Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.NTP_4_2_8P10.NASL
HistoryMar 27, 2017 - 12:00 a.m.

Network Time Protocol Daemon (ntpd) 4.x < 4.2.8p10 Multiple Vulnerabilities

2017-03-2700:00:00
This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
402
JSON

The version of the remote NTP server is 4.x prior to 4.2.8p10. It is, therefore, affected by the following vulnerabilities :

  • A denial of service vulnerability exists in the receive() function within file ntpd/ntp_proto.c due to the expected origin timestamp being cleared when a packet with a zero origin timestamp is received. An unauthenticated, remote attacker can exploit this issue, via specially crafted network packets, to reset the expected origin timestamp for a target peer, resulting in legitimate replies being dropped. (CVE-2016-9042)

  • An out-of-bounds write error exists in the mx4200_send() function within file ntpd/refclock_mx4200.c due to improper handling of the return value of the snprintf() and vsnprintf() functions. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or possibly the execution of arbitrary code.
    However, neither the researcher nor vendor could find any exploitable code path. (CVE-2017-6451)

  • A stack-based buffer overflow condition exists in the addSourceToRegistry() function within file ports/winnt/instsrv/instsrv.c due to improper validation of certain input when adding registry keys. A local attacker can exploit this to execute arbitrary code.
    (CVE-2017-6452)

  • A flaw exists due to dynamic link library (DLL) files being preloaded when they are defined in the inherited environment variable โ€˜PPSAPI_DLLSโ€™. A local attacker can exploit this, via specially crafted DLL files, to execute arbitrary code with elevated privileges.
    (CVE-2017-6455)

  • Multiple stack-based buffer overflow conditions exist in various wrappers around the ctl_putdata() function within file ntpd/ntp_control.c due to improper validation of certain input from the ntp.conf file.
    An unauthenticated, remote attacker can exploit these, by convincing a user into deploying a specially crafted ntp.conf file, to cause a denial of service condition or possibly the execution of arbitrary code.
    (CVE-2017-6458)

  • A flaw exists in the addKeysToRegistry() function within file ports/winnt/instsrv/instsrv.c when running the Windows installer due to improper termination of strings used for adding registry keys, which may cause malformed registry entries to be created. A local attacker can exploit this issue to possibly disclose sensitive memory contents. (CVE-2017-6459)

  • A stack-based buffer overflow condition exists in the reslist() function within file ntpq/ntpq-subs.c when handling server responses due to improper validation of certain input. An unauthenticated, remote attacker can exploit this, by convincing a user to connect to a malicious NTP server and by using a specially crafted server response, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-6460)

  • A stack-based buffer overflow condition exists in the datum_pts_receive() function within file ntpd/refclock_datum.c when handling handling packets from the โ€˜/dev/datumโ€™ device due to improper validation of certain input. A local attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-6462)

  • A denial of service vulnerability exists within file ntpd/ntp_config.c when handling โ€˜unpeerโ€™ configuration options. An authenticated, remote attacker can exploit this issue, via an โ€˜unpeerโ€™ option value of โ€˜0โ€™, to crash the ntpd daemon. (CVE-2017-6463)

  • A denial of service vulnerability exists when handling configuration directives. An authenticated, remote attacker can exploit this, via a malformed โ€˜modeโ€™ configuration directive, to crash the ntpd daemon.
    (CVE-2017-6464)

  • A flaw exists in the ntpq_stripquotes() function within file ntpq/libntpq.c due to the function returning an incorrect value. An unauthenticated, remote attacker can possibly exploit this to have an unspecified impact.

  • An off-by-one overflow condition exists in the oncore_receive() function in file ntpd/refclock_oncore.c that possibly allows an unauthenticated, remote attacker to have an unspecified impact.

  • A flaw exists due to certain code locations not invoking the appropriate ereallocarray() and eallocarray() functions. An unauthenticated, remote attacker can possibly exploit this to have an unspecified impact.

  • A flaw exists due to the static inclusion of unused code from the libisc, libevent, and libopts libraries. An unauthenticated, remote attacker can possibly exploit this to have an unspecified impact.

  • A security weakness exists in the Makefile due to a failure to provide compile or link flags to offer hardened security options by default.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(97988);
  script_version("1.14");
  script_cvs_date("Date: 2019/01/02 11:18:37");

  script_cve_id(
    "CVE-2016-9042",
    "CVE-2017-6451",
    "CVE-2017-6452",
    "CVE-2017-6455",
    "CVE-2017-6458",
    "CVE-2017-6459",
    "CVE-2017-6460",
    "CVE-2017-6462",
    "CVE-2017-6463",
    "CVE-2017-6464"
  );
  script_bugtraq_id(
    97045,
    97046,
    97049,
    97050,
    97051,
    97052,
    97058
  );
  script_xref(name:"CERT", value:"325339");

  script_name(english:"Network Time Protocol Daemon (ntpd) 4.x < 4.2.8p10 Multiple Vulnerabilities");
  script_summary(english:"Checks for a vulnerable NTP server.");

  script_set_attribute(attribute:"synopsis", value:
"The remote NTP server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of the remote NTP server is 4.x prior to 4.2.8p10. It is,
therefore, affected by the following vulnerabilities :

  - A denial of service vulnerability exists in the
    receive() function within file ntpd/ntp_proto.c due to
    the expected origin timestamp being cleared when a
    packet with a zero origin timestamp is received. An
    unauthenticated, remote attacker can exploit this issue,
    via specially crafted network packets, to reset the
    expected origin timestamp for a target peer, resulting
    in legitimate replies being dropped. (CVE-2016-9042)

  - An out-of-bounds write error exists in the mx4200_send()
    function within file ntpd/refclock_mx4200.c due to
    improper handling of the return value of the snprintf()
    and vsnprintf() functions. An unauthenticated, remote
    attacker can exploit this to cause a denial of service
    condition or possibly the execution of arbitrary code.
    However, neither the researcher nor vendor could find
    any exploitable code path. (CVE-2017-6451)

  - A stack-based buffer overflow condition exists in the
    addSourceToRegistry() function within file
    ports/winnt/instsrv/instsrv.c due to improper validation
    of certain input when adding registry keys. A local
    attacker can exploit this to execute arbitrary code.
    (CVE-2017-6452)

  - A flaw exists due to dynamic link library (DLL) files
    being preloaded when they are defined in the inherited
    environment variable 'PPSAPI_DLLS'. A local attacker can
    exploit this, via specially crafted DLL files, to
    execute arbitrary code with elevated privileges.
    (CVE-2017-6455)

  - Multiple stack-based buffer overflow conditions exist in
    various wrappers around the ctl_putdata() function
    within file ntpd/ntp_control.c due to improper
    validation of certain input from the ntp.conf file.
    An unauthenticated, remote attacker can exploit these,
    by convincing a user into deploying a specially
    crafted ntp.conf file, to cause a denial of service
    condition or possibly the execution of arbitrary code.
    (CVE-2017-6458)

  - A flaw exists in the addKeysToRegistry() function within
    file ports/winnt/instsrv/instsrv.c when running the
    Windows installer due to improper termination of strings
    used for adding registry keys, which may cause malformed
    registry entries to be created. A local attacker can
    exploit this issue to possibly disclose sensitive memory
    contents. (CVE-2017-6459)

  - A stack-based buffer overflow condition exists in the
    reslist() function within file ntpq/ntpq-subs.c when
    handling server responses due to improper validation of
    certain input. An unauthenticated, remote attacker can
    exploit this, by convincing a user to connect to a
    malicious NTP server and by using a specially crafted
    server response, to cause a denial of service condition
    or the execution of arbitrary code. (CVE-2017-6460)

  - A stack-based buffer overflow condition exists in the
    datum_pts_receive() function within file
    ntpd/refclock_datum.c when handling handling packets
    from the '/dev/datum' device due to improper validation
    of certain input. A local attacker can exploit this to
    cause a denial of service condition or the execution of
    arbitrary code. (CVE-2017-6462)

  - A denial of service vulnerability exists within file
    ntpd/ntp_config.c when handling 'unpeer' configuration
    options. An authenticated, remote attacker can exploit
    this issue, via an 'unpeer' option value of '0', to
    crash the ntpd daemon. (CVE-2017-6463)

  - A denial of service vulnerability exists when handling
    configuration directives. An authenticated, remote
    attacker can exploit this, via a malformed 'mode'
    configuration directive, to crash the ntpd daemon.
    (CVE-2017-6464)

  - A flaw exists in the ntpq_stripquotes() function within
    file ntpq/libntpq.c due to the function returning an
    incorrect value. An unauthenticated, remote attacker can
    possibly exploit this to have an unspecified impact.

  - An off-by-one overflow condition exists in the
    oncore_receive() function in file ntpd/refclock_oncore.c
    that possibly allows an unauthenticated, remote attacker
    to have an unspecified impact.

  - A flaw exists due to certain code locations not invoking
    the appropriate ereallocarray() and eallocarray()
    functions. An unauthenticated, remote attacker can
    possibly exploit this to have an unspecified impact.

  - A flaw exists due to the static inclusion of unused code
    from the libisc, libevent, and libopts libraries. An
    unauthenticated, remote attacker can possibly exploit
    this to have an unspecified impact.

  - A security weakness exists in the Makefile due to a
    failure to provide compile or link flags to offer
    hardened security options by default.");
  # http://support.ntp.org/bin/view/Main/SecurityNotice#March_2017_ntp_4_2_8p10_NTP_Secu
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?68156231");
  script_set_attribute(attribute:"see_also", value:"http://support.ntp.org/bin/view/Main/NtpBug3361");
  script_set_attribute(attribute:"see_also", value:"http://support.ntp.org/bin/view/Main/NtpBug3376");
  script_set_attribute(attribute:"see_also", value:"http://support.ntp.org/bin/view/Main/NtpBug3377");
  script_set_attribute(attribute:"see_also", value:"http://support.ntp.org/bin/view/Main/NtpBug3378");
  script_set_attribute(attribute:"see_also", value:"http://support.ntp.org/bin/view/Main/NtpBug3379");
  script_set_attribute(attribute:"see_also", value:"http://support.ntp.org/bin/view/Main/NtpBug3380");
  script_set_attribute(attribute:"see_also", value:"http://support.ntp.org/bin/view/Main/NtpBug3381");
  script_set_attribute(attribute:"see_also", value:"http://support.ntp.org/bin/view/Main/NtpBug3382");
  script_set_attribute(attribute:"see_also", value:"http://support.ntp.org/bin/view/Main/NtpBug3383");
  script_set_attribute(attribute:"see_also", value:"http://support.ntp.org/bin/view/Main/NtpBug3384");
  script_set_attribute(attribute:"see_also", value:"http://support.ntp.org/bin/view/Main/NtpBug3385");
  script_set_attribute(attribute:"see_also", value:"http://support.ntp.org/bin/view/Main/NtpBug3386");
  script_set_attribute(attribute:"see_also", value:"http://support.ntp.org/bin/view/Main/NtpBug3387");
  script_set_attribute(attribute:"see_also", value:"http://support.ntp.org/bin/view/Main/NtpBug3388");
  script_set_attribute(attribute:"see_also", value:"http://support.ntp.org/bin/view/Main/NtpBug3389");
  script_set_attribute(attribute:"solution", value:
"Upgrade to NTP version 4.2.8p10 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-6458");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/02/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/03/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/03/27");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ntp:ntp");
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ntp_open.nasl");
  script_require_keys("NTP/Running", "Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# Make sure NTP server is running
get_kb_item_or_exit('NTP/Running');

app_name = "NTP Server";

port = get_kb_item("Services/udp/ntp");
if (empty_or_null(port)) port = 123;

version = get_kb_item_or_exit("Services/ntp/version");
if (version == 'unknown') audit(AUDIT_UNKNOWN_APP_VER, app_name);

match = eregmatch(string:version, pattern:"([0-9a-z.]+)");
if (isnull(match) || empty_or_null(match[1])) audit(AUDIT_UNKNOWN_APP_VER, app_name);

# Paranoia check
if (report_paranoia < 2) audit(AUDIT_PARANOID);

ver = match[1];
verfields = split(ver, sep:".", keep:FALSE);
major = int(verfields[0]);
minor = int(verfields[1]);
if ('p' >< verfields[2])
{
  revpatch = split(verfields[2], sep:"p", keep:FALSE);
  rev = int(revpatch[0]);
  patch = int(revpatch[1]);
}
else
{
  rev = verfields[2];
  patch = 0;
}

# This vulnerability affects NTP 4.x < 4.2.8p10
# Check for vuln, else audit out.
if (
  (major == 4 && minor < 2) ||
  (major == 4 && minor == 2 && rev < 8) ||
  (major == 4 && minor == 2 && rev == 8 && patch < 10)
)
{
  fix = "4.2.8p10";
}
else audit(AUDIT_INST_VER_NOT_VULN, app_name, version);

report =
  '\n  Installed version : ' + version +
  '\n  Fixed version     : ' + fix +
  '\n';

security_report_v4(
  port  : port,
  proto : "udp",
  extra : report,
  severity : SECURITY_WARNING
);
exit(0);
VendorProductVersionCPE
ntpntpcpe:/a:ntp:ntp

References

Related

nessus 46
slackware 1
openvas 19
symantec 1
fedora 3
ibm 14
amazon 2
mageia 1
freebsd_advisory 1
freebsd 1
aix 1
redhat 2
centos 2
ubuntu 2
oraclelinux 3
cloudfoundry 1
debiancve 10
redhatcve 10
prion 10
cve 10
f5 7
ubuntucve 10
paloalto 1
checkpoint_advisories 1
veracode 4
talos 1
seebug 1
ics 1
apple 2
nessus
nessus
Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : ntp (SSA:2017-112-02)
2017-04-24 00:00:00
Photon OS 1.0: Ntp PHSA-2017-0010
2019-02-07 00:00:00
SUSE SLES11 Security Update : ntp (SUSE-SU-2017:1052-1)
2017-04-19 00:00:00
slackware
slackware
[slackware-security] ntp
2017-04-22 16:42:41
openvas
openvas
NTP.org 'ntpd' Multiple Denial-of-Service Vulnerabilities (Mar 2017)
2017-03-23 00:00:00
Slackware: Security Advisory (SSA:2017-112-02)
2022-04-21 00:00:00
SUSE: Security Advisory (SUSE-SU-2017:1047-1)
2021-04-19 00:00:00
symantec
symantec
SA147 : March 2017 NTP Security Vulnerabilities
2017-04-13 08:00:00
fedora
fedora
[SECURITY] Fedora 26 Update: ntp-4.2.8p10-1.fc26
2017-04-01 18:10:49
[SECURITY] Fedora 25 Update: ntp-4.2.6p5-44.fc25
2017-03-29 01:35:03
[SECURITY] Fedora 24 Update: ntp-4.2.6p5-44.fc24
2017-04-18 16:49:59
ibm
ibm
Security Bulletin: Vulnerabilities in ntp affect IBM Integrated Management Module II (IMM2) for System x, Flex and BladeCenter Systems
2023-04-14 14:32:25
Security Bulletin: Multiple vulnerabilities in ntp affect IBM Flex System Manager (FSM)
2018-06-18 01:38:11
Security Bulletin: Vulnerabilities in NTP affect IBM Chassis Management Module
2019-01-31 02:25:02
amazon
amazon
Medium: ntp
2017-04-20 05:54:00
Medium: ntp
2018-05-10 17:11:00
mageia
mageia
Updated ntp packages fix security vulnerability
2017-05-09 09:35:29
freebsd_advisory
freebsd_advisory
FreeBSD-SA-17:03.ntp
2017-04-12 00:00:00
freebsd
freebsd
FreeBSD -- Multiple vulnerabilities of ntp
2017-04-12 00:00:00
aix
aix
There are multiple vulnerabilities in NTPv3 and NTPv4 that impact AIX,There are multiple vulnerabilities in NTPv3 and NTPv4 that impact AIX.,There are multiple vulnerabilities in NTPv3 and NTPv4 that impact VIOS
2017-07-06 14:53:51
redhat
redhat
(RHSA-2018:0855) Moderate: ntp security, bug fix, and enhancement update
2018-04-10 05:02:34
(RHSA-2017:3071) Moderate: ntp security update
2017-10-26 06:19:03
centos
centos
ntp, ntpdate security update
2017-10-26 11:47:10
ntp, ntpdate, sntp security update
2018-04-26 17:47:34
ubuntu
ubuntu
NTP vulnerabilities
2017-07-05 00:00:00
NTP vulnerabilities
2019-01-23 00:00:00
oraclelinux
oraclelinux
ntp security update
2018-12-19 00:00:00
ntp security, bug fix, and enhancement update
2018-04-16 00:00:00
ntp security update
2017-10-26 00:00:00
cloudfoundry
cloudfoundry
USN-3349-1: NTP vulnerabilities | Cloud Foundry
2017-08-04 00:00:00
debiancve
debiancve
CVE-2016-9042
2018-06-04 20:29:00
CVE-2017-6455
2017-03-27 17:59:00
CVE-2017-6459
2017-03-27 17:59:00
redhatcve
redhatcve
CVE-2016-9042
2017-03-22 02:17:57
CVE-2017-6455
2017-03-24 09:21:25
CVE-2017-6460
2017-03-22 02:18:22
prion
prion
Race condition
2018-06-04 20:29:00
Code injection
2017-03-27 17:59:00
Stack overflow
2017-03-27 17:59:00
cve
cve
CVE-2016-9042
2018-06-04 20:29:00
CVE-2017-6452
2017-03-27 17:59:00
CVE-2017-6460
2017-03-27 17:59:00
f5
f5
K39041624 : NTP vulnerability CVE-2016-9042
2017-05-11 00:00:00
K31310492 : NTP vulnerability CVE-2017-6460
2017-05-08 00:00:00
K32262483 : NTP vulnerability CVE-2017-6451
2017-05-08 00:00:00
ubuntucve
ubuntucve
CVE-2017-6455
2017-03-27 00:00:00
CVE-2017-6460
2017-03-27 00:00:00
CVE-2017-6459
2017-03-27 00:00:00
paloalto
paloalto
NTP Vulnerability
2017-07-27 17:15:00
checkpoint_advisories
checkpoint_advisories
Network Time Protocol Daemon peer xmit mode Denial of Service (CVE-2017-6464)
2017-05-11 00:00:00
veracode
veracode
Denial Of Service (DoS)
2019-05-02 06:37:19
Denial Of Service (DoS)
2019-01-15 09:19:43
Arbitrary Code Execution
2020-09-21 06:30:33
talos
talos
Network Time Protocol Origin Timestamp Check Denial of Service Vulnerability
2017-03-29 00:00:00
seebug
seebug
Network Time Protocol Origin Timestamp Check Denial of Service Vulnerability(CVE-2016-9042)
2017-09-20 00:00:00
ics
ics
Siemens SIMATIC NET CP 443-1 OPC UA
2021-06-08 12:00:00
apple
apple
About the security content of macOS High Sierra 10.13
2017-09-25 00:00:00
About the security content of macOS High Sierra 10.13 - Apple Support
2020-02-06 07:51:09
JSON
Related for NTP_4_2_8P10.NASL
nessus46slackware1openvas19symantec1fedora3ibm14amazon2mageia1freebsd_advisory1freebsd1aix1redhat2centos2ubuntu2oraclelinux3cloudfoundry1debiancve10redhatcve10prion10cve10f57ubuntucve10paloalto1checkpoint_advisories1veracode4talos1seebug1ics1apple2