Vulnerabilities > CVE-2016-1548 - Data Processing Errors vulnerability in NTP 4.2.8

CVSS 7.2 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

LOW

Availability impact

LOW

network

low complexity

ntp

CWE-19

nessus

NVD

Published: 2017-01-06

Updated: 2021-11-17

Summary

An attacker can spoof a packet from a legitimate ntpd server with an origin timestamp that matches the peer->dst timestamp recorded for that server. After making this switch, the client in NTP 4.2.8p4 and earlier and NTPSec aa48d001683e5b791a743ec9c575aaf7d867a2b0c will reject all future legitimate server responses. It is possible to force the victim client to move time after the mode has been changed. ntpq gives no indication that the mode has been switched.

Vulnerable Configurations

Part	Description	Count
Application	Ntp NTP NTP 4.2.8	1

Common Weakness Enumeration (CWE)

CWE-19 - Data Processing Errors

Common Attack Pattern Enumeration and Classification (CAPEC)

Overflow Buffers
Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
XML Nested Payloads
Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By nesting XML data and causing this data to be continuously self-referential, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. An attacker's goal is to leverage parser failure to his or her advantage. In most cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.230.1].
XML Oversized Payloads
Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the XML parser, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An attacker's goal is to leverage parser failure to his or her advantage. In many cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it is possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.231.1].
XML Client-Side Attack
Client applications such as web browsers that process HTML data often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.484.1]
XML Parser Attack
Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.99.1]

Nessus

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DLA-559.NASL
description	Several vulnerabilities were discovered in the Network Time Protocol daemon and utility programs : CVE-2015-7974 Matt Street discovered that insufficient key validation allows impersonation attacks between authenticated peers. CVE-2015-7977 / CVE-2015-7978 Stephen Gray discovered that a NULL pointer dereference and a buffer overflow in the handling of
last seen	2020-03-17
modified	2016-07-26
plugin id	92546
published	2016-07-26
reporter	This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/92546
title	Debian DLA-559-1 : ntp security update
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-559-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(92546); script_version("2.12"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2015-7974", "CVE-2015-7977", "CVE-2015-7978", "CVE-2015-7979", "CVE-2015-8138", "CVE-2015-8158", "CVE-2016-1547", "CVE-2016-1548", "CVE-2016-1550", "CVE-2016-2516", "CVE-2016-2518"); script_name(english:"Debian DLA-559-1 : ntp security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities were discovered in the Network Time Protocol daemon and utility programs : CVE-2015-7974 Matt Street discovered that insufficient key validation allows impersonation attacks between authenticated peers. CVE-2015-7977 / CVE-2015-7978 Stephen Gray discovered that a NULL pointer dereference and a buffer overflow in the handling of 'ntpdc reslist' commands may result in denial of service. CVE-2015-7979 Aanchal Malhotra discovered that if NTP is configured for broadcast mode, an attacker can send malformed authentication packets which break associations with the server for other broadcast clients. CVE-2015-8138 Matthew van Gundy and Jonathan Gardner discovered that missing validation of origin timestamps in ntpd clients may result in denial of service. CVE-2015-8158 Jonathan Gardner discovered that missing input sanitising in ntpq may result in denial of service. CVE-2016-1547 Stephen Gray and Matthew van Gundy discovered that incorrect handling of crypto NAK packets my result in denial of service. CVE-2016-1548 Jonathan Gardner and Miroslav Lichvar discovered that ntpd clients could be forced to change from basic client/server mode to interleaved symmetric mode, preventing time synchronisation. CVE-2016-1550 Matthew van Gundy, Stephen Gray and Loganaden Velvindron discovered that timing leaks in the the packet authentication code could result in recovery of a message digest. CVE-2016-2516 Yihan Lian discovered that duplicate IPs on 'unconfig' directives will trigger an assert. CVE-2016-2518 Yihan Lian discovered that an OOB memory access could potentially crash ntpd. For Debian 7 'Wheezy', these problems have been fixed in version 1:4.2.6.p5+dfsg-2+deb7u7. We recommend that you upgrade your ntp packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2016/07/msg00021.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/ntp" ); script_set_attribute( attribute:"solution", value:"Upgrade the affected ntp, ntp-doc, and ntpdate packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ntp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ntp-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ntpdate"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"patch_publication_date", value:"2016/07/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/26"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"ntp", reference:"1:4.2.6.p5+dfsg-2+deb7u7")) flag++; if (deb_check(release:"7.0", prefix:"ntp-doc", reference:"1:4.2.6.p5+dfsg-2+deb7u7")) flag++; if (deb_check(release:"7.0", prefix:"ntpdate", reference:"1:4.2.6.p5+dfsg-2+deb7u7")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2016-5B2EB0BF9C.NASL
description	Security fix for CVE-2016-1548, CVE-2016-2516, CVE-2016-2518, CVE-2016-1550 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-05
modified	2016-05-12
plugin id	91062
published	2016-05-12
reporter	This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/91062
title	Fedora 23 : ntp-4.2.6p5-40.fc23 (2016-5b2eb0bf9c)

NASL family	Slackware Local Security Checks
NASL id	SLACKWARE_SSA_2016-120-01.NASL
description	New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	90800
published	2016-05-02
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/90800
title	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2016-120-01)

NASL family	F5 Networks Local Security Checks
NASL id	F5_BIGIP_SOL64505405.NASL
description	ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-1548. (CVE-2016-4956)
last seen	2020-06-01
modified	2020-06-02
plugin id	95967
published	2016-12-21
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/95967
title	F5 Networks BIG-IP : NTP vulnerability (K64505405)

NASL family	OracleVM Local Security Checks
NASL id	ORACLEVM_OVMSA-2017-0165.NASL
description	The remote OracleVM system is missing necessary patches to address critical security updates : - add disable monitor to default ntp.conf [CVE-2013-5211] - fix buffer overflow in datum refclock driver (CVE-2017-6462) - fix crash with invalid unpeer command (CVE-2017-6463) - fix potential crash with invalid server command (CVE-2017-6464) - don
last seen	2020-06-01
modified	2020-06-02
plugin id	104204
published	2017-10-27
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/104204
title	OracleVM 3.3 / 3.4 : ntp (OVMSA-2017-0165)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2016-1141.NASL
description	An update for ntp is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Network Time Protocol (NTP) is used to synchronize a computer
last seen	2020-06-01
modified	2020-06-02
plugin id	91420
published	2016-06-01
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/91420
title	RHEL 6 / 7 : ntp (RHSA-2016:1141)

NASL family	Red Hat Local Security Checks
NASL id	REDHAT-RHSA-2016-1552.NASL
description	An update for ntp is now available for Red Hat Enterprise Linux 6.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Network Time Protocol (NTP) is used to synchronize a computer
last seen	2020-06-01
modified	2020-06-02
plugin id	92718
published	2016-08-04
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/92718
title	RHEL 6 : ntp (RHSA-2016:1552)

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-3629.NASL
description	Several vulnerabilities were discovered in the Network Time Protocol daemon and utility programs : - CVE-2015-7974 Matt Street discovered that insufficient key validation allows impersonation attacks between authenticated peers. - CVE-2015-7977 CVE-2015-7978 Stephen Gray discovered that a NULL pointer dereference and a buffer overflow in the handling of
last seen	2020-06-01
modified	2020-06-02
plugin id	92571
published	2016-07-27
reporter	This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/92571
title	Debian DSA-3629-1 : ntp - security update

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2016-649.NASL
description	This update for ntp fixes the following issues : - Update to 4.2.8p7 (boo#977446) : - CVE-2016-1547, boo#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, boo#977461: Interleave-pivot - CVE-2016-1549, boo#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, boo#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, boo#977450: Refclock impersonation vulnerability - CVE-2016-2516, boo#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, boo#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, boo#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, boo#977458: ctl_getitem() return value not always checked. - integrate ntp-fork.patch - Improve the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 - Restrict the parser in the startup script to the first occurrance of
last seen	2020-06-05
modified	2016-06-01
plugin id	91403
published	2016-06-01
reporter	This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/91403
title	openSUSE Security Update : ntp (openSUSE-2016-649)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2016-777D838C1B.NASL
description	Security fix for CVE-2016-1548, CVE-2016-2516, CVE-2016-2518, CVE-2016-1550 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-05
modified	2016-07-14
plugin id	92113
published	2016-07-14
reporter	This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/92113
title	Fedora 22 : ntp (2016-777d838c1b)

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2017-1125.NASL
description	According to the versions of the ntp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ntpq in NTP before 4.2.8p7 allows remote attackers to obtain origin timestamps and then impersonate peers via unspecified vectors.(CVE-2015-8139) - NTP before 4.2.8p7 and 4.3.x before 4.3.92, when mode7 is enabled, allows remote attackers to cause a denial of service (ntpd abort) by using the same IP address multiple times in an unconfig directive.(CVE-2016-2516) - The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication.(CVE-2016-4954) - ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time.(CVE-2016-4955) - ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-1548.(CVE-2016-4956) - Buffer overflow in the legacy Datum Programmable Time Server (DPTS) refclock driver in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows local users to have unspecified impact via a crafted /dev/datum device.(CVE-2017-6462) - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote authenticated users to cause a denial of service (daemon crash) via an invalid setting in a :config directive, related to the unpeer option.(CVE-2017-6463) - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote attackers to cause a denial of service (ntpd crash) via a malformed mode configuration directive.(CVE-2017-6464) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-05-06
modified	2017-07-10
plugin id	101311
published	2017-07-10
reporter	This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/101311
title	EulerOS 2.0 SP2 : ntp (EulerOS-SA-2017-1125)

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2017-1124.NASL
description	According to the versions of the ntp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ntpq in NTP before 4.2.8p7 allows remote attackers to obtain origin timestamps and then impersonate peers via unspecified vectors.i1/4^CVE-2015-8139i1/4%0 - NTP before 4.2.8p7 and 4.3.x before 4.3.92, when mode7 is enabled, allows remote attackers to cause a denial of service (ntpd abort) by using the same IP address multiple times in an unconfig directive.i1/4^CVE-2016-2516i1/4%0 - The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication.i1/4^CVE-2016-4954i1/4%0 - ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time.i1/4^CVE-2016-4955i1/4%0 - ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-1548.i1/4^CVE-2016-4956i1/4%0 - Buffer overflow in the legacy Datum Programmable Time Server (DPTS) refclock driver in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows local users to have unspecified impact via a crafted /dev/datum device.i1/4^CVE-2017-6462i1/4%0 - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote authenticated users to cause a denial of service (daemon crash) via an invalid setting in a :config directive, related to the unpeer option.i1/4^CVE-2017-6463i1/4%0 - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote attackers to cause a denial of service (ntpd crash) via a malformed mode configuration directive.i1/4^CVE-2017-6464i1/4%0 Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-05-06
modified	2017-07-10
plugin id	101310
published	2017-07-10
reporter	This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/101310
title	EulerOS 2.0 SP1 : ntp (EulerOS-SA-2017-1124)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2016-1278-1.NASL
description	This update for ntp to 4.2.8p7 fixes the following issues : - CVE-2016-1547, bsc#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, bsc#977461: Interleave-pivot - CVE-2016-1549, bsc#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, bsc#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, bsc#977450: Refclock impersonation vulnerability - CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, bsc#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, bsc#977458: ctl_getitem() return value not always checked. - This update also improves the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 Bugs fixed : - Restrict the parser in the startup script to the first occurrance of
last seen	2020-06-01
modified	2020-06-02
plugin id	91120
published	2016-05-13
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/91120
title	SUSE SLES11 Security Update : ntp (SUSE-SU-2016:1278-1)

NASL family	Gentoo Local Security Checks
NASL id	GENTOO_GLSA-201607-15.NASL
description	The remote host is affected by the vulnerability described in GLSA-201607-15 (NTP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in NTP. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly cause a Denial of Service condition. Workaround : There is no known workaround at this time.
last seen	2020-06-01
modified	2020-06-02
plugin id	92485
published	2016-07-21
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/92485
title	GLSA-201607-15 : NTP: Multiple vulnerabilities

NASL family	CentOS Local Security Checks
NASL id	CENTOS_RHSA-2016-1141.NASL
description	An update for ntp is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Network Time Protocol (NTP) is used to synchronize a computer
last seen	2020-06-01
modified	2020-06-02
plugin id	91394
published	2016-06-01
reporter	This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/91394
title	CentOS 6 / 7 : ntp (CESA-2016:1141)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2016-1568-1.NASL
description	ntp was updated to version 4.2.8p8 to fix 17 security issues. These security issues were fixed : - CVE-2016-4956: Broadcast interleave (bsc#982068). - CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457). - CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458). - CVE-2016-4954: Processing spoofed server packets (bsc#982066). - CVE-2016-4955: Autokey association reset (bsc#982067). - CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a
last seen	2020-06-01
modified	2020-06-02
plugin id	91663
published	2016-06-17
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/91663
title	SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1568-1)

NASL family	Amazon Linux Local Security Checks
NASL id	ALA_ALAS-2016-708.NASL
description	It was found that an ntpd client could be forced to change from basic client/server mode to the interleaved symmetric mode. A remote attacker could use a spoofed packet that, when processed by an ntpd client, would cause that client to reject all future legitimate server responses, effectively disabling time synchronization on that client. (CVE-2016-1548) An out-of-bounds access flaw was found in the way ntpd processed certain packets. An authenticated attacker could use a crafted packet to create a peer association with hmode of 7 and larger, which could potentially (although highly unlikely) cause ntpd to crash. (CVE-2016-2518) A flaw was found in the way libntp performed message authentication. An attacker able to observe the timing of the comparison function used in packet authentication could potentially use this flaw to recover the message digest. (CVE-2016-1550) Assertion failure in ntpd on duplicate IPs on unconfig directives (CVE-2016-2516)
last seen	2020-06-01
modified	2020-06-02
plugin id	91467
published	2016-06-06
reporter	This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/91467
title	Amazon Linux AMI : ntp (ALAS-2016-708)

NASL family	Misc.
NASL id	NTP_4_2_8P7.NASL
description	The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p7. It is, therefore, affected by the following vulnerabilities : - A denial of service vulnerability exists due to improper validation of the origin timestamp field when handling a Kiss-of-Death (KoD) packet. An unauthenticated, remote attacker can exploit this to cause a client to stop querying its servers, preventing the client from updating its clock. (CVE-2015-7704) - A flaw exists in the receive() function in ntp_proto.c that allows packets with an origin timestamp of zero to bypass security checks. An unauthenticated, remote attacker can exploit this to spoof arbitrary content. (CVE-2015-8138) - A denial of service vulnerability exists due to improper handling of a crafted Crypto NAK Packet with a source address spoofed to match that of an existing associated peer. An unauthenticated, remote attacker can exploit this to demobilize a client association. (CVE-2016-1547) - A denial of service vulnerability exists due to improper handling of packets spoofed to appear to be from a valid ntpd server. An unauthenticated, remote attacker can exploit this to cause NTP to switch from basic client/server mode to interleaved symmetric mode, causing the client to reject future legitimate responses. (CVE-2016-1548) - A race condition exists that is triggered during the handling of a saturation of ephemeral associations. An authenticated, remote attacker can exploit this to defeat NTP
last seen	2020-06-01
modified	2020-06-02
plugin id	90923
published	2016-05-05
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/90923
title	Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p7 Multiple Vulnerabilities

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2019-1555.NASL
description	According to the versions of the ntp packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - It was found that when ntp is configured with rate limiting for all associations the limits are also applied to responses received from its configured sources. A remote attacker who knows the sources can cause a denial of service by preventing ntpd from accepting valid responses from its sources.(CVE-2016-7426) - ntpq in NTP before 4.2.8p7 allows remote attackers to obtain origin timestamps and then impersonate peers via unspecified vectors.(CVE-2015-8139) - A NULL pointer dereference flaw was found in the way ntpd processed
last seen	2020-06-01
modified	2020-06-02
plugin id	125008
published	2019-05-14
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/125008
title	EulerOS Virtualization 3.0.1.0 : ntp (EulerOS-SA-2019-1555)

NASL family	F5 Networks Local Security Checks
NASL id	F5_BIGIP_SOL63675293.NASL
description	An attacker can spoof a packet from a legitimate ntpd server with an origin timestamp that matches the peer->dst timestamp recorded for that server. After making this switch, the client in NTP 4.2.8p4 and earlier and NTPSec aa48d001683e5b791a743ec9c575aaf7d867a2b0c will reject all future legitimate server responses. It is possible to force the victim client to move time after the mode has been changed. ntpq gives no indication that the mode has been switched. (CVE-2016-1548)
last seen	2020-06-01
modified	2020-06-02
plugin id	97156
published	2017-02-15
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/97156
title	F5 Networks BIG-IP : NTP vulnerability (K63675293)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2016-1291-1.NASL
description	This update for ntp to 4.2.8p7 fixes the following issues : - CVE-2016-1547, bsc#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, bsc#977461: Interleave-pivot - CVE-2016-1549, bsc#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, bsc#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, bsc#977450: Refclock impersonation vulnerability - CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, bsc#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, bsc#977458: ctl_getitem() return value not always checked. - This update also improves the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 Bugs fixed : - Restrict the parser in the startup script to the first occurrance of
last seen	2020-06-01
modified	2020-06-02
plugin id	91159
published	2016-05-16
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/91159
title	SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1291-1)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2016-1912-1.NASL
description	NTP was updated to version 4.2.8p8 to fix several security issues and to ensure the continued maintainability of the package. These security issues were fixed : CVE-2016-4953: Bad authentication demobilized ephemeral associations (bsc#982065). CVE-2016-4954: Processing spoofed server packets (bsc#982066). CVE-2016-4955: Autokey association reset (bsc#982067). CVE-2016-4956: Broadcast interleave (bsc#982068). CVE-2016-4957: CRYPTO_NAK crash (bsc#982064). CVE-2016-1547: Validate crypto-NAKs to prevent ACRYPTO-NAK DoS (bsc#977459). CVE-2016-1548: Prevent the change of time of an ntpd client or denying service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode (bsc#977461). CVE-2016-1549: Sybil vulnerability: ephemeral association attack (bsc#977451). CVE-2016-1550: Improve security against buffer comparison timing attacks (bsc#977464). CVE-2016-1551: Refclock impersonation vulnerability (bsc#977450)y CVE-2016-2516: Duplicate IPs on unconfig directives could have caused an assertion botch in ntpd (bsc#977452). CVE-2016-2517: Remote configuration trustedkey/ requestkey/controlkey values are not properly validated (bsc#977455). CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457). CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458). CVE-2015-8158: Potential Infinite Loop in ntpq (bsc#962966). CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). CVE-2015-7976: ntpq saveconfig command allowed dangerous characters in filenames (bsc#962802). CVE-2015-7975: nextvar() missing length check (bsc#962988). CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might have allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a
last seen	2020-06-01
modified	2020-06-02
plugin id	93186
published	2016-08-29
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/93186
title	SUSE SLES10 Security Update : ntp (SUSE-SU-2016:1912-1)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2016-599.NASL
description	This update for ntp to 4.2.8p7 fixes the following issues : - CVE-2016-1547, bsc#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, bsc#977461: Interleave-pivot - CVE-2016-1549, bsc#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, bsc#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, bsc#977450: Refclock impersonation vulnerability - CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, bsc#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, bsc#977458: ctl_getitem() return value not always checked. - This update also improves the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 Bugs fixed : - Restrict the parser in the startup script to the first occurrance of
last seen	2020-06-05
modified	2016-05-20
plugin id	91269
published	2016-05-20
reporter	This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/91269
title	openSUSE Security Update : ntp (openSUSE-2016-599)

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-3096-1.NASL
description	Aanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to perform a replay attack. (CVE-2015-7973) Matt Street discovered that NTP incorrectly verified peer associations of symmetric keys. A remote attacker could use this issue to perform an impersonation attack. (CVE-2015-7974) Jonathan Gardner discovered that the NTP ntpq utility incorrectly handled memory. An attacker could possibly use this issue to cause ntpq to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2015-7975) Jonathan Gardner discovered that the NTP ntpq utility incorrectly handled dangerous characters in filenames. An attacker could possibly use this issue to overwrite arbitrary files. (CVE-2015-7976) Stephen Gray discovered that NTP incorrectly handled large restrict lists. An attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7977, CVE-2015-7978) Aanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7979) Jonathan Gardner discovered that NTP incorrectly handled origin timestamp checks. A remote attacker could use this issue to spoof peer servers. (CVE-2015-8138) Jonathan Gardner discovered that the NTP ntpq utility did not properly handle certain incorrect values. An attacker could possibly use this issue to cause ntpq to hang, resulting in a denial of service. (CVE-2015-8158) It was discovered that the NTP cronjob incorrectly cleaned up the statistics directory. A local attacker could possibly use this to escalate privileges. (CVE-2016-0727) Stephen Gray and Matthew Van Gundy discovered that NTP incorrectly validated crypto-NAKs. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1547) Miroslav Lichvar and Jonathan Gardner discovered that NTP incorrectly handled switching to interleaved symmetric mode. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1548) Matthew Van Gundy, Stephen Gray and Loganaden Velvindron discovered that NTP incorrectly handled message authentication. A remote attacker could possibly use this issue to recover the message digest key. (CVE-2016-1550) Yihan Lian discovered that NTP incorrectly handled duplicate IPs on unconfig directives. An authenticated remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2516) Yihan Lian discovered that NTP incorrectly handled certail peer associations. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2518) Jakub Prokes discovered that NTP incorrectly handled certain spoofed packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4954) Miroslav Lichvar discovered that NTP incorrectly handled certain packets when autokey is enabled. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4955) Miroslav Lichvar discovered that NTP incorrectly handled certain spoofed broadcast packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4956) In the default installation, attackers would be isolated by the NTP AppArmor profile. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	93896
published	2016-10-06
reporter	Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/93896
title	Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : ntp vulnerabilities (USN-3096-1)

NASL family	Huawei Local Security Checks
NASL id	EULEROS_SA-2019-1556.NASL
description	According to the versions of the ntp packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A vulnerability was discovered in the NTP server
last seen	2020-06-01
modified	2020-06-02
plugin id	125009
published	2019-05-14
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/125009
title	EulerOS Virtualization 3.0.1.0 : ntp (EulerOS-SA-2019-1556)

NASL family	Oracle Linux Local Security Checks
NASL id	ORACLELINUX_ELSA-2016-1141.NASL
description	From Red Hat Security Advisory 2016:1141 : An update for ntp is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Network Time Protocol (NTP) is used to synchronize a computer
last seen	2020-06-01
modified	2020-06-02
plugin id	91418
published	2016-06-01
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/91418
title	Oracle Linux 6 / 7 : ntp (ELSA-2016-1141)

NASL family	Scientific Linux Local Security Checks
NASL id	SL_20160531_NTP_ON_SL6_X.NASL
description	Security Fix(es) : - It was found that when NTP was configured in broadcast mode, a remote attacker could broadcast packets with bad authentication to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server, causing them to become out of sync over a longer period of time. (CVE-2015-7979) - A denial of service flaw was found in the way NTP handled preemptable client associations. A remote attacker could send several crypto NAK packets to a victim client, each with a spoofed source address of an existing associated peer, preventing that client from synchronizing its time. (CVE-2016-1547) - It was found that an ntpd client could be forced to change from basic client/server mode to the interleaved symmetric mode. A remote attacker could use a spoofed packet that, when processed by an ntpd client, would cause that client to reject all future legitimate server responses, effectively disabling time synchronization on that client. (CVE-2016-1548) - A flaw was found in the way NTP
last seen	2020-03-18
modified	2016-06-17
plugin id	91644
published	2016-06-17
reporter	This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/91644
title	Scientific Linux Security Update : ntp on SL6.x, SL7.x i386/x86_64 (20160531)

NASL family	OracleVM Local Security Checks
NASL id	ORACLEVM_OVMSA-2016-0082.NASL
description	The remote OracleVM system is missing necessary patches to address critical security updates : - don
last seen	2020-06-01
modified	2020-06-02
plugin id	91419
published	2016-06-01
reporter	This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/91419
title	OracleVM 3.3 / 3.4 : ntp (OVMSA-2016-0082)

NASL family	Junos Local Security Checks
NASL id	JUNIPER_SPACE_JSA_10826.NASL
description	According to its self-reported version number, the version of Junos Space running on the remote device is < 17.1R1, and is therefore affected by multiple vulnerabilities.
last seen	2020-06-01
modified	2020-06-02
plugin id	104100
published	2017-10-23
reporter	This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/104100
title	Juniper Junos Space < 17.1R1 Multiple Vulnerabilities (JSA10826)

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2016-ED8C6C0426.NASL
description	Security fix for CVE-2016-1548, CVE-2016-2516, CVE-2016-2518, CVE-2016-1550 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-05
modified	2016-05-09
plugin id	90977
published	2016-05-09
reporter	This script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/90977
title	Fedora 24 : ntp-4.2.6p5-40.fc24 (2016-ed8c6c0426)

NASL family	FreeBSD Local Security Checks
NASL id	FREEBSD_PKG_B2487D9A0C3011E6ACD0D050996490D0.NASL
description	Network Time Foundation reports : NTF
last seen	2020-06-01
modified	2020-06-02
plugin id	90742
published	2016-04-27
reporter	This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/90742
title	FreeBSD : ntp -- multiple vulnerabilities (b2487d9a-0c30-11e6-acd0-d050996490d0)

NASL family	Misc.
NASL id	ARISTA_EOS_SA0019.NASL
description	The version of Arista Networks EOS running on the remote device is affected by multiple vulnerabilities : - A flaw exists in NTP in the receive() function within file ntpd/ntp_proto.c that allows packets with an origin timestamp of zero to bypass security checks. An unauthenticated, remote attacker can exploit this to spoof arbitrary content. (CVE-2015-8138) - A flaw exists in NTP when handling crafted Crypto NAK Packets having spoofed source addresses that match an existing associated peer. A unauthenticated, remote attacker can exploit this to demobilize a client association, resulting in a denial of service condition. (CVE-2016-1547) - A flaw exists in NTP when handling packets that have been spoofed to appear to be coming from a valid ntpd server, which may cause a switch to interleaved symmetric mode. An unauthenticated, remote attacker can exploit this, via a packet having a spoofed timestamp, to cause the client to reject future legitimate server responses, resulting in a denial of service condition. (CVE-2016-1548) - A flaw exits in NTP when handling a saturation of ephemeral associations. An authenticated, remote attacker can exploit this to defeat the clock selection algorithm and thereby modify a victim
last seen	2020-03-17
modified	2018-02-28
plugin id	107061
published	2018-02-28
reporter	This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/107061
title	Arista Networks EOS Multiple Vulnerabilities (SA0019)

NASL family	Amazon Linux Local Security Checks
NASL id	ALA_ALAS-2016-727.NASL
description	It was discovered that ntpq and ntpdc disclosed the origin timestamp to unauthenticated clients, which could permit such clients to forge the server
last seen	2020-06-01
modified	2020-06-02
plugin id	92662
published	2016-08-02
reporter	This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/92662
title	Amazon Linux AMI : ntp (ALAS-2016-727)

Redhat

advisories

rhsa
id RHSA-2016:1141
rhsa
id RHSA-2016:1552

rpms

ntp-0:4.2.6p5-10.el6.1
ntp-0:4.2.6p5-22.el7_2.2
ntp-debuginfo-0:4.2.6p5-10.el6.1
ntp-debuginfo-0:4.2.6p5-22.el7_2.2
ntp-doc-0:4.2.6p5-10.el6.1
ntp-doc-0:4.2.6p5-22.el7_2.2
ntp-perl-0:4.2.6p5-10.el6.1
ntp-perl-0:4.2.6p5-22.el7_2.2
ntpdate-0:4.2.6p5-10.el6.1
ntpdate-0:4.2.6p5-22.el7_2.2
sntp-0:4.2.6p5-22.el7_2.2
ntp-0:4.2.6p5-5.el6_7.5
ntp-debuginfo-0:4.2.6p5-5.el6_7.5
ntp-doc-0:4.2.6p5-5.el6_7.5
ntp-perl-0:4.2.6p5-5.el6_7.5
ntpdate-0:4.2.6p5-5.el6_7.5

Seebug

bulletinFamily	exploit
description	### SUMMARY It is possible to change the time of an ntpd client or deny service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode. An attacker can spoof a packet from a legitimate ntpd server with an origin timestamp that matches the peer->dst timestamp recorded for that server. After making this switch, the client will reject all future legitimate server responses. It is possible to force the victim client to move time after the mode has been changed. ntpq gives no indication that the mode has been switched. ### TESTED VERSIONS ntp 4.2.8p4 NTPSec aa48d001683e5b791a743ec9c575aaf7d867a2b0c ### PRODUCT URLS http://www.ntp.org http://www.ntpsec.org/ ### DETAILS In basic modes, ntpd attempts to protect against spoofed packets from off-path attackers by using the transmit timestamp in each request as a nonce. ntpd notes the time it transmitted its last request in the peer->aorg variable. When a legitimate peer composes a response, the peer will initialize the origin timestamp in the response packet to the value of the transmit timestamp from the request packet. Any response packet that does not carry the expected origin timestamp should be discarded as bogus. receive() contains the following check for a bogus packet in basic mode: ``` } else if (peer->flip == 0) { if (!L_ISEQU(&p_org, &peer->aorg)) { peer->bogusorg++; peer->flash \|= TEST2; /* bogus / msyslog(LOG_INFO, "receive: Unexpected origin timestamp from %s", ntoa(&peer->srcadr)); if ( !L_ISZERO(&peer->dst) && L_ISEQU(&p_org, &peer->dst)) { peer->flip = 1; report_event(PEVNT_XLEAVE, peer, NULL); } return; / Bogus packet, we are done / } else { L_CLR(&peer->aorg); } } ``` If the incoming packet has an origin timestamp that does not match the origin expected for a basic mode packet (the last client transmit time), there is an additional check that determines if this packet is a valid interleaved mode packet This check compares the incoming origin timestamp to peer->dst, the last time the client received a packet from the peer. If they match, the client moves to interleaved mode (peer->flip = 1; Only the value of peer->flip changes and neither symmetric nor broadcast mode are explicitly enabled, however the change effectively places the client in interleaved symmetric mode and will be discussed as such). This happens even when the client is not configured for interleaved symmetric mode in the ntp.conf file. Once a client has been changed to interleaved mode, all future legitimate server responses are ignored because the server is still in basic mode. The server sets the origin timestamp in outgoing packets to the transmit time of the client packets it receives. However, the client, instead of doing the above basic mode check, verifies the incoming server packet with this code from receive(): ``` } else if ( !L_ISZERO(&peer->dst) && !L_ISEQU(&p_org, &peer->dst)) { peer->bogusorg++; peer->flags \|= FLAG_XBOGUS; peer->flash \|= TEST2; / bogus / return; / Bogus packet, we are done / } ``` The client is expecting the origin timestamp to match peer->dst rather than its last transmit timestamp. This results in all future legitimate server responses failing with TEST2 and TEST3 (marked elsewhere in the receive() function). It should be noted that the client never changes the peer modes stored in the peer struct (pmode and hmode). Both continue to be Server (4) and Client (3), respectively. The mode change occurs only through the value of peer->flip. Anytime the peer is reset it comes back in basic mode. The peer is reset every time the clock is stepped (via clear_all()), but the legitimate server will never cause the clock to step since the client is rejecting all its packets. The client can only be switched back to basic mode with a restart of ntpd. Obtaining peer->dst: ntpq can be used to retrieve the precise peer->dst time with the following command: ``` ntpq -c "rv <assoc id> rec" <victim host> ``` Even if ntpq did not reveal this variable, ntpd's current design for switching to interleaved mode should be considered vulnerable. If there is ever a weakness that allows an attacker to brute-force peer->dst (e.g. the random fuzz in the timestamp is found to be insufficient to protect against a brute-force attack within a poll period), the attacker only needs to send one packet to switch the mode and DoS the client. UPDATE: Miroslav Lichvar of RedHat has discovered that NTP leaks peer->dst via the NTP packet reftime field. ### CHANGING TIME: It is possible to set the time on the client after it has changed to interleaved symmetric mode. The attacker must have ongoing access to the current value of peer->dst since it is updated each time the victim receives a spoofed packet. Again, ntpq makes this easier but it is not required. The attacker can send spoofed time updates with peer->dst in the origin timestamp field to be considered for clock selection. The spoofed packets must set the transmit timestamp (xmt) to this same value in order to minimize delay. The receive timestamp (rec) must be set to the time of peer->dst when the last legitimate server packet was received to approximate what value aorg or borg will be when processpacket() computes the delay and offset. aorg and borg are set to the current system time in peerxmit() right after the client sends out a packet to the server. They are used alternately depending on the value of flip, which alternates between 1 and -1 every time a poll update is sent. The delay and offset are calculated as: ``` When flip == 1 delay = (rec - borg) - (xmt - peer->dst) offset = ((rec - borg) + (xmt - peer->dst)) / 2 When flip == -1 delay = (rec - aorg) - (xmt - peer->dst) offset = ((rec - aorg) + (xmt - peer->dst)) / 2 ``` The attacker can control rec and xmt. The attacker can gain access to peer->dst through ntpq or by guessing at the delay. But the attacker has no insight into aorg or borg. Both values are sent out alternately in the transmit timestamp field in client packets. But the value sent out is always the last one used, never the one that is about to be used. To keep delay between 0 and 1 seconds and win the clock selection, the attacker must estimate a time for aorg or borg that is within a second of the real values. On modern networks with low delay, if the attacker uses peer->dst time (the time the client received a response to that request) as an estimate, it will generally fall within a second of aorg or borg, the time the packet was sent. If normal delay in a certain network is usually larger, and if it is within a predictable range, the attacker could fudge for that time by adjusting the receive timestamp. Since the peer will be reset to basic mode after stepping the clock, the attacker must send one more packet with peer->dst as the origin timestamp to pivot the client back to interleaved mode. Once this is done, the attacker does not need to send any more packets to maintain the incorrect time since no legitimate server packets will be processed. The client will continue to move forward in time from the incorrect time the attacker provided. If the attacker wants to change the time further, the client will continue to process spoofed packets as long as the attacker continues to correctly set the origin timestamp. Ideally, a basic mode client would not move to interleaved mode unless it was explicitly configured to do so. If a dynamic mode transition is required, the client needs a way to detect that the legitimate server it is talking to is in basic mode allowing the client to change back to basic mode without requiring a clock step to occur first. Additionally, the peer->dst value should be treated as sensitive and ntpq should not have access it. On Nov 12, 2015, Cisco ASIG received notification that Miroslav Lichvar of RedHat had independently discovered and reported this vulnerability to the NTP project. ASIG's initial analysis indicated that, with access to ntpq, this vulnerability allows time spoofing. To our knowledge, Miroslav's initial analysis indicated that this vulnerability was an off-path denial of service. It appears that the attacks can be combined to allow time spoofing by an off-path attacker without access to ntpq. ### MITIGATION The only mitigation is to upgrade to ntp-4.2.8p. ntp-4.2.8p fixes a number of other critical issues in addition to this vulnerability. If your system’s ntpd is packaged by the system vendor, apply your vendor’s security update as soon as it becomes available. There are no other mitigations to prevent an ntpd client from changing to interleaved mode when the origin timestamp matches the peer->dst timestamp. Disabling ntpq access will make it more difficult, though not impossible, for an attacker to determine the peer->dst timestamp. ntpq can be disabled via restrict configuration directives as in: ``` restrict -4 default noquery ... restrict -6 default noquery ... ``` ### TIMELINE 2015-10-30 - Initial Discovery by Cisco ASIG, analysis begins * 2015-11-12 - Reported to NTP project by Miroslav Lichvar of RedHat after independent discovery * 2015-11-12 - Miroslav Lichvar of RedHat notifies Cisco ASIG of independent discovery * 2015-11-16 - Disclosure to CERT * 2016-01-19 - CERT reports to NTP
id	SSV:96784
last seen	2017-11-19
modified	2017-10-26
published	2017-10-26
reporter	Root
title	Network Time Protocol Forced Interleaved Time Spoofing Vulnerability(CVE-2016-1548)

bulletinFamily	exploit
description	### Summary An exploitable configuration modification vulnerability exists in the control mode (mode 6) functionality of ntpd. A specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, preventing legitimate monitoring. A remote, unauthenticated, network attacker can trigger this vulnerability. ### Tested Versions * NTP 4.2.8p3 * NTP 4.2.8p8 * NTPsec 0.9.1 * NTPsec 0.9.3 ### Product URLs * http://www.ntp.org * http://www.ntpsec.org/ ### CVSS Scores * CVSSv2: 6.4 - (AV:N/AC:L/Au:N/C:P/I:P/A:N) * CVSSv3: 6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N ### Details ntpd provides a `trap` functionality that sends asynchronous notifications to a number of `trap receivers` whenever an event of interest occurs. Example events of interest include: association mobilization and demobilization, authentication failures, reachability changes, etc. Since at least ntp-4.0.94 (July 21, 1999), ntpd has allowed traps to be configured via control (mode 6) and private (mode 7) NTP modes. Though private mode requires messages modifying trap settings to be be authenticated, control mode allows unauthenticated packets to modify trap settings using the `SETTRAP` and `UNSETTRAP` control messages. This vulnerability can be used to achieve several goals: * Time Shifting: If an attacker controls a host that is allowed to receive traps (i.e. not restricted by `restrict noquery` or `restrict notrap`), the attacker can instruct a victim ntpd instance to send traps to the attacker's host. Whenever a reportable event occurs for some peer, the victim ntpd will send a trap to the attacker leaking all the peer variables associated with that peer. The information leaked includes the peer's org and rec variables allowing the attacker to bypass TEST2 and impersonate said peer in a manner similar to CVE-2015-8139 and CVE-2016-1548. The attacker can force the victim ntpd to leak the information for any peer at any time by triggering a reportable event for said peer. There are multiple methods to trigger a reportable event for a peer, among them spoofing an invalid crypto-NAK or incorrectly authenticated packet from the peer. NOTE: With ntp-4.2.8p8 and earlier the 0rigin attack (CVE-2015-8138) [1] already allows impersonation of reachable peers. In those ntpd versions, this vulnerability provides another method for impersonating unreachable peers. * DDoS Amplification: An attacker can use an ntpd instance as a DDoS amplifier to DDoS hosts that are allowed to receive traps from the ntpd instance using the following technique. The amplification factor is 12-13x. The attacker forges a `SETTRAP` packet from the `victim` to the `amplifier`, causing the `amplifier` to set a trap for the `victim`. The attacker then repeatedly triggers reportable events causing trap messages to be sent to the victim. E.g. the attacker rapidly forges invalid crypto-NAKs and/or bad_auth packets from the `victim`'s `sys_peer`. ntpd attempts to limit the number of consecutive traps sent for events of a single type. To maximize effect, the attacker can alternate between events of different types. ntpd will periodically time out old traps when a new one is set. Therefore, for a long-term attack, the attacker may need to periodically refresh the trap on the `amplifier`. Evading Monitoring: In an environment where dynamically configured traps are used to modify an ntpd instance, an unauthenticated attacker can remove traps set by legitimate monitoring systems by spoofing the source address of the `trap receiver` in an `UNSETTRAP` message. Authentication should be required in order to modify trap configuration. ### Mitigation Several mitigations can lessen the impact of this vulnerability. 1. Unauthorized hosts can be prevented from receiving traps using the `restrict default notrap` restriction. This setting is the default on many modern Linux systems. This mitigation has no effect on the "Evading Monitoring" impact described above because the alleged sender of the packet is an authorized trap receiver. 2. Block NTP control mode trap configuration commands using a firewall or IPS. It does not appear that support for configuring control mode traps was ever implemented in ntpq, the reference NTP control mode client. As such, on most networks blocking control mode trap configuration commands should have no effect on legitimate traffic. Specifically, firewalls should block packets with the following characteristics: * UDP Destination Port: 123 * NTP Mode: 6 * NTP Control Operation Code: 6 (SETTRAP) or 31 (UNSETTRAP) Traps specified in ntp.conf cannot be modified using this vulnerability. [1] http://www.talosintelligence.com/reports/TALOS-2016-0077/ ### Timeline * 2016-09-20 - Vendor Disclosure * 2016-11-21 - Public Release
id	SSV:96647
last seen	2017-11-19
modified	2017-10-11
published	2017-10-11
reporter	Root
title	Network Time Protocol Control Mode Unauthenticated Trap Information Disclosure and DDoS Amplification Vulnerability(CVE-2016-9310)

Talos

id	TALOS-2016-0203
last seen	2019-05-29
published	2016-11-21
reporter	Talos Intelligence
source	http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0203
title	Network Time Protocol Control Mode Unauthenticated Trap Information Disclosure and DDoS Amplification Vulnerability

id	TALOS-2016-0082
last seen	2019-05-29
published	2016-04-26
reporter	Talos Intelligence
source	http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0082
title	Network Time Protocol Forced Interleaved Time Spoofing Vulnerability