aanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to perform a replay attack. (CVE-2015-7973) Matt Street discovered that NTP incorrectly verified peer associations of symmetric keys. A remote attacker could use this issue to perform an impersonation attack. (CVE-2015-7974) Jonathan Gardner discovered that the NTP ntpq utility incorrectly handled memory. An attacker could possibly use this issue to cause ntpq to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2015-7975) Jonathan Gardner discovered that the NTP ntpq utility incorrectly handled dangerous characters in filenames. An attacker could possibly use this issue to overwrite arbitrary files. (CVE-2015-7976) Stephen Gray discovered that NTP incorrectly handled large restrict lists. An attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7977, CVE-2015-7978) Aanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7979) Jonathan Gardner discovered that NTP incorrectly handled origin timestamp checks. A remote attacker could use this issue to spoof peer servers. (CVE-2015-8138) Jonathan Gardner discovered that the NTP ntpq utility did not properly handle certain incorrect values. An attacker could possibly use this issue to cause ntpq to hang, resulting in a denial of service. (CVE-2015-8158) It was discovered that the NTP cronjob incorrectly cleaned up the statistics directory. A local attacker could possibly use this to escalate privileges. (CVE-2016-0727) Stephen Gray and Matthew Van Gundy discovered that NTP incorrectly validated crypto-NAKs. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1547) Miroslav Lichvar and Jonathan Gardner discovered that NTP incorrectly handled switching to interleaved symmetric mode. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1548) Matthew Van Gundy, Stephen Gray and Loganaden Velvindron discovered that NTP incorrectly handled message authentication. A remote attacker could possibly use this issue to recover the message digest key. (CVE-2016-1550) Yihan Lian discovered that NTP incorrectly handled duplicate IPs on unconfig directives. An authenticated remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2516) Yihan Lian discovered that NTP incorrectly handled certain peer associations. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2518) Jakub Prokes discovered that NTP incorrectly handled certain spoofed packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4954) Miroslav Lichvar discovered that NTP incorrectly handled certain packets when autokey is enabled. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4955) Miroslav Lichvar discovered that NTP incorrectly handled certain spoofed broadcast packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4956) In the default installation, attackers would be isolated by the NTP AppArmor profile. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 93896
    published: 2016-10-06
    reporter: Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/93896
    title: Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : ntp vulnerabilities (USN-3096-1)
  • NASL family: OracleVM Local Security Checks
    NASL id: ORACLEVM_OVMSA-2016-0082.NASL
    description: The remote OracleVM system is missing necessary patches to address critical security updates : - don
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 91419
    published: 2016-06-01
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/91419
    title: OracleVM 3.3 / 3.4 : ntp (OVMSA-2016-0082)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2016-578.NASL
    description: ntp was updated to version 4.2.8p6 to fix 12 security issues. Also yast2-ntp-client was updated to match some sntp syntax changes. (bsc#937837) These security issues were fixed: - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966). - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802). - CVE-2015-7975: nextvar() missing length check (bsc#962988). - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960). - CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995). - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994). - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997). - CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629). These non-security issues were fixed: - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added the authreg directive. - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which caused the synchronization to fail. - bsc#782060: Speedup ntpq. - bsc#916617: Add /var/db/ntp-kod. - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen quite a lot on loaded systems. - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST. - Add ntp-fork.patch and build with threads disabled to allow name resolution even when running chrooted. This update was imported from the SUSE:SLE-12-SP1:Update update project.
    last seen: 2020-06-05
    modified: 2016-05-13
    plugin id: 91111
    published: 2016-05-13
    reporter: This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/91111
    title: openSUSE Security Update : ntp (openSUSE-2016-578)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2016-0063.NASL
    description: From Red Hat Security Advisory 2016:0063 : Updated ntp packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Network Time Protocol (NTP) is used to synchronize a computer
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 88167
    published: 2016-01-26
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/88167
    title: Oracle Linux 6 / 7 : ntp (ELSA-2016-0063)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_B2487D9A0C3011E6ACD0D050996490D0.NASL
    description: Network Time Foundation reports : NTF
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 90742
    published: 2016-04-27
    reporter: This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/90742
    title: FreeBSD : ntp -- multiple vulnerabilities (b2487d9a-0c30-11e6-acd0-d050996490d0)
  • NASL family: Misc.
    NASL id: ARISTA_EOS_SA0019.NASL
    description: The version of Arista Networks EOS running on the remote device is affected by multiple vulnerabilities : - A flaw exists in NTP in the receive() function within file ntpd/ntp_proto.c that allows packets with an origin timestamp of zero to bypass security checks. An unauthenticated, remote attacker can exploit this to spoof arbitrary content. (CVE-2015-8138) - A flaw exists in NTP when handling crafted Crypto NAK Packets having spoofed source addresses that match an existing associated peer. An unauthenticated, remote attacker can exploit this to demobilize a client association, resulting in a denial of service condition. (CVE-2016-1547) - A flaw exists in NTP when handling packets that have been spoofed to appear to be coming from a valid ntpd server, which may cause a switch to interleaved symmetric mode. An unauthenticated, remote attacker can exploit this, via a packet having a spoofed timestamp, to cause the client to reject future legitimate server responses, resulting in a denial of service condition. (CVE-2016-1548) - A flaw exists in NTP when handling a saturation of ephemeral associations. An authenticated, remote attacker can exploit this to defeat the clock selection algorithm and thereby modify a victim
    last seen: 2020-03-17
    modified: 2018-02-28
    plugin id: 107061
    published: 2018-02-28
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/107061
    title: Arista Networks EOS Multiple Vulnerabilities (SA0019)

Redhat

advisories
bugzilla
id: 1299442
title: CVE-2015-8138 ntp: missing check for zero originate timestamp
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 6 is installed
      oval: oval:com.redhat.rhba:tst:20111656003
    • OR
      • AND
        • comment: ntpdate is earlier than 0:4.2.6p5-5.el6_7.4
          oval: oval:com.redhat.rhsa:tst:20160063001
        • comment: ntpdate is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20142024008
      • AND
        • comment: ntp is earlier than 0:4.2.6p5-5.el6_7.4
          oval: oval:com.redhat.rhsa:tst:20160063003
        • comment: ntp is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20142024006
      • AND
        • comment: ntp-doc is earlier than 0:4.2.6p5-5.el6_7.4
          oval: oval:com.redhat.rhsa:tst:20160063005
        • comment: ntp-doc is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20142024004
      • AND
        • comment: ntp-perl is earlier than 0:4.2.6p5-5.el6_7.4
          oval: oval:com.redhat.rhsa:tst:20160063007
        • comment: ntp-perl is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20142024002
  • AND
    • comment: Red Hat Enterprise Linux 7 is installed
      oval: oval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • comment: ntp-doc is earlier than 0:4.2.6p5-22.el7_2.1
          oval: oval:com.redhat.rhsa:tst:20160063010
        • comment: ntp-doc is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20142024004
      • AND
        • comment: ntp-perl is earlier than 0:4.2.6p5-22.el7_2.1
          oval: oval:com.redhat.rhsa:tst:20160063011
        • comment: ntp-perl is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20142024002
      • AND
        • comment: sntp is earlier than 0:4.2.6p5-22.el7_2.1
          oval: oval:com.redhat.rhsa:tst:20160063012
        • comment: sntp is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20142024013
      • AND
        • comment: ntp is earlier than 0:4.2.6p5-22.el7_2.1
          oval: oval:com.redhat.rhsa:tst:20160063014
        • comment: ntp is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20142024006
      • AND
        • comment: ntpdate is earlier than 0:4.2.6p5-22.el7_2.1
          oval: oval:com.redhat.rhsa:tst:20160063015
        • comment: ntpdate is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20142024008
rhsa
id: RHSA-2016:0063
released: 2016-01-25
severity: Important
title: RHSA-2016:0063: ntp security update (Important)
rpms
  • ntp-0:4.2.6p5-22.el7_2.1
  • ntp-0:4.2.6p5-5.el6_7.4
  • ntp-debuginfo-0:4.2.6p5-22.el7_2.1
  • ntp-debuginfo-0:4.2.6p5-5.el6_7.4
  • ntp-doc-0:4.2.6p5-22.el7_2.1
  • ntp-doc-0:4.2.6p5-5.el6_7.4
  • ntp-perl-0:4.2.6p5-22.el7_2.1
  • ntp-perl-0:4.2.6p5-5.el6_7.4
  • ntpdate-0:4.2.6p5-22.el7_2.1
  • ntpdate-0:4.2.6p5-5.el6_7.4
  • sntp-0:4.2.6p5-22.el7_2.1

Seebug

  • bulletinFamily: exploit
    description: ### Summary
    An exploitable denial of service vulnerability exists in the origin timestamp check functionality of ntpd 4.2.8p9. A specially crafted unauthenticated network packet can be used to reset the expected origin timestamp for target peers. Legitimate replies from targeted peers will fail the origin timestamp check (TEST2), causing the reply to be dropped and creating a denial of service condition.

    ### Tested Versions
    NTP 4.2.8p9

    ### Product URLs
    http://www.ntp.org

    ### CVSS Scores
    CVSSv2: 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P)
    CVSSv3: 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

    ### Details
    In most modes, NTP prevents spoofing by off-path attackers by verifying that the origin timestamp of an incoming NTP packet matches the transmit timestamp on the daemon's last outgoing packet, using the transmit and origin timestamps as a per-request nonce. This test is described in RFC 5905 and dubbed TEST2 in ntpd's source code. To prevent an NTP daemon from accepting responses to duplicated request packets, RFC 5905 also specifies that the expected origin timestamp should be set to zero after successfully validating the origin timestamp of an incoming packet.

    Unfortunately, ntpd releases before 4.2.8p9 did not correctly reject incoming packets bearing a zero origin timestamp. This allowed a trivial bypass of TEST2, the origin timestamp check, by setting the origin timestamp on spoofed packets equal to zero (CVE-2015-8138, CVE-2016-7431). ntp-4.2.8p9 fixes CVE-2015-8138 by rejecting packets with zero origin timestamps in all modes where that is not expected legitimate behavior. However, for reasons unknown, before rejecting a packet bearing a zero origin timestamp, ntp-4.2.8p9 clears the expected origin timestamp (peer->aorg), as can be seen in the following abstracted code:

    ```
    if (0) {
    } else if (L_ISZERO(&p_org)) {
        char *action;
        L_CLR(&peer->aorg);
        ...
        peer->bogusorg++;
        peer->flash |= TEST2;   /* bogus */
        ...
        /* packet will be dropped */
    } else if (!L_ISEQU(&p_org, &peer->aorg)) {
        peer->bogusorg++;
        peer->flash |= TEST2;   /* bogus */
        ...
        /* packet will be dropped */
    } else {
        L_CLR(&peer->aorg);
    }
    ```

    This leads to a trivial denial of service. An unauthenticated network attacker who knows the address of one of the peers of a victim ntpd process can send the victim ntpd spoofed packets with the source address of the peer and a zero origin timestamp in order to reset peer->aorg for that peer. This will cause the next packet sent from the peer to fail the origin timestamp check (TEST2) and be dropped. The attacker can repeat this each poll period for all known peers in order to prevent their packets from being accepted by the victim ntpd.

    This attack is very effective against symmetric associations, where the duration between an outgoing packet from the victim ntpd and its "response" will be on the order of seconds to minutes. The attack is more difficult for client-server associations, where the request-response window is likely to be on the order of milliseconds. However, if the attacker can observe the victim ntpd's request packet, it can attempt to race the remote peer's legitimate response.

    An attacker can learn the currently selected peer of a victim ntpd process by sending the victim a client mode request and reading the peer's address from the refid field of the victim's response. This allows the attacker to target the currently selected peer one at a time until it has learned and targeted all peers of the victim ntpd process. If the victim allows NTP control queries or the attacker can observe the victim's NTP traffic, the attacker can easily learn all the victim's peers.

    The call to L_CLR(&peer->aorg) when a zero-origin timestamp packet is received appears unnecessary and should be removed. To see that clearing peer->aorg is unnecessary, let's consider the operation of each NTP mode in turn after omitting the L_CLR(&peer->aorg):

    * Client-Server: Servers are stateless, so the change has no effect on them. Clients should not be sending requests with zero transmit timestamps and, therefore, should not be receiving responses with zero origin timestamps. Thus, removing the L_CLR(&peer->aorg) should have no effect on legitimate client-server behavior.
    * Broadcast: Broadcast packets are handled separately and thus are not influenced by the behavior of this code.
    * Symmetric (Active and Passive): When two symmetric peers are synchronized to a legitimate time source (0 < stratum < 16) and the association between them is fully operational, the origin timestamp on incoming packets will be non-zero and equal to peer->aorg, thus avoiding the L_CLR(&peer->aorg). The interesting cases occur when there is packet loss or one peer resets their association (e.g. ntpd is restarted). Without loss of generality, let A be the sender and B the recipient of the first packet with pkt->org != peer->aorg. If A reset its association with B, pkt->org == 0. Otherwise, pkt->org != 0 && pkt->org != peer->aorg. In either case, B will mark the packet as having failed TEST2. However, if the packet is authenticated correctly for the association, B will update peer->xmt = pkt->xmt before rejecting the packet due to failing TEST2. In B's next packet to A, it will set pkt->org = peer->xmt and peer->aorg = pkt->xmt, ensuring that the packet will pass TEST2 at A, causing it to be accepted by A, and overwriting any previous value of peer->aorg at B. A will update its peer variables for B as well, ensuring that A's next packet will be accepted by B. From this point on, the symmetric association between A and B has successfully resynchronized.

    Thus, we see that recovery from packet loss or peer restart is not hampered by allowing peer->aorg to maintain its previous value when a packet with a zero origin timestamp is received. Further to the point, ntpd versions prior to ntp-4.2.8p6 did not clear peer->aorg upon receipt of a packet bearing a zero origin timestamp.

    ### Mitigation
    The only ntpd-based mitigations for this vulnerability are to try to make it harder for an attacker to guess the peers of ntpd instances and to monitor ntpd logs for messages such as the following:

    ```
    ntpd[16767]: receive: Drop 0 origin timestamp from [email protected] xmt 0xdbe84918.63324800
    ntpd[16767]: receive: Unexpected origin timestamp 0xdbe849a1.279a6fea does not match aorg 0000000000.00000000 from [email protected] xmt 0xdbe849a4.52a12e3a
    ```

    All ntpd instances should be configured to block control queries from untrusted servers. This is best practice. All ntpd clients should block all incoming traffic that does not originate from a known peer address. This can be accomplished with a stateful firewall. Because peer->aorg is cleared before authentication is enforced, enabling NTP authentication does not prevent exploitation of this vulnerability.

    ### Timeline
    * 2017-01-04 - Vendor Disclosure
    * 2017-03-29 - Public Release

    ### CREDIT
    * Discovered by Matthew Van Gundy of Cisco ASIG.
    id: SSV:96543
    last seen: 2017-11-19
    modified: 2017-09-20
    published: 2017-09-20
    reporter: Root
    title: Network Time Protocol Origin Timestamp Check Denial of Service Vulnerability (CVE-2016-9042)
  • bulletinFamily: exploit
    description: ### Summary
    An exploitable configuration modification vulnerability exists in the control mode (mode 6) functionality of ntpd. A specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, preventing legitimate monitoring. A remote, unauthenticated, network attacker can trigger this vulnerability.

    ### Tested Versions
    * NTP 4.2.8p3
    * NTP 4.2.8p8
    * NTPsec 0.9.1
    * NTPsec 0.9.3

    ### Product URLs
    * http://www.ntp.org
    * http://www.ntpsec.org/

    ### CVSS Scores
    * CVSSv2: 6.4 - (AV:N/AC:L/Au:N/C:P/I:P/A:N)
    * CVSSv3: 6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

    ### Details
    ntpd provides a `trap` functionality that sends asynchronous notifications to a number of `trap receivers` whenever an event of interest occurs. Example events of interest include: association mobilization and demobilization, authentication failures, reachability changes, etc. Since at least ntp-4.0.94 (July 21, 1999), ntpd has allowed traps to be configured via control (mode 6) and private (mode 7) NTP modes. Though private mode requires messages modifying trap settings to be authenticated, control mode allows unauthenticated packets to modify trap settings using the `SETTRAP` and `UNSETTRAP` control messages.

    This vulnerability can be used to achieve several goals:

    * Time Shifting: If an attacker controls a host that is allowed to receive traps (i.e. not restricted by `restrict noquery` or `restrict notrap`), the attacker can instruct a victim ntpd instance to send traps to the attacker's host. Whenever a reportable event occurs for some peer, the victim ntpd will send a trap to the attacker leaking all the peer variables associated with that peer. The information leaked includes the peer's org and rec variables, allowing the attacker to bypass TEST2 and impersonate said peer in a manner similar to CVE-2015-8139 and CVE-2016-1548. The attacker can force the victim ntpd to leak the information for any peer at any time by triggering a reportable event for said peer. There are multiple methods to trigger a reportable event for a peer, among them spoofing an invalid crypto-NAK or incorrectly authenticated packet from the peer. NOTE: With ntp-4.2.8p8 and earlier the 0rigin attack (CVE-2015-8138) [1] already allows impersonation of reachable peers. In those ntpd versions, this vulnerability provides another method for impersonating unreachable peers.
    * DDoS Amplification: An attacker can use an ntpd instance as a DDoS amplifier to DDoS hosts that are allowed to receive traps from the ntpd instance using the following technique. The amplification factor is 12-13x. The attacker forges a `SETTRAP` packet from the `victim` to the `amplifier`, causing the `amplifier` to set a trap for the `victim`. The attacker then repeatedly triggers reportable events causing trap messages to be sent to the victim. E.g. the attacker rapidly forges invalid crypto-NAKs and/or bad_auth packets from the `victim`'s `sys_peer`. ntpd attempts to limit the number of consecutive traps sent for events of a single type. To maximize effect, the attacker can alternate between events of different types. ntpd will periodically time out old traps when a new one is set. Therefore, for a long-term attack, the attacker may need to periodically refresh the trap on the `amplifier`.
    * Evading Monitoring: In an environment where dynamically configured traps are used to monitor an ntpd instance, an unauthenticated attacker can remove traps set by legitimate monitoring systems by spoofing the source address of the `trap receiver` in an `UNSETTRAP` message.

    Authentication should be required in order to modify trap configuration.

    ### Mitigation
    Several mitigations can lessen the impact of this vulnerability.

    1. Unauthorized hosts can be prevented from receiving traps using the `restrict default notrap` restriction. This setting is the default on many modern Linux systems. This mitigation has no effect on the "Evading Monitoring" impact described above because the alleged sender of the packet is an authorized trap receiver.
    2. Block NTP control mode trap configuration commands using a firewall or IPS. It does not appear that support for configuring control mode traps was ever implemented in ntpq, the reference NTP control mode client. As such, on most networks blocking control mode trap configuration commands should have no effect on legitimate traffic. Specifically, firewalls should block packets with the following characteristics:
       * UDP Destination Port: 123
       * NTP Mode: 6
       * NTP Control Operation Code: 6 (SETTRAP) or 31 (UNSETTRAP)

    Traps specified in ntp.conf cannot be modified using this vulnerability.

    [1] http://www.talosintelligence.com/reports/TALOS-2016-0077/

    ### Timeline
    * 2016-09-20 - Vendor Disclosure
    * 2016-11-21 - Public Release
    id: SSV:96647
    last seen: 2017-11-19
    modified: 2017-10-11
    published: 2017-10-11
    reporter: Root
    title: Network Time Protocol Control Mode Unauthenticated Trap Information Disclosure and DDoS Amplification Vulnerability (CVE-2016-9310)
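The origin-timestamp check (TEST2) that the CVE-2016-9042 entry above walks through, and the zero-origin bypass it traces back to (CVE-2015-8138), as an added example in C. This is not code from the Talos advisory or from ntpd: it is a simplified model in which one 64-bit integer stands in for ntpd's l_fp and the check is reduced to the comparison against peer->aorg. Three variants are modelled side by side, the pre-4.2.8p6 check (equality only, so a zero origin matches a cleared aorg), the 4.2.8p9 check (zero origin rejected, but aorg cleared first, as in the abstracted code quoted above), and the corrected check (zero origin rejected, aorg left alone). Two scenarios are run against each: an idle client that receives a spoofed zero-origin packet, and a client with a request outstanding that receives the spoof just before the genuine reply. The enum, function names and timestamp values are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* One 64-bit value stands in for ntpd's l_fp (32.32 fixed point); zero is the
 * "no timestamp" marker that L_ISZERO()/L_CLR() test and set in ntpd.
 * (Simplified model for illustration, not ntpd's real types.) */
typedef uint64_t l_fp;

enum ntpd_variant {
    PRE_4_2_8P6,  /* CVE-2015-8138: only an equality test against peer->aorg */
    V4_2_8P9,     /* CVE-2016-9042: zero origin rejected, but peer->aorg cleared */
    FIXED         /* zero origin rejected and peer->aorg left untouched */
};

struct peer {
    l_fp aorg;           /* transmit timestamp of our last request = expected origin */
    unsigned bogusorg;   /* TEST2 failure counter, as in ntpd */
};

/* Our request goes out with transmit timestamp xmt; the peer's reply must echo it. */
static void send_request(struct peer *p, l_fp xmt)
{
    p->aorg = xmt;
}

/* Simplified origin-timestamp check (TEST2). Returns true when the packet is
 * accepted. After a valid reply, aorg is cleared as RFC 5905 requires, which is
 * exactly what lets a later org == 0 packet "match" in the pre-4.2.8p6 variant. */
static bool receive_test2(enum ntpd_variant v, struct peer *p, l_fp p_org)
{
    if (v != PRE_4_2_8P6 && p_org == 0) {
        if (v == V4_2_8P9)
            p->aorg = 0;          /* the L_CLR(&peer->aorg) the advisory objects to */
        p->bogusorg++;
        return false;             /* packet dropped */
    }
    if (p_org != p->aorg) {
        p->bogusorg++;
        return false;             /* packet dropped */
    }
    p->aorg = 0;                  /* reply consumed: nothing outstanding */
    return true;
}

/* Scenario A: client idle (last reply consumed), attacker spoofs org == 0.
 * Returns whether the spoofed packet passes TEST2. */
static bool zero_origin_spoof_accepted(enum ntpd_variant v)
{
    struct peer p = { 0, 0 };
    const l_fp xmt = 0xdbe8491863324800ULL;   /* constructed timestamp */
    send_request(&p, xmt);
    (void)receive_test2(v, &p, xmt);          /* genuine reply, clears aorg */
    return receive_test2(v, &p, 0);           /* attacker's 0rigin packet */
}

/* Scenario B: request outstanding, spoofed zero-origin packet (source address
 * of the peer) arrives before the genuine reply. Returns whether the genuine
 * reply is still accepted afterwards. */
static bool legit_reply_survives_zero_origin(enum ntpd_variant v)
{
    struct peer p = { 0, 0 };
    const l_fp xmt = 0xdbe849a452a12e3aULL;   /* constructed timestamp */
    send_request(&p, xmt);
    (void)receive_test2(v, &p, 0);            /* spoofed zero-origin packet */
    return receive_test2(v, &p, xmt);         /* peer's real reply */
}

int main(void)
{
    static const char *names[] = { "pre-4.2.8p6", "4.2.8p9", "fixed" };
    for (int v = PRE_4_2_8P6; v <= FIXED; v++)
        printf("%-12s spoof accepted when idle: %-3s  real reply survives spoof: %s\n",
               names[v],
               zero_origin_spoof_accepted((enum ntpd_variant)v) ? "yes" : "no",
               legit_reply_survives_zero_origin((enum ntpd_variant)v) ? "yes" : "no");
    return 0;
}
```

The two scenarios separate the two CVEs: only the pre-4.2.8p6 variant accepts the spoof in scenario A (the CVE-2015-8138 bypass), and only the 4.2.8p9 variant loses the genuine reply in scenario B (the CVE-2016-9042 denial of service). The corrected variant fails both attacks, and because it never touches aorg on a zero-origin packet, the symmetric-mode recovery argument in the advisory still holds for it.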
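The firewall rule from the CVE-2016-9310 mitigation above (drop udp/123 packets carrying NTP mode 6 with control opcode 6 or 31), as an added C example that is not Talos or ntpd code: a classifier over the raw UDP payload using the header layout from RFC 1305 Appendix B, where byte 0 of every NTP packet is LI|VN|Mode and byte 1 of a control message is R|E|M|OpCode, run against a few constructed payloads (a SETTRAP request, an UNSETTRAP request, an ordinary ntpq READVAR request, a mode 3 client request and a truncated packet). The sample bytes and function names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NTP_MODE_CONTROL  6
#define CTL_OP_SETTRAP    6
#define CTL_OP_UNSETTRAP  31
#define CTL_HEADER_LEN    12   /* RFC 1305 Appendix B control message header */

/* Byte 0 of every NTP packet is LI(2 bits) | VN(3 bits) | Mode(3 bits). */
static int ntp_mode(const uint8_t *pkt, size_t len)
{
    return len < 1 ? -1 : (pkt[0] & 0x07);
}

/* Byte 1 of a mode 6 packet is R(1) | E(1) | M(1) | OpCode(5 bits). */
static int ntp_ctl_opcode(const uint8_t *pkt, size_t len)
{
    return len < 2 ? -1 : (pkt[1] & 0x1f);
}

/* True for the packets the advisory says a firewall should drop on udp/123:
 * NTP mode 6 with control opcode SETTRAP (6) or UNSETTRAP (31). A payload too
 * short to carry a full control header is not matched. */
static bool is_trap_config_packet(const uint8_t *pkt, size_t len)
{
    if (len < CTL_HEADER_LEN || ntp_mode(pkt, len) != NTP_MODE_CONTROL)
        return false;
    int op = ntp_ctl_opcode(pkt, len);
    return op == CTL_OP_SETTRAP || op == CTL_OP_UNSETTRAP;
}

/* Constructed sample payloads (not captured traffic). Byte 0 = 0x16 is
 * LI=0, VN=2, Mode=6 (what ntpq sends); 0x1b is LI=0, VN=3, Mode=3 (client).
 * Control header after byte 1: sequence, status, association ID, offset, count. */
static const uint8_t pkt_settrap[CTL_HEADER_LEN] =
    { 0x16, CTL_OP_SETTRAP,   0x00, 0x01, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t pkt_unsettrap[CTL_HEADER_LEN] =
    { 0x16, CTL_OP_UNSETTRAP, 0x00, 0x02, 0, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t pkt_readvar[CTL_HEADER_LEN] =
    { 0x16, 0x02,             0x00, 0x03, 0, 0, 0, 0, 0, 0, 0, 0 }; /* opcode 2: READVAR */
static const uint8_t pkt_client[48] = { 0x1b };   /* mode 3 time request, rest zero */
static const uint8_t pkt_runt[4]    = { 0x16, CTL_OP_SETTRAP, 0, 0 }; /* truncated */

struct sample { const char *name; const uint8_t *data; size_t len; };

static const struct sample samples[] = {
    { "SETTRAP request",   pkt_settrap,   sizeof pkt_settrap },
    { "UNSETTRAP request", pkt_unsettrap, sizeof pkt_unsettrap },
    { "READVAR request",   pkt_readvar,   sizeof pkt_readvar },
    { "mode 3 client",     pkt_client,    sizeof pkt_client },
    { "truncated mode 6",  pkt_runt,      sizeof pkt_runt },
};

/* Apply the rule to every sample; returns how many would be dropped. */
static int count_dropped(void)
{
    int dropped = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (is_trap_config_packet(samples[i].data, samples[i].len))
            dropped++;
    return dropped;
}

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-18s mode=%d opcode=%2d -> %s\n", samples[i].name,
               ntp_mode(samples[i].data, samples[i].len),
               ntp_ctl_opcode(samples[i].data, samples[i].len),
               is_trap_config_packet(samples[i].data, samples[i].len) ? "DROP" : "pass");
    printf("dropped %d of %zu samples\n", count_dropped(),
           sizeof samples / sizeof samples[0]);
    return 0;
}
```

The mode test comes before the opcode test on purpose: byte 1 only carries an opcode in mode 6, so a mode 3 packet whose second byte happens to be 0x06 (its stratum field) must not match. The rule ignores the R bit, as the advisory's description does; dropping SETTRAP/UNSETTRAP responses as well as requests costs nothing, since ntpq never issues them.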

Talos

References