CVE-2015-8139 - Improper Access Control vulnerability in NTP 4.2.4/4.2.7/4.2.8

CVSS 5.3 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: NONE
Integrity impact: LOW
Availability impact: NONE

Tags: network, low complexity, ntp, CWE-284, nessus

Summary

ntpq in NTP before 4.2.8p7 allows remote attackers to obtain origin timestamps and then impersonate peers via unspecified vectors.

Vulnerable Configurations

Part          Description   Count
Application   Ntp           3

Common Weakness Enumeration (CWE)

  • CWE-284: Improper Access Control

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Embedding Scripts within Scripts
    An attack of this type exploits a program's vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back-end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as web application firewalls, network devices, and even printers having JVMs and web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side; client-side scripts like Ajax and client-side JavaScript can contain malicious scripts as well. In general, all that is required is for there to be sufficient privileges to execute a script without that script being protected against writing.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Nessus

  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2016-89E0874533.NASL
    description: Security fix for CVE-2015-8139, CVE-2016-4954, CVE-2016-4955, CVE-2016-4956. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2016-07-15
    plugin id: 92265
    published: 2016-07-15
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/92265
    title: Fedora 23 : ntp (2016-89e0874533)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2016-89e0874533.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(92265);
      script_version("2.7");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2015-8139", "CVE-2016-4954", "CVE-2016-4955", "CVE-2016-4956");
      script_xref(name:"FEDORA", value:"2016-89e0874533");
    
      script_name(english:"Fedora 23 : ntp (2016-89e0874533)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security fix for CVE-2015-8139, CVE-2016-4954, CVE-2016-4955,
    CVE-2016-4956
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-89e0874533"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected ntp package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:ntp");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:23");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/07/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/15");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^23([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 23", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC23", reference:"ntp-4.2.6p5-41.fc23")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ntp");
    }
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_5237F5D7C02011E5B397D050996490D0.NASL
    description: Network Time Foundation reports : NTF
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 88068
    published: 2016-01-22
    reporter: This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/88068
    title: FreeBSD : ntp -- multiple vulnerabilities (5237f5d7-c020-11e5-b397-d050996490d0)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2020 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(88068);
      script_version("2.14");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/22");
    
      script_cve_id("CVE-2015-7973", "CVE-2015-7974", "CVE-2015-7975", "CVE-2015-7976", "CVE-2015-7977", "CVE-2015-7978", "CVE-2015-7979", "CVE-2015-8138", "CVE-2015-8139", "CVE-2015-8140", "CVE-2015-8158");
      script_xref(name:"FreeBSD", value:"SA-16:09.ntp");
    
      script_name(english:"FreeBSD : ntp -- multiple vulnerabilities (5237f5d7-c020-11e5-b397-d050996490d0)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis",
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "Network Time Foundation reports :
    
    NTF's NTP Project has been notified of the following low- and
    medium-severity vulnerabilities that are fixed in ntp-4.2.8p6,
    released on Tuesday, 19 January 2016 :
    
    - Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq. Reported
    by Cisco ASIG.
    
    - Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass.
    Reported by Cisco ASIG.
    
    - Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on
    authenticated broadcast mode. Reported by Cisco ASIG.
    
    - Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of
    restriction list. Reported by Cisco ASIG.
    
    - Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference. Reported
    by Cisco ASIG.
    
    - Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous
    characters in filenames. Reported by Cisco ASIG.
    
    - Bug 2937 / CVE-2015-7975: nextvar() missing length check. Reported
    by Cisco ASIG.
    
    - Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows
    impersonation between authenticated peers. Reported by Cisco ASIG.
    
    - Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated
    broadcast mode. Reported by Cisco ASIG.
    
    Additionally, mitigations are published for the following two issues :
    
    - Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks.
    Reported by Cisco ASIG.
    
    - Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose
    origin. Reported by Cisco ASIG."
      );
      # http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?d42322ca"
      );
      # https://vuxml.freebsd.org/freebsd/5237f5d7-c020-11e5-b397-d050996490d0.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?ac5aee1a"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:ntp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:ntp-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/01/20");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/01/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/01/22");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"ntp<4.2.8p6")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"ntp-devel<4.3.90")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2016-649.NASL
    description: This update for ntp fixes the following issues : - Update to 4.2.8p7 (boo#977446) : - CVE-2016-1547, boo#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, boo#977461: Interleave-pivot - CVE-2016-1549, boo#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, boo#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, boo#977450: Refclock impersonation vulnerability - CVE-2016-2516, boo#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, boo#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, boo#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, boo#977458: ctl_getitem() return value not always checked. - integrate ntp-fork.patch - Improve the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 - Restrict the parser in the startup script to the first occurrence of
    last seen: 2020-06-05
    modified: 2016-06-01
    plugin id: 91403
    published: 2016-06-01
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/91403
    title: openSUSE Security Update : ntp (openSUSE-2016-649)
  • NASL family: AIX Local Security Checks
    NASL id: AIX_NTP_V3_ADVISORY6.NASL
    description: The version of NTP installed on the remote AIX host is affected by the following vulnerabilities : - A flaw exists in the receive() function due to the use of authenticated broadcast mode. A man-in-the-middle attacker can exploit this to conduct a replay attack. (CVE-2015-7973) - A NULL pointer dereference flaw exists in ntp_request.c that is triggered when handling ntpdc reslist commands. A remote attacker can exploit this, via a specially crafted request, to crash the service, resulting in a denial of service condition. (CVE-2015-7977) - An unspecified flaw exists in authenticated broadcast mode. A remote attacker can exploit this, via specially crafted packets, to cause a denial of service condition. (CVE-2015-7979) - A flaw exists in ntpq and ntpdc that allows a remote attacker to disclose sensitive information in timestamps. (CVE-2015-8139) - A flaw exists in the ntpq protocol that is triggered during the handling of an improper sequence of numbers. A man-in-the-middle attacker can exploit this to conduct a replay attack. (CVE-2015-8140) - A flaw exists in the ntpq client that is triggered when handling packets that cause a loop in the getresponse() function. A remote attacker can exploit this to cause an infinite loop, resulting in a denial of service condition. (CVE-2015-8158)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 92356
    published: 2016-07-18
    reporter: This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/92356
    title: AIX NTP v3 Advisory : ntp_advisory6.asc (IV83984) (IV83993) (IV83994) (IV83995) (IV84269)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2017-0255-1.NASL
    description: This update for ntp fixes the following issues: ntp was updated to 4.2.8p9. Security issues fixed : - CVE-2016-9311, CVE-2016-9310, bsc#1011377: Mode 6 unauthenticated trap information disclosure and DDoS vector. - CVE-2016-7427, bsc#1011390: Broadcast Mode Replay Prevention DoS. - CVE-2016-7428, bsc#1011417: Broadcast Mode Poll Interval Enforcement DoS. - CVE-2016-7431, bsc#1011395: Regression: 010-origin: Zero Origin Timestamp Bypass. - CVE-2016-7434, bsc#1011398: NULL pointer dereference in _IO_str_init_static_internal(). - CVE-2016-7429, bsc#1011404: Interface selection attack. - CVE-2016-7426, bsc#1011406: Client rate limiting and server responses. - CVE-2016-7433, bsc#1011411: Reboot sync calculation problem. - CVE-2015-8140: ntpq vulnerable to replay attacks. - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin. - CVE-2015-5219: An endless loop due to incorrect precision to double conversion (bsc#943216). Non-security issues fixed : - Fix a spurious error message. - Other bugfixes, see /usr/share/doc/packages/ntp/ChangeLog. - Fix a regression in
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 96715
    published: 2017-01-24
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/96715
    title: SUSE SLES11 Security Update : ntp (SUSE-SU-2017:0255-1)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2017-1125.NASL
    description: According to the versions of the ntp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ntpq in NTP before 4.2.8p7 allows remote attackers to obtain origin timestamps and then impersonate peers via unspecified vectors. (CVE-2015-8139) - NTP before 4.2.8p7 and 4.3.x before 4.3.92, when mode7 is enabled, allows remote attackers to cause a denial of service (ntpd abort) by using the same IP address multiple times in an unconfig directive. (CVE-2016-2516) - The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication. (CVE-2016-4954) - ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time. (CVE-2016-4955) - ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-1548. (CVE-2016-4956) - Buffer overflow in the legacy Datum Programmable Time Server (DPTS) refclock driver in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows local users to have unspecified impact via a crafted /dev/datum device. (CVE-2017-6462) - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote authenticated users to cause a denial of service (daemon crash) via an invalid setting in a :config directive, related to the unpeer option. (CVE-2017-6463) - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote attackers to cause a denial of service (ntpd crash) via a malformed mode configuration directive. (CVE-2017-6464) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-06
    modified: 2017-07-10
    plugin id: 101311
    published: 2017-07-10
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101311
    title: EulerOS 2.0 SP2 : ntp (EulerOS-SA-2017-1125)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2017-1124.NASL
    description: According to the versions of the ntp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ntpq in NTP before 4.2.8p7 allows remote attackers to obtain origin timestamps and then impersonate peers via unspecified vectors. (CVE-2015-8139) - NTP before 4.2.8p7 and 4.3.x before 4.3.92, when mode7 is enabled, allows remote attackers to cause a denial of service (ntpd abort) by using the same IP address multiple times in an unconfig directive. (CVE-2016-2516) - The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication. (CVE-2016-4954) - ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time. (CVE-2016-4955) - ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-1548. (CVE-2016-4956) - Buffer overflow in the legacy Datum Programmable Time Server (DPTS) refclock driver in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows local users to have unspecified impact via a crafted /dev/datum device. (CVE-2017-6462) - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote authenticated users to cause a denial of service (daemon crash) via an invalid setting in a :config directive, related to the unpeer option. (CVE-2017-6463) - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote attackers to cause a denial of service (ntpd crash) via a malformed mode configuration directive. (CVE-2017-6464) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-05-06
    modified: 2017-07-10
    plugin id: 101310
    published: 2017-07-10
    reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/101310
    title: EulerOS 2.0 SP1 : ntp (EulerOS-SA-2017-1124)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2016-1247-1.NASL
    description: ntp was updated to version 4.2.8p6 to fix 28 security issues. Major functional changes : - The
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 90991
    published: 2016-05-09
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/90991
    title: SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1247-1)
  • NASL family: Firewalls
    NASL id: PFSENSE_SA-16_02.NASL
    description: According to its self-reported version number, the remote pfSense install is prior to 2.3. It is, therefore, affected by multiple vulnerabilities.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 106499
    published: 2018-01-31
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/106499
    title: pfSense < 2.3 Multiple Vulnerabilities (SA-16_01 - SA-16_02)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2016-1175-1.NASL
    description: ntp was updated to version 4.2.8p6 to fix 12 security issues. These security issues were fixed : - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966). - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802). - CVE-2015-7975: nextvar() missing length check (bsc#962988). - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960). - CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995). - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994). - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997). - CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 90820
    published: 2016-05-02
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/90820
    title: SUSE SLES11 Security Update : ntp (SUSE-SU-2016:1175-1)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201607-15.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201607-15 (NTP: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in NTP. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 92485
    published: 2016-07-21
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/92485
    title: GLSA-201607-15 : NTP: Multiple vulnerabilities
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2016-1311-1.NASL
    description: This network time protocol server ntp was updated to 4.2.8p6 to fix the following issues : Also yast2-ntp-client was updated to match some sntp syntax changes. (bsc#937837) Major functional changes : - The
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 91248
    published: 2016-05-19
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/91248
    title: SUSE SLES11 Security Update : ntp (SUSE-SU-2016:1311-1)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2016-50B0066B7F.NASL
    description: Security fix for CVE-2015-8139, CVE-2016-4954, CVE-2016-4955, CVE-2016-4956. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-05
    modified: 2016-07-14
    plugin id: 92095
    published: 2016-07-14
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/92095
    title: Fedora 24 : ntp (2016-50b0066b7f)
  • NASL family: AIX Local Security Checks
    NASL id: AIX_IV83984.NASL
    description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using authenticated broadcast mode packets to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted ntpdc reslist command, an attacker could exploit this vulnerability to cause a segmentation fault. NTP could allow a remote attacker to bypass security restrictions. By sending specially crafted broadcast packets with bad authentication, an attacker could exploit this vulnerability to cause the target broadcast client to tear down the association with the broadcast server. NTP could allow a remote attacker to obtain sensitive information, caused by an origin leak in ntpq and ntpdc. An attacker could exploit this vulnerability to obtain sensitive information. NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using ntpq to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by the improper processing of incoming packets by ntpq. By sending specially crafted data, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop. This plugin has been deprecated due to manual logic changes and advisory issues. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.
    last seen: 2017-10-29
    modified: 2017-01-19
    plugin id: 91516
    published: 2016-06-09
    reporter: Tenable
    source: https://www.tenable.com/plugins/index.php?view=single&id=91516
    title: AIX 6.1 TL 9 : ntp (IV83984) (deprecated)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2019-1555.NASL
    description: According to the versions of the ntp packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - It was found that when ntp is configured with rate limiting for all associations the limits are also applied to responses received from its configured sources. A remote attacker who knows the sources can cause a denial of service by preventing ntpd from accepting valid responses from its sources. (CVE-2016-7426) - ntpq in NTP before 4.2.8p7 allows remote attackers to obtain origin timestamps and then impersonate peers via unspecified vectors. (CVE-2015-8139) - A NULL pointer dereference flaw was found in the way ntpd processed
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 125008
    published: 2019-05-14
    reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/125008
    title: EulerOS Virtualization 3.0.1.0 : ntp (EulerOS-SA-2019-1555)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV83995.NASL
    descriptionhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using authenticated broadcast mode packets to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted ntpdc reslist command, an attacker could exploit this vulnerability to cause a segmentation fault. NTP could allow a remote attacker to bypass security restrictions. By sending specially crafted broadcast packets with bad authentication, an attacker could exploit this vulnerability to cause the target broadcast client to tear down the association with the broadcast server. NTP could allow a remote attacker to obtain sensitive information, caused by an origin leak in ntpq and ntpdc. An attacker could exploit this vulnerability to obtain sensitive information. NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using ntpq to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by the improper processing of incoming packets by ntpq. By sending specially crafted data, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop. This plugin has been deprecated due to manual logic changes and advisory issues. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.
    last seen2017-10-29
    modified2017-01-19
    plugin id91519
    published2016-06-09
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=91519
    titleAIX 7.2 TL 0 : ntp (IV83995) (deprecated)
  • NASL familyMisc.
    NASL idNTP_4_2_8P6.NASL
    descriptionThe version of the remote NTP server is 3.x or 4.x prior to 4.2.8p6. It is, therefore, affected by the following vulnerabilities : - A flaw exists in the receive() function due to the use of authenticated broadcast mode. A man-in-the-middle attacker can exploit this to conduct a replay attack. (CVE-2015-7973) - A time serving flaw exists in the trusted key system due to improper key checks. An authenticated, remote attacker can exploit this to perform impersonation attacks between authenticated peers. (CVE-2015-7974) - An overflow condition exists in the nextvar() function due to improper validation of user-supplied input. A local attacker can exploit this to cause a buffer overflow, resulting in a denial of service condition. (CVE-2015-7975) - A flaw exists in ntp_control.c due to improper filtering of special characters in filenames by the saveconfig command. An authenticated, remote attacker can exploit this to inject arbitrary content. (CVE-2015-7976) - A NULL pointer dereference flaw exists in ntp_request.c that is triggered when handling ntpdc reslist commands. A remote attacker can exploit this, via a specially crafted request, to crash the service, resulting in a denial of service condition. (CVE-2015-7977) - A flaw exists in ntpdc that is triggered during the handling of the reslist command. A remote attacker can exploit this, via recursive traversals of the restriction list, to exhaust available space on the call stack, resulting in a denial of service condition. (CVE-2015-7978) - An unspecified flaw exists in authenticated broadcast mode. A remote attacker can exploit this, via specially crafted packets, to cause a denial of service condition. (CVE-2015-7979) - A flaw exists in the receive() function that allows packets with an origin timestamp of zero to bypass security checks. A remote attacker can exploit this to spoof arbitrary content. (CVE-2015-8138) - A flaw exists in ntpq and ntpdc that allows a remote attacker to disclose sensitive information in timestamps. (CVE-2015-8139) - A flaw exists in the ntpq protocol that is triggered during the handling of an improper sequence of numbers. A man-in-the-middle attacker can exploit this to conduct a replay attack. (CVE-2015-8140) - A flaw exists in the ntpq client that is triggered when handling packets that cause a loop in the getresponse() function. A remote attacker can exploit this to cause an infinite loop, resulting in a denial of service condition. (CVE-2015-8158)
    last seen2020-06-01
    modified2020-06-02
    plugin id88054
    published2016-01-21
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/88054
    titleNetwork Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p6 Multiple Vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-3193-1.NASL
    descriptionThis update for ntp fixes the following issues : - Simplify ntpd
    last seen2020-06-01
    modified2020-06-02
    plugin id95986
    published2016-12-21
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95986
    titleSUSE SLES11 Security Update : ntp (SUSE-SU-2016:3193-1)
  • NASL familyAIX Local Security Checks
    NASL idAIX_NTP_V4_ADVISORY6.NASL
    descriptionThe version of NTP installed on the remote AIX host is affected by the following vulnerabilities : - A flaw exists in the receive() function due to the use of authenticated broadcast mode. A man-in-the-middle attacker can exploit this to conduct a replay attack. (CVE-2015-7973) - A NULL pointer dereference flaw exists in ntp_request.c that is triggered when handling ntpdc reslist commands. A remote attacker can exploit this, via a specially crafted request, to crash the service, resulting in a denial of service condition. (CVE-2015-7977) - An unspecified flaw exists in authenticated broadcast mode. A remote attacker can exploit this, via specially crafted packets, to cause a denial of service condition. (CVE-2015-7979) - A flaw exists in ntpq and ntpdc that allows a remote attacker to disclose sensitive information in timestamps. (CVE-2015-8139) - A flaw exists in the ntpq protocol that is triggered during the handling of an improper sequence of numbers. A man-in-the-middle attacker can exploit this to conduct a replay attack. (CVE-2015-8140) - A flaw exists in the ntpq client that is triggered when handling packets that cause a loop in the getresponse() function. A remote attacker can exploit this to cause an infinite loop, resulting in a denial of service condition. (CVE-2015-8158)
    last seen2020-06-01
    modified2020-06-02
    plugin id92357
    published2016-07-18
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/92357
    titleAIX NTP v4 Advisory : ntp_advisory6.asc (IV83983) (IV83992)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-1177-1.NASL
    descriptionntp was updated to version 4.2.8p6 to fix 12 security issues. Also yast2-ntp-client was updated to match some sntp syntax changes. (bsc#937837) These security issues were fixed : - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966). - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802). - CVE-2015-7975: nextvar() missing length check (bsc#962988). - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960). - CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995). - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994). - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997). - CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id90821
    published2016-05-02
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/90821
    titleSUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1177-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-C3BD6A3496.NASL
    descriptionSecurity fix for CVE-2015-8139, CVE-2016-4954, CVE-2016-4955, CVE-2016-4956 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-07-15
    plugin id92288
    published2016-07-15
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92288
    titleFedora 22 : ntp (2016-c3bd6a3496)
  • NASL familyF5 Networks Local Security Checks
    NASL idF5_BIGIP_SOL00329831.NASL
    descriptionCVE-2015-8139 ntpq in NTP before 4.2.8p7 allows remote attackers to obtain origin timestamps and then impersonate peers via unspecified vectors. CVE-2015-8140 The ntpq protocol in NTP before 4.2.8p7 allows remote attackers to conduct replay attacks by sniffing the network.
    last seen2020-06-01
    modified2020-06-02
    plugin id97499
    published2017-03-03
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/97499
    titleF5 Networks BIG-IP : NTP vulnerabilities (K00329831)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV83993.NASL
    descriptionhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using authenticated broadcast mode packets to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted ntpdc reslist command, an attacker could exploit this vulnerability to cause a segmentation fault. NTP could allow a remote attacker to bypass security restrictions. By sending specially crafted broadcast packets with bad authentication, an attacker could exploit this vulnerability to cause the target broadcast client to tear down the association with the broadcast server. NTP could allow a remote attacker to obtain sensitive information, caused by an origin leak in ntpq and ntpdc. An attacker could exploit this vulnerability to obtain sensitive information. NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using ntpq to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by the improper processing of incoming packets by ntpq. By sending specially crafted data, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop. This plugin has been deprecated due to manual logic changes and advisory issues. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.
    last seen2017-10-29
    modified2017-01-19
    plugin id91517
    published2016-06-09
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=91517
    titleAIX 7.1 TL 3 : ntp (IV83993) (deprecated)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-578.NASL
    descriptionntp was updated to version 4.2.8p6 to fix 12 security issues. Also yast2-ntp-client was updated to match some sntp syntax changes. (bsc#937837) These security issues were fixed : - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966). - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802). - CVE-2015-7975: nextvar() missing length check (bsc#962988). - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960). - CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995). - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994). - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997). - CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629). These non-security issues were fixed : - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added the authreg directive. - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which caused the synchronization to fail. - bsc#782060: Speedup ntpq. - bsc#916617: Add /var/db/ntp-kod. - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen quite a lot on loaded systems. - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST. - Add ntp-fork.patch and build with threads disabled to allow name resolution even when running chrooted. This update was imported from the SUSE:SLE-12-SP1:Update update project.
    last seen2020-06-05
    modified2016-05-13
    plugin id91111
    published2016-05-13
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/91111
    titleopenSUSE Security Update : ntp (openSUSE-2016-578)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV83994.NASL
    descriptionhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using authenticated broadcast mode packets to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted ntpdc reslist command, an attacker could exploit this vulnerability to cause a segmentation fault. NTP could allow a remote attacker to bypass security restrictions. By sending specially crafted broadcast packets with bad authentication, an attacker could exploit this vulnerability to cause the target broadcast client to tear down the association with the broadcast server. NTP could allow a remote attacker to obtain sensitive information, caused by an origin leak in ntpq and ntpdc. An attacker could exploit this vulnerability to obtain sensitive information. NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using ntpq to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by the improper processing of incoming packets by ntpq. By sending specially crafted data, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop. This plugin has been deprecated due to manual logic changes and advisory issues. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.
    last seen2017-10-29
    modified2017-01-19
    plugin id91518
    published2016-06-09
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=91518
    titleAIX 7.1 TL 4 : ntp (IV83994) (deprecated)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2016-727.NASL
    descriptionIt was discovered that ntpq and ntpdc disclosed the origin timestamp to unauthenticated clients, which could permit such clients to forge the server
    last seen2020-06-01
    modified2020-06-02
    plugin id92662
    published2016-08-02
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/92662
    titleAmazon Linux AMI : ntp (ALAS-2016-727)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV84269.NASL
    descriptionhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using authenticated broadcast mode packets to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted ntpdc reslist command, an attacker could exploit this vulnerability to cause a segmentation fault. NTP could allow a remote attacker to bypass security restrictions. By sending specially crafted broadcast packets with bad authentication, an attacker could exploit this vulnerability to cause the target broadcast client to tear down the association with the broadcast server. NTP could allow a remote attacker to obtain sensitive information, caused by an origin leak in ntpq and ntpdc. An attacker could exploit this vulnerability to obtain sensitive information. NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using ntpq to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by the improper processing of incoming packets by ntpq. By sending specially crafted data, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop. This plugin has been deprecated due to manual logic changes and advisory issues. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.
    last seen2017-10-29
    modified2017-01-19
    plugin id91520
    published2016-06-09
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=91520
    titleAIX 5.3 TL 12 : ntp (IV84269) (deprecated)

Seebug

bulletinFamilyexploit
description
### Summary

An exploitable configuration modification vulnerability exists in the control mode (mode 6) functionality of ntpd. A specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, preventing legitimate monitoring. A remote, unauthenticated, network attacker can trigger this vulnerability.

### Tested Versions

* NTP 4.2.8p3
* NTP 4.2.8p8
* NTPsec 0.9.1
* NTPsec 0.9.3

### Product URLs

* http://www.ntp.org
* http://www.ntpsec.org/

### CVSS Scores

* CVSSv2: 6.4 - (AV:N/AC:L/Au:N/C:P/I:P/A:N)
* CVSSv3: 6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

### Details

ntpd provides a `trap` functionality that sends asynchronous notifications to a number of `trap receivers` whenever an event of interest occurs. Example events of interest include: association mobilization and demobilization, authentication failures, reachability changes, etc. Since at least ntp-4.0.94 (July 21, 1999), ntpd has allowed traps to be configured via control (mode 6) and private (mode 7) NTP modes. Though private mode requires messages modifying trap settings to be authenticated, control mode allows unauthenticated packets to modify trap settings using the `SETTRAP` and `UNSETTRAP` control messages.

This vulnerability can be used to achieve several goals:

* Time Shifting: If an attacker controls a host that is allowed to receive traps (i.e. not restricted by `restrict noquery` or `restrict notrap`), the attacker can instruct a victim ntpd instance to send traps to the attacker's host. Whenever a reportable event occurs for some peer, the victim ntpd will send a trap to the attacker leaking all the peer variables associated with that peer. The information leaked includes the peer's org and rec variables allowing the attacker to bypass TEST2 and impersonate said peer in a manner similar to CVE-2015-8139 and CVE-2016-1548. The attacker can force the victim ntpd to leak the information for any peer at any time by triggering a reportable event for said peer. There are multiple methods to trigger a reportable event for a peer, among them spoofing an invalid crypto-NAK or incorrectly authenticated packet from the peer. NOTE: With ntp-4.2.8p8 and earlier the 0rigin attack (CVE-2015-8138) [1] already allows impersonation of reachable peers. In those ntpd versions, this vulnerability provides another method for impersonating unreachable peers.
* DDoS Amplification: An attacker can use an ntpd instance as a DDoS amplifier to DDoS hosts that are allowed to receive traps from the ntpd instance using the following technique. The amplification factor is 12-13x. The attacker forges a `SETTRAP` packet from the `victim` to the `amplifier`, causing the `amplifier` to set a trap for the `victim`. The attacker then repeatedly triggers reportable events causing trap messages to be sent to the victim. E.g. the attacker rapidly forges invalid crypto-NAKs and/or bad_auth packets from the `victim`'s `sys_peer`. ntpd attempts to limit the number of consecutive traps sent for events of a single type. To maximize effect, the attacker can alternate between events of different types. ntpd will periodically time out old traps when a new one is set. Therefore, for a long-term attack, the attacker may need to periodically refresh the trap on the `amplifier`.
* Evading Monitoring: In an environment where dynamically configured traps are used to modify an ntpd instance, an unauthenticated attacker can remove traps set by legitimate monitoring systems by spoofing the source address of the `trap receiver` in an `UNSETTRAP` message.

Authentication should be required in order to modify trap configuration.

### Mitigation

Several mitigations can lessen the impact of this vulnerability.

1. Unauthorized hosts can be prevented from receiving traps using the `restrict default notrap` restriction. This setting is the default on many modern Linux systems. This mitigation has no effect on the "Evading Monitoring" impact described above because the alleged sender of the packet is an authorized trap receiver.
2. Block NTP control mode trap configuration commands using a firewall or IPS. It does not appear that support for configuring control mode traps was ever implemented in ntpq, the reference NTP control mode client. As such, on most networks blocking control mode trap configuration commands should have no effect on legitimate traffic. Specifically, firewalls should block packets with the following characteristics:
   * UDP Destination Port: 123
   * NTP Mode: 6
   * NTP Control Operation Code: 6 (SETTRAP) or 31 (UNSETTRAP)

Traps specified in ntp.conf cannot be modified using this vulnerability.

[1] http://www.talosintelligence.com/reports/TALOS-2016-0077/

### Timeline

* 2016-09-20 - Vendor Disclosure
* 2016-11-21 - Public Release
idSSV:96647
last seen2017-11-19
modified2017-10-11
published2017-10-11
reporterRoot
titleNetwork Time Protocol Control Mode Unauthenticated Trap Information Disclosure and DDoS Amplification Vulnerability(CVE-2016-9310)
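The Seebug entry above ends with the packet characteristics a firewall or IPS should match to block unauthenticated trap configuration (UDP port 123, NTP mode 6, control opcode 6 or 31). The following is an added detection example written for this page; it is not code from Talos, the NTP project or any vendor listed above. It parses the 12-byte NTP control-message header (leap/version/mode byte, then the R/E/M/opcode byte, sequence, status, association id, offset, count) and flags SETTRAP and UNSETTRAP requests. The source addresses, the datagram tuples and the packets built by `build_control_packet` are constructed test data, not captures.

```python
"""Flag NTP mode-6 SETTRAP / UNSETTRAP requests in a stream of UDP datagrams.

Added example for this page; the datagrams below are constructed, not captured.
"""
import struct

NTP_PORT = 123
MODE_CONTROL = 6          # NTP mode 6 = control messages (ntpq protocol)
CTL_OP_SETTRAP = 6        # control opcode values from the ntpd control protocol
CTL_OP_UNSETTRAP = 31

# Control header: LI/VN/Mode (1), R/E/M/OpCode (1), sequence (2), status (2),
# association id (2), offset (2), count (2) = 12 bytes, network byte order.
_CTL_HDR = struct.Struct("!BBHHHHH")


def parse_ntp_control_header(payload: bytes):
    """Return the parsed control header as a dict, or None if the payload is
    too short or is not an NTP mode-6 packet (client/server/broadcast modes
    are deliberately ignored; only control traffic is of interest here)."""
    if len(payload) < _CTL_HDR.size:
        return None
    li_vn_mode, rem_op, seq, status, assoc_id, offset, count = _CTL_HDR.unpack(
        payload[:_CTL_HDR.size]
    )
    if li_vn_mode & 0x07 != MODE_CONTROL:
        return None
    return {
        "version": (li_vn_mode >> 3) & 0x07,
        "response": bool(rem_op & 0x80),   # R bit: set on replies from ntpd
        "error": bool(rem_op & 0x40),      # E bit: error response
        "more": bool(rem_op & 0x20),       # M bit: more fragments follow
        "opcode": rem_op & 0x1F,
        "sequence": seq,
        "status": status,
        "assoc_id": assoc_id,
        "offset": offset,
        "count": count,
    }


def is_trap_config_request(payload: bytes) -> bool:
    """True for a mode-6 *request* (R bit clear) carrying SETTRAP or UNSETTRAP."""
    hdr = parse_ntp_control_header(payload)
    if hdr is None or hdr["response"]:
        return False
    return hdr["opcode"] in (CTL_OP_SETTRAP, CTL_OP_UNSETTRAP)


def classify_datagrams(datagrams):
    """datagrams: iterable of (src_ip, dst_port, payload). Returns a list of
    (src_ip, opcode_name) alerts for trap configuration requests to port 123."""
    names = {CTL_OP_SETTRAP: "SETTRAP", CTL_OP_UNSETTRAP: "UNSETTRAP"}
    alerts = []
    for src, dst_port, payload in datagrams:
        if dst_port != NTP_PORT or not is_trap_config_request(payload):
            continue
        alerts.append((src, names[parse_ntp_control_header(payload)["opcode"]]))
    return alerts


def build_control_packet(opcode: int, response: bool = False, sequence: int = 1,
                         assoc_id: int = 0, data: bytes = b"") -> bytes:
    """Construct a minimal mode-6 packet (LI=0, VN=2) for test input only."""
    li_vn_mode = (2 << 3) | MODE_CONTROL
    rem_op = (0x80 if response else 0x00) | (opcode & 0x1F)
    return _CTL_HDR.pack(li_vn_mode, rem_op, sequence, 0, assoc_id, 0, len(data)) + data


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_DATAGRAMS = [
    ("192.0.2.10", 123, build_control_packet(2)),                        # READVAR: ordinary ntpq query
    ("192.0.2.20", 123, build_control_packet(CTL_OP_SETTRAP)),           # should alert
    ("192.0.2.30", 123, build_control_packet(CTL_OP_UNSETTRAP)),         # should alert
    ("192.0.2.40", 123, bytes([0x23]) + bytes(47)),                      # mode 3 client poll, ignored
    ("192.0.2.50", 123, build_control_packet(CTL_OP_SETTRAP, response=True)),  # reply, not a request
    ("192.0.2.60", 5353, build_control_packet(CTL_OP_SETTRAP)),          # not NTP port, ignored
]

if __name__ == "__main__":
    for src, name in classify_datagrams(SAMPLE_DATAGRAMS):
        print(f"alert: mode-6 {name} request from {src}")
```

The check keys on the request direction (R bit clear) so that ntpd's own trap and query replies are not flagged, and it ignores every non-control mode, which keeps ordinary client/server time traffic out of the rule. The same three fields (port 123, mode 6, opcode 6 or 31) are what the mitigation text asks a firewall to match; `restrict default notrap` remains the in-daemon control for the information-disclosure and amplification impacts.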

Talos

References