Vulnerabilities > CVE-2016-1551 - 7PK - Security Features vulnerability in multiple products

047910
CVSS 2.6 - LOW
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
high complexity
ntp
ntpsec
CWE-254
nessus

Summary

ntpd in NTP 4.2.8p3 and NTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92 relies on the underlying operating system to protect it from requests that impersonate reference clocks. Because reference clocks are treated like other peers and stored in the same structure, any packet with a source ip address of a reference clock (127.127.1.1 for example) that reaches the receive() function will match that reference clock's peer record and will be treated as a trusted peer. Any system that lacks the typical martian packet filtering which would block these packets is in danger of having its time controlled by an attacker.

Vulnerable Configurations

Part Description Count
Application
Ntp
1
Application
Ntpsec
1

Common Weakness Enumeration (CWE)

Nessus

  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2016-120-01.NASL
    descriptionNew ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id90800
    published2016-05-02
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/90800
    titleSlackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2016-120-01)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Slackware Security Advisory 2016-120-01. The text 
    # itself is copyright (C) Slackware Linux, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(90800);
      script_version("2.11");
      script_cvs_date("Date: 2019/03/15 15:35:01");
    
      script_cve_id("CVE-2015-7704", "CVE-2015-8138", "CVE-2016-1547", "CVE-2016-1548", "CVE-2016-1549", "CVE-2016-1550", "CVE-2016-1551", "CVE-2016-2516", "CVE-2016-2517", "CVE-2016-2518", "CVE-2016-2519");
      script_xref(name:"SSA", value:"2016-120-01");
    
      script_name(english:"Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2016-120-01)");
      script_summary(english:"Checks for updated package in /var/log/packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Slackware host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0,
    14.1, and -current to fix security issues."
      );
      # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.630758
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?41983d03"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected ntp package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:slackware:slackware_linux:ntp");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:13.37");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:slackware:slackware_linux:14.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2016/04/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/05/02");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Slackware Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Slackware/release", "Host/Slackware/packages");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("slackware.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Slackware/release")) audit(AUDIT_OS_NOT, "Slackware");
    if (!get_kb_item("Host/Slackware/packages")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Slackware", cpu);
    
    
    flag = 0;
    if (slackware_check(osver:"13.0", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"i486", pkgnum:"1_slack13.0")) flag++;
    if (slackware_check(osver:"13.0", arch:"x86_64", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"x86_64", pkgnum:"1_slack13.0")) flag++;
    
    if (slackware_check(osver:"13.1", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"i486", pkgnum:"1_slack13.1")) flag++;
    if (slackware_check(osver:"13.1", arch:"x86_64", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"x86_64", pkgnum:"1_slack13.1")) flag++;
    
    if (slackware_check(osver:"13.37", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"i486", pkgnum:"1_slack13.37")) flag++;
    if (slackware_check(osver:"13.37", arch:"x86_64", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"x86_64", pkgnum:"1_slack13.37")) flag++;
    
    if (slackware_check(osver:"14.0", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"i486", pkgnum:"1_slack14.0")) flag++;
    if (slackware_check(osver:"14.0", arch:"x86_64", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"x86_64", pkgnum:"1_slack14.0")) flag++;
    
    if (slackware_check(osver:"14.1", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"i486", pkgnum:"1_slack14.1")) flag++;
    if (slackware_check(osver:"14.1", arch:"x86_64", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"x86_64", pkgnum:"1_slack14.1")) flag++;
    
    if (slackware_check(osver:"current", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"i586", pkgnum:"1")) flag++;
    if (slackware_check(osver:"current", arch:"x86_64", pkgname:"ntp", pkgver:"4.2.8p7", pkgarch:"x86_64", pkgnum:"1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyAIX Local Security Checks
    NASL idAIX_NTP_V3_ADVISORY7.NASL
    descriptionThe version of NTP installed on the remote AIX host is affected by the following vulnerabilities : - A time serving flaw exists in the trusted key system due to improper key checks. An authenticated, remote attacker can exploit this to perform impersonation attacks between authenticated peers. (CVE-2015-7974) - An information disclosure vulnerability exists in the message authentication functionality in libntp that is triggered during the handling of a series of specially crafted messages. An adjacent attacker can exploit this to partially recover the message digest key. (CVE-2016-1550) - A flaw exists due to improper filtering of IPv4
    last seen2020-06-01
    modified2020-06-02
    plugin id102128
    published2017-08-03
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/102128
    titleAIX NTP v3 Advisory : ntp_advisory7.asc (IV87614) (IV87419) (IV87615) (IV87420) (IV87939)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(102128);
      script_version("3.8");
      script_cvs_date("Date: 2018/07/17 12:00:06");
    
      script_cve_id(
        "CVE-2015-7974",
        "CVE-2016-1550",
        "CVE-2016-1551",
        "CVE-2016-2517",
        "CVE-2016-2518",
        "CVE-2016-2519"
      );
      script_bugtraq_id(
        81960,
        88189,
        88204,
        88219,
        88226,
        88261
      );
      script_xref(name:"CERT", value:"718152");
    
      script_name(english:"AIX NTP v3 Advisory : ntp_advisory7.asc (IV87614) (IV87419) (IV87615) (IV87420) (IV87939)");
      script_summary(english:"Checks the version of the ntp packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote AIX host has a version of NTP installed that is affected
    by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of NTP installed on the remote AIX host is affected by
    the following vulnerabilities :
    
      - A time serving flaw exists in the trusted key system
        due to improper key checks. An authenticated, remote
        attacker can exploit this to perform impersonation
        attacks between authenticated peers. (CVE-2015-7974)
    
      - An information disclosure vulnerability exists in the
        message authentication functionality in libntp that is
        triggered during the handling of a series of specially
        crafted messages. An adjacent attacker can exploit this
        to partially recover the message digest key.
        (CVE-2016-1550)
    
      - A flaw exists due to improper filtering of IPv4 'bogon'
        packets received from a network. An unauthenticated,
        remote attacker can exploit this to spoof packets to
        appear to come from a specific reference clock.
        (CVE-2016-1551)
    
      - A denial of service vulnerability exists that allows an
        authenticated, remote attacker to manipulate the value
        of the trustedkey, controlkey, or requestkey via a
        crafted packet, preventing authentication with ntpd
        until the daemon has been restarted. (CVE-2016-2517)
    
      - An out-of-bounds read error exists in the MATCH_ASSOC()
        function that occurs during the creation of peer
        associations with hmode greater than 7. An
        authenticated, remote attacker can exploit this, via a
        specially crafted packet, to cause a denial of service.
        (CVE-2016-2518)
    
      - An overflow condition exists in the ctl_getitem()
        function in ntpd due to improper validation of
        user-supplied input when reporting return values. An
        authenticated, remote attacker can exploit this to cause
        ntpd to abort. (CVE-2016-2519)");
      script_set_attribute(attribute:"see_also", value:"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory7.asc");
      script_set_attribute(attribute:"solution", value:
    "A fix is available and can be downloaded from the IBM AIX website.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/12/12");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/09/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/03");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:ibm:aix");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ntp:ntp");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"AIX Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/AIX/lslpp", "Host/local_checks_enabled", "Host/AIX/version");
    
      exit(0);
    }
    
    include("aix.inc");
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    oslevel = get_kb_item("Host/AIX/version");
    if (isnull(oslevel)) audit(AUDIT_UNKNOWN_APP_VER, "AIX");
    oslevel = oslevel - "AIX-";
    
    oslevelcomplete = chomp(get_kb_item("Host/AIX/oslevelsp"));
    if (isnull(oslevelcomplete)) audit(AUDIT_UNKNOWN_APP_VER, "AIX");
    oslevelparts = split(oslevelcomplete, sep:'-', keep:0);
    if ( max_index(oslevelparts) != 4 ) audit(AUDIT_UNKNOWN_APP_VER, "AIX");
    ml = oslevelparts[1];
    sp = oslevelparts[2];
    
    if ( ! get_kb_item("Host/AIX/lslpp") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    if ( get_kb_item("Host/AIX/emgr_failure" ) ) exit(0, "This AIX package check is disabled because : "+get_kb_item("Host/AIX/emgr_failure") );
    
    flag = 0;
    
    aix_ntp_vulns = {
      "5.3": {
        "12": {
          "09": {
            "bos.net.tcp.client": {
              "minfilesetver":"5.3.12.0",
              "maxfilesetver":"5.3.12.10",
              "patch":"(IV87614m9a|IV92194m9a|IV96305m9a)"
            }
          }
        }
      },
      "6.1": {
        "09": {
          "05": {
            "bos.net.tcp.client": {
              "minfilesetver":"6.1.9.0",
              "maxfilesetver":"6.1.9.102",
              "patch":"(IV87419m5d)"
            }
          },
          "06": {
            "bos.net.tcp.client": {
              "minfilesetver":"6.1.9.0",
              "maxfilesetver":"6.1.9.102",
              "patch":"(IV87419m6a|IV91803m6a)"
            }
          },
          "07": {
            "bos.net.tcp.client": {
              "minfilesetver":"6.1.9.0",
              "maxfilesetver":"6.1.9.102",
              "patch":"(IV87419m7a|IV91803m6a|IV96306m9a)"
            }
          }
        }
      },
      "7.1": {
        "03": {
          "05": {
            "bos.net.tcp.client": {
              "minfilesetver":"7.1.3.0",
              "maxfilesetver":"7.1.3.45",
              "patch":"(IV87615m5a|IV92193m5a)"
            }
          },
          "06": {
            "bos.net.tcp.client": {
              "minfilesetver":"7.1.3.0",
              "maxfilesetver":"7.1.3.46",
              "patch":"(IV87615m6a|IV92193m5a)"
            }
          },
          "07": {
            "bos.net.tcp.client": {
              "minfilesetver":"7.1.3.0",
              "maxfilesetver":"7.1.3.47",
              "patch":"(IV87615m7a|IV92193m5a|IV96307m9a)"
            }
          }
        },
        "04": {
          "00": {
            "bos.net.tcp.client": {
              "minfilesetver":"7.1.4.0",
              "maxfilesetver":"7.1.4.1",
              "patch":"(IV87420m0a)"
            }
          },
          "01": {
            "bos.net.tcp.client": {
              "minfilesetver":"7.1.4.0",
              "maxfilesetver":"7.1.4.1",
              "patch":"(IV87420m0a|IV91951m3a)"
            }
          },
          "02": {
            "bos.net.tcp.client": {
              "minfilesetver":"7.1.4.0",
              "maxfilesetver":"7.1.4.1",
              "patch":"(IV87420m2a|IV91951m3a|IV96308m4a)"
            }
          }
        }
      },
      "7.2": {
       "00": {
          "00": {
            "bos.net.tcp.ntp": {
              "minfilesetver":"7.2.0.0",
              "maxfilesetver":"7.2.0.2",
              "patch":"(IV87939m0b|IV92192m2a)"
            },
            "bos.net.tcp.ntpd": {
              "minfilesetver":"7.2.0.0",
              "maxfilesetver":"7.2.0.2",
              "patch":"(IV87939m0b|IV92192m2a)"
            }
          },
          "01": {
            "bos.net.tcp.ntp": {
              "minfilesetver":"7.2.0.0",
              "maxfilesetver":"7.2.0.2",
              "patch":"(IV87939m0b|IV92192m2a)"
            },
            "bos.net.tcp.ntpd": {
              "minfilesetver":"7.2.0.0",
              "maxfilesetver":"7.2.0.2",
              "patch":"(IV87939m0b|IV92192m2a)"
            }
          },
          "02": {
            "bos.net.tcp.ntp": {
              "minfilesetver":"7.2.0.0",
              "maxfilesetver":"7.2.0.2",
              "patch":"(IV87939m2a|IV92192m2a|IV96309m4a)"
            },
            "bos.net.tcp.ntpd": {
              "minfilesetver":"7.2.0.0",
              "maxfilesetver":"7.2.0.2",
              "patch":"(IV87939m2a|IV92192m2a|IV96309m4a)"
            }
          }
        }
      }
    };
    
    version_report = "AIX " + oslevel;
    if ( empty_or_null(aix_ntp_vulns[oslevel]) ) {
      os_options = join( sort( keys(aix_ntp_vulns) ), sep:' / ' );
      audit(AUDIT_OS_NOT, os_options, version_report);
    }
    
    version_report = version_report + " ML " + ml;
    if ( empty_or_null(aix_ntp_vulns[oslevel][ml]) ) {
      ml_options = join( sort( keys(aix_ntp_vulns[oslevel]) ), sep:' / ' );
      audit(AUDIT_OS_NOT, "ML " + ml_options, version_report);
    }
    
    version_report = version_report + " SP " + sp;
    if ( empty_or_null(aix_ntp_vulns[oslevel][ml][sp]) ) {
      sp_options = join( sort( keys(aix_ntp_vulns[oslevel][ml]) ), sep:' / ' );
      audit(AUDIT_OS_NOT, "SP " + sp_options, version_report);
    }
    
    foreach package ( keys(aix_ntp_vulns[oslevel][ml][sp]) ) {
      package_info = aix_ntp_vulns[oslevel][ml][sp][package];
      minfilesetver = package_info["minfilesetver"];
      maxfilesetver = package_info["maxfilesetver"];
      patch =         package_info["patch"];
      if (aix_check_ifix(release:oslevel, ml:ml, sp:sp, patch:patch, package:package, minfilesetver:minfilesetver, maxfilesetver:maxfilesetver) < 0) flag++;
    }
    
    if (flag)
    {
      aix_report_extra = ereg_replace(string:aix_report_get(), pattern:"[()]", replace:"");
      aix_report_extra = ereg_replace(string:aix_report_extra, pattern:"[|]", replace:" or ");
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : aix_report_extra
      );
    }
    else
    {
      tested = aix_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bos.net.tcp.ntp / bos.net.tcp.ntpd / bos.net.tcp.client");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-649.NASL
    descriptionThis update for ntp fixes the following issues : - Update to 4.2.8p7 (boo#977446) : - CVE-2016-1547, boo#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, boo#977461: Interleave-pivot - CVE-2016-1549, boo#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, boo#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, boo#977450: Refclock impersonation vulnerability - CVE-2016-2516, boo#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, boo#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, boo#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, boo#977458: ctl_getitem() return value not always checked. - integrate ntp-fork.patch - Improve the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 - Restrict the parser in the startup script to the first occurrance of
    last seen2020-06-05
    modified2016-06-01
    plugin id91403
    published2016-06-01
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91403
    titleopenSUSE Security Update : ntp (openSUSE-2016-649)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV87939.NASL
    descriptionNTPv3 and NTPv4 are vulnerable to : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974 NTP could allow a remote authenticated attacker to conduct spoofing attacks, caused by a missing key check. An attacker could exploit this vulnerability to impersonate a peer. NTP could allow a local attacker to bypass security restrictions, caused by the failure to use a constant-time memory comparison function when validating the authentication digest on incoming packets. By sending a specially crafted packet with an authentication payload, an attacker could exploit this vulnerability to conduct a timing attack to compute the value of the valid authentication digest. While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock. If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted. NTP is vulnerable to a denial of service, caused by an error when using a specially crafted packet to create a peer association with hmode > 7. An attacker could exploit this vulnerability to cause the MATCH_ASSOC() function to trigger an out-of-bounds read. NTP is vulnerable to a denial of service, caused by the failure to always check the ctl_getitem() function return value. By sending an overly large value, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the demobilization of a preemptable client association. By sending specially crafted crypto NAK packets, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets, an attacker could exploit this vulnerability to cause ntpd to crash. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets to an ephemeral peer target prior to a response being sent, a remote attacker could exploit this vulnerability to demobilize the ephemeral association. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed server packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause a false leap indication to be set. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed CRYPTO_NAK or a bad MAC packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause the autokey association to reset. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin id 102128).
    last seen2017-10-29
    modified2017-08-03
    plugin id93352
    published2016-09-08
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=93352
    titleAIX 7.2 TL 0 : ntp (IV87939) (deprecated)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV87419.NASL
    descriptionNTPv3 and NTPv4 are vulnerable to : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974 NTP could allow a remote authenticated attacker to conduct spoofing attacks, caused by a missing key check. An attacker could exploit this vulnerability to impersonate a peer. NTP could allow a local attacker to bypass security restrictions, caused by the failure to use a constant-time memory comparison function when validating the authentication digest on incoming packets. By sending a specially crafted packet with an authentication payload, an attacker could exploit this vulnerability to conduct a timing attack to compute the value of the valid authentication digest. While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock. If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted. NTP is vulnerable to a denial of service, caused by an error when using a specially crafted packet to create a peer association with hmode > 7. An attacker could exploit this vulnerability to cause the MATCH_ASSOC() function to trigger an out-of-bounds read. NTP is vulnerable to a denial of service, caused by the failure to always check the ctl_getitem() function return value. By sending an overly large value, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the demobilization of a preemptable client association. By sending specially crafted crypto NAK packets, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets, an attacker could exploit this vulnerability to cause ntpd to crash. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets to an ephemeral peer target prior to a response being sent, a remote attacker could exploit this vulnerability to demobilize the ephemeral association. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed server packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause a false leap indication to be set. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed CRYPTO_NAK or a bad MAC packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause the autokey association to reset. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin id 102128).
    last seen2017-10-29
    modified2017-08-03
    plugin id93348
    published2016-09-08
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=93348
    titleAIX 6.1 TL 9 : ntp (IV87419) (deprecated)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV87420.NASL
    descriptionNTPv3 and NTPv4 are vulnerable to : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974 NTP could allow a remote authenticated attacker to conduct spoofing attacks, caused by a missing key check. An attacker could exploit this vulnerability to impersonate a peer. NTP could allow a local attacker to bypass security restrictions, caused by the failure to use a constant-time memory comparison function when validating the authentication digest on incoming packets. By sending a specially crafted packet with an authentication payload, an attacker could exploit this vulnerability to conduct a timing attack to compute the value of the valid authentication digest. While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock. If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted. NTP is vulnerable to a denial of service, caused by an error when using a specially crafted packet to create a peer association with hmode > 7. An attacker could exploit this vulnerability to cause the MATCH_ASSOC() function to trigger an out-of-bounds read. NTP is vulnerable to a denial of service, caused by the failure to always check the ctl_getitem() function return value. By sending an overly large value, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the demobilization of a preemptable client association. By sending specially crafted crypto NAK packets, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets, an attacker could exploit this vulnerability to cause ntpd to crash. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets to an ephemeral peer target prior to a response being sent, a remote attacker could exploit this vulnerability to demobilize the ephemeral association. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed server packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause a false leap indication to be set. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed CRYPTO_NAK or a bad MAC packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause the autokey association to reset. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin id 102128).
    last seen2017-10-29
    modified2017-08-03
    plugin id93349
    published2016-09-08
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=93349
    titleAIX 7.1 TL 4 : ntp (IV87420) (deprecated)
  • NASL familyAIX Local Security Checks
    NASL idAIX_NTP_V4_ADVISORY7.NASL
    descriptionThe version of NTP installed on the remote AIX host is affected by the following vulnerabilities : - A time serving flaw exists in the trusted key system due to improper key checks. An authenticated, remote attacker can exploit this to perform impersonation attacks between authenticated peers. (CVE-2015-7974) - A denial of service vulnerability exists due to improper handling of a crafted Crypto NAK Packet with a source address spoofed to match that of an existing associated peer. An unauthenticated, remote attacker can exploit this to demobilize a client association. (CVE-2016-1547) - An information disclosure vulnerability exists in the message authentication functionality in libntp that is triggered during the handling of a series of specially crafted messages. An adjacent attacker can exploit this to partially recover the message digest key. (CVE-2016-1550) - A flaw exists due to improper filtering of IPv4
    last seen2020-06-01
    modified2020-06-02
    plugin id99183
    published2017-04-04
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/99183
    titleAIX NTP v4 Advisory : ntp_advisory7.asc (IV87278) (IV87279)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV87614.NASL
    descriptionNTPv3 and NTPv4 are vulnerable to : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974 NTP could allow a remote authenticated attacker to conduct spoofing attacks, caused by a missing key check. An attacker could exploit this vulnerability to impersonate a peer. NTP could allow a local attacker to bypass security restrictions, caused by the failure to use a constant-time memory comparison function when validating the authentication digest on incoming packets. By sending a specially crafted packet with an authentication payload, an attacker could exploit this vulnerability to conduct a timing attack to compute the value of the valid authentication digest. While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock. If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted. NTP is vulnerable to a denial of service, caused by an error when using a specially crafted packet to create a peer association with hmode > 7. An attacker could exploit this vulnerability to cause the MATCH_ASSOC() function to trigger an out-of-bounds read. NTP is vulnerable to a denial of service, caused by the failure to always check the ctl_getitem() function return value. By sending an overly large value, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the demobilization of a preemptable client association. By sending specially crafted crypto NAK packets, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets, an attacker could exploit this vulnerability to cause ntpd to crash. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets to an ephemeral peer target prior to a response being sent, a remote attacker could exploit this vulnerability to demobilize the ephemeral association. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed server packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause a false leap indication to be set. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed CRYPTO_NAK or a bad MAC packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause the autokey association to reset. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin id 102128).
    last seen2017-10-29
    modified2017-08-03
    plugin id93350
    published2016-09-08
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=93350
    titleAIX 5.3 TL 12 : ntp (IV87614) (deprecated)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-1278-1.NASL
    descriptionThis update for ntp to 4.2.8p7 fixes the following issues : - CVE-2016-1547, bsc#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, bsc#977461: Interleave-pivot - CVE-2016-1549, bsc#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, bsc#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, bsc#977450: Refclock impersonation vulnerability - CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, bsc#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, bsc#977458: ctl_getitem() return value not always checked. - This update also improves the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 Bugs fixed : - Restrict the parser in the startup script to the first occurrance of
    last seen2020-06-01
    modified2020-06-02
    plugin id91120
    published2016-05-13
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91120
    titleSUSE SLES11 Security Update : ntp (SUSE-SU-2016:1278-1)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201607-15.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201607-15 (NTP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in NTP. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id92485
    published2016-07-21
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92485
    titleGLSA-201607-15 : NTP: Multiple vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-1568-1.NASL
    descriptionntp was updated to version 4.2.8p8 to fix 17 security issues. These security issues were fixed : - CVE-2016-4956: Broadcast interleave (bsc#982068). - CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457). - CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458). - CVE-2016-4954: Processing spoofed server packets (bsc#982066). - CVE-2016-4955: Autokey association reset (bsc#982067). - CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a
    last seen2020-06-01
    modified2020-06-02
    plugin id91663
    published2016-06-17
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91663
    titleSUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1568-1)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV87615.NASL
    descriptionNTPv3 and NTPv4 are vulnerable to : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974 NTP could allow a remote authenticated attacker to conduct spoofing attacks, caused by a missing key check. An attacker could exploit this vulnerability to impersonate a peer. NTP could allow a local attacker to bypass security restrictions, caused by the failure to use a constant-time memory comparison function when validating the authentication digest on incoming packets. By sending a specially crafted packet with an authentication payload, an attacker could exploit this vulnerability to conduct a timing attack to compute the value of the valid authentication digest. While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock. If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted. NTP is vulnerable to a denial of service, caused by an error when using a specially crafted packet to create a peer association with hmode > 7. An attacker could exploit this vulnerability to cause the MATCH_ASSOC() function to trigger an out-of-bounds read. NTP is vulnerable to a denial of service, caused by the failure to always check the ctl_getitem() function return value. By sending an overly large value, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the demobilization of a preemptable client association. By sending specially crafted crypto NAK packets, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets, an attacker could exploit this vulnerability to cause ntpd to crash. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets to an ephemeral peer target prior to a response being sent, a remote attacker could exploit this vulnerability to demobilize the ephemeral association. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed server packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause a false leap indication to be set. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed CRYPTO_NAK or a bad MAC packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause the autokey association to reset. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin id 102128).
    last seen2017-10-29
    modified2017-08-03
    plugin id93351
    published2016-09-08
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=93351
    titleAIX 7.1 TL 3 : ntp (IV87615) (deprecated)
  • NASL familyMisc.
    NASL idNTP_4_2_8P7.NASL
    descriptionThe version of the remote NTP server is 3.x or 4.x prior to 4.2.8p7. It is, therefore, affected by the following vulnerabilities : - A denial of service vulnerability exists due to improper validation of the origin timestamp field when handling a Kiss-of-Death (KoD) packet. An unauthenticated, remote attacker can exploit this to cause a client to stop querying its servers, preventing the client from updating its clock. (CVE-2015-7704) - A flaw exists in the receive() function in ntp_proto.c that allows packets with an origin timestamp of zero to bypass security checks. An unauthenticated, remote attacker can exploit this to spoof arbitrary content. (CVE-2015-8138) - A denial of service vulnerability exists due to improper handling of a crafted Crypto NAK Packet with a source address spoofed to match that of an existing associated peer. An unauthenticated, remote attacker can exploit this to demobilize a client association. (CVE-2016-1547) - A denial of service vulnerability exists due to improper handling of packets spoofed to appear to be from a valid ntpd server. An unauthenticated, remote attacker can exploit this to cause NTP to switch from basic client/server mode to interleaved symmetric mode, causing the client to reject future legitimate responses. (CVE-2016-1548) - A race condition exists that is triggered during the handling of a saturation of ephemeral associations. An authenticated, remote attacker can exploit this to defeat NTP
    last seen2020-06-01
    modified2020-06-02
    plugin id90923
    published2016-05-05
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/90923
    titleNetwork Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p7 Multiple Vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-1291-1.NASL
    descriptionThis update for ntp to 4.2.8p7 fixes the following issues : - CVE-2016-1547, bsc#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, bsc#977461: Interleave-pivot - CVE-2016-1549, bsc#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, bsc#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, bsc#977450: Refclock impersonation vulnerability - CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, bsc#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, bsc#977458: ctl_getitem() return value not always checked. - This update also improves the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 Bugs fixed : - Restrict the parser in the startup script to the first occurrance of
    last seen2020-06-01
    modified2020-06-02
    plugin id91159
    published2016-05-16
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91159
    titleSUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1291-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-1912-1.NASL
    descriptionNTP was updated to version 4.2.8p8 to fix several security issues and to ensure the continued maintainability of the package. These security issues were fixed : CVE-2016-4953: Bad authentication demobilized ephemeral associations (bsc#982065). CVE-2016-4954: Processing spoofed server packets (bsc#982066). CVE-2016-4955: Autokey association reset (bsc#982067). CVE-2016-4956: Broadcast interleave (bsc#982068). CVE-2016-4957: CRYPTO_NAK crash (bsc#982064). CVE-2016-1547: Validate crypto-NAKs to prevent ACRYPTO-NAK DoS (bsc#977459). CVE-2016-1548: Prevent the change of time of an ntpd client or denying service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode (bsc#977461). CVE-2016-1549: Sybil vulnerability: ephemeral association attack (bsc#977451). CVE-2016-1550: Improve security against buffer comparison timing attacks (bsc#977464). CVE-2016-1551: Refclock impersonation vulnerability (bsc#977450)y CVE-2016-2516: Duplicate IPs on unconfig directives could have caused an assertion botch in ntpd (bsc#977452). CVE-2016-2517: Remote configuration trustedkey/ requestkey/controlkey values are not properly validated (bsc#977455). CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457). CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458). CVE-2015-8158: Potential Infinite Loop in ntpq (bsc#962966). CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). CVE-2015-7976: ntpq saveconfig command allowed dangerous characters in filenames (bsc#962802). CVE-2015-7975: nextvar() missing length check (bsc#962988). CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might have allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a
    last seen2020-06-01
    modified2020-06-02
    plugin id93186
    published2016-08-29
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93186
    titleSUSE SLES10 Security Update : ntp (SUSE-SU-2016:1912-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-599.NASL
    descriptionThis update for ntp to 4.2.8p7 fixes the following issues : - CVE-2016-1547, bsc#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, bsc#977461: Interleave-pivot - CVE-2016-1549, bsc#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, bsc#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, bsc#977450: Refclock impersonation vulnerability - CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, bsc#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, bsc#977458: ctl_getitem() return value not always checked. - This update also improves the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 Bugs fixed : - Restrict the parser in the startup script to the first occurrance of
    last seen2020-06-05
    modified2016-05-20
    plugin id91269
    published2016-05-20
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91269
    titleopenSUSE Security Update : ntp (openSUSE-2016-599)
  • NASL familyJunos Local Security Checks
    NASL idJUNIPER_SPACE_JSA_10826.NASL
    descriptionAccording to its self-reported version number, the version of Junos Space running on the remote device is < 17.1R1, and is therefore affected by multiple vulnerabilities.
    last seen2020-06-01
    modified2020-06-02
    plugin id104100
    published2017-10-23
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104100
    titleJuniper Junos Space < 17.1R1 Multiple Vulnerabilities (JSA10826)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_B2487D9A0C3011E6ACD0D050996490D0.NASL
    descriptionNetwork Time Foundation reports : NTF
    last seen2020-06-01
    modified2020-06-02
    plugin id90742
    published2016-04-27
    reporterThis script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/90742
    titleFreeBSD : ntp -- multiple vulnerabilities (b2487d9a-0c30-11e6-acd0-d050996490d0)

Seebug

bulletinFamilyexploit
description### SUMMARY ntpd relies on the underlying operating system to protect it from requests that impersonate reference clocks. Because reference clocks are treated like other peers and stored in the same structure, any packet with a source ip address of a reference clock (127.127.1.1 for example) that reaches the receive() function will match that reference clock's peer record and will be treated as a trusted peer. Any system that lacks the typical martian packet filtering [1] which would block these packets is in danger of having its time controlled by an attacker. The read_network_packet() function in ntp_io.c addresses this issue for IPv6 with Bug 2672, because some OS's were known to not block spoofed ::1 addresses. Some, if not all, reference clock drivers set their origin values to zero. It would be trivial to control time on a system with one of these drivers configured if these spoofed packets were not filtered. ntpd should filter IPv4 packets with the address of 127.127.x.x for proactive protection for systems that fail to implement martian packet filtering. [1] https://en.wikipedia.org/wiki/Martian_packet ### TESTED VERSIONS NTP 4.2.8p3 NTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92 ### PRODUCT URLS http://www.ntp.org/ https://www.ntpsec.org/ ### CVSSv3 Score CVSSv2: 2.6 - (AV:N/AC:H/Au:N/C:N/I:P/A:N) CVSSv3: 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N ### MITIGATION (optional) Modern Operating Systems already mitigate this vulnerability. For instances where the user can't rely on their OS to filter martian packets, they could introduce additional filtering though a firewall. ### TIMELINE * 2016-01-07 - Vulnerability disclosed to CERT * 2016-04-26 - Public Release
idSSV:96785
last seen2017-11-19
modified2017-10-26
published2017-10-26
reporterRoot
titleNetwork Time Protocol ntpd Reference Clock Impersonation Vulnerability(CVE-2016-1551)

Talos

idTALOS-2016-0132
last seen2019-05-29
published2016-04-26
reporterTalos Intelligence
sourcehttp://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0132
titleNetwork Time Protocol ntpd Reference Clock Impersonation Vulnerability