Vulnerabilities > CVE-2016-1549 - Data Processing Errors vulnerability in NTP 4.2.8
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: NONE
Integrity impact: HIGH
Availability impact: NONE
Summary
A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win the clock selection algorithm in ntpd in NTP 4.2.8p4 and earlier and NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 and a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a victim's clock.
NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2016-120-01.NASL description New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 90800 published 2016-05-02 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2016-120-01) code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Slackware Security Advisory 2016-120-01. The text
# itself is copyright (C) Slackware Linux, Inc.
#

# Credentialed (local) check: reports a Slackware host whose installed
# "ntp" package is older than the 4.2.8p7 build shipped in SSA:2016-120-01,
# i.e. one still exposed to the CVEs listed in script_cve_id() below.
#
# NOTE(review): every include() file name is empty in this copy of the
# plugin; they look like they were stripped during extraction — confirm
# against the upstream plugin before treating this listing as runnable.
include("");

if (description)
{
  # --- registration: identifiers and cross-references ---------------------
  script_id(90800);
  script_version("2.11");
  script_cvs_date("Date: 2019/03/15 15:35:01");

  script_cve_id(
    "CVE-2015-7704",
    "CVE-2015-8138",
    "CVE-2016-1547",
    "CVE-2016-1548",
    "CVE-2016-1549",
    "CVE-2016-1550",
    "CVE-2016-1551",
    "CVE-2016-2516",
    "CVE-2016-2517",
    "CVE-2016-2518",
    "CVE-2016-2519"
  );
  script_xref(name:"SSA", value:"2016-120-01");

  script_name(english:"Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2016-120-01)");
  script_summary(english:"Checks for updated package in /var/log/packages");

  # --- report text ----------------------------------------------------------
  script_set_attribute(attribute:"synopsis", value:"The remote Slackware host is missing a security update.");
  script_set_attribute(attribute:"description", value:"New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.");
  # Advisory link is commented out (and empty in this copy).
  # script_set_attribute( attribute:"see_also", value:"" );
  script_set_attribute(attribute:"solution", value:"Update the affected ntp package.");

  # Severity as scored by the plugin: remote, no auth, availability only.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_attribute(attribute:"plugin_type", value:"local");

  # --- coverage: the package plus every OS release the check applies to -----
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:ntp");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
  foreach rel (make_list("13.0", "13.1", "13.37", "14.0", "14.1"))
  {
    script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:" + rel);
  }

  script_set_attribute(attribute:"patch_publication_date", value:"2016/04/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/02");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Slackware Local Security Checks");

  # The package inventory comes from the SSH info-gathering plugin.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");

  exit(0);
}

include("");
include("");
include("");

# --- pre-flight: audit() out unless a Slackware package list is available --
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only 32-bit x86 and x86_64 builds are compared; any other architecture is
# reported as "not implemented" rather than silently treated as patched.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);

# --- version comparison --------------------------------------------------
# Every numbered release received the same 4.2.8p7 build with a
# "1_slack<release>" package number, so those checks are generated from
# one list (i486 build first, then x86_64, as in the advisory). -current
# uses an i586 build and package number "1", so it is checked separately.
vuln_count = 0;
foreach rel (make_list("13.0", "13.1", "13.37", "14.0", "14.1"))
{
  if (slackware_check(osver:rel, pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"i486", pkgnum:"1_slack" + rel)) vuln_count++;
  if (slackware_check(osver:rel, arch:"x86_64", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"x86_64", pkgnum:"1_slack" + rel)) vuln_count++;
}
if (slackware_check(osver:"current", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"i586", pkgnum:"1")) vuln_count++;
if (slackware_check(osver:"current", arch:"x86_64", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"x86_64", pkgnum:"1")) vuln_count++;

# --- reporting ------------------------------------------------------------
# Any hit means the installed package is below the fixed version: raise a
# hole, attaching the installed/fixed package details when verbose.
if (vuln_count)
{
  if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
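NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2018-1083.NASL description ntpd in ntp 4.2.x before 4.2.8p7 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim last seen 2020-06-01 modified 2020-06-02 plugin id 117607 published 2018-09-20 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source title Amazon Linux AMI : ntp (ALAS-2018-1083) code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2018-1083.
#

# Credentialed (local) check: reports an Amazon Linux AMI host whose ntp
# RPMs are older than the 4.2.8p12-1.39.amzn1 build from ALAS-2018-1083.
# The advisory covers both the daemon issue (CVE-2018-7170, the incomplete
# fix for CVE-2016-1549) and the ntpq/ntpdc client overflow (CVE-2018-12327);
# the plugin only compares package versions, it does not probe ntpd.
#
# NOTE(review): every include() file name is empty in this copy of the
# plugin; they look like they were stripped during extraction — confirm
# against the upstream plugin before treating this listing as runnable.
include("");

if (description)
{
  # --- registration: identifiers and cross-references ---------------------
  script_id(117607);
  script_version("1.2");
  script_cvs_date("Date: 2019/04/05 23:25:05");

  script_cve_id("CVE-2018-12327", "CVE-2018-7170");
  script_xref(name:"ALAS", value:"2018-1083");

  script_name(english:"Amazon Linux AMI : ntp (ALAS-2018-1083)");
  script_summary(english:"Checks rpm output for the updated packages");

  # --- report text ----------------------------------------------------------
  script_set_attribute(attribute:"synopsis", value:"The remote Amazon Linux AMI host is missing a security update.");
  script_set_attribute(attribute:"description", value:"ntpd in ntp 4.2.x before 4.2.8p7 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549 .(CVE-2018-7170) The ntpq and ntpdc command-line utilities that are part of ntp package are vulnerable to stack-based buffer overflow via crafted hostname. Applications using these vulnerable utilities with an untrusted input may be potentially exploited, resulting in a crash or arbitrary code execution under privileges of that application.(CVE-2018-12327)");
  # Advisory link is empty in this copy (see NOTE above).
  script_set_attribute(attribute:"see_also", value:"");
  script_set_attribute(attribute:"solution", value:"Run 'yum update ntp' to update your system.");

  # Severity as scored by the plugin (base + temporal, v2 and v3).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");

  # --- coverage: every RPM the advisory rebuilt, plus the OS ---------------
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ntp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ntp-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ntp-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ntp-perl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ntpdate");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/09/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/09/20");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Amazon Linux Local Security Checks");

  # The RPM inventory comes from the SSH info-gathering plugin.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("");
include("");
include("");

# --- pre-flight: audit() out unless this is an Amazon Linux AMI host ------
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");

# The release string starts "AL" followed by either "A" (the AMI product
# line this plugin covers) or a digit (another Amazon Linux product line,
# which is handled by separate plugins and audited out here).
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "A")
{
  # The generated plugin carried an inner `if (os_ver == 'A') os_ver = 'AMI';`
  # here; it could never execute inside this branch and has been dropped.
  # The audit message is unchanged.
  audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# --- version comparison --------------------------------------------------
# One rpm_check() per rebuilt package; `flag` counts how many of them are
# installed below the fixed version.
flag = 0;
if (rpm_check(release:"ALA", reference:"ntp-4.2.8p12-1.39.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"ntp-debuginfo-4.2.8p12-1.39.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"ntp-doc-4.2.8p12-1.39.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"ntp-perl-4.2.8p12-1.39.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"ntpdate-4.2.8p12-1.39.amzn1")) flag++;

# --- reporting ------------------------------------------------------------
# Any hit raises a hole (with package details when verbose). Otherwise
# distinguish "installed and patched" from "none of the packages present".
if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ntp / ntp-debuginfo / ntp-doc / ntp-perl / ntpdate");
}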
NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-1765-1.NASL description This update for ntp fixes the following issues : - Update to 4.2.8p11 (bsc#1082210) : - CVE-2016-1549: Sybil vulnerability: ephemeral association attack. While fixed in ntp-4.2.8p7, there are significant additional protections for this issue in 4.2.8p11. - CVE-2018-7182: ctl_getitem(): buffer read overrun leads to undefined behavior and information leak. (bsc#1083426) - CVE-2018-7170: Multiple authenticated ephemeral associations. (bsc#1083424) - CVE-2018-7184: Interleaved symmetric mode cannot recover from bad state. (bsc#1083422) - CVE-2018-7185: Unauthenticated packet can reset authenticated interleaved association. (bsc#1083420) - CVE-2018-7183: ntpq:decodearr() can write beyond its buffer limit.(bsc#1083417) - Don last seen 2020-06-01 modified 2020-06-02 plugin id 110639 published 2018-06-21 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source title SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2018:1765-1) code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from SUSE update advisory SUSE-SU-2018:1765-1.
# The text itself is copyright (C) SUSE.
#

# Credentialed (local) check: reports a SLES12 SP1/SP2/SP3 or SLED12 SP3
# host whose ntp RPMs are older than the 4.2.8p11-64.5.1 build from
# SUSE-SU-2018:1765-1 (the reissue that adds the LTSS channels).
#
# NOTE(review): every include() file name and see_also URL is empty in this
# copy of the plugin; they look like they were stripped during extraction —
# confirm against the upstream plugin before treating this listing as runnable.
include("");

if (description)
{
  # --- registration: identifiers and cross-references ---------------------
  script_id(110639);
  script_version("1.9");
  script_cvs_date("Date: 2019/09/10 13:51:48");

  script_cve_id("CVE-2016-1549", "CVE-2018-7170", "CVE-2018-7182", "CVE-2018-7183", "CVE-2018-7184", "CVE-2018-7185");

  script_name(english:"SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2018:1765-1)");
  script_summary(english:"Checks rpm output for the updated packages.");

  # --- report text (advisory description is copied verbatim by Tenable) -----
  script_set_attribute(attribute:"synopsis", value:"The remote SUSE host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:"This update for ntp fixes the following issues : - Update to 4.2.8p11 (bsc#1082210) : - CVE-2016-1549: Sybil vulnerability: ephemeral association attack. While fixed in ntp-4.2.8p7, there are significant additional protections for this issue in 4.2.8p11. - CVE-2018-7182: ctl_getitem(): buffer read overrun leads to undefined behavior and information leak. (bsc#1083426) - CVE-2018-7170: Multiple authenticated ephemeral associations. (bsc#1083424) - CVE-2018-7184: Interleaved symmetric mode cannot recover from bad state. (bsc#1083422) - CVE-2018-7185: Unauthenticated packet can reset authenticated interleaved association. (bsc#1083420) - CVE-2018-7183: ntpq:decodearr() can write beyond its buffer limit.(bsc#1083417) - Don't use libevent's cached time stamps in sntp. (bsc#1077445) This update is a reissue of the previous update with LTSS channels included. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.");

  # Fourteen reference links (bug tracker / CVE pages upstream); all empty here.
  script_set_attribute(attribute:"see_also", value:"");
  script_set_attribute(attribute:"see_also", value:"");
  script_set_attribute(attribute:"see_also", value:"");
  script_set_attribute(attribute:"see_also", value:"");
  script_set_attribute(attribute:"see_also", value:"");
  script_set_attribute(attribute:"see_also", value:"");
  script_set_attribute(attribute:"see_also", value:"");
  script_set_attribute(attribute:"see_also", value:"");
  script_set_attribute(attribute:"see_also", value:"");
  script_set_attribute(attribute:"see_also", value:"");
  script_set_attribute(attribute:"see_also", value:"");
  script_set_attribute(attribute:"see_also", value:"");
  script_set_attribute(attribute:"see_also", value:"");
  script_set_attribute(attribute:"see_also", value:"");
  # script_set_attribute( attribute:"see_also", value:"" );

  script_set_attribute(attribute:"solution", value:"To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or 'zypper patch'. Alternatively you can run the command listed for your product : SUSE OpenStack Cloud 7:zypper in -t patch SUSE-OpenStack-Cloud-7-2018-1188=1 SUSE Linux Enterprise Server for SAP 12-SP2:zypper in -t patch SUSE-SLE-SAP-12-SP2-2018-1188=1 SUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch SUSE-SLE-SAP-12-SP1-2018-1188=1 SUSE Linux Enterprise Server 12-SP3:zypper in -t patch SUSE-SLE-SERVER-12-SP3-2018-1188=1 SUSE Linux Enterprise Server 12-SP2-LTSS:zypper in -t patch SUSE-SLE-SERVER-12-SP2-2018-1188=1 SUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch SUSE-SLE-SERVER-12-SP1-2018-1188=1 SUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch SUSE-SLE-DESKTOP-12-SP3-2018-1188=1 SUSE Enterprise Storage 4:zypper in -t patch SUSE-Storage-4-2018-1188=1 SUSE CaaS Platform ALL : To install this update, use the SUSE CaaS Platform Velum dashboard. It will inform you if it detects new updates and let you then trigger updating of the complete cluster in a controlled way.");

  # Severity as scored by the plugin (base + temporal, v2 and v3).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"local");

  # --- coverage: every RPM the advisory rebuilt, plus the OS ---------------
  foreach pkg (make_list("ntp", "ntp-debuginfo", "ntp-debugsource", "ntp-doc"))
  {
    script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:" + pkg);
  }
  script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/06/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/21");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"SuSE Local Security Checks");

  # The RPM inventory and CPU type come from the SSH info-gathering plugin.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");

  exit(0);
}

include("");
include("");
include("");

# --- pre-flight: audit() out unless this is a supported SLE12 host ---------
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/SuSE/release");
if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");

# Product token, e.g. "SLES12" / "SLED12"; only the 12 line is covered here.
os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
os_ver = os_ver[1];
if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);

if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# x86, x86_64 and s390x builds are compared; anything else is reported as
# "not implemented" rather than silently treated as patched.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);

# Service pack gate: a missing patchlevel is treated as SP0, which neither
# product accepts, so such hosts audit out as unsupported.
sp = get_kb_item("Host/SuSE/patchlevel");
if (isnull(sp)) sp = "0";
if (os_ver == "SLES12" && (! preg(pattern:"^(1|2|3)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP1/2/3", os_ver + " SP" + sp);
if (os_ver == "SLED12" && (! preg(pattern:"^(3)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP3", os_ver + " SP" + sp);

# --- version comparison --------------------------------------------------
# All four RPMs share one fixed version string. The SLES12 service packs are
# visited in the order the generated plugin used (SP1, SP3, SP2); SLED12 SP3
# is x86_64 only. `hits` counts checks where the host is below the fix.
pkgs = make_list("ntp", "ntp-debuginfo", "ntp-debugsource", "ntp-doc");
fixed_suffix = "-4.2.8p11-64.5.1";

hits = 0;
foreach level (make_list("1", "3", "2"))
{
  foreach pkg (pkgs)
  {
    if (rpm_check(release:"SLES12", sp:level, reference:pkg + fixed_suffix)) hits++;
  }
}
foreach pkg (pkgs)
{
  if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:pkg + fixed_suffix)) hits++;
}

# --- reporting ------------------------------------------------------------
# Any hit raises a hole (with package details when verbose). Otherwise
# distinguish "installed and patched" from "ntp not present at all".
if (hits)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ntp");
}
NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-649.NASL description This update for ntp fixes the following issues : - Update to 4.2.8p7 (boo#977446) : - CVE-2016-1547, boo#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, boo#977461: Interleave-pivot - CVE-2016-1549, boo#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, boo#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, boo#977450: Refclock impersonation vulnerability - CVE-2016-2516, boo#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, boo#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, boo#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, boo#977458: ctl_getitem() return value not always checked. - integrate ntp-fork.patch - Improve the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 - Restrict the parser in the startup script to the first occurrance of last seen 2020-06-05 modified 2016-06-01 plugin id 91403 published 2016-06-01 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source title openSUSE Security Update : ntp (openSUSE-2016-649) NASL family Amazon Linux Local Security Checks NASL id AL2_ALAS-2018-1009.NASL description Ephemeral association time spoofing additional protection ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim last seen 2020-06-01 modified 2020-06-02 plugin id 109688 published 2018-05-11 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. 
source title Amazon Linux 2 : ntp (ALAS-2018-1009) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_AF485EF41C5811E88477D05099C0AE8C.NASL description Network Time Foundation reports : The NTP Project at Network Time Foundation is releasing ntp-4.2.8p11. This release addresses five security issues in ntpd : - LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / VU#961909: Sybil vulnerability: ephemeral association attack - INFO/MEDIUM: Sec 3412 / CVE-2018-7182 / VU#961909 : ctl_getitem(): buffer read overrun leads to undefined behavior and information leak - LOW: Sec 3415 / CVE-2018-7170 / VU#961909: Multiple authenticated ephemeral associations - LOW: Sec 3453 / CVE-2018-7184 / VU#961909: Interleaved symmetric mode cannot recover from bad state - LOW/MEDIUM: Sec 3454 / CVE-2018-7185 / VU#961909 : Unauthenticated packet can reset authenticated interleaved association one security issue in ntpq : - MEDIUM: Sec 3414 / CVE-2018-7183 / VU#961909 : ntpq:decodearr() can write beyond its buffer limit and provides over 33 bugfixes and 32 other improvements. last seen 2020-06-01 modified 2020-06-02 plugin id 107046 published 2018-02-28 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source title FreeBSD : ntp -- multiple vulnerabilities (af485ef4-1c58-11e8-8477-d05099c0ae8c) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2018-1009.NASL description Ephemeral association time spoofing additional protection ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim last seen 2020-06-01 modified 2020-06-02 plugin id 109697 published 2018-05-11 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source title Amazon Linux AMI : ntp (ALAS-2018-1009) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-1278-1.NASL description This update for ntp to 4.2.8p7 fixes the following issues : - CVE-2016-1547, bsc#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, bsc#977461: Interleave-pivot - CVE-2016-1549, bsc#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, bsc#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, bsc#977450: Refclock impersonation vulnerability - CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, bsc#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, bsc#977458: ctl_getitem() return value not always checked. - This update also improves the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 Bugs fixed : - Restrict the parser in the startup script to the first occurrance of last seen 2020-06-01 modified 2020-06-02 plugin id 91120 published 2016-05-13 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source title SUSE SLES11 Security Update : ntp (SUSE-SU-2016:1278-1) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201607-15.NASL description The remote host is affected by the vulnerability described in GLSA-201607-15 (NTP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in NTP. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly cause a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 92485 published 2016-07-21 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof. source title GLSA-201607-15 : NTP: Multiple vulnerabilities NASL family Misc. NASL id NTP_4_2_8P12.NASL description The version of the remote NTP server is 4.x prior to 4.2.8p12, or is 4.3.x prior to 4.3.94. It is, therefore, affected by the following vulnerabilities: - A race condition exists that is triggered during the handling of a saturation of ephemeral associations. An authenticated, remote attacker can exploit this to defeat NTP last seen 2020-06-01 modified 2020-06-02 plugin id 111968 published 2018-08-17 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source title Network Time Protocol Daemon (ntpd) 4.x < 4.2.8p12 / 4.3.x < 4.3.94 Multiple Vulnerabilities NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2018-229-01.NASL description New ntp packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 111995 published 2018-08-20 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source title Slackware 14.0 / 14.1 / 14.2 / current : ntp (SSA:2018-229-01) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2018-060-02.NASL description New ntp packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 107103 published 2018-03-02 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source title Slackware 14.0 / 14.1 / 14.2 / current : ntp (SSA:2018-060-02) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-1568-1.NASL description ntp was updated to version 4.2.8p8 to fix 17 security issues. These security issues were fixed : - CVE-2016-4956: Broadcast interleave (bsc#982068). - CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457). 
- CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458). - CVE-2016-4954: Processing spoofed server packets (bsc#982066). - CVE-2016-4955: Autokey association reset (bsc#982067). - CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a last seen 2020-06-01 modified 2020-06-02 plugin id 91663 published 2016-06-17 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source title SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1568-1) NASL family Misc. NASL id NTP_4_2_8P7.NASL description The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p7. It is, therefore, affected by the following vulnerabilities : - A denial of service vulnerability exists due to improper validation of the origin timestamp field when handling a Kiss-of-Death (KoD) packet. An unauthenticated, remote attacker can exploit this to cause a client to stop querying its servers, preventing the client from updating its clock. (CVE-2015-7704) - A flaw exists in the receive() function in ntp_proto.c that allows packets with an origin timestamp of zero to bypass security checks. An unauthenticated, remote attacker can exploit this to spoof arbitrary content. (CVE-2015-8138) - A denial of service vulnerability exists due to improper handling of a crafted Crypto NAK Packet with a source address spoofed to match that of an existing associated peer. An unauthenticated, remote attacker can exploit this to demobilize a client association. (CVE-2016-1547) - A denial of service vulnerability exists due to improper handling of packets spoofed to appear to be from a valid ntpd server. An unauthenticated, remote attacker can exploit this to cause NTP to switch from basic client/server mode to interleaved symmetric mode, causing the client to reject future legitimate responses. 
(CVE-2016-1548) - A race condition exists that is triggered during the handling of a saturation of ephemeral associations. An authenticated, remote attacker can exploit this to defeat NTP last seen 2020-06-01 modified 2020-06-02 plugin id 90923 published 2016-05-05 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source title Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p7 Multiple Vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0808-1.NASL description This update for ntp fixes the following issues: Security issues fixed : - CVE-2016-1549: Significant additional protections against CVE-2016-1549 that was fixed in ntp-4.2.8p7 (bsc#1082210). - CVE-2018-7170: Ephemeral association time spoofing additional protection (bsc#1083424). - CVE-2018-7182: Buffer read overrun leads information leak in ctl_getitem() (bsc#1083426). - CVE-2018-7183: decodearr() can write beyond its buffer limit (bsc#1083417). - CVE-2018-7184: Interleaved symmetric mode cannot recover from bad state (bsc#1083422). - CVE-2018-7185: Unauthenticated packet can reset authenticated interleaved association (bsc#1083420). Bug fixes : - bsc#1077445: Don last seen 2020-06-01 modified 2020-06-02 plugin id 108651 published 2018-03-27 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source title SUSE SLES11 Security Update : ntp (SUSE-SU-2018:0808-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-0956-1.NASL description This update for ntp fixes the following issues : - Update to 4.2.8p11 (bsc#1082210) : - CVE-2016-1549: Sybil vulnerability: ephemeral association attack. While fixed in ntp-4.2.8p7, there are significant additional protections for this issue in 4.2.8p11. - CVE-2018-7182: ctl_getitem(): buffer read overrun leads to undefined behavior and information leak. (bsc#1083426) - CVE-2018-7170: Multiple authenticated ephemeral associations. 
(bsc#1083424) - CVE-2018-7184: Interleaved symmetric mode cannot recover from bad state. (bsc#1083422) - CVE-2018-7185: Unauthenticated packet can reset authenticated interleaved association. (bsc#1083420) - CVE-2018-7183: ntpq:decodearr() can write beyond its buffer limit.(bsc#1083417) - Don last seen 2020-06-01 modified 2020-06-02 plugin id 109085 published 2018-04-17 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source title SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2018:0956-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-1291-1.NASL description This update for ntp to 4.2.8p7 fixes the following issues : - CVE-2016-1547, bsc#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, bsc#977461: Interleave-pivot - CVE-2016-1549, bsc#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, bsc#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, bsc#977450: Refclock impersonation vulnerability - CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, bsc#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, bsc#977458: ctl_getitem() return value not always checked. - This update also improves the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 Bugs fixed : - Restrict the parser in the startup script to the first occurrance of last seen 2020-06-01 modified 2020-06-02 plugin id 91159 published 2016-05-16 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source title SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1291-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-1912-1.NASL description NTP was updated to version 4.2.8p8 to fix several security issues and to ensure the continued maintainability of the package. These security issues were fixed : CVE-2016-4953: Bad authentication demobilized ephemeral associations (bsc#982065). CVE-2016-4954: Processing spoofed server packets (bsc#982066). CVE-2016-4955: Autokey association reset (bsc#982067). CVE-2016-4956: Broadcast interleave (bsc#982068). CVE-2016-4957: CRYPTO_NAK crash (bsc#982064). CVE-2016-1547: Validate crypto-NAKs to prevent a CRYPTO-NAK DoS (bsc#977459). CVE-2016-1548: Prevent the change of time of an ntpd client or denying service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode (bsc#977461). CVE-2016-1549: Sybil vulnerability: ephemeral association attack (bsc#977451). CVE-2016-1550: Improve security against buffer comparison timing attacks (bsc#977464). CVE-2016-1551: Refclock impersonation vulnerability (bsc#977450). CVE-2016-2516: Duplicate IPs on unconfig directives could have caused an assertion botch in ntpd (bsc#977452). CVE-2016-2517: Remote configuration trustedkey/ requestkey/controlkey values are not properly validated (bsc#977455). CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457). CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458). CVE-2015-8158: Potential Infinite Loop in ntpq (bsc#962966). CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). CVE-2015-7976: ntpq saveconfig command allowed dangerous characters in filenames (bsc#962802). 
CVE-2015-7975: nextvar() missing length check (bsc#962988). CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might have allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a last seen 2020-06-01 modified 2020-06-02 plugin id 93186 published 2016-08-29 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source title SUSE SLES10 Security Update : ntp (SUSE-SU-2016:1912-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-599.NASL description This update for ntp to 4.2.8p7 fixes the following issues : - CVE-2016-1547, bsc#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, bsc#977461: Interleave-pivot - CVE-2016-1549, bsc#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, bsc#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, bsc#977450: Refclock impersonation vulnerability - CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, bsc#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, bsc#977458: ctl_getitem() return value not always checked. - This update also improves the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 Bugs fixed : - Restrict the parser in the startup script to the first occurrence of last seen 2020-06-05 modified 2016-05-20 plugin id 91269 published 2016-05-20 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. 
source title openSUSE Security Update : ntp (openSUSE-2016-599) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-376.NASL description This update for ntp fixes the following issues : - Update to 4.2.8p11 (bsc#1082210) : - CVE-2016-1549: Sybil vulnerability: ephemeral association attack. While fixed in ntp-4.2.8p7, there are significant additional protections for this issue in 4.2.8p11. - CVE-2018-7182: ctl_getitem(): buffer read overrun leads to undefined behavior and information leak. (bsc#1083426) - CVE-2018-7170: Multiple authenticated ephemeral associations. (bsc#1083424) - CVE-2018-7184: Interleaved symmetric mode cannot recover from bad state. (bsc#1083422) - CVE-2018-7185: Unauthenticated packet can reset authenticated interleaved association. (bsc#1083420) - CVE-2018-7183: ntpq:decodearr() can write beyond its buffer limit.(bsc#1083417) - Don last seen 2020-06-05 modified 2018-04-18 plugin id 109102 published 2018-04-18 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source title openSUSE Security Update : ntp (openSUSE-2018-376) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-1464-1.NASL description This update for ntp fixes the following issues : - Update to 4.2.8p11 (bsc#1082210) : - CVE-2016-1549: Sybil vulnerability: ephemeral association attack. While fixed in ntp-4.2.8p7, there are significant additional protections for this issue in 4.2.8p11. - CVE-2018-7182: ctl_getitem(): buffer read overrun leads to undefined behavior and information leak. (bsc#1083426) - CVE-2018-7170: Multiple authenticated ephemeral associations. (bsc#1083424) - CVE-2018-7184: Interleaved symmetric mode cannot recover from bad state. (bsc#1083422) - CVE-2018-7185: Unauthenticated packet can reset authenticated interleaved association. 
(bsc#1083420) - CVE-2018-7183: ntpq:decodearr() can write beyond its buffer limit.(bsc#1083417) - Don last seen 2020-06-01 modified 2020-06-02 plugin id 110224 published 2018-05-30 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source title SUSE SLES12 Security Update : ntp (SUSE-SU-2018:1464-1) NASL family Misc. NASL id NTP_4_2_8P11.NASL description The version of the remote NTP server is 4.x prior to 4.2.8p11. It is, therefore, affected by multiple vulnerabilities, which allow denial of service attacks, information disclosure and possibly, remote code execution. last seen 2020-06-01 modified 2020-06-02 plugin id 107258 published 2018-03-09 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source title Network Time Protocol Daemon (ntpd) 4.x < 4.2.8p11 Multiple Vulnerabilities NASL family Junos Local Security Checks NASL id JUNIPER_SPACE_JSA_10826.NASL description According to its self-reported version number, the version of Junos Space running on the remote device is < 17.1R1, and is therefore affected by multiple vulnerabilities. last seen 2020-06-01 modified 2020-06-02 plugin id 104100 published 2017-10-23 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source title Juniper Junos Space < 17.1R1 Multiple Vulnerabilities (JSA10826) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-1765-2.NASL description This update for ntp fixes the following issues : Update to 4.2.8p11 (bsc#1082210) : - CVE-2016-1549: Sybil vulnerability: ephemeral association attack. While fixed in ntp-4.2.8p7, there are significant additional protections for this issue in 4.2.8p11. - CVE-2018-7182: ctl_getitem(): buffer read overrun leads to undefined behavior and information leak. (bsc#1083426) - CVE-2018-7170: Multiple authenticated ephemeral associations. 
(bsc#1083424) - CVE-2018-7184: Interleaved symmetric mode cannot recover from bad state. (bsc#1083422) - CVE-2018-7185: Unauthenticated packet can reset authenticated interleaved association. (bsc#1083420) - CVE-2018-7183: ntpq:decodearr() can write beyond its buffer limit.(bsc#1083417) Don last seen 2020-06-01 modified 2020-06-02 plugin id 118269 published 2018-10-22 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source title SUSE SLES12 Security Update : ntp (SUSE-SU-2018:1765-2) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_B2487D9A0C3011E6ACD0D050996490D0.NASL description Network Time Foundation reports : NTF last seen 2020-06-01 modified 2020-06-02 plugin id 90742 published 2016-04-27 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source title FreeBSD : ntp -- multiple vulnerabilities (b2487d9a-0c30-11e6-acd0-d050996490d0) NASL family Misc. NASL id ARISTA_EOS_SA0019.NASL description The version of Arista Networks EOS running on the remote device is affected by multiple vulnerabilities : - A flaw exists in NTP in the receive() function within file ntpd/ntp_proto.c that allows packets with an origin timestamp of zero to bypass security checks. An unauthenticated, remote attacker can exploit this to spoof arbitrary content. (CVE-2015-8138) - A flaw exists in NTP when handling crafted Crypto NAK Packets having spoofed source addresses that match an existing associated peer. An unauthenticated, remote attacker can exploit this to demobilize a client association, resulting in a denial of service condition. (CVE-2016-1547) - A flaw exists in NTP when handling packets that have been spoofed to appear to be coming from a valid ntpd server, which may cause a switch to interleaved symmetric mode. 
An unauthenticated, remote attacker can exploit this, via a packet having a spoofed timestamp, to cause the client to reject future legitimate server responses, resulting in a denial of service condition. (CVE-2016-1548) - A flaw exists in NTP when handling a saturation of ephemeral associations. An authenticated, remote attacker can exploit this to defeat the clock selection algorithm and thereby modify a victim last seen 2020-03-17 modified 2018-02-28 plugin id 107061 published 2018-02-28 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source title Arista Networks EOS Multiple Vulnerabilities (SA0019)
bulletinFamily | exploit |
description | ### SUMMARY ntpd is vulnerable to Sybil attacks. A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win ntpd's clock selection algorithm and modify a victim's clock. ### TESTED VERSIONS NTP 4.2.8p3 NTP 4.2.8p4 NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 NTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92 ### PRODUCT URLS ### CVSS SCORE CVSSv2: 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N) CVSSv3: 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N ### DETAILS ntpd has the ability to create ephemeral peer associations on the fly in response to certain kinds of incoming requests. In most common configurations, if an incoming request will cause a new ephemeral association to be mobilized, ntpd requires the request to be authenticated under a trusted symmetric key. However, ntpd does not enforce any limit on the number of active ephemeral associations that may be created under a single key making ntpd vulnerable to Sybil attacks. A malicious authenticated peer can use its knowledge of the trusted key that it shares with a victim ntpd process in order to create multiple ephemeral associations with the victim from different source IP addresses. Each of these malicious associations can advertise false time to the victim. If the malicious associations providing consistent false time advertisements outweigh the number of legitimate peer associations, the victim will sync to the time advertised by the attacker. RFC 5905 does not appear to mandate any specific behavior with regard to authenticating ephemeral associations. Therefore, we recommend that an incoming request only mobilize an ephemeral association if both of the following conditions hold: * There are no non-preemptible peer associations configured to use that key. This prevents ephemeral associations from being created by configured, non-preemptible peers. * There are no preemptible peer associations authenticated under that key. 
This prevents a malicious ephemeral peer from creating more than one peer association using a given key. If the IP address of an ephemeral peer changes, eventually the association will be demobilized at which time a new incoming request can cause a new association to be mobilized with a new IP address. An alternative allowing faster failover: when an incoming request will mobilize a new ephemeral association, demobilize all preemptible peer associations authenticated under the key used to authenticate the incoming request before the new association is mobilized. This vulnerability has been successfully exploited using symmetric ephemeral associations. However, ephemeral broadcast and manycast associations are also likely to be vulnerable. To our knowledge, any ntpd instance configured using the 'trustedkey' directive is vulnerable, as in: ``` keys /etc/ntp.keys trustedkey 1 ... ``` There does not appear to be any other configuration directives that would affect or mitigate this vulnerability. ntpd instances that are not configured with the 'trustedkey' directive are not vulnerable. Though this vulnerability has only been confirmed against specific releases of NTP and NTPsec, any release of ntp-3 or ntp-4 may be affected. ### ATTACK SCENARIO To illustrate this attack, a malicious authenticated ephemeral peer (attacker1) with knowledge of keyid 2 trusted by ntp-client-4.2.8p4 will create multiple malicious ephemeral peer associations with ntp-client-4.2.8p4, overwhelm the victim's legitimate time sources, and cause ntp-client-4.2.8p4 to modify its clock. We will illustrate this by querying ntp-client-4.2.8p4 for its active peer associations with: ``` ntpq -c lpeer ``` Initially, ntp-client-4.2.8p4 is peered with one legitimate server (ntp-server). ``` remote refid st t when poll reach delay offset jitter ============================================================================== *ntp-server .LOCL. 
1 u 5 8 377 0.043 -0.051 0.414 ``` As a proof-of-concept, the attacker will attempt to move the victim's clock back by an amount just under the panic threshold, 15 minutes in this case. (Significantly larger steps have been achieved with some ntpd releases.) The attacker spins up three attacking nodes at different IP addresses (attacker1..3). After the attacking nodes are well synchronized, the attacker commences the attack by adding the following configuration line to each attacking node instructing it to peer with the victim using keyid 2: ``` peer ntp-client-4.2.8p4 key 2 noselect minpoll 3 maxpoll 3 ``` As a result, we see that ntp-client-4.2.8p4 now has 3 new malicious peers. ``` remote refid st t when poll reach delay offset jitter ============================================================================== *ntp-server .LOCL. 1 u 3 8 377 0.130 0.479 0.399 attacker1 .LOCL. 1 S 5 8 1 0.000 0.000 0.000 attacker2 2 S 5 8 1 0.000 0.000 0.000 attacker3 2 S 4 8 1 0.000 0.000 0.000 ``` The attackers consistently provide time advertisements that are about 15 minutes behind the time advertised by the legitimate ntp-server. Because the attackers outnumber legitimate peers, eventually the victim selects an attacker as its system peer indicating that it will synchronize its time to the attackers. ``` remote refid st t when poll reach delay offset jitter ============================================================================== xntp-server .LOCL. 1 u 1 8 377 0.130 0.479 0.501 *attacker1 .LOCL. 1 S 2 8 3 0.457 -931554 0.000 +attacker2 2 S 2 8 3 0.644 -931553 0.000 +attacker3 2 S 1 8 3 0.583 -931553 0.000 ``` Eventually, the victim steps its clock. ``` remote refid st t when poll reach delay offset jitter ============================================================================== ntp-server .STEP. 16 u - 8 0 0.000 0.000 0.000 attacker1 .STEP. 16 S 14 8 0 0.000 0.000 0.000 attacker2 .STEP. 16 S 52 8 0 0.000 0.000 0.000 attacker3 .STEP. 
16 S 45 8 0 0.000 0.000 0.000 ``` After stepping the clock, we see that the victim is 931 seconds behind ntp-server confirming the attack. ``` remote refid st t when poll reach delay offset jitter ============================================================================== *ntp-server .LOCL. 1 u 2 8 1 0.379 931553. 0.317 attacker1 .STEP. 16 S 19 8 0 0.000 0.000 0.000 attacker2 .STEP. 16 S 57 8 0 0.000 0.000 0.000 attacker3 .STEP. 16 S 50 8 0 0.000 0.000 0.000 ``` While ntp-server is initially selected as the system peer after the clock step, the attacking nodes quickly regain their status as preferred time sources. ``` remote refid st t when poll reach delay offset jitter ============================================================================== xntp-server .LOCL. 1 u 5 8 3 0.278 931552. 0.638 *attacker1 .LOCL. 1 S 4 8 6 0.044 -0.346 0.049 +attacker2 2 S 4 8 6 0.593 0.520 0.441 +attacker3 2 S 3 8 6 0.758 0.020 0.074 ``` At this point, the attacker has control of the victim's clock and can continue to make modifications. ### MITIGATION The most complete mitigation is to upgrade to ntp-TBD or NTPsec TBD. If your system's ntpd is packaged by the system vendor, apply your vendor's security update as soon as it becomes available. Administrators that are not using authenticated NTP can prevent exploitation by removing any unused 'trustedkey' configuration directives from their ntpd configuration file. If your system supports a host-based firewall which blocks incoming traffic, such as the Windows Firewall, Mac OS X Application Firewall, or firewalls such as Uncomplicated Firewall or iptables on Linux, you should enable it. For other systems, appropriate firewall rules will depend on your environment. 
Use the following recommendations as a guideline: * NTP clients should block incoming NTP packets from any IP address that is not a known, legitimate peer * NTP servers should block incoming symmetric active (NTP mode 1), server (NTP mode 4), and broadcast (NTP mode 5) packets from any IP address that is not a known, legitimate peer ### DETECTION In most common configurations, you can use ntpq to query the ntpd process running on your system for its list of peers. Any unexpected peers that are not configured in your ntp.conf file could indicate an attack. For example, if your system is configured to be a client of ntp-server and you expect one peer (known-peer), the appearance of additional peers (sybil) could indicate an attack: ``` $ ntpq -c lpeer remote refid st t when poll reach delay offset jitter ============================================================================== *ntp-server .LOCL. 1 u 1 8 377 0.130 0.479 0.501 known-peer .LOCL. 1 S 2 8 3 0.457 -931554 0.000 sybil 2 S 2 8 3 0.644 -931553 0.000 ``` You can delete any rogue associations by restarting ntpd after applying the mitigations above. If you have a compatible IDS product, the following Snort rules detect exploits of this vulnerability: TBD. At the network level, multiple symmetric, broadcast, or manycast associations using the same keyid could indicate an attack. ### TIMELINE 2016-01-19 - CERT reports to NTP |
id | SSV:96788 |
last seen | 2017-11-19 |
modified | 2017-10-26 |
published | 2017-10-26 |
reporter | Root |
title | Network Time Protocol Ephemeral Association Time Spoofing Vulnerability(CVE-2016-1549) |
id | TALOS-2016-0083 |
last seen | 2019-05-29 |
published | 2016-04-26 |
reporter | Talos Intelligence |
source | |
title | Network Time Protocol Ephemeral Association Time Spoofing Vulnerability |