Vulnerabilities > CVE-2016-4954 - Race Condition vulnerability in multiple products

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
ntp
oracle
suse
opensuse
siemens
CWE-362
nessus

Summary

The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication.

Vulnerable Configurations

Part Description Count
Application
Ntp
812
Application
Suse
3
OS
Oracle
2
OS
Suse
5
OS
Opensuse
2
OS
Siemens
3
Hardware
Siemens
3

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-89E0874533.NASL
    descriptionSecurity fix for CVE-2015-8139, CVE-2016-4954, CVE-2016-4955, CVE-2016-4956 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-07-15
    plugin id92265
    published2016-07-15
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92265
    titleFedora 23 : ntp (2016-89e0874533)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2016-89e0874533.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(92265);
      script_version("2.7");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2015-8139", "CVE-2016-4954", "CVE-2016-4955", "CVE-2016-4956");
      script_xref(name:"FEDORA", value:"2016-89e0874533");
    
      script_name(english:"Fedora 23 : ntp (2016-89e0874533)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Security fix for CVE-2015-8139, CVE-2016-4954, CVE-2016-4955,
    CVE-2016-4956
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-89e0874533"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected ntp package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:ntp");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:23");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/07/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/07/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/15");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^23([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 23", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC23", reference:"ntp-4.2.6p5-41.fc23")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_WARNING,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ntp");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1125.NASL
    descriptionAccording to the versions of the ntp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ntpq in NTP before 4.2.8p7 allows remote attackers to obtain origin timestamps and then impersonate peers via unspecified vectors.(CVE-2015-8139) - NTP before 4.2.8p7 and 4.3.x before 4.3.92, when mode7 is enabled, allows remote attackers to cause a denial of service (ntpd abort) by using the same IP address multiple times in an unconfig directive.(CVE-2016-2516) - The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication.(CVE-2016-4954) - ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time.(CVE-2016-4955) - ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-1548.(CVE-2016-4956) - Buffer overflow in the legacy Datum Programmable Time Server (DPTS) refclock driver in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows local users to have unspecified impact via a crafted /dev/datum device.(CVE-2017-6462) - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote authenticated users to cause a denial of service (daemon crash) via an invalid setting in a :config directive, related to the unpeer option.(CVE-2017-6463) - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote attackers to cause a denial of service (ntpd crash) via a malformed mode configuration directive.(CVE-2017-6464) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-07-10
    plugin id101311
    published2017-07-10
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101311
    titleEulerOS 2.0 SP2 : ntp (EulerOS-SA-2017-1125)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(101311);
      script_version("3.14");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/04");
    
      script_cve_id(
        "CVE-2015-8139",
        "CVE-2016-2516",
        "CVE-2016-4954",
        "CVE-2016-4955",
        "CVE-2016-4956",
        "CVE-2017-6462",
        "CVE-2017-6463",
        "CVE-2017-6464"
      );
    
      script_name(english:"EulerOS 2.0 SP2 : ntp (EulerOS-SA-2017-1125)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the ntp packages installed, the EulerOS
    installation on the remote host is affected by the following
    vulnerabilities :
    
      - ntpq in NTP before 4.2.8p7 allows remote attackers to
        obtain origin timestamps and then impersonate peers via
        unspecified vectors.(CVE-2015-8139)
    
      - NTP before 4.2.8p7 and 4.3.x before 4.3.92, when mode7
        is enabled, allows remote attackers to cause a denial
        of service (ntpd abort) by using the same IP address
        multiple times in an unconfig directive.(CVE-2016-2516)
    
      - The process_packet function in ntp_proto.c in ntpd in
        NTP 4.x before 4.2.8p8 allows remote attackers to cause
        a denial of service (peer-variable modification) by
        sending spoofed packets from many source IP addresses
        in a certain scenario, as demonstrated by triggering an
        incorrect leap indication.(CVE-2016-4954)
    
      - ntpd in NTP 4.x before 4.2.8p8, when autokey is
        enabled, allows remote attackers to cause a denial of
        service (peer-variable clearing and association outage)
        by sending (1) a spoofed crypto-NAK packet or (2) a
        packet with an incorrect MAC value at a certain
        time.(CVE-2016-4955)
    
      - ntpd in NTP 4.x before 4.2.8p8 allows remote attackers
        to cause a denial of service (interleaved-mode
        transition and time change) via a spoofed broadcast
        packet. NOTE: this vulnerability exists because of an
        incomplete fix for CVE-2016-1548.(CVE-2016-4956)
    
      - Buffer overflow in the legacy Datum Programmable Time
        Server (DPTS) refclock driver in NTP before 4.2.8p10
        and 4.3.x before 4.3.94 allows local users to have
        unspecified impact via a crafted /dev/datum
        device.(CVE-2017-6462)
    
      - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows
        remote authenticated users to cause a denial of service
        (daemon crash) via an invalid setting in a :config
        directive, related to the unpeer option.(CVE-2017-6463)
    
      - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows
        remote attackers to cause a denial of service (ntpd
        crash) via a malformed mode configuration
        directive.(CVE-2017-6464)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1125
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?319f2a38");
      script_set_attribute(attribute:"solution", value:
    "Update the affected ntp packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2017/06/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/10");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ntp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:ntpdate");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
    
    flag = 0;
    
    pkgs = ["ntp-4.2.6p5-25.0.1.h6",
            "ntpdate-4.2.6p5-25.0.1.h6"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ntp");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2017-1124.NASL
    descriptionAccording to the versions of the ntp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ntpq in NTP before 4.2.8p7 allows remote attackers to obtain origin timestamps and then impersonate peers via unspecified vectors.i1/4^CVE-2015-8139i1/4%0 - NTP before 4.2.8p7 and 4.3.x before 4.3.92, when mode7 is enabled, allows remote attackers to cause a denial of service (ntpd abort) by using the same IP address multiple times in an unconfig directive.i1/4^CVE-2016-2516i1/4%0 - The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication.i1/4^CVE-2016-4954i1/4%0 - ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time.i1/4^CVE-2016-4955i1/4%0 - ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-1548.i1/4^CVE-2016-4956i1/4%0 - Buffer overflow in the legacy Datum Programmable Time Server (DPTS) refclock driver in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows local users to have unspecified impact via a crafted /dev/datum device.i1/4^CVE-2017-6462i1/4%0 - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote authenticated users to cause a denial of service (daemon crash) via an invalid setting in a :config directive, related to the unpeer option.i1/4^CVE-2017-6463i1/4%0 - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote attackers to cause a denial of service (ntpd crash) via a malformed mode configuration directive.i1/4^CVE-2017-6464i1/4%0 Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-05-06
    modified2017-07-10
    plugin id101310
    published2017-07-10
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101310
    titleEulerOS 2.0 SP1 : ntp (EulerOS-SA-2017-1124)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV87939.NASL
    descriptionNTPv3 and NTPv4 are vulnerable to : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974 NTP could allow a remote authenticated attacker to conduct spoofing attacks, caused by a missing key check. An attacker could exploit this vulnerability to impersonate a peer. NTP could allow a local attacker to bypass security restrictions, caused by the failure to use a constant-time memory comparison function when validating the authentication digest on incoming packets. By sending a specially crafted packet with an authentication payload, an attacker could exploit this vulnerability to conduct a timing attack to compute the value of the valid authentication digest. While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock. If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted. NTP is vulnerable to a denial of service, caused by an error when using a specially crafted packet to create a peer association with hmode > 7. An attacker could exploit this vulnerability to cause the MATCH_ASSOC() function to trigger an out-of-bounds read. NTP is vulnerable to a denial of service, caused by the failure to always check the ctl_getitem() function return value. By sending an overly large value, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the demobilization of a preemptable client association. By sending specially crafted crypto NAK packets, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets, an attacker could exploit this vulnerability to cause ntpd to crash. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets to an ephemeral peer target prior to a response being sent, a remote attacker could exploit this vulnerability to demobilize the ephemeral association. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed server packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause a false leap indication to be set. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed CRYPTO_NAK or a bad MAC packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause the autokey association to reset. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin id 102128).
    last seen2017-10-29
    modified2017-08-03
    plugin id93352
    published2016-09-08
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=93352
    titleAIX 7.2 TL 0 : ntp (IV87939) (deprecated)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV87419.NASL
    descriptionNTPv3 and NTPv4 are vulnerable to : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974 NTP could allow a remote authenticated attacker to conduct spoofing attacks, caused by a missing key check. An attacker could exploit this vulnerability to impersonate a peer. NTP could allow a local attacker to bypass security restrictions, caused by the failure to use a constant-time memory comparison function when validating the authentication digest on incoming packets. By sending a specially crafted packet with an authentication payload, an attacker could exploit this vulnerability to conduct a timing attack to compute the value of the valid authentication digest. While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock. If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted. NTP is vulnerable to a denial of service, caused by an error when using a specially crafted packet to create a peer association with hmode > 7. An attacker could exploit this vulnerability to cause the MATCH_ASSOC() function to trigger an out-of-bounds read. NTP is vulnerable to a denial of service, caused by the failure to always check the ctl_getitem() function return value. By sending an overly large value, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the demobilization of a preemptable client association. By sending specially crafted crypto NAK packets, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets, an attacker could exploit this vulnerability to cause ntpd to crash. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets to an ephemeral peer target prior to a response being sent, a remote attacker could exploit this vulnerability to demobilize the ephemeral association. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed server packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause a false leap indication to be set. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed CRYPTO_NAK or a bad MAC packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause the autokey association to reset. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin id 102128).
    last seen2017-10-29
    modified2017-08-03
    plugin id93348
    published2016-09-08
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=93348
    titleAIX 6.1 TL 9 : ntp (IV87419) (deprecated)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV87420.NASL
    descriptionNTPv3 and NTPv4 are vulnerable to : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974 NTP could allow a remote authenticated attacker to conduct spoofing attacks, caused by a missing key check. An attacker could exploit this vulnerability to impersonate a peer. NTP could allow a local attacker to bypass security restrictions, caused by the failure to use a constant-time memory comparison function when validating the authentication digest on incoming packets. By sending a specially crafted packet with an authentication payload, an attacker could exploit this vulnerability to conduct a timing attack to compute the value of the valid authentication digest. While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock. If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted. NTP is vulnerable to a denial of service, caused by an error when using a specially crafted packet to create a peer association with hmode > 7. An attacker could exploit this vulnerability to cause the MATCH_ASSOC() function to trigger an out-of-bounds read. NTP is vulnerable to a denial of service, caused by the failure to always check the ctl_getitem() function return value. By sending an overly large value, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the demobilization of a preemptable client association. By sending specially crafted crypto NAK packets, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets, an attacker could exploit this vulnerability to cause ntpd to crash. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets to an ephemeral peer target prior to a response being sent, a remote attacker could exploit this vulnerability to demobilize the ephemeral association. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed server packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause a false leap indication to be set. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed CRYPTO_NAK or a bad MAC packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause the autokey association to reset. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin id 102128).
    last seen2017-10-29
    modified2017-08-03
    plugin id93349
    published2016-09-08
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=93349
    titleAIX 7.1 TL 4 : ntp (IV87420) (deprecated)
  • NASL familyAIX Local Security Checks
    NASL idAIX_NTP_V4_ADVISORY7.NASL
    descriptionThe version of NTP installed on the remote AIX host is affected by the following vulnerabilities : - A time serving flaw exists in the trusted key system due to improper key checks. An authenticated, remote attacker can exploit this to perform impersonation attacks between authenticated peers. (CVE-2015-7974) - A denial of service vulnerability exists due to improper handling of a crafted Crypto NAK Packet with a source address spoofed to match that of an existing associated peer. An unauthenticated, remote attacker can exploit this to demobilize a client association. (CVE-2016-1547) - An information disclosure vulnerability exists in the message authentication functionality in libntp that is triggered during the handling of a series of specially crafted messages. An adjacent attacker can exploit this to partially recover the message digest key. (CVE-2016-1550) - A flaw exists due to improper filtering of IPv4
    last seen2020-06-01
    modified2020-06-02
    plugin id99183
    published2017-04-04
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/99183
    titleAIX NTP v4 Advisory : ntp_advisory7.asc (IV87278) (IV87279)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV87614.NASL
    descriptionNTPv3 and NTPv4 are vulnerable to : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974 NTP could allow a remote authenticated attacker to conduct spoofing attacks, caused by a missing key check. An attacker could exploit this vulnerability to impersonate a peer. NTP could allow a local attacker to bypass security restrictions, caused by the failure to use a constant-time memory comparison function when validating the authentication digest on incoming packets. By sending a specially crafted packet with an authentication payload, an attacker could exploit this vulnerability to conduct a timing attack to compute the value of the valid authentication digest. While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock. If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted. NTP is vulnerable to a denial of service, caused by an error when using a specially crafted packet to create a peer association with hmode > 7. An attacker could exploit this vulnerability to cause the MATCH_ASSOC() function to trigger an out-of-bounds read. NTP is vulnerable to a denial of service, caused by the failure to always check the ctl_getitem() function return value. By sending an overly large value, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the demobilization of a preemptable client association. By sending specially crafted crypto NAK packets, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets, an attacker could exploit this vulnerability to cause ntpd to crash. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets to an ephemeral peer target prior to a response being sent, a remote attacker could exploit this vulnerability to demobilize the ephemeral association. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed server packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause a false leap indication to be set. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed CRYPTO_NAK or a bad MAC packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause the autokey association to reset. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin id 102128).
    last seen2017-10-29
    modified2017-08-03
    plugin id93350
    published2016-09-08
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=93350
    titleAIX 5.3 TL 12 : ntp (IV87614) (deprecated)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-727.NASL
    descriptionntp was updated to fix five security issues. These security issues were fixed : - CVE-2016-4953: Bad authentication demobilizes ephemeral associations (bsc#982065). - CVE-2016-4954: Processing spoofed server packets (bsc#982066). - CVE-2016-4955: Autokey association reset (bsc#982067). - CVE-2016-4956: Broadcast interleave (bsc#982068). - CVE-2016-4957: CRYPTO_NAK crash (bsc#982064). These non-security issues were fixed : - bsc#979302: Change the process name of the forking DNS worker process to avoid the impression that ntpd is started twice. - bsc#979981: ntp-wait does not accept fractional seconds, so use 1 instead of 0.2 in ntp-wait.service. - bsc#981422: Don
    last seen2020-06-05
    modified2016-06-16
    plugin id91630
    published2016-06-16
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/91630
    titleopenSUSE Security Update : ntp (openSUSE-2016-727)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201607-15.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201607-15 (NTP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in NTP. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id92485
    published2016-07-21
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92485
    titleGLSA-201607-15 : NTP: Multiple vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-1568-1.NASL
    descriptionntp was updated to version 4.2.8p8 to fix 17 security issues. These security issues were fixed : - CVE-2016-4956: Broadcast interleave (bsc#982068). - CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457). - CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458). - CVE-2016-4954: Processing spoofed server packets (bsc#982066). - CVE-2016-4955: Autokey association reset (bsc#982067). - CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a
    last seen2020-06-01
    modified2020-06-02
    plugin id91663
    published2016-06-17
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91663
    titleSUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1568-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-750.NASL
    descriptionntp was updated to version 4.2.8p8 to fix five security issues. These security issues were fixed : - CVE-2016-4953: Bad authentication demobilizes ephemeral associations (bsc#982065). - CVE-2016-4954: Processing spoofed server packets (bsc#982066). - CVE-2016-4955: Autokey association reset (bsc#982067). - CVE-2016-4956: Broadcast interleave (bsc#982068). - CVE-2016-4957: CRYPTO_NAK crash (bsc#982064). These non-security issues were fixed : - Keep the parent process alive until the daemon has finished initialisation, to make sure that the PID file exists when the parent returns. - bsc#979302: Change the process name of the forking DNS worker process to avoid the impression that ntpd is started twice. - bsc#981422: Don
    last seen2020-06-05
    modified2016-06-21
    plugin id91721
    published2016-06-21
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/91721
    titleopenSUSE Security Update : ntp (openSUSE-2016-750)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV87615.NASL
    descriptionNTPv3 and NTPv4 are vulnerable to : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974 NTP could allow a remote authenticated attacker to conduct spoofing attacks, caused by a missing key check. An attacker could exploit this vulnerability to impersonate a peer. NTP could allow a local attacker to bypass security restrictions, caused by the failure to use a constant-time memory comparison function when validating the authentication digest on incoming packets. By sending a specially crafted packet with an authentication payload, an attacker could exploit this vulnerability to conduct a timing attack to compute the value of the valid authentication digest. While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock. If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted. NTP is vulnerable to a denial of service, caused by an error when using a specially crafted packet to create a peer association with hmode > 7. An attacker could exploit this vulnerability to cause the MATCH_ASSOC() function to trigger an out-of-bounds read. NTP is vulnerable to a denial of service, caused by the failure to always check the ctl_getitem() function return value. By sending an overly large value, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the demobilization of a preemptable client association. By sending specially crafted crypto NAK packets, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets, an attacker could exploit this vulnerability to cause ntpd to crash. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets to an ephemeral peer target prior to a response being sent, a remote attacker could exploit this vulnerability to demobilize the ephemeral association. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed server packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause a false leap indication to be set. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed CRYPTO_NAK or a bad MAC packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause the autokey association to reset. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin id 102128).
    last seen2017-10-29
    modified2017-08-03
    plugin id93351
    published2016-09-08
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=93351
    titleAIX 7.1 TL 3 : ntp (IV87615) (deprecated)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-50B0066B7F.NASL
    descriptionSecurity fix for CVE-2015-8139, CVE-2016-4954, CVE-2016-4955, CVE-2016-4956 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-07-14
    plugin id92095
    published2016-07-14
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92095
    titleFedora 24 : ntp (2016-50b0066b7f)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2016-155-01.NASL
    descriptionNew ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id91462
    published2016-06-06
    reporterThis script is Copyright (C) 2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/91462
    titleSlackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2016-155-01)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-1602-1.NASL
    descriptionntp was updated to version 4.2.8p8 to fix five security issues. These security issues were fixed : - CVE-2016-4953: Bad authentication demobilizes ephemeral associations (bsc#982065). - CVE-2016-4954: Processing spoofed server packets (bsc#982066). - CVE-2016-4955: Autokey association reset (bsc#982067). - CVE-2016-4956: Broadcast interleave (bsc#982068). - CVE-2016-4957: CRYPTO_NAK crash (bsc#982064). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id93153
    published2016-08-29
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93153
    titleSUSE SLES11 Security Update : ntp (SUSE-SU-2016:1602-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-1563-1.NASL
    descriptionntp was updated to version 4.2.8p8 to fix five security issues. These security issues were fixed : - CVE-2016-4953: Bad authentication demobilizes ephemeral associations (bsc#982065). - CVE-2016-4954: Processing spoofed server packets (bsc#982066). - CVE-2016-4955: Autokey association reset (bsc#982067). - CVE-2016-4956: Broadcast interleave (bsc#982068). - CVE-2016-4957: CRYPTO_NAK crash (bsc#982064). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id91662
    published2016-06-17
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91662
    titleSUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1563-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1555.NASL
    descriptionAccording to the versions of the ntp packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - It was found that when ntp is configured with rate limiting for all associations the limits are also applied to responses received from its configured sources. A remote attacker who knows the sources can cause a denial of service by preventing ntpd from accepting valid responses from its sources.(CVE-2016-7426) - ntpq in NTP before 4.2.8p7 allows remote attackers to obtain origin timestamps and then impersonate peers via unspecified vectors.(CVE-2015-8139) - A NULL pointer dereference flaw was found in the way ntpd processed
    last seen2020-06-01
    modified2020-06-02
    plugin id125008
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125008
    titleEulerOS Virtualization 3.0.1.0 : ntp (EulerOS-SA-2019-1555)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-1912-1.NASL
    descriptionNTP was updated to version 4.2.8p8 to fix several security issues and to ensure the continued maintainability of the package. These security issues were fixed : CVE-2016-4953: Bad authentication demobilized ephemeral associations (bsc#982065). CVE-2016-4954: Processing spoofed server packets (bsc#982066). CVE-2016-4955: Autokey association reset (bsc#982067). CVE-2016-4956: Broadcast interleave (bsc#982068). CVE-2016-4957: CRYPTO_NAK crash (bsc#982064). CVE-2016-1547: Validate crypto-NAKs to prevent ACRYPTO-NAK DoS (bsc#977459). CVE-2016-1548: Prevent the change of time of an ntpd client or denying service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode (bsc#977461). CVE-2016-1549: Sybil vulnerability: ephemeral association attack (bsc#977451). CVE-2016-1550: Improve security against buffer comparison timing attacks (bsc#977464). CVE-2016-1551: Refclock impersonation vulnerability (bsc#977450)y CVE-2016-2516: Duplicate IPs on unconfig directives could have caused an assertion botch in ntpd (bsc#977452). CVE-2016-2517: Remote configuration trustedkey/ requestkey/controlkey values are not properly validated (bsc#977455). CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457). CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458). CVE-2015-8158: Potential Infinite Loop in ntpq (bsc#962966). CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). CVE-2015-7976: ntpq saveconfig command allowed dangerous characters in filenames (bsc#962802). CVE-2015-7975: nextvar() missing length check (bsc#962988). CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might have allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a
    last seen2020-06-01
    modified2020-06-02
    plugin id93186
    published2016-08-29
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93186
    titleSUSE SLES10 Security Update : ntp (SUSE-SU-2016:1912-1)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_7CFCEA05600A11E6A6C314DAE9D210B8.NASL
    descriptionMultiple vulnerabilities have been discovered in the NTP suite : The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that could cause ntpd to crash. [CVE-2016-4957, Reported by Nicolas Edet of Cisco] An attacker who knows the origin timestamp and can send a spoofed packet containing a CRYPTO-NAK to an ephemeral peer target before any other response is sent can demobilize that association. [CVE-2016-4953, Reported by Miroslav Lichvar of Red Hat] An attacker who is able to spoof packets with correct origin timestamps from enough servers before the expected response packets arrive at the target machine can affect some peer variables and, for example, cause a false leap indication to be set. [CVE-2016-4954, Reported by Jakub Prokes of Red Hat] An attacker who is able to spoof a packet with a correct origin timestamp before the expected response packet arrives at the target machine can send a CRYPTO_NAK or a bad MAC and cause the association
    last seen2020-06-01
    modified2020-06-02
    plugin id92927
    published2016-08-12
    reporterThis script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92927
    titleFreeBSD : FreeBSD -- Multiple ntp vulnerabilities (7cfcea05-600a-11e6-a6c3-14dae9d210b8)
  • NASL familyMisc.
    NASL idNTP_4_2_8P8.NASL
    descriptionThe version of the remote NTP server is 4.x prior to 4.2.8p8 or 4.3.x prior to 4.3.93. It is, therefore, affected by the following vulnerabilities : - A denial of service vulnerability exists when handling authentication due to improper packet timestamp checks. An unauthenticated, remote attacker can exploit this, via a specially crafted and spoofed packet, to demobilize the ephemeral associations. (CVE-2016-4953) - A flaw exists that is triggered when handling spoofed packets. An unauthenticated, remote attacker can exploit this, via specially crafted packets, to affect peer variables (e.g., cause leap indications to be set). Note that the attacker must be able to spoof packets with correct origin timestamps from servers before expected response packets arrive. (CVE-2016-4954) - A flaw exists that is triggered when handling spoofed packets. An unauthenticated, remote attacker can exploit this, via specially crafted packets, to reset autokey associations. Note that the attacker must be able to spoof packets with correct origin timestamps from servers before expected response packets arrive. (CVE-2016-4955) - A flaw exists when handling broadcast associations that allows an unauthenticated, remote attacker to cause a broadcast client to change into interleave mode. (CVE-2016-4956) - A denial of service vulnerability exists when handling CRYPTO_NAK packets that allows an unauthenticated, remote attacker to cause a crash. Note that this issue only affects versions 4.2.8p7 and 4.3.92. (CVE-2016-4957)
    last seen2020-04-30
    modified2016-06-08
    plugin id91515
    published2016-06-08
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91515
    titleNetwork Time Protocol Daemon (ntpd) 4.x < 4.2.8p8 / 4.3.x < 4.3.93 Multiple Vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-1584-1.NASL
    descriptionntp was updated to version 4.2.8p8 to fix five security issues. These security issues were fixed : - CVE-2016-4953: Bad authentication demobilizes ephemeral associations (bsc#982065). - CVE-2016-4954: Processing spoofed server packets (bsc#982066). - CVE-2016-4955: Autokey association reset (bsc#982067). - CVE-2016-4956: Broadcast interleave (bsc#982068). - CVE-2016-4957: CRYPTO_NAK crash (bsc#982064). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id91666
    published2016-06-17
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91666
    titleSUSE SLES11 Security Update : ntp (SUSE-SU-2016:1584-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-C3BD6A3496.NASL
    descriptionSecurity fix for CVE-2015-8139, CVE-2016-4954, CVE-2016-4955, CVE-2016-4956 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-07-15
    plugin id92288
    published2016-07-15
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92288
    titleFedora 22 : ntp (2016-c3bd6a3496)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3096-1.NASL
    descriptionAanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to perform a replay attack. (CVE-2015-7973) Matt Street discovered that NTP incorrectly verified peer associations of symmetric keys. A remote attacker could use this issue to perform an impersonation attack. (CVE-2015-7974) Jonathan Gardner discovered that the NTP ntpq utility incorrectly handled memory. An attacker could possibly use this issue to cause ntpq to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2015-7975) Jonathan Gardner discovered that the NTP ntpq utility incorrectly handled dangerous characters in filenames. An attacker could possibly use this issue to overwrite arbitrary files. (CVE-2015-7976) Stephen Gray discovered that NTP incorrectly handled large restrict lists. An attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7977, CVE-2015-7978) Aanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7979) Jonathan Gardner discovered that NTP incorrectly handled origin timestamp checks. A remote attacker could use this issue to spoof peer servers. (CVE-2015-8138) Jonathan Gardner discovered that the NTP ntpq utility did not properly handle certain incorrect values. An attacker could possibly use this issue to cause ntpq to hang, resulting in a denial of service. (CVE-2015-8158) It was discovered that the NTP cronjob incorrectly cleaned up the statistics directory. A local attacker could possibly use this to escalate privileges. (CVE-2016-0727) Stephen Gray and Matthew Van Gundy discovered that NTP incorrectly validated crypto-NAKs. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1547) Miroslav Lichvar and Jonathan Gardner discovered that NTP incorrectly handled switching to interleaved symmetric mode. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1548) Matthew Van Gundy, Stephen Gray and Loganaden Velvindron discovered that NTP incorrectly handled message authentication. A remote attacker could possibly use this issue to recover the message digest key. (CVE-2016-1550) Yihan Lian discovered that NTP incorrectly handled duplicate IPs on unconfig directives. An authenticated remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2516) Yihan Lian discovered that NTP incorrectly handled certail peer associations. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2518) Jakub Prokes discovered that NTP incorrectly handled certain spoofed packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4954) Miroslav Lichvar discovered that NTP incorrectly handled certain packets when autokey is enabled. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4955) Miroslav Lichvar discovered that NTP incorrectly handled certain spoofed broadcast packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4956) In the default installation, attackers would be isolated by the NTP AppArmor profile. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id93896
    published2016-10-06
    reporterUbuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93896
    titleUbuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : ntp vulnerabilities (USN-3096-1)
  • NASL familyF5 Networks Local Security Checks
    NASL idF5_BIGIP_SOL82644737.NASL
    descriptionThe process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication. (CVE-2016-4954)
    last seen2020-06-01
    modified2020-06-02
    plugin id95971
    published2016-12-21
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/95971
    titleF5 Networks BIG-IP : NTP vulnerability (K82644737)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2016-727.NASL
    descriptionIt was discovered that ntpq and ntpdc disclosed the origin timestamp to unauthenticated clients, which could permit such clients to forge the server
    last seen2020-06-01
    modified2020-06-02
    plugin id92662
    published2016-08-02
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/92662
    titleAmazon Linux AMI : ntp (ALAS-2016-727)

References