Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.NTP_4_2_8P9.NASL
HistoryDec 06, 2016 - 12:00 a.m.

Network Time Protocol Daemon (ntpd) 4.x < 4.2.8p9 Multiple Vulnerabilities

2016-12-0600:00:00
This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
129
JSON

The version of the remote NTP server is 4.x prior to 4.2.8p9. It is, therefore, affected by the following vulnerabilities :

  • A denial of service vulnerability exists when rate limiting is configured for all associations, the limits also being applied to responses received from the configured sources. An unauthenticated, remote attacker can exploit this, by periodically sending spoofed packets, to keep rate limiting active, resulting in valid responses not being accepted by ntpd from its sources. (CVE-2016-7426)

  • A denial of service vulnerability exists in the broadcast mode replay prevention functionality. An unauthenticated, adjacent attacker can exploit this, via specially crafted broadcast mode NTP packets periodically injected into the broadcast domain, to cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers. (CVE-2016-7427)

  • A denial of service vulnerability exists in the broadcast mode poll interval functionality. An unauthenticated, adjacent attacker can exploit this, via specially crafted broadcast mode NTP packets, to cause ntpd to reject packets from a legitimate NTP broadcast server. (CVE-2016-7428)

  • A denial of service vulnerability exists when receiving server responses on sockets that correspond to different interfaces than what were used in the request. An unauthenticated, remote attacker can exploit this, by sending repeated requests using specially crafted packets with spoofed source addresses, to cause ntpd to select the incorrect interface for the source, which prevents it from sending new requests until the interface list is refreshed. This eventually results in preventing ntpd from synchronizing with the source.
    (CVE-2016-7429)

  • A flaw exists that allows packets with an origin timestamp of zero to bypass security checks. An unauthenticated, remote attacker can exploit this to spoof arbitrary content. (CVE-2016-7431)

  • A flaw exists due to the root delay being included twice, which may result in the jitter value being higher than expected. An unauthenticated, remote attacker can exploit this to cause a denial of service condition.
    (CVE-2016-7433)

  • A denial of service vulnerability exists when handling specially crafted mrulist query packets that allows an unauthenticated, remote attacker to crash ntpd.
    (CVE-2016-7434)

  • A flaw exists in the control mode (mode 6) functionality when handling specially crafted control mode packets. An unauthenticated, adjacent attacker can exploit this to set or disable ntpd traps, resulting in the disclosure of potentially sensitive information, disabling of legitimate monitoring, or DDoS amplification.
    (CVE-2016-9310)

  • A NULL pointer dereference flaw exists in the report_event() function within file ntpd/ntp_control.c when the trap service handles certain peer events. An unauthenticated, remote attacker can exploit this, via a specially crafted packet, to cause a denial of service condition. (CVE-2016-9311)

  • A denial of service vulnerability exists when handling oversize UDP packets that allows an unauthenticated, remote attacker to crash ntpd. Note that this vulnerability only affects Windows versions.
    (CVE-2016-9312)

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(95575);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/27");

  script_cve_id(
    "CVE-2016-7426",
    "CVE-2016-7427",
    "CVE-2016-7428",
    "CVE-2016-7429",
    "CVE-2016-7431",
    "CVE-2016-7433",
    "CVE-2016-7434",
    "CVE-2016-9310",
    "CVE-2016-9311",
    "CVE-2016-9312"
  );
  script_bugtraq_id(
    94444,
    94446,
    94447,
    94448,
    94450,
    94451,
    94452,
    94453,
    94454,
    94455
  );
  script_xref(name:"CERT", value:"633847");

  script_name(english:"Network Time Protocol Daemon (ntpd) 4.x < 4.2.8p9 Multiple Vulnerabilities");
  script_summary(english:"Checks for a vulnerable NTP server.");

  script_set_attribute(attribute:"synopsis", value:
"The remote NTP server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The version of the remote NTP server is 4.x prior to 4.2.8p9. It is,
therefore, affected by the following vulnerabilities :

  - A denial of service vulnerability exists when rate
    limiting is configured for all associations, the limits
    also being applied to responses received from the
    configured sources. An unauthenticated, remote attacker
    can exploit this, by periodically sending spoofed
    packets, to keep rate limiting active, resulting in
    valid responses not being accepted by ntpd from its
    sources. (CVE-2016-7426)

  - A denial of service vulnerability exists in the
    broadcast mode replay prevention functionality. An
    unauthenticated, adjacent attacker can exploit this, via
    specially crafted broadcast mode NTP packets
    periodically injected into the broadcast domain, to
    cause ntpd to reject broadcast mode packets from
    legitimate NTP broadcast servers. (CVE-2016-7427)

  - A denial of service vulnerability exists in the
    broadcast mode poll interval functionality. An
    unauthenticated, adjacent attacker can exploit this, via
    specially crafted broadcast mode NTP packets, to cause
    ntpd to reject packets from a legitimate NTP broadcast
    server. (CVE-2016-7428)

  - A denial of service vulnerability exists when receiving
    server responses on sockets that correspond to different
    interfaces than what were used in the request. An
    unauthenticated, remote attacker can exploit this, by
    sending repeated requests using specially crafted
    packets with spoofed source addresses, to cause ntpd
    to select the incorrect interface for the source, which
    prevents it from sending new requests until the
    interface list is refreshed. This eventually results in
    preventing ntpd from synchronizing with the source.
    (CVE-2016-7429)

  - A flaw exists that allows packets with an origin
    timestamp of zero to bypass security checks. An
    unauthenticated, remote attacker can exploit this to
    spoof arbitrary content. (CVE-2016-7431)

  - A flaw exists due to the root delay being included
    twice, which may result in the jitter value being higher
    than expected. An unauthenticated, remote attacker can
    exploit this to cause a denial of service condition.
    (CVE-2016-7433)

  - A denial of service vulnerability exists when handling
    specially crafted mrulist query packets that allows an
    unauthenticated, remote attacker to crash ntpd.
    (CVE-2016-7434)

  - A flaw exists in the control mode (mode 6) functionality
    when handling specially crafted control mode packets. An
    unauthenticated, adjacent attacker can exploit this to
    set or disable ntpd traps, resulting in the disclosure
    of potentially sensitive information, disabling of
    legitimate monitoring, or DDoS amplification.
    (CVE-2016-9310)

  - A NULL pointer dereference flaw exists in the
    report_event() function within file ntpd/ntp_control.c
    when the trap service handles certain peer events. An
    unauthenticated, remote attacker can exploit this, via
    a specially crafted packet, to cause a denial of service
    condition. (CVE-2016-9311)

  - A denial of service vulnerability exists when handling
    oversize UDP packets that allows an unauthenticated,
    remote attacker to crash ntpd. Note that this
    vulnerability only affects Windows versions.
    (CVE-2016-9312)");
  # http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?08645c8c");
  script_set_attribute(attribute:"see_also", value:"http://support.ntp.org/bin/view/Main/NtpBug3067");
  script_set_attribute(attribute:"see_also", value:"http://support.ntp.org/bin/view/Main/NtpBug3071");
  script_set_attribute(attribute:"see_also", value:"http://support.ntp.org/bin/view/Main/NtpBug3072");
  script_set_attribute(attribute:"see_also", value:"http://support.ntp.org/bin/view/Main/NtpBug3082");
  script_set_attribute(attribute:"see_also", value:"http://support.ntp.org/bin/view/Main/NtpBug3102");
  script_set_attribute(attribute:"see_also", value:"http://support.ntp.org/bin/view/Main/NtpBug3110");
  script_set_attribute(attribute:"see_also", value:"http://support.ntp.org/bin/view/Main/NtpBug3113");
  script_set_attribute(attribute:"see_also", value:"http://support.ntp.org/bin/view/Main/NtpBug3114");
  script_set_attribute(attribute:"see_also", value:"http://support.ntp.org/bin/view/Main/NtpBug3118");
  script_set_attribute(attribute:"see_also", value:"http://support.ntp.org/bin/view/Main/NtpBug3119");
  script_set_attribute(attribute:"solution", value:
"Upgrade to NTP version 4.2.8p9 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-9311");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/11/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/11/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/12/06");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ntp:ntp");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ntp_open.nasl");
  script_require_keys("NTP/Running", "Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# Make sure NTP server is running
get_kb_item_or_exit('NTP/Running');

app_name = "NTP Server";

port = get_kb_item("Services/udp/ntp");
if (empty_or_null(port)) port = 123;

version = get_kb_item_or_exit("Services/ntp/version");
if (version == 'unknown') audit(AUDIT_UNKNOWN_APP_VER, app_name);

match = eregmatch(string:version, pattern:"([0-9a-z.]+)");
if (isnull(match) || empty_or_null(match[1])) audit(AUDIT_UNKNOWN_APP_VER, app_name);

# Paranoia check
if (report_paranoia < 2) audit(AUDIT_PARANOID);

ver = match[1];
verfields = split(ver, sep:".", keep:FALSE);
major = int(verfields[0]);
minor = int(verfields[1]);
if ('p' >< verfields[2])
{
  revpatch = split(verfields[2], sep:"p", keep:FALSE);
  rev = int(revpatch[0]);
  patch = int(revpatch[1]);
}
else
{
  rev = verfields[2];
  patch = 0;
}

# This vulnerability affects NTP 4.x < 4.2.8p9
# Check for vuln, else audit out.
if (
  (major == 4 && minor < 2) ||
  (major == 4 && minor == 2 && rev < 8) ||
  (major == 4 && minor == 2 && rev == 8 && patch < 9)
)
{
  fix = "4.2.8p9";
}
else audit(AUDIT_INST_VER_NOT_VULN, app_name, version);

report =
  '\n  Installed version : ' + version +
  '\n  Fixed version     : ' + fix +
  '\n';

security_report_v4(
  port  : port,
  proto : "udp",
  extra : report,
  severity : SECURITY_HOLE
);
exit(0);
VendorProductVersionCPE
ntpntpcpe:/a:ntp:ntp

References

Related

nessus 45
slackware 1
symantec 1
freebsd 2
openvas 28
cert 1
ibm 18
archlinux 1
huawei 1
freebsd_advisory 1
cisco 1
fedora 3
oraclelinux 4
f5 6
amazon 2
redhat 1
centos 1
aix 1
mageia 1
ubuntu 2
cloudfoundry 1
myhack58 3
checkpoint_advisories 2
debiancve 10
exploitpack 1
thn 1
seebug 6
redhatcve 10
prion 10
ubuntucve 11
cve 10
zdt 1
hackerone 1
veracode 4
packetstorm 1
threatpost 1
talos 5
nessus
nessus
Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : ntp (SSA:2016-326-01)
2016-11-22 00:00:00
FreeBSD : ntp -- multiple vulnerabilities (8db8d62a-b08b-11e6-8eba-d050996490d0)
2016-11-23 00:00:00
Photon OS 1.0: Ntpstat PHSA-2017-0003
2019-02-07 00:00:00
slackware
slackware
[slackware-security] ntp
2016-11-21 19:25:10
symantec
symantec
SA139 : November 2016 NTP Security Vulnerabilities
2017-01-12 08:00:00
freebsd
freebsd
ntp -- multiple vulnerabilities
2016-11-21 00:00:00
FreeBSD -- Multiple vulnerabilities of ntp
2016-12-22 00:00:00
openvas
openvas
Slackware: Security Advisory (SSA:2016-326-01)
2022-04-21 00:00:00
NTP.org 'ntpd' 4.0.90 - 4.2.8p8, 4.3.0 - 4.3.93 Multiple Vulnerabilities (Nov 2016)
2016-06-03 00:00:00
SUSE: Security Advisory (SUSE-SU-2016:3195-1)
2021-04-19 00:00:00
cert
cert
NTP.org ntpd contains multiple denial of service vulnerabilities
2016-11-21 00:00:00
ibm
ibm
Security Bulletin: Vulnerabilities in NTP affect IBM Flex System Chassis Management Module (CMM)
2019-01-31 02:25:02
Security Bulletin: Multiple vulnerabilities in Network Time Protocol (NTP) affect WebSphere DataPower XC10 Appliance
2018-06-15 07:07:23
Security Bulletin: Multiple vulnerabilities in NTP affect IBM Security Network Protection
2018-06-16 21:50:34
archlinux
archlinux
[ASA-201611-28] ntp: multiple issues
2016-11-26 00:00:00
huawei
huawei
Security Advisory - Multiple NTPd Vulnerabilities in Huawei Products
2017-11-29 00:00:00
freebsd_advisory
freebsd_advisory
FreeBSD-SA-16:39.ntp
2016-12-22 00:00:00
cisco
cisco
Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: November 2016
2016-11-23 16:00:00
fedora
fedora
[SECURITY] Fedora 23 Update: ntp-4.2.6p5-43.fc23
2016-12-08 03:20:50
[SECURITY] Fedora 25 Update: ntp-4.2.6p5-43.fc25
2016-12-08 03:53:53
[SECURITY] Fedora 24 Update: ntp-4.2.6p5-43.fc24
2016-12-07 20:21:32
oraclelinux
oraclelinux
ntp security update
2017-02-06 00:00:00
ntp security, bug fix, and enhancement update
2018-04-16 00:00:00
ntp security update
2017-10-26 00:00:00
f5
f5
K80996302 : Multiple NTP vulnerabilities
2016-12-16 00:00:00
K63326092 : NTP vulnerability CVE-2016-7434
2016-11-29 00:00:00
SOL63326092 - NTP vulnerability CVE-2016-7434
2016-11-29 00:00:00
amazon
amazon
Medium: ntp
2017-01-04 17:00:00
Medium: ntp
2018-05-10 17:11:00
redhat
redhat
(RHSA-2017:0252) Moderate: ntp security update
2017-02-06 03:59:03
centos
centos
ntp, ntpdate, sntp security update
2017-02-06 11:25:17
aix
aix
There are multiple vulnerabilities in NTPv3 and NTPv4 that impact AIX.
2017-02-13 15:32:47
mageia
mageia
Updated ntp packages fix security vulnerabilities
2016-12-08 10:33:24
ubuntu
ubuntu
NTP vulnerabilities
2017-07-05 00:00:00
NTP vulnerabilities
2019-01-23 00:00:00
cloudfoundry
cloudfoundry
USN-3349-1: NTP vulnerabilities | Cloud Foundry
2017-08-04 00:00:00
myhack58
myhack58
Doing things the NTP----CVE-2016-7434 vulnerability analysis-vulnerability warning-the black bar safety net
2016-12-03 00:00:00
Doing things the NTP----CVE-2016-7434 vulnerability analysis-vulnerability warning-the black bar safety net
2016-12-03 00:00:00
NTPD denial of service vulnerability, CVE-2016-7434 analysis-vulnerability warning-the black bar safety net
2016-12-17 00:00:00
checkpoint_advisories
checkpoint_advisories
Network Time Protocol Windows Daemon getEndptFromIoCtx Denial of Service (CVE-2016-9312)
2017-01-10 00:00:00
NTP Daemon _IO_str_init_static_internal Denial of Service (CVE-2016-7434)
2016-11-23 00:00:00
debiancve
debiancve
CVE-2016-9312
2017-01-13 16:59:00
CVE-2016-7434
2017-01-13 16:59:00
CVE-2016-7427
2017-01-13 16:59:00
exploitpack
exploitpack
NTP 4.2.8p8 - Denial of Service
2016-11-21 00:00:00
thn
thn
NTP DoS Exploit Released — Update Your Servers to Patch 10 Flaws
2016-11-22 22:49:00
seebug
seebug
ntpd remote pre-auth DoS (CVE-2016-7434)
2016-11-23 00:00:00
Network Time Protocol Broadcast Mode Replay Prevention Denial of Service Vulnerability(CVE-2016-7427)
2017-10-11 00:00:00
Network Time Protocol Broadcast Mode Poll Interval Enforcement Denial of Service Vulnerability(CVE-2016-7428)
2017-10-11 00:00:00
redhatcve
redhatcve
CVE-2016-9312
2017-01-04 08:47:26
CVE-2016-7434
2016-11-22 10:47:41
CVE-2016-7429
2016-11-22 11:17:39
prion
prion
Code injection
2017-01-13 16:59:00
Design/Logic Flaw
2017-01-13 16:59:00
Code injection
2017-01-13 16:59:00
ubuntucve
ubuntucve
CVE-2016-9312
2017-01-13 00:00:00
CVE-2016-7434
2017-01-13 00:00:00
CVE-2016-7433
2017-01-13 00:00:00
cve
cve
CVE-2016-9312
2017-01-13 16:59:00
CVE-2016-7427
2017-01-13 16:59:00
CVE-2016-7428
2017-01-13 16:59:00
zdt
zdt
NTP 4.2.8p8 - Denial of Service Exploit
2016-11-23 00:00:00
hackerone
hackerone
Internet Bug Bounty: ntpd: read_mru_list() does inadequate incoming packet checks
2016-06-25 21:36:45
veracode
veracode
Denial Of Service (DoS)
2019-05-02 06:30:44
Denial Of Service (DoS)
2019-01-15 09:15:56
Denial Of Service (DoS)
2019-05-02 06:30:44
packetstorm
packetstorm
ntpd 4.2.7.p22 / 4.3.0 Denial Of Service
2016-11-22 00:00:00
threatpost
threatpost
Exploit Code Released for NTP Vulnerability
2016-11-22 10:30:41
talos
talos
Network Time Protocol Broadcast Mode Replay Prevention Denial of Service Vulnerability
2016-11-21 00:00:00
Network Time Protocol Broadcast Mode Poll Interval Enforcement Denial of Service Vulnerability
2016-11-21 00:00:00
Network Time Protocol Origin Timestamp Check Denial of Service Vulnerability
2017-03-29 00:00:00
JSON
Related for NTP_4_2_8P9.NASL
nessus45slackware1symantec1freebsd2openvas28cert1ibm18archlinux1huawei1freebsd_advisory1cisco1fedora3oraclelinux4f56amazon2redhat1centos1aix1mageia1ubuntu2cloudfoundry1myhack583checkpoint_advisories2debiancve10exploitpack1thn1seebug6redhatcve10prion10ubuntucve11cve10zdt1hackerone1veracode4packetstorm1threatpost1talos5