Vulnerabilities > CVE-2016-4957 - NULL Pointer Dereference vulnerability in multiple products

047910
CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
HIGH
network
low complexity
ntp
oracle
novell
suse
opensuse
CWE-476
nessus

Summary

ntpd in NTP before 4.2.8p8 allows remote attackers to cause a denial of service (daemon crash) via a crypto-NAK packet. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-1547.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyAIX Local Security Checks
    NASL idAIX_IV87939.NASL
    descriptionNTPv3 and NTPv4 are vulnerable to : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974 NTP could allow a remote authenticated attacker to conduct spoofing attacks, caused by a missing key check. An attacker could exploit this vulnerability to impersonate a peer. NTP could allow a local attacker to bypass security restrictions, caused by the failure to use a constant-time memory comparison function when validating the authentication digest on incoming packets. By sending a specially crafted packet with an authentication payload, an attacker could exploit this vulnerability to conduct a timing attack to compute the value of the valid authentication digest. While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock. If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted. NTP is vulnerable to a denial of service, caused by an error when using a specially crafted packet to create a peer association with hmode > 7. An attacker could exploit this vulnerability to cause the MATCH_ASSOC() function to trigger an out-of-bounds read. NTP is vulnerable to a denial of service, caused by the failure to always check the ctl_getitem() function return value. By sending an overly large value, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the demobilization of a preemptable client association. By sending specially crafted crypto NAK packets, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets, an attacker could exploit this vulnerability to cause ntpd to crash. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets to an ephemeral peer target prior to a response being sent, a remote attacker could exploit this vulnerability to demobilize the ephemeral association. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed server packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause a false leap indication to be set. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed CRYPTO_NAK or a bad MAC packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause the autokey association to reset. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin id 102128).
    last seen2017-10-29
    modified2017-08-03
    plugin id93352
    published2016-09-08
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=93352
    titleAIX 7.2 TL 0 : ntp (IV87939) (deprecated)
    code
    #%NASL_MIN_LEVEL 999999
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text in the description was extracted from AIX Security
    # Advisory ntp_advisory7.asc.
    #
    # @DEPRECATED@
    #
    # Disabled on 2017/07/20. Deprecated by aix_ntp_v3_advisory7.nasl.
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(93352);
      script_version("2.7");
      script_cvs_date("Date: 2018/07/20  0:18:51");
    
      script_cve_id("CVE-2015-7974", "CVE-2016-1547", "CVE-2016-1550", "CVE-2016-1551", "CVE-2016-2517", "CVE-2016-2518", "CVE-2016-2519", "CVE-2016-4953", "CVE-2016-4954", "CVE-2016-4955", "CVE-2016-4957");
    
      script_name(english:"AIX 7.2 TL 0 : ntp (IV87939) (deprecated)");
      script_summary(english:"Check for APAR IV87939");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"This plugin has been deprecated."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "NTPv3 and NTPv4 are vulnerable to :
    
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974 NTP could
    allow a remote authenticated attacker to conduct spoofing attacks,
    caused by a missing key check. An attacker could exploit this
    vulnerability to impersonate a peer. NTP could allow a local attacker
    to bypass security restrictions, caused by the failure to use a
    constant-time memory comparison function when validating the
    authentication digest on incoming packets. By sending a specially
    crafted packet with an authentication payload, an attacker could
    exploit this vulnerability to conduct a timing attack to compute the
    value of the valid authentication digest. While the majority OSes
    implement martian packet filtering in their network stack, at least
    regarding 127.0.0.0/8, a rare few will allow packets claiming to be
    from 127.0.0.0/8 that arrive over physical network. On these OSes, if
    ntpd is configured to use a reference clock an attacker can inject
    packets over the network that look like they are coming from that
    reference clock. If ntpd was expressly configured to allow for remote
    configuration, a malicious user who knows the controlkey for ntpq or
    the requestkey for ntpdc (if mode7 is expressly enabled) can create a
    session with ntpd and then send a crafted packet to ntpd that will
    change the value of the trustedkey, controlkey, or requestkey to a
    value that will prevent any subsequent authentication with ntpd until
    ntpd is restarted. NTP is vulnerable to a denial of service, caused by
    an error when using a specially crafted packet to create a peer
    association with hmode > 7. An attacker could exploit this
    vulnerability to cause the MATCH_ASSOC() function to trigger an
    out-of-bounds read. NTP is vulnerable to a denial of service, caused
    by the failure to always check the ctl_getitem() function return
    value. By sending an overly large value, an attacker could exploit
    this vulnerability to cause a denial of service. NTP is vulnerable to
    a denial of service, caused by the demobilization of a preemptable
    client association. By sending specially crafted crypto NAK packets,
    an attacker could exploit this vulnerability to cause a denial of
    service. NTP is vulnerable to a denial of service, caused by the
    improper handling of packets. By sending specially crafted CRYPTO_NAK
    packets, an attacker could exploit this vulnerability to cause ntpd to
    crash. NTP is vulnerable to a denial of service, caused by the
    improper handling of packets. By sending specially crafted CRYPTO_NAK
    packets to an ephemeral peer target prior to a response being sent, a
    remote attacker could exploit this vulnerability to demobilize the
    ephemeral association. NTP is vulnerable to a denial of service,
    caused by the improper handling of packets. By sending spoofed server
    packets with correct origin timestamps, a remote attacker could
    exploit this vulnerability to cause a false leap indication to be set.
    NTP is vulnerable to a denial of service, caused by the improper
    handling of packets. By sending spoofed CRYPTO_NAK or a bad MAC
    packets with correct origin timestamps, a remote attacker could
    exploit this vulnerability to cause the autokey association to reset.
    
    This plugin has been deprecated to better accommodate iFix
    supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin
    id 102128)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory7.asc"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"n/a"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:ibm:aix:7.2");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/09/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/09/08");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");
      script_family(english:"AIX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/AIX/lslpp", "Host/local_checks_enabled", "Host/AIX/version");
    
      exit(0);
    }
    
    exit(0, "This plugin has been deprecated. Use aix_ntp_v3_advisory7.nasl (plugin ID 102128) instead.");
    
    include("audit.inc");
    include("global_settings.inc");
    include("aix.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if ( ! get_kb_item("Host/AIX/version") ) audit(AUDIT_OS_NOT, "AIX");
    if ( ! get_kb_item("Host/AIX/lslpp") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    if ( get_kb_item("Host/AIX/emgr_failure" ) ) exit(0, "This iFix check is disabled because : "+get_kb_item("Host/AIX/emgr_failure") );
    
    flag = 0;
    
    if (aix_check_ifix(release:"7.2", ml:"00", sp:"00", patch:"IV87939m0b", package:"bos.net.tcp.ntp", minfilesetver:"7.2.0.0", maxfilesetver:"7.2.0.2") < 0) flag++;
    if (aix_check_ifix(release:"7.2", ml:"00", sp:"00", patch:"IV87939m0b", package:"bos.net.tcp.ntpd", minfilesetver:"7.2.0.0", maxfilesetver:"7.2.0.2") < 0) flag++;
    if (aix_check_ifix(release:"7.2", ml:"00", sp:"01", patch:"IV87939m0b", package:"bos.net.tcp.ntp", minfilesetver:"7.2.0.0", maxfilesetver:"7.2.0.2") < 0) flag++;
    if (aix_check_ifix(release:"7.2", ml:"00", sp:"01", patch:"IV87939m0b", package:"bos.net.tcp.ntpd", minfilesetver:"7.2.0.0", maxfilesetver:"7.2.0.2") < 0) flag++;
    if (aix_check_ifix(release:"7.2", ml:"00", sp:"02", patch:"IV87939m2a", package:"bos.net.tcp.ntp", minfilesetver:"7.2.0.0", maxfilesetver:"7.2.0.2") < 0) flag++;
    if (aix_check_ifix(release:"7.2", ml:"00", sp:"02", patch:"IV87939m2a", package:"bos.net.tcp.ntpd", minfilesetver:"7.2.0.0", maxfilesetver:"7.2.0.2") < 0) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:aix_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV87419.NASL
    descriptionNTPv3 and NTPv4 are vulnerable to : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974 NTP could allow a remote authenticated attacker to conduct spoofing attacks, caused by a missing key check. An attacker could exploit this vulnerability to impersonate a peer. NTP could allow a local attacker to bypass security restrictions, caused by the failure to use a constant-time memory comparison function when validating the authentication digest on incoming packets. By sending a specially crafted packet with an authentication payload, an attacker could exploit this vulnerability to conduct a timing attack to compute the value of the valid authentication digest. While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock. If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted. NTP is vulnerable to a denial of service, caused by an error when using a specially crafted packet to create a peer association with hmode > 7. An attacker could exploit this vulnerability to cause the MATCH_ASSOC() function to trigger an out-of-bounds read. NTP is vulnerable to a denial of service, caused by the failure to always check the ctl_getitem() function return value. By sending an overly large value, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the demobilization of a preemptable client association. By sending specially crafted crypto NAK packets, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets, an attacker could exploit this vulnerability to cause ntpd to crash. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets to an ephemeral peer target prior to a response being sent, a remote attacker could exploit this vulnerability to demobilize the ephemeral association. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed server packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause a false leap indication to be set. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed CRYPTO_NAK or a bad MAC packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause the autokey association to reset. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin id 102128).
    last seen2017-10-29
    modified2017-08-03
    plugin id93348
    published2016-09-08
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=93348
    titleAIX 6.1 TL 9 : ntp (IV87419) (deprecated)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV87420.NASL
    descriptionNTPv3 and NTPv4 are vulnerable to : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974 NTP could allow a remote authenticated attacker to conduct spoofing attacks, caused by a missing key check. An attacker could exploit this vulnerability to impersonate a peer. NTP could allow a local attacker to bypass security restrictions, caused by the failure to use a constant-time memory comparison function when validating the authentication digest on incoming packets. By sending a specially crafted packet with an authentication payload, an attacker could exploit this vulnerability to conduct a timing attack to compute the value of the valid authentication digest. While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock. If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted. NTP is vulnerable to a denial of service, caused by an error when using a specially crafted packet to create a peer association with hmode > 7. An attacker could exploit this vulnerability to cause the MATCH_ASSOC() function to trigger an out-of-bounds read. NTP is vulnerable to a denial of service, caused by the failure to always check the ctl_getitem() function return value. By sending an overly large value, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the demobilization of a preemptable client association. By sending specially crafted crypto NAK packets, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets, an attacker could exploit this vulnerability to cause ntpd to crash. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets to an ephemeral peer target prior to a response being sent, a remote attacker could exploit this vulnerability to demobilize the ephemeral association. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed server packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause a false leap indication to be set. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed CRYPTO_NAK or a bad MAC packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause the autokey association to reset. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin id 102128).
    last seen2017-10-29
    modified2017-08-03
    plugin id93349
    published2016-09-08
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=93349
    titleAIX 7.1 TL 4 : ntp (IV87420) (deprecated)
  • NASL familyAIX Local Security Checks
    NASL idAIX_NTP_V4_ADVISORY7.NASL
    descriptionThe version of NTP installed on the remote AIX host is affected by the following vulnerabilities : - A time serving flaw exists in the trusted key system due to improper key checks. An authenticated, remote attacker can exploit this to perform impersonation attacks between authenticated peers. (CVE-2015-7974) - A denial of service vulnerability exists due to improper handling of a crafted Crypto NAK Packet with a source address spoofed to match that of an existing associated peer. An unauthenticated, remote attacker can exploit this to demobilize a client association. (CVE-2016-1547) - An information disclosure vulnerability exists in the message authentication functionality in libntp that is triggered during the handling of a series of specially crafted messages. An adjacent attacker can exploit this to partially recover the message digest key. (CVE-2016-1550) - A flaw exists due to improper filtering of IPv4
    last seen2020-06-01
    modified2020-06-02
    plugin id99183
    published2017-04-04
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/99183
    titleAIX NTP v4 Advisory : ntp_advisory7.asc (IV87278) (IV87279)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV87614.NASL
    descriptionNTPv3 and NTPv4 are vulnerable to : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974 NTP could allow a remote authenticated attacker to conduct spoofing attacks, caused by a missing key check. An attacker could exploit this vulnerability to impersonate a peer. NTP could allow a local attacker to bypass security restrictions, caused by the failure to use a constant-time memory comparison function when validating the authentication digest on incoming packets. By sending a specially crafted packet with an authentication payload, an attacker could exploit this vulnerability to conduct a timing attack to compute the value of the valid authentication digest. While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock. If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted. NTP is vulnerable to a denial of service, caused by an error when using a specially crafted packet to create a peer association with hmode > 7. An attacker could exploit this vulnerability to cause the MATCH_ASSOC() function to trigger an out-of-bounds read. NTP is vulnerable to a denial of service, caused by the failure to always check the ctl_getitem() function return value. By sending an overly large value, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the demobilization of a preemptable client association. By sending specially crafted crypto NAK packets, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets, an attacker could exploit this vulnerability to cause ntpd to crash. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets to an ephemeral peer target prior to a response being sent, a remote attacker could exploit this vulnerability to demobilize the ephemeral association. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed server packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause a false leap indication to be set. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed CRYPTO_NAK or a bad MAC packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause the autokey association to reset. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin id 102128).
    last seen2017-10-29
    modified2017-08-03
    plugin id93350
    published2016-09-08
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=93350
    titleAIX 5.3 TL 12 : ntp (IV87614) (deprecated)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-727.NASL
    descriptionntp was updated to fix five security issues. These security issues were fixed : - CVE-2016-4953: Bad authentication demobilizes ephemeral associations (bsc#982065). - CVE-2016-4954: Processing spoofed server packets (bsc#982066). - CVE-2016-4955: Autokey association reset (bsc#982067). - CVE-2016-4956: Broadcast interleave (bsc#982068). - CVE-2016-4957: CRYPTO_NAK crash (bsc#982064). These non-security issues were fixed : - bsc#979302: Change the process name of the forking DNS worker process to avoid the impression that ntpd is started twice. - bsc#979981: ntp-wait does not accept fractional seconds, so use 1 instead of 0.2 in ntp-wait.service. - bsc#981422: Don
    last seen2020-06-05
    modified2016-06-16
    plugin id91630
    published2016-06-16
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/91630
    titleopenSUSE Security Update : ntp (openSUSE-2016-727)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201607-15.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201607-15 (NTP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in NTP. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id92485
    published2016-07-21
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92485
    titleGLSA-201607-15 : NTP: Multiple vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-1568-1.NASL
    descriptionntp was updated to version 4.2.8p8 to fix 17 security issues. These security issues were fixed : - CVE-2016-4956: Broadcast interleave (bsc#982068). - CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457). - CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458). - CVE-2016-4954: Processing spoofed server packets (bsc#982066). - CVE-2016-4955: Autokey association reset (bsc#982067). - CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a
    last seen2020-06-01
    modified2020-06-02
    plugin id91663
    published2016-06-17
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91663
    titleSUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1568-1)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-750.NASL
    descriptionntp was updated to version 4.2.8p8 to fix five security issues. These security issues were fixed : - CVE-2016-4953: Bad authentication demobilizes ephemeral associations (bsc#982065). - CVE-2016-4954: Processing spoofed server packets (bsc#982066). - CVE-2016-4955: Autokey association reset (bsc#982067). - CVE-2016-4956: Broadcast interleave (bsc#982068). - CVE-2016-4957: CRYPTO_NAK crash (bsc#982064). These non-security issues were fixed : - Keep the parent process alive until the daemon has finished initialisation, to make sure that the PID file exists when the parent returns. - bsc#979302: Change the process name of the forking DNS worker process to avoid the impression that ntpd is started twice. - bsc#981422: Don
    last seen2020-06-05
    modified2016-06-21
    plugin id91721
    published2016-06-21
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/91721
    titleopenSUSE Security Update : ntp (openSUSE-2016-750)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV87615.NASL
    descriptionNTPv3 and NTPv4 are vulnerable to : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974 NTP could allow a remote authenticated attacker to conduct spoofing attacks, caused by a missing key check. An attacker could exploit this vulnerability to impersonate a peer. NTP could allow a local attacker to bypass security restrictions, caused by the failure to use a constant-time memory comparison function when validating the authentication digest on incoming packets. By sending a specially crafted packet with an authentication payload, an attacker could exploit this vulnerability to conduct a timing attack to compute the value of the valid authentication digest. While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock. If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted. NTP is vulnerable to a denial of service, caused by an error when using a specially crafted packet to create a peer association with hmode > 7. An attacker could exploit this vulnerability to cause the MATCH_ASSOC() function to trigger an out-of-bounds read. NTP is vulnerable to a denial of service, caused by the failure to always check the ctl_getitem() function return value. By sending an overly large value, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the demobilization of a preemptable client association. By sending specially crafted crypto NAK packets, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets, an attacker could exploit this vulnerability to cause ntpd to crash. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets to an ephemeral peer target prior to a response being sent, a remote attacker could exploit this vulnerability to demobilize the ephemeral association. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed server packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause a false leap indication to be set. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed CRYPTO_NAK or a bad MAC packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause the autokey association to reset. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin id 102128).
    last seen2017-10-29
    modified2017-08-03
    plugin id93351
    published2016-09-08
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=93351
    titleAIX 7.1 TL 3 : ntp (IV87615) (deprecated)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2016-155-01.NASL
    descriptionNew ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id91462
    published2016-06-06
    reporterThis script is Copyright (C) 2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/91462
    titleSlackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2016-155-01)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-1602-1.NASL
    descriptionntp was updated to version 4.2.8p8 to fix five security issues. These security issues were fixed : - CVE-2016-4953: Bad authentication demobilizes ephemeral associations (bsc#982065). - CVE-2016-4954: Processing spoofed server packets (bsc#982066). - CVE-2016-4955: Autokey association reset (bsc#982067). - CVE-2016-4956: Broadcast interleave (bsc#982068). - CVE-2016-4957: CRYPTO_NAK crash (bsc#982064). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id93153
    published2016-08-29
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93153
    titleSUSE SLES11 Security Update : ntp (SUSE-SU-2016:1602-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-1563-1.NASL
    descriptionntp was updated to version 4.2.8p8 to fix five security issues. These security issues were fixed : - CVE-2016-4953: Bad authentication demobilizes ephemeral associations (bsc#982065). - CVE-2016-4954: Processing spoofed server packets (bsc#982066). - CVE-2016-4955: Autokey association reset (bsc#982067). - CVE-2016-4956: Broadcast interleave (bsc#982068). - CVE-2016-4957: CRYPTO_NAK crash (bsc#982064). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id91662
    published2016-06-17
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91662
    titleSUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1563-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-1912-1.NASL
    descriptionNTP was updated to version 4.2.8p8 to fix several security issues and to ensure the continued maintainability of the package. These security issues were fixed : CVE-2016-4953: Bad authentication demobilized ephemeral associations (bsc#982065). CVE-2016-4954: Processing spoofed server packets (bsc#982066). CVE-2016-4955: Autokey association reset (bsc#982067). CVE-2016-4956: Broadcast interleave (bsc#982068). CVE-2016-4957: CRYPTO_NAK crash (bsc#982064). CVE-2016-1547: Validate crypto-NAKs to prevent ACRYPTO-NAK DoS (bsc#977459). CVE-2016-1548: Prevent the change of time of an ntpd client or denying service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode (bsc#977461). CVE-2016-1549: Sybil vulnerability: ephemeral association attack (bsc#977451). CVE-2016-1550: Improve security against buffer comparison timing attacks (bsc#977464). CVE-2016-1551: Refclock impersonation vulnerability (bsc#977450)y CVE-2016-2516: Duplicate IPs on unconfig directives could have caused an assertion botch in ntpd (bsc#977452). CVE-2016-2517: Remote configuration trustedkey/ requestkey/controlkey values are not properly validated (bsc#977455). CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457). CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458). CVE-2015-8158: Potential Infinite Loop in ntpq (bsc#962966). CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). CVE-2015-7976: ntpq saveconfig command allowed dangerous characters in filenames (bsc#962802). CVE-2015-7975: nextvar() missing length check (bsc#962988). CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might have allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a
    last seen2020-06-01
    modified2020-06-02
    plugin id93186
    published2016-08-29
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93186
    titleSUSE SLES10 Security Update : ntp (SUSE-SU-2016:1912-1)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_7CFCEA05600A11E6A6C314DAE9D210B8.NASL
    descriptionMultiple vulnerabilities have been discovered in the NTP suite : The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that could cause ntpd to crash. [CVE-2016-4957, Reported by Nicolas Edet of Cisco] An attacker who knows the origin timestamp and can send a spoofed packet containing a CRYPTO-NAK to an ephemeral peer target before any other response is sent can demobilize that association. [CVE-2016-4953, Reported by Miroslav Lichvar of Red Hat] An attacker who is able to spoof packets with correct origin timestamps from enough servers before the expected response packets arrive at the target machine can affect some peer variables and, for example, cause a false leap indication to be set. [CVE-2016-4954, Reported by Jakub Prokes of Red Hat] An attacker who is able to spoof a packet with a correct origin timestamp before the expected response packet arrives at the target machine can send a CRYPTO_NAK or a bad MAC and cause the association
    last seen2020-06-01
    modified2020-06-02
    plugin id92927
    published2016-08-12
    reporterThis script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92927
    titleFreeBSD : FreeBSD -- Multiple ntp vulnerabilities (7cfcea05-600a-11e6-a6c3-14dae9d210b8)
  • NASL familyMisc.
    NASL idNTP_4_2_8P8.NASL
    descriptionThe version of the remote NTP server is 4.x prior to 4.2.8p8 or 4.3.x prior to 4.3.93. It is, therefore, affected by the following vulnerabilities : - A denial of service vulnerability exists when handling authentication due to improper packet timestamp checks. An unauthenticated, remote attacker can exploit this, via a specially crafted and spoofed packet, to demobilize the ephemeral associations. (CVE-2016-4953) - A flaw exists that is triggered when handling spoofed packets. An unauthenticated, remote attacker can exploit this, via specially crafted packets, to affect peer variables (e.g., cause leap indications to be set). Note that the attacker must be able to spoof packets with correct origin timestamps from servers before expected response packets arrive. (CVE-2016-4954) - A flaw exists that is triggered when handling spoofed packets. An unauthenticated, remote attacker can exploit this, via specially crafted packets, to reset autokey associations. Note that the attacker must be able to spoof packets with correct origin timestamps from servers before expected response packets arrive. (CVE-2016-4955) - A flaw exists when handling broadcast associations that allows an unauthenticated, remote attacker to cause a broadcast client to change into interleave mode. (CVE-2016-4956) - A denial of service vulnerability exists when handling CRYPTO_NAK packets that allows an unauthenticated, remote attacker to cause a crash. Note that this issue only affects versions 4.2.8p7 and 4.3.92. (CVE-2016-4957)
    last seen2020-04-30
    modified2016-06-08
    plugin id91515
    published2016-06-08
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91515
    titleNetwork Time Protocol Daemon (ntpd) 4.x < 4.2.8p8 / 4.3.x < 4.3.93 Multiple Vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-1584-1.NASL
    descriptionntp was updated to version 4.2.8p8 to fix five security issues. These security issues were fixed : - CVE-2016-4953: Bad authentication demobilizes ephemeral associations (bsc#982065). - CVE-2016-4954: Processing spoofed server packets (bsc#982066). - CVE-2016-4955: Autokey association reset (bsc#982067). - CVE-2016-4956: Broadcast interleave (bsc#982068). - CVE-2016-4957: CRYPTO_NAK crash (bsc#982064). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id91666
    published2016-06-17
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/91666
    titleSUSE SLES11 Security Update : ntp (SUSE-SU-2016:1584-1)

Seebug

bulletinFamilyexploit
description### Summary An exploitable denial of service vulnerability exists in the trap functionality of ntpd. If an ntpd instance is configured to send traps, a specially crafted network packet can be used to cause a null pointer dereference resulting in a denial of service. This vulnerability can be triggered by a remote unauthenticated attacker. ### Tested Versions * NTP 4.2.8p8 * NTPsec 0.9.3 ### Product URLs * http://www.ntp.org * http://www.ntpsec.org/ ### CVSS Scores CVSSv2: 7.1 - (AV:N/AC:M/Au:N/C:N/I:N/A:C) CVSSv3: 5.9 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H ### Details When reporting traps, the ntpd reportevent(err, peer, str) function asserts that peer != NULL if err is a "peer event". Thus if reportevent() can be called with NULL peer parameter, ntpd will abort() causing a DoS condition. ntp-4.2.8p7 introduced a variety of validity checks on crypto-NAK packets to address the nak-dos vulnerability (CVE-2016-1547). When any of these validity checks fail, ntpd reports an event to any trap receivers with: reportevent(PEVNTAUTH, peer, "Invalid_NAK"). If the source address and mode of the incoming crypto-NAK packet do not correspond to an existing peer, the peer argument will be NULL causing the INSIST(peer != NULL) assertion to fail when report_event() attempts to report the event to its trap recipients. It may also be possible to trigger reporting of a peer event without a valid peer on other code paths. For example, checkleapsec() in ntptimer.c calls: ``` report_event(PEVNT_ARMED, sys_peer, NULL); ``` If ntpd's syspeer advertises a leap second and then the host running ntpd becomes temporarily disconnected, it may be possible for checkleapsec() to be called without a valid sys_peer leading to the assertion failure above. This crash can be reliably triggered on ntp-4.2.8p8. We are reporting this defect against NTPsec 0.9.3 as well because it contains the same incorrect logic in reportevent(). However we did not attempt to exploit this vulnerability on NTPsec because triggering a call to reportevent() with a NULL peer is not as straightforward as with ntp-4.2.8p8. The fix for CRYPTO_NAK crash (CVE-2016-4957) introduced in ntp-4.2.8p8 does not address this vulnerability. Though traps are not configured in most common NTP environments, attackers can employ "Network Time Protocol Control Mode Unauthenticated Trap Information Disclosure and DDoS Amplification Vulnerability" (TALOS-2016-0203) in order to configure a trap in order to exploit this vulnerability. ### Mitigation Successful exploitation of this vulnerability requires ntpd to be configured with trap recipients. Systems can be protected by removing all "trap" commands from ntp.conf and adopting the mitigations for "Network Time Protocol Control Mode Unauthenticated Trap Information Disclosure and DDoS Amplification Vulnerability" (TALOS-2016-0203). ### Timeline * 2016-09-20 - Vendor Disclosure * 2016-11-21 - Public Release
idSSV:96649
last seen2017-11-19
modified2017-10-11
published2017-10-11
reporterRoot
titleNetwork Time Protocol Trap Crash Denial of Service Vulnerability(CVE-2016-9311)

Talos

idTALOS-2016-0204
last seen2019-05-29
published2016-11-21
reporterTalos Intelligence
sourcehttp://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0204
titleNetwork Time Protocol Trap Crash Denial of Service Vulnerability

References