Vulnerabilities > CVE-2016-1549 - Data Processing Errors vulnerability in NTP 4.2.8

CVSS 4.0 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: SINGLE
Confidentiality impact: NONE
Integrity impact: PARTIAL
Availability impact: NONE
Tags: network, low complexity, ntp, CWE-19, nessus

Summary

A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win the clock selection algorithm in ntpd in NTP 4.2.8p4 and earlier and NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 and a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a victim's clock.

Vulnerable Configurations

Part         Description   Count
Application  Ntp           1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • XML Nested Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By nesting XML data and causing this data to be continuously self-referential, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization. An attacker's goal is to leverage parser failure to his or her advantage. In most cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it may be possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.230.1].
  • XML Oversized Payloads
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. By supplying oversized payloads in input vectors that will be processed by the XML parser, an attacker can cause the XML parser to consume more resources while processing, causing excessive memory consumption and CPU utilization, and potentially cause execution of arbitrary code. An attacker's goal is to leverage parser failure to his or her advantage. In many cases this type of an attack will result in a denial of service due to an application becoming unstable, freezing, or crash. However it is possible to cause a crash resulting in arbitrary code execution, leading to a jump from the data plane to the control plane [R.231.1].
  • XML Client-Side Attack
    Client applications such as web browsers that process HTML data often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.484.1]
  • XML Parser Attack
    Applications often need to transform data in and out of the XML format by using an XML parser. It may be possible for an attacker to inject data that may have an adverse effect on the XML parser when it is being processed. These adverse effects may include the parser crashing, consuming too much of a resource, executing too slowly, executing code supplied by an attacker, allowing usage of unintended system functionality, etc. An attacker's goal is to leverage parser failure to his or her advantage. In some cases it may be possible to jump from the data plane to the control plane via bad data being passed to an XML parser. [R.99.1]

Nessus

  • NASL family: Slackware Local Security Checks
    NASL id: SLACKWARE_SSA_2016-120-01.NASL
    description: New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 90800
    published: 2016-05-02
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/90800
    title: Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2016-120-01)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2016-120-01. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(90800);
      script_version("2.11");
      script_cvs_date("Date: 2019/03/15 15:35:01");
    
      script_cve_id("CVE-2015-7704", "CVE-2015-8138", "CVE-2016-1547", "CVE-2016-1548", "CVE-2016-1549", "CVE-2016-1550", "CVE-2016-1551", "CVE-2016-2516", "CVE-2016-2517", "CVE-2016-2518", "CVE-2016-2519");
      script_xref(name:"SSA", value:"2016-120-01");
    
      script_name(english:"Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2016-120-01)");
      script_summary(english:"Checks for updated package in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0,
    14.1, and -current to fix security issues."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.630758
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?41983d03"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected ntp package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:ntp");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.37");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2016/04/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/02");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Slackware Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    
    flag = 0;
    if (slackware_check(osver:"13.0", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"i486", pkgnum:"1_slack13.0")) flag++;
    if (slackware_check(osver:"13.0", arch:"x86_64", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"x86_64", pkgnum:"1_slack13.0")) flag++;
    
    if (slackware_check(osver:"13.1", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"i486", pkgnum:"1_slack13.1")) flag++;
    if (slackware_check(osver:"13.1", arch:"x86_64", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"x86_64", pkgnum:"1_slack13.1")) flag++;
    
    if (slackware_check(osver:"13.37", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"i486", pkgnum:"1_slack13.37")) flag++;
    if (slackware_check(osver:"13.37", arch:"x86_64", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"x86_64", pkgnum:"1_slack13.37")) flag++;
    
    if (slackware_check(osver:"14.0", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"i486", pkgnum:"1_slack14.0")) flag++;
    if (slackware_check(osver:"14.0", arch:"x86_64", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"x86_64", pkgnum:"1_slack14.0")) flag++;
    
    if (slackware_check(osver:"14.1", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"i486", pkgnum:"1_slack14.1")) flag++;
    if (slackware_check(osver:"14.1", arch:"x86_64", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"x86_64", pkgnum:"1_slack14.1")) flag++;
    
    if (slackware_check(osver:"current", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"i586", pkgnum:"1")) flag++;
    if (slackware_check(osver:"current", arch:"x86_64", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"x86_64", pkgnum:"1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Amazon Linux Local Security Checks
    NASL id: ALA_ALAS-2018-1083.NASL
    description: ntpd in ntp 4.2.x before 4.2.8p7 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 117607
    published: 2018-09-20
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/117607
    title: Amazon Linux AMI : ntp (ALAS-2018-1083)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2018-1083.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(117607);
      script_version("1.2");
      script_cvs_date("Date: 2019/04/05 23:25:05");
    
      script_cve_id("CVE-2018-12327", "CVE-2018-7170");
      script_xref(name:"ALAS", value:"2018-1083");
    
      script_name(english:"Amazon Linux AMI : ntp (ALAS-2018-1083)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "ntpd in ntp 4.2.x before 4.2.8p7 allows authenticated users that know
    the private symmetric key to create arbitrarily-many ephemeral
    associations in order to win the clock selection of ntpd and modify a
    victim's clock via a Sybil attack. This issue exists because of an
    incomplete fix for CVE-2016-1549 .(CVE-2018-7170)
    
    The ntpq and ntpdc command-line utilities that are part of ntp package
    are vulnerable to stack-based buffer overflow via crafted hostname.
    Applications using these vulnerable utilities with an untrusted input
    may be potentially exploited, resulting in a crash or arbitrary code
    execution under privileges of that application.(CVE-2018-12327)"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2018-1083.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Run 'yum update ntp' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ntp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ntp-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ntp-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ntp-perl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:ntpdate");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2018/09/19");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/09/20");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"ALA", reference:"ntp-4.2.8p12-1.39.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"ntp-debuginfo-4.2.8p12-1.39.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"ntp-doc-4.2.8p12-1.39.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"ntp-perl-4.2.8p12-1.39.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"ntpdate-4.2.8p12-1.39.amzn1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ntp / ntp-debuginfo / ntp-doc / ntp-perl / ntpdate");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2018-1765-1.NASL
    description: This update for ntp fixes the following issues :
      - Update to 4.2.8p11 (bsc#1082210) :
      - CVE-2016-1549: Sybil vulnerability: ephemeral association attack. While fixed in ntp-4.2.8p7, there are significant additional protections for this issue in 4.2.8p11.
      - CVE-2018-7182: ctl_getitem(): buffer read overrun leads to undefined behavior and information leak. (bsc#1083426)
      - CVE-2018-7170: Multiple authenticated ephemeral associations. (bsc#1083424)
      - CVE-2018-7184: Interleaved symmetric mode cannot recover from bad state. (bsc#1083422)
      - CVE-2018-7185: Unauthenticated packet can reset authenticated interleaved association. (bsc#1083420)
      - CVE-2018-7183: ntpq:decodearr() can write beyond its buffer limit. (bsc#1083417)
      - Don
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 110639
    published: 2018-06-21
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/110639
    title: SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2018:1765-1)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from SUSE update advisory SUSE-SU-2018:1765-1.
    # The text itself is copyright (C) SUSE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(110639);
      script_version("1.9");
      script_cvs_date("Date: 2019/09/10 13:51:48");
    
      script_cve_id("CVE-2016-1549", "CVE-2018-7170", "CVE-2018-7182", "CVE-2018-7183", "CVE-2018-7184", "CVE-2018-7185");
    
      script_name(english:"SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2018:1765-1)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote SUSE host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update for ntp fixes the following issues :
    
      - Update to 4.2.8p11 (bsc#1082210) :
    
      - CVE-2016-1549: Sybil vulnerability: ephemeral
        association attack. While fixed in ntp-4.2.8p7, there
        are significant additional protections for this issue in
        4.2.8p11.
    
      - CVE-2018-7182: ctl_getitem(): buffer read overrun leads
        to undefined behavior and information leak.
        (bsc#1083426)
    
      - CVE-2018-7170: Multiple authenticated ephemeral
        associations. (bsc#1083424)
    
      - CVE-2018-7184: Interleaved symmetric mode cannot recover
        from bad state. (bsc#1083422)
    
      - CVE-2018-7185: Unauthenticated packet can reset
        authenticated interleaved association. (bsc#1083420)
    
      - CVE-2018-7183: ntpq:decodearr() can write beyond its
        buffer limit.(bsc#1083417)
    
      - Don't use libevent's cached time stamps in sntp.
        (bsc#1077445) This update is a reissue of the previous
        update with LTSS channels included.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the SUSE security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1077445"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082063"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1082210"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083417"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083420"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083422"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083424"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.suse.com/show_bug.cgi?id=1083426"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2016-1549/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-7170/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-7182/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-7183/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-7184/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.suse.com/security/cve/CVE-2018-7185/"
      );
      # https://www.suse.com/support/update/announcement/2018/suse-su-20181765-1/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?2c461920"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "To install this SUSE Security Update use the SUSE recommended
    installation methods like YaST online_update or 'zypper patch'.
    
    Alternatively you can run the command listed for your product :
    
    SUSE OpenStack Cloud 7:zypper in -t patch
    SUSE-OpenStack-Cloud-7-2018-1188=1
    
    SUSE Linux Enterprise Server for SAP 12-SP2:zypper in -t patch
    SUSE-SLE-SAP-12-SP2-2018-1188=1
    
    SUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch
    SUSE-SLE-SAP-12-SP1-2018-1188=1
    
    SUSE Linux Enterprise Server 12-SP3:zypper in -t patch
    SUSE-SLE-SERVER-12-SP3-2018-1188=1
    
    SUSE Linux Enterprise Server 12-SP2-LTSS:zypper in -t patch
    SUSE-SLE-SERVER-12-SP2-2018-1188=1
    
    SUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch
    SUSE-SLE-SERVER-12-SP1-2018-1188=1
    
    SUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch
    SUSE-SLE-DESKTOP-12-SP3-2018-1188=1
    
    SUSE Enterprise Storage 4:zypper in -t patch
    SUSE-Storage-4-2018-1188=1
    
    SUSE CaaS Platform ALL :
    
    To install this update, use the SUSE CaaS Platform Velum dashboard. It
    will inform you if it detects new updates and let you then trigger
    updating of the complete cluster in a controlled way."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:ntp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:ntp-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:ntp-debugsource");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:suse_linux:ntp-doc");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:suse_linux:12");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/01/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/06/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/06/21");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/SuSE/release", "Host/SuSE/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release !~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "SUSE");
    os_ver = pregmatch(pattern: "^(SLE(S|D)\d+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "SUSE");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(SLED12|SLES12)$", string:os_ver)) audit(AUDIT_OS_NOT, "SUSE SLED12 / SLES12", "SUSE " + os_ver);
    
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^i[3-6]86$" && "x86_64" >!< cpu && "s390x" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "SUSE " + os_ver, cpu);
    
    sp = get_kb_item("Host/SuSE/patchlevel");
    if (isnull(sp)) sp = "0";
    if (os_ver == "SLES12" && (! preg(pattern:"^(1|2|3)$", string:sp))) audit(AUDIT_OS_NOT, "SLES12 SP1/2/3", os_ver + " SP" + sp);
    if (os_ver == "SLED12" && (! preg(pattern:"^(3)$", string:sp))) audit(AUDIT_OS_NOT, "SLED12 SP3", os_ver + " SP" + sp);
    
    
    flag = 0;
    if (rpm_check(release:"SLES12", sp:"1", reference:"ntp-4.2.8p11-64.5.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"ntp-debuginfo-4.2.8p11-64.5.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"ntp-debugsource-4.2.8p11-64.5.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"1", reference:"ntp-doc-4.2.8p11-64.5.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"ntp-4.2.8p11-64.5.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"ntp-debuginfo-4.2.8p11-64.5.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"ntp-debugsource-4.2.8p11-64.5.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"3", reference:"ntp-doc-4.2.8p11-64.5.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"ntp-4.2.8p11-64.5.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"ntp-debuginfo-4.2.8p11-64.5.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"ntp-debugsource-4.2.8p11-64.5.1")) flag++;
    if (rpm_check(release:"SLES12", sp:"2", reference:"ntp-doc-4.2.8p11-64.5.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"ntp-4.2.8p11-64.5.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"ntp-debuginfo-4.2.8p11-64.5.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"ntp-debugsource-4.2.8p11-64.5.1")) flag++;
    if (rpm_check(release:"SLED12", sp:"3", cpu:"x86_64", reference:"ntp-doc-4.2.8p11-64.5.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ntp");
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2016-649.NASL
    description: This update for ntp fixes the following issues :
      - Update to 4.2.8p7 (boo#977446) :
      - CVE-2016-1547, boo#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS.
      - CVE-2016-1548, boo#977461: Interleave-pivot
      - CVE-2016-1549, boo#977451: Sybil vulnerability: ephemeral association attack.
      - CVE-2016-1550, boo#977464: Improve NTP security against buffer comparison timing attacks.
      - CVE-2016-1551, boo#977450: Refclock impersonation vulnerability
      - CVE-2016-2516, boo#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd.
      - CVE-2016-2517, boo#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated.
      - CVE-2016-2518, boo#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC.
      - CVE-2016-2519, boo#977458: ctl_getitem() return value not always checked.
      - integrate ntp-fork.patch
      - Improve the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974
      - Restrict the parser in the startup script to the first occurrence of
    last seen: 2020-06-05
    modified: 2016-06-01
    plugin id: 91403
    published: 2016-06-01
    reporter: This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/91403
    title: openSUSE Security Update : ntp (openSUSE-2016-649)
  • NASL family: Amazon Linux Local Security Checks
    NASL id: AL2_ALAS-2018-1009.NASL
    description: Ephemeral association time spoofing additional protection ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 109688
    published: 2018-05-11
    reporter: This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/109688
    title: Amazon Linux 2 : ntp (ALAS-2018-1009)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_AF485EF41C5811E88477D05099C0AE8C.NASL
    description: Network Time Foundation reports : The NTP Project at Network Time Foundation is releasing ntp-4.2.8p11. This release addresses five security issues in ntpd :
      - LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / VU#961909: Sybil vulnerability: ephemeral association attack
      - INFO/MEDIUM: Sec 3412 / CVE-2018-7182 / VU#961909 : ctl_getitem(): buffer read overrun leads to undefined behavior and information leak
      - LOW: Sec 3415 / CVE-2018-7170 / VU#961909: Multiple authenticated ephemeral associations
      - LOW: Sec 3453 / CVE-2018-7184 / VU#961909: Interleaved symmetric mode cannot recover from bad state
      - LOW/MEDIUM: Sec 3454 / CVE-2018-7185 / VU#961909 : Unauthenticated packet can reset authenticated interleaved association
      one security issue in ntpq :
      - MEDIUM: Sec 3414 / CVE-2018-7183 / VU#961909 : ntpq:decodearr() can write beyond its buffer limit
      and provides over 33 bugfixes and 32 other improvements.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 107046
    published: 2018-02-28
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/107046
    title: FreeBSD : ntp -- multiple vulnerabilities (af485ef4-1c58-11e8-8477-d05099c0ae8c)
  • NASL family: Amazon Linux Local Security Checks
    NASL id: ALA_ALAS-2018-1009.NASL
    description: Ephemeral association time spoofing additional protection ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 109697
    published: 2018-05-11
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/109697
    title: Amazon Linux AMI : ntp (ALAS-2018-1009)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2016-1278-1.NASL
    description: This update for ntp to 4.2.8p7 fixes the following issues :
      - CVE-2016-1547, bsc#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS.
      - CVE-2016-1548, bsc#977461: Interleave-pivot
      - CVE-2016-1549, bsc#977451: Sybil vulnerability: ephemeral association attack.
      - CVE-2016-1550, bsc#977464: Improve NTP security against buffer comparison timing attacks.
      - CVE-2016-1551, bsc#977450: Refclock impersonation vulnerability
      - CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd.
      - CVE-2016-2517, bsc#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated.
      - CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC.
      - CVE-2016-2519, bsc#977458: ctl_getitem() return value not always checked.
      - This update also improves the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974
      Bugs fixed :
      - Restrict the parser in the startup script to the first occurrence of
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 91120
    published: 2016-05-13
    reporter: This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/91120
    title: SUSE SLES11 Security Update : ntp (SUSE-SU-2016:1278-1)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201607-15.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201607-15 (NTP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in NTP. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id92485
    published2016-07-21
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92485
    titleGLSA-201607-15 : NTP: Multiple vulnerabilities
  • NASL familyMisc.
    NASL idNTP_4_2_8P12.NASL
    descriptionThe version of the remote NTP server is 4.x prior to 4.2.8p12, or is 4.3.x prior to 4.3.94. It is, therefore, affected by the following vulnerabilities: - A race condition exists that is triggered during the handling of a saturation of ephemeral associations. An authenticated, remote attacker can exploit this to defeat NTP
    last seen2020-06-01
    modified2020-06-02
    plugin id111968
    published2018-08-17
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111968
    titleNetwork Time Protocol Daemon (ntpd) 4.x < 4.2.8p12 / 4.3.x < 4.3.94 Multiple Vulnerabilities
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2018-229-01.NASL
    descriptionNew ntp packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id111995
    published2018-08-20
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111995
    titleSlackware 14.0 / 14.1 / 14.2 / current : ntp (SSA:2018-229-01)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2018-060-02.NASL
    descriptionNew ntp packages are available for Slackware 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id107103
    published2018-03-02
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107103
    titleSlackware 14.0 / 14.1 / 14.2 / current : ntp (SSA:2018-060-02)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-1568-1.NASL
    descriptionntp was updated to version 4.2.8p8 to fix 17 security issues. These security issues were fixed : - CVE-2016-4956: Broadcast interleave (bsc#982068). - CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457). - CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458). - CVE-2016-4954: Processing spoofed server packets (bsc#982066). - CVE-2016-4955: Autokey association reset (bsc#982067). - CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might have allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a
    last seen2020-06-01
    modified2020-06-02
    plugin id91663
    published2016-06-17
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91663
    titleSUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1568-1)
  • NASL familyMisc.
    NASL idNTP_4_2_8P7.NASL
    descriptionThe version of the remote NTP server is 3.x or 4.x prior to 4.2.8p7. It is, therefore, affected by the following vulnerabilities : - A denial of service vulnerability exists due to improper validation of the origin timestamp field when handling a Kiss-of-Death (KoD) packet. An unauthenticated, remote attacker can exploit this to cause a client to stop querying its servers, preventing the client from updating its clock. (CVE-2015-7704) - A flaw exists in the receive() function in ntp_proto.c that allows packets with an origin timestamp of zero to bypass security checks. An unauthenticated, remote attacker can exploit this to spoof arbitrary content. (CVE-2015-8138) - A denial of service vulnerability exists due to improper handling of a crafted Crypto NAK Packet with a source address spoofed to match that of an existing associated peer. An unauthenticated, remote attacker can exploit this to demobilize a client association. (CVE-2016-1547) - A denial of service vulnerability exists due to improper handling of packets spoofed to appear to be from a valid ntpd server. An unauthenticated, remote attacker can exploit this to cause NTP to switch from basic client/server mode to interleaved symmetric mode, causing the client to reject future legitimate responses. (CVE-2016-1548) - A race condition exists that is triggered during the handling of a saturation of ephemeral associations. An authenticated, remote attacker can exploit this to defeat NTP
    last seen2020-06-01
    modified2020-06-02
    plugin id90923
    published2016-05-05
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/90923
    titleNetwork Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p7 Multiple Vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0808-1.NASL
    descriptionThis update for ntp fixes the following issues: Security issues fixed : - CVE-2016-1549: Significant additional protections against CVE-2016-1549 that was fixed in ntp-4.2.8p7 (bsc#1082210). - CVE-2018-7170: Ephemeral association time spoofing additional protection (bsc#1083424). - CVE-2018-7182: Buffer read overrun leads information leak in ctl_getitem() (bsc#1083426). - CVE-2018-7183: decodearr() can write beyond its buffer limit (bsc#1083417). - CVE-2018-7184: Interleaved symmetric mode cannot recover from bad state (bsc#1083422). - CVE-2018-7185: Unauthenticated packet can reset authenticated interleaved association (bsc#1083420). Bug fixes : - bsc#1077445: Don
    last seen2020-06-01
    modified2020-06-02
    plugin id108651
    published2018-03-27
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108651
    titleSUSE SLES11 Security Update : ntp (SUSE-SU-2018:0808-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-0956-1.NASL
    descriptionThis update for ntp fixes the following issues : - Update to 4.2.8p11 (bsc#1082210) : - CVE-2016-1549: Sybil vulnerability: ephemeral association attack. While fixed in ntp-4.2.8p7, there are significant additional protections for this issue in 4.2.8p11. - CVE-2018-7182: ctl_getitem(): buffer read overrun leads to undefined behavior and information leak. (bsc#1083426) - CVE-2018-7170: Multiple authenticated ephemeral associations. (bsc#1083424) - CVE-2018-7184: Interleaved symmetric mode cannot recover from bad state. (bsc#1083422) - CVE-2018-7185: Unauthenticated packet can reset authenticated interleaved association. (bsc#1083420) - CVE-2018-7183: ntpq:decodearr() can write beyond its buffer limit.(bsc#1083417) - Don
    last seen2020-06-01
    modified2020-06-02
    plugin id109085
    published2018-04-17
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109085
    titleSUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2018:0956-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-1291-1.NASL
    descriptionThis update for ntp to 4.2.8p7 fixes the following issues : - CVE-2016-1547, bsc#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, bsc#977461: Interleave-pivot - CVE-2016-1549, bsc#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, bsc#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, bsc#977450: Refclock impersonation vulnerability - CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, bsc#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, bsc#977458: ctl_getitem() return value not always checked. - This update also improves the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 Bugs fixed : - Restrict the parser in the startup script to the first occurrence of
    last seen2020-06-01
    modified2020-06-02
    plugin id91159
    published2016-05-16
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91159
    titleSUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1291-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-1912-1.NASL
    descriptionNTP was updated to version 4.2.8p8 to fix several security issues and to ensure the continued maintainability of the package. These security issues were fixed : CVE-2016-4953: Bad authentication demobilized ephemeral associations (bsc#982065). CVE-2016-4954: Processing spoofed server packets (bsc#982066). CVE-2016-4955: Autokey association reset (bsc#982067). CVE-2016-4956: Broadcast interleave (bsc#982068). CVE-2016-4957: CRYPTO_NAK crash (bsc#982064). CVE-2016-1547: Validate crypto-NAKs to prevent a CRYPTO-NAK DoS (bsc#977459). CVE-2016-1548: Prevent the change of time of an ntpd client or denying service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode (bsc#977461). CVE-2016-1549: Sybil vulnerability: ephemeral association attack (bsc#977451). CVE-2016-1550: Improve security against buffer comparison timing attacks (bsc#977464). CVE-2016-1551: Refclock impersonation vulnerability (bsc#977450). CVE-2016-2516: Duplicate IPs on unconfig directives could have caused an assertion botch in ntpd (bsc#977452). CVE-2016-2517: Remote configuration trustedkey/ requestkey/controlkey values are not properly validated (bsc#977455). CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457). CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458). CVE-2015-8158: Potential Infinite Loop in ntpq (bsc#962966). CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). CVE-2015-7976: ntpq saveconfig command allowed dangerous characters in filenames (bsc#962802). CVE-2015-7975: nextvar() missing length check (bsc#962988). CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might have allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a
    last seen2020-06-01
    modified2020-06-02
    plugin id93186
    published2016-08-29
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93186
    titleSUSE SLES10 Security Update : ntp (SUSE-SU-2016:1912-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-599.NASL
    descriptionThis update for ntp to 4.2.8p7 fixes the following issues : - CVE-2016-1547, bsc#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, bsc#977461: Interleave-pivot - CVE-2016-1549, bsc#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, bsc#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, bsc#977450: Refclock impersonation vulnerability - CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, bsc#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, bsc#977458: ctl_getitem() return value not always checked. - This update also improves the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 Bugs fixed : - Restrict the parser in the startup script to the first occurrence of
    last seen2020-06-05
    modified2016-05-20
    plugin id91269
    published2016-05-20
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91269
    titleopenSUSE Security Update : ntp (openSUSE-2016-599)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-376.NASL
    descriptionThis update for ntp fixes the following issues : - Update to 4.2.8p11 (bsc#1082210) : - CVE-2016-1549: Sybil vulnerability: ephemeral association attack. While fixed in ntp-4.2.8p7, there are significant additional protections for this issue in 4.2.8p11. - CVE-2018-7182: ctl_getitem(): buffer read overrun leads to undefined behavior and information leak. (bsc#1083426) - CVE-2018-7170: Multiple authenticated ephemeral associations. (bsc#1083424) - CVE-2018-7184: Interleaved symmetric mode cannot recover from bad state. (bsc#1083422) - CVE-2018-7185: Unauthenticated packet can reset authenticated interleaved association. (bsc#1083420) - CVE-2018-7183: ntpq:decodearr() can write beyond its buffer limit.(bsc#1083417) - Don
    last seen2020-06-05
    modified2018-04-18
    plugin id109102
    published2018-04-18
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109102
    titleopenSUSE Security Update : ntp (openSUSE-2018-376)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1464-1.NASL
    descriptionThis update for ntp fixes the following issues : - Update to 4.2.8p11 (bsc#1082210) : - CVE-2016-1549: Sybil vulnerability: ephemeral association attack. While fixed in ntp-4.2.8p7, there are significant additional protections for this issue in 4.2.8p11. - CVE-2018-7182: ctl_getitem(): buffer read overrun leads to undefined behavior and information leak. (bsc#1083426) - CVE-2018-7170: Multiple authenticated ephemeral associations. (bsc#1083424) - CVE-2018-7184: Interleaved symmetric mode cannot recover from bad state. (bsc#1083422) - CVE-2018-7185: Unauthenticated packet can reset authenticated interleaved association. (bsc#1083420) - CVE-2018-7183: ntpq:decodearr() can write beyond its buffer limit.(bsc#1083417) - Don
    last seen2020-06-01
    modified2020-06-02
    plugin id110224
    published2018-05-30
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110224
    titleSUSE SLES12 Security Update : ntp (SUSE-SU-2018:1464-1)
  • NASL familyMisc.
    NASL idNTP_4_2_8P11.NASL
    descriptionThe version of the remote NTP server is 4.x prior to 4.2.8p11. It is, therefore, affected by multiple vulnerabilities, which allow denial of service attacks, information disclosure and possibly, remote code execution.
    last seen2020-06-01
    modified2020-06-02
    plugin id107258
    published2018-03-09
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107258
    titleNetwork Time Protocol Daemon (ntpd) 4.x < 4.2.8p11 Multiple Vulnerabilities
  • NASL familyJunos Local Security Checks
    NASL idJUNIPER_SPACE_JSA_10826.NASL
    descriptionAccording to its self-reported version number, the version of Junos Space running on the remote device is < 17.1R1, and is therefore affected by multiple vulnerabilities.
    last seen2020-06-01
    modified2020-06-02
    plugin id104100
    published2017-10-23
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104100
    titleJuniper Junos Space < 17.1R1 Multiple Vulnerabilities (JSA10826)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1765-2.NASL
    descriptionThis update for ntp fixes the following issues : Update to 4.2.8p11 (bsc#1082210) : - CVE-2016-1549: Sybil vulnerability: ephemeral association attack. While fixed in ntp-4.2.8p7, there are significant additional protections for this issue in 4.2.8p11. - CVE-2018-7182: ctl_getitem(): buffer read overrun leads to undefined behavior and information leak. (bsc#1083426) - CVE-2018-7170: Multiple authenticated ephemeral associations. (bsc#1083424) - CVE-2018-7184: Interleaved symmetric mode cannot recover from bad state. (bsc#1083422) - CVE-2018-7185: Unauthenticated packet can reset authenticated interleaved association. (bsc#1083420) - CVE-2018-7183: ntpq:decodearr() can write beyond its buffer limit.(bsc#1083417) Don
    last seen2020-06-01
    modified2020-06-02
    plugin id118269
    published2018-10-22
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118269
    titleSUSE SLES12 Security Update : ntp (SUSE-SU-2018:1765-2)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_B2487D9A0C3011E6ACD0D050996490D0.NASL
    descriptionNetwork Time Foundation reports : NTF
    last seen2020-06-01
    modified2020-06-02
    plugin id90742
    published2016-04-27
    reporterThis script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/90742
    titleFreeBSD : ntp -- multiple vulnerabilities (b2487d9a-0c30-11e6-acd0-d050996490d0)
  • NASL familyMisc.
    NASL idARISTA_EOS_SA0019.NASL
    descriptionThe version of Arista Networks EOS running on the remote device is affected by multiple vulnerabilities : - A flaw exists in NTP in the receive() function within file ntpd/ntp_proto.c that allows packets with an origin timestamp of zero to bypass security checks. An unauthenticated, remote attacker can exploit this to spoof arbitrary content. (CVE-2015-8138) - A flaw exists in NTP when handling crafted Crypto NAK Packets having spoofed source addresses that match an existing associated peer. An unauthenticated, remote attacker can exploit this to demobilize a client association, resulting in a denial of service condition. (CVE-2016-1547) - A flaw exists in NTP when handling packets that have been spoofed to appear to be coming from a valid ntpd server, which may cause a switch to interleaved symmetric mode. An unauthenticated, remote attacker can exploit this, via a packet having a spoofed timestamp, to cause the client to reject future legitimate server responses, resulting in a denial of service condition. (CVE-2016-1548) - A flaw exists in NTP when handling a saturation of ephemeral associations. An authenticated, remote attacker can exploit this to defeat the clock selection algorithm and thereby modify a victim
    last seen2020-03-17
    modified2018-02-28
    plugin id107061
    published2018-02-28
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/107061
    titleArista Networks EOS Multiple Vulnerabilities (SA0019)

Seebug

bulletinFamilyexploit
description
### SUMMARY

ntpd is vulnerable to Sybil attacks. A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win ntpd's clock selection algorithm and modify a victim's clock.

### TESTED VERSIONS

NTP 4.2.8p3
NTP 4.2.8p4
NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74
NTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92

### PRODUCT URLS

http://www.ntp.org
http://www.ntpsec.org

### CVSS SCORE

CVSSv2: 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVSSv3: 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N

### DETAILS

ntpd has the ability to create ephemeral peer associations on the fly in response to certain kinds of incoming requests. In most common configurations, if an incoming request will cause a new ephemeral association to be mobilized, ntpd requires the request to be authenticated under a trusted symmetric key. However, ntpd does not enforce any limit on the number of active ephemeral associations that may be created under a single key, making ntpd vulnerable to Sybil attacks.

A malicious authenticated peer can use its knowledge of the trusted key that it shares with a victim ntpd process in order to create multiple ephemeral associations with the victim from different source IP addresses. Each of these malicious associations can advertise false time to the victim. If the malicious associations providing consistent false time advertisements outweigh the number of legitimate peer associations, the victim will sync to the time advertised by the attacker.

RFC 5905 does not appear to mandate any specific behavior with regard to authenticating ephemeral associations. Therefore, we recommend that an incoming request only mobilize an ephemeral association if both of the following conditions hold:

* There are no non-preemptible peer associations configured to use that key. This prevents ephemeral associations from being created by configured, non-preemptible peers.
* There are no preemptible peer associations authenticated under that key. This prevents a malicious ephemeral peer from creating more than one peer association using a given key.

If the IP address of an ephemeral peer changes, eventually the association will be demobilized, at which time a new incoming request can cause a new association to be mobilized with a new IP address. An alternative allowing faster failover: when an incoming request will mobilize a new ephemeral association, demobilize all preemptible peer associations authenticated under the key used to authenticate the incoming request before the new association is mobilized.

This vulnerability has been successfully exploited using symmetric ephemeral associations. However, ephemeral broadcast and manycast associations are also likely to be vulnerable. To our knowledge, any ntpd instance configured using the 'trustedkey' directive is vulnerable, as in:

```
keys /etc/ntp.keys
trustedkey 1
...
```

There do not appear to be any other configuration directives that would affect or mitigate this vulnerability. ntpd instances that are not configured with the 'trustedkey' directive are not vulnerable. Though this vulnerability has only been confirmed against specific releases of NTP and NTPsec, any release of ntp-3 or ntp-4 may be affected.

### ATTACK SCENARIO

To illustrate this attack, a malicious authenticated ephemeral peer (attacker1) with knowledge of keyid 2 trusted by ntp-client-4.2.8p4 will create multiple malicious ephemeral peer associations with ntp-client-4.2.8p4, overwhelm the victim's legitimate time sources, and cause ntp-client-4.2.8p4 to modify its clock. We will illustrate this by querying ntp-client-4.2.8p4 for its active peer associations with:

```
ntpq -c lpeer
```

Initially, ntp-client-4.2.8p4 is peered with one legitimate server (ntp-server).

```
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp-server      .LOCL.           1 u    5    8  377    0.043   -0.051   0.414
```

As a proof-of-concept, the attacker will attempt to move the victim's clock back by an amount just under the panic threshold, 15 minutes in this case. (Significantly larger steps have been achieved with some ntpd releases.) The attacker spins up three attacking nodes at different IP addresses (attacker1..3). After the attacking nodes are well synchronized, the attacker commences the attack by adding the following configuration line to each attacking node, instructing it to peer with the victim using keyid 2:

```
peer ntp-client-4.2.8p4 key 2 noselect minpoll 3 maxpoll 3
```

As a result, we see that ntp-client-4.2.8p4 now has 3 new malicious peers.

```
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp-server      .LOCL.           1 u    3    8  377    0.130    0.479   0.399
 attacker1       .LOCL.           1 S    5    8    1    0.000    0.000   0.000
 attacker2       192.168.33.14    2 S    5    8    1    0.000    0.000   0.000
 attacker3       192.168.33.14    2 S    4    8    1    0.000    0.000   0.000
```

The attackers consistently provide time advertisements that are about 15 minutes behind the time advertised by the legitimate ntp-server. Because the attackers outnumber legitimate peers, eventually the victim selects an attacker as its system peer, indicating that it will synchronize its time to the attackers.

```
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
xntp-server      .LOCL.           1 u    1    8  377    0.130    0.479   0.501
*attacker1       .LOCL.           1 S    2    8    3    0.457  -931554   0.000
+attacker2       192.168.33.14    2 S    2    8    3    0.644  -931553   0.000
+attacker3       192.168.33.14    2 S    1    8    3    0.583  -931553   0.000
```

Eventually, the victim steps its clock.

```
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 ntp-server      .STEP.          16 u    -    8    0    0.000    0.000   0.000
 attacker1       .STEP.          16 S   14    8    0    0.000    0.000   0.000
 attacker2       .STEP.          16 S   52    8    0    0.000    0.000   0.000
 attacker3       .STEP.          16 S   45    8    0    0.000    0.000   0.000
```

After stepping the clock, we see that the victim is 931 seconds behind ntp-server, confirming the attack.

```
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp-server      .LOCL.           1 u    2    8    1    0.379  931553.   0.317
 attacker1       .STEP.          16 S   19    8    0    0.000    0.000   0.000
 attacker2       .STEP.          16 S   57    8    0    0.000    0.000   0.000
 attacker3       .STEP.          16 S   50    8    0    0.000    0.000   0.000
```

While ntp-server is initially selected as the system peer after the clock step, the attacking nodes quickly regain their status as preferred time sources.

```
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
xntp-server      .LOCL.           1 u    5    8    3    0.278  931552.   0.638
*attacker1       .LOCL.           1 S    4    8    6    0.044   -0.346   0.049
+attacker2       192.168.33.14    2 S    4    8    6    0.593    0.520   0.441
+attacker3       192.168.33.14    2 S    3    8    6    0.758    0.020   0.074
```

At this point, the attacker has control of the victim's clock and can continue to make modifications.

### MITIGATION

The most complete mitigation is to upgrade to ntp-TBD or NTPsec TBD. If your system's ntpd is packaged by the system vendor, apply your vendor's security update as soon as it becomes available.

Administrators that are not using authenticated NTP can prevent exploitation by removing any unused 'trustedkey' configuration directives from their ntpd configuration file.

If your system supports a host-based firewall which blocks incoming traffic, such as the Windows Firewall, Mac OS X Application Firewall, or firewalls such as Uncomplicated Firewall or iptables on Linux, you should enable it. For other systems, appropriate firewall rules will depend on your environment. Use the following recommendations as a guideline:

* NTP clients should block incoming NTP packets from any IP address that is not a known, legitimate peer
* NTP servers should block incoming symmetric active (NTP mode 1), server (NTP mode 4), and broadcast (NTP mode 5) packets from any IP address that is not a known, legitimate peer

### DETECTION

In most common configurations, you can use ntpq to query the ntpd process running on your system for its list of peers. Any unexpected peers that are not configured in your ntp.conf file could indicate an attack. For example, if your system is configured to be a client of ntp-server and you expect one peer (known-peer), the appearance of additional peers (sybil) could indicate an attack:

```
$ ntpq -c lpeer
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp-server      .LOCL.           1 u    1    8  377    0.130    0.479   0.501
 known-peer      .LOCL.           1 S    2    8    3    0.457  -931554   0.000
 sybil           192.168.33.14    2 S    2    8    3    0.644  -931553   0.000
```

You can delete any rogue associations by restarting ntpd after applying the mitigations above.

If you have a compatible IDS product, the following Snort rules detect exploits of this vulnerability: TBD.

At the network level, multiple symmetric, broadcast, or manycast associations using the same keyid could indicate an attack.

### TIMELINE

2016-01-19 - CERT reports to NTP
idSSV:96788
last seen2017-11-19
modified2017-10-26
published2017-10-26
reporterRoot
titleNetwork Time Protocol Ephemeral Association Time Spoofing Vulnerability(CVE-2016-1549)
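The DETECTION section of the advisory above recommends comparing the peers ntpd reports against the peers ntp.conf configures. The following script is an added example, not code from the advisory, Talos, or the NTP project: it parses the billboard printed by `ntpq -c lpeer`, extracts the remotes named by association directives in ntp.conf, and reports every association the configuration does not account for. The ntp.conf fragment and the billboard it runs on are constructed samples modelled on the advisory's listing; the column layout assumed by the regular expression is the one shown in that listing.

```python
"""Spot NTP associations that ntp.conf does not account for.

Added example, not taken from the advisory or the NTP project.  It
implements the check the advisory's DETECTION section describes: read the
billboard that `ntpq -c lpeer` prints, read the association directives in
ntp.conf, and report every association whose remote is not configured.
The ntp.conf fragment and the billboard below are constructed samples.
"""
import re

# Constructed ntp.conf fragment: one server and one symmetric peer, both
# authenticated with key 1 (names follow the advisory's DETECTION listing).
SAMPLE_NTP_CONF = """\
driftfile /var/lib/ntp/drift
keys /etc/ntp.keys
trustedkey 1
server ntp-server key 1 iburst   # primary time source
peer known-peer key 1
restrict default kod nomodify notrap nopeer noquery
"""

# Constructed `ntpq -c lpeer` billboard: the configured server, the
# configured peer, and one association ("sybil") that nothing configured.
SAMPLE_LPEER = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp-server      .LOCL.           1 u    1    8  377    0.130    0.479   0.501
 known-peer      .LOCL.           1 S    2    8    3    0.457  -931554   0.000
 sybil           192.168.33.14    2 S    2    8    3    0.644  -931553   0.000
"""

# ntp.conf directives whose first argument names a remote to associate with.
ASSOCIATION_DIRECTIVES = {"server", "peer", "broadcast", "manycastclient", "pool"}

# One billboard row: optional one-character tally code, then the ten columns.
ROW_RE = re.compile(
    r"^(?P<tally>[ *+#o.x-]?)(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<t>\S)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>\S+)\s+(?P<offset>\S+)\s+(?P<jitter>\S+)\s*$"
)


def configured_remotes(conf_text):
    """Return the set of remote names that ntp.conf mobilizes associations for."""
    remotes = set()
    for raw in conf_text.splitlines():
        words = raw.split("#", 1)[0].split()      # strip comments, tokenize
        if len(words) >= 2 and words[0] in ASSOCIATION_DIRECTIVES:
            remotes.add(words[1])
    return remotes


def parse_lpeer(billboard):
    """Parse `ntpq -c lpeer` output into a list of dicts, one per association."""
    rows = []
    for line in billboard.splitlines():
        match = ROW_RE.match(line)
        if match is None:
            continue                              # header, ruler, blank line
        row = match.groupdict()
        row["st"] = int(row["st"])
        row["reach"] = int(row["reach"], 8)       # ntpq prints reach in octal
        row["offset"] = float(row["offset"])      # milliseconds
        rows.append(row)
    return rows


def unexpected_associations(conf_text, billboard):
    """Return the billboard rows whose remote is not named in ntp.conf."""
    expected = configured_remotes(conf_text)
    return [row for row in parse_lpeer(billboard) if row["remote"] not in expected]


def describe(conf_text, billboard):
    """Build human-readable findings, one line per unexpected association."""
    findings = []
    for row in unexpected_associations(conf_text, billboard):
        findings.append(
            "unconfigured association: %s (type %s, stratum %d, refid %s, "
            "offset %.3f ms)" % (row["remote"], row["t"], row["st"],
                                 row["refid"], row["offset"])
        )
    return findings


if __name__ == "__main__":
    # On a real host, replace SAMPLE_LPEER with the output of `ntpq -n -c lpeer`
    # and SAMPLE_NTP_CONF with the contents of the host's ntp.conf.
    for finding in describe(SAMPLE_NTP_CONF, SAMPLE_LPEER) or ["no unconfigured associations"]:
        print(finding)
```

Run against the samples, the script reports `sybil` as the one association with no configuration line behind it, which is exactly the signal the advisory says to act on (restart ntpd after applying the mitigations). Two caveats for real hosts: run `ntpq -n` so the billboard carries IP addresses rather than resolved names, and compare against the same form you put in ntp.conf; and ntpq wraps a row onto two lines when the remote name is wider than its column, so long names need the wide-output form or the regular expression adjusted before they parse.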

Talos

idTALOS-2016-0083
last seen2019-05-29
published2016-04-26
reporterTalos Intelligence
sourcehttp://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0083
titleNetwork Time Protocol Ephemeral Association Time Spoofing Vulnerability