Executive Summary

Summary
Title: NTP.org ntpd contains multiple denial of service vulnerabilities

Information
Name: VU#633847                 First vendor publication: 2016-11-21
Vendor: VU-CERT                 Last vendor modification: 2016-11-21
Severity (vendor): N/A          Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA                  Environmental score: NA
Impact subscore: NA             Temporal score: NA
Exploitability subscore: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
CVSS base score: 7.1            Attack range: Network
CVSS impact score: 6.9          Attack complexity: Medium
CVSS exploit score: 8.6         Authentication: None required

Detail

Vulnerability Note VU#633847

NTP.org ntpd contains multiple denial of service vulnerabilities

Original Release date: 21 Nov 2016 | Last revised: 21 Nov 2016

Overview

NTP.org ntpd prior to 4.2.8p9 contains multiple denial of service vulnerabilities.

Description

NTP.org's ntpd prior to version 4.2.8p9 contains multiple denial of service vulnerabilities.

CWE-476: NULL Pointer Dereference - CVE-2016-9311

According to NTP.org, "ntpd does not enable trap service by default. If trap service has been explicitly enabled, an attacker can send a specially crafted packet to cause a null pointer dereference that will crash ntpd, resulting in a denial of service. Affects Windows only."

CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2016-9310

According to NTP.org, "An exploitable configuration modification vulnerability exists in the control mode (mode 6) functionality of ntpd. If, against long-standing BCP recommendations, "restrict default noquery ..." is not specified, a specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, disabling legitimate monitoring. A remote, unauthenticated, network attacker can trigger this vulnerability."

CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2016-7427

According to NTP.org, "The broadcast mode of NTP is expected to only be used in a trusted network. If the broadcast network is accessible to an attacker, a potentially exploitable denial of service vulnerability in ntpd's broadcast mode replay prevention functionality can be abused. An attacker with access to the NTP broadcast domain can periodically inject specially crafted broadcast mode NTP packets into the broadcast domain which, while being logged by ntpd, can cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers."


CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2016-7428

According to NTP.org, "The broadcast mode of NTP is expected to only be used in a trusted network. If the broadcast network is accessible to an attacker, a potentially exploitable denial of service vulnerability in ntpd's broadcast mode poll interval enforcement functionality can be abused. To limit abuse, ntpd restricts the rate at which each broadcast association will process incoming packets. ntpd will reject broadcast mode packets that arrive before the poll interval specified in the preceding broadcast packet expires. An attacker with access to the NTP broadcast domain can send specially crafted broadcast mode NTP packets to the broadcast domain which, while being logged by ntpd, will cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers."

CWE-410: Insufficient Resource Pool - CVE-2016-9312

According to NTP.org, "If a vulnerable instance of ntpd on Windows receives a crafted malicious packet that is "too big", ntpd will stop working."

CWE-20: Improper Input Validation - CVE-2016-7431

According to NTP.org, "Zero Origin timestamp problems were fixed by Bug 2945 in ntp-4.2.8p6. However, subsequent timestamp validation checks introduced a regression in the handling of some Zero origin timestamp checks."

CWE-20: Improper Input Validation - CVE-2016-7434

According to NTP.org, "If ntpd is configured to allow mrulist query requests from a server that sends a crafted malicious packet, ntpd will crash on receipt of that crafted malicious mrulist query packet."

CWE-605: Multiple Binds to the Same Port - CVE-2016-7429

According to NTP.org, "When ntpd receives a server response on a socket that corresponds to a different interface than was used for the request, the peer structure is updated to use the interface for new requests. If ntpd is running on a host with multiple interfaces in separate networks and the operating system doesn't check source address in received packets (e.g. rp_filter on Linux is set to 0), an attacker that knows the address of the source can send a packet with spoofed source address which will cause ntpd to select wrong interface for the source and prevent it from sending new requests until the list of interfaces is refreshed, which happens on routing changes or every 5 minutes by default. If the attack is repeated often enough (once per second), ntpd will not be able to synchronize with the source."

CWE-410: Insufficient Resource Pool - CVE-2016-7426

According to NTP.org, "When ntpd is configured with rate limiting for all associations (restrict default limited in ntp.conf), the limits are applied also to responses received from its configured sources. An attacker who knows the sources (e.g., from an IPv4 refid in server response) and knows the system is (mis)configured in this way can periodically send packets with spoofed source address to keep the rate limiting activated and prevent ntpd from accepting valid responses from its sources."

CWE-682: Incorrect Calculation - CVE-2016-7433

According to NTP.org, "Bug 2085 described a condition where the root delay was included twice, causing the jitter value to be higher than expected. Due to a misinterpretation of a small-print variable in The Book, the fix for this problem was incorrect, resulting in a root distance that did not include the peer dispersion. The calculations and formulae have been reviewed and reconciled, and the code has been updated accordingly."

For more information, please see NTP.org's security advisory.

The CVSS score below is based on CVE-2016-9312.

Impact

A remote unauthenticated attacker may be able to perform a denial of service on ntpd.

Solution

Implement BCP-38.

Use "restrict default noquery ..." in your ntp.conf file. Only allow mode 6 queries from trusted networks and hosts.

Apply an update

Upgrade to 4.2.8p9, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.

Monitor ntpd

Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running.
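As an added check (not code from the CERT note or from NTP.org), the POSIX sh function below audits an ntp.conf for the two "restrict default" conditions the note ties to CVE-2016-9310 (no noquery, so mode 6 queries are answered for anyone) and CVE-2016-7426 (limited on the default restriction, which also throttles replies from the daemon's own sources). The two sample configurations, the 192.0.2.0/24 management network and the temporary file paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added check, not code from the CERT note or from NTP.org: audit an ntp.conf for
# the two "restrict default" conditions the note names as preconditions.
#   no noquery -> mode 6 control queries answered for any client (CVE-2016-9310)
#   limited    -> rate limit also hits replies from configured sources (CVE-2016-7426)
# Exit status: 0 = no finding, 1 = at least one finding (details on stdout).
audit_ntp_conf() {
    conf="$1"
    rc=0
    # Drop comments and collapse whitespace so flags can be matched as words.
    norm=$(sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' \
               -e 's/^ //' -e 's/ $//' "$conf")
    # Keep "restrict default", "restrict -4 default" and "restrict -6 default".
    defaults=$(printf '%s\n' "$norm" | grep -E '^restrict( -[46])? default( |$)' || true)
    if [ -z "$defaults" ]; then
        echo "$conf: no 'restrict default' line, so any client may send mode 6 queries"
        return 1
    fi
    # Every default line must carry noquery; one open address family is enough to flag.
    if printf '%s\n' "$defaults" | grep -Ev '(^| )noquery( |$)' >/dev/null; then
        echo "$conf: 'restrict default' without noquery (mode 6 open, CVE-2016-9310)"
        rc=1
    fi
    if printf '%s\n' "$defaults" | grep -E '(^| )limited( |$)' >/dev/null; then
        echo "$conf: 'restrict default ... limited' also throttles the daemon's own sources (CVE-2016-7426)"
        rc=1
    fi
    return $rc
}
# Constructed sample configurations (not taken from the advisory): one following
# the note's recommendation, one with the open default it warns against.
NTP_TMP=$(mktemp -d)
GOOD_CONF="$NTP_TMP/hardened.conf"
BAD_CONF="$NTP_TMP/open.conf"
cat > "$GOOD_CONF" <<'EOF'
# mode 6 queries only from localhost and the (constructed) management network
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
server 0.pool.ntp.org iburst
EOF
cat > "$BAD_CONF" <<'EOF'
restrict default limited kod nomodify notrap nopeer   # noquery missing
server 0.pool.ntp.org iburst
EOF
for f in "$GOOD_CONF" "$BAD_CONF"; do
    if audit_ntp_conf "$f"; then echo "$f: no findings"; fi
done
```

Run it against /etc/ntp.conf on a host running a pre-4.2.8p9 ntpd; a non-zero exit marks a configuration that leaves one of the preconditions above in place.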

Vendor Information

Vendor                          Status         Date Notified   Date Updated
NTP Project                     Affected       -               18 Nov 2016
CoreOS                          Not Affected   21 Nov 2016     21 Nov 2016
ACCESS                          Unknown        21 Nov 2016     21 Nov 2016
Alcatel-Lucent                  Unknown        21 Nov 2016     21 Nov 2016
Apple                           Unknown        21 Nov 2016     21 Nov 2016
Arch Linux                      Unknown        21 Nov 2016     21 Nov 2016
Arista Networks, Inc.           Unknown        21 Nov 2016     21 Nov 2016
Aruba Networks                  Unknown        21 Nov 2016     21 Nov 2016
AT&T                            Unknown        21 Nov 2016     21 Nov 2016
Avaya, Inc.                     Unknown        21 Nov 2016     21 Nov 2016
Barracuda Networks              Unknown        21 Nov 2016     21 Nov 2016
Belkin, Inc.                    Unknown        21 Nov 2016     21 Nov 2016
Blue Coat Systems               Unknown        21 Nov 2016     21 Nov 2016
Brocade Communication Systems   Unknown        21 Nov 2016     21 Nov 2016
CA Technologies                 Unknown        21 Nov 2016     21 Nov 2016

CVSS Metrics

Group          Score   Vector
Base           7.8     AV:N/AC:L/Au:N/C:N/I:N/A:C
Temporal       6.1     E:POC/RL:OF/RC:C
Environmental  6.1     CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

  • http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se
  • nwtime.org/ntp428p9_release

Credit

NTP.org thanks Matthew Van Gundy of Cisco, Robert Pajak, Sharon Goldberg and Aanchal Malhotra of Boston University, Magnus Stubman, Miroslav Lichvar of Red Hat, and Brian Utterback of Oracle for reporting these vulnerabilities.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7429, CVE-2016-7431, CVE-2016-7433, CVE-2016-7434, CVE-2016-9310, CVE-2016-9312
  • Date Public: 21 Nov 2016
  • Date First Published: 21 Nov 2016
  • Date Last Updated: 21 Nov 2016
  • Document Revision: 22

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

URL: http://www.kb.cert.org/vuls/id/633847

CWE : Common Weakness Enumeration

  %    ID       Name
 40 %  CWE-400  Uncontrolled Resource Consumption ('Resource Exhaustion')
 20 %  CWE-20   Improper Input Validation
 10 %  CWE-682  Incorrect Calculation
 10 %  CWE-476  NULL Pointer Dereference
 10 %  CWE-399  Resource Management Errors
 10 %  CWE-18   Source Code

CPE : Common Platform Enumeration

Type         Description    Count
Application 1
Application 899
Os 1
Os 2
Os 2
Os 4
Os 5
Os 3
Os 2

Snort® IPS/IDS

Date Description
2017-01-04 ntpd mrulist control message command null pointer dereference attempt
RuleID : 40897 - Revision : 3 - Type : SERVER-OTHER
2016-12-29 ntpd mrulist control message command null pointer dereference attempt
RuleID : 40864 - Revision : 3 - Type : SERVER-OTHER
2016-12-29 ntpd mrulist control message command null pointer dereference attempt
RuleID : 40863 - Revision : 3 - Type : SERVER-OTHER
2016-12-29 ntpd mrulist control message command null pointer dereference attempt
RuleID : 40862 - Revision : 3 - Type : SERVER-OTHER
2016-12-29 ntpd mrulist control message command null pointer dereference attempt
RuleID : 40861 - Revision : 3 - Type : SERVER-OTHER
2016-12-29 ntpd mrulist control message command null pointer dereference attempt
RuleID : 40860 - Revision : 3 - Type : SERVER-OTHER
2016-12-29 ntpd mrulist control message command null pointer dereference attempt
RuleID : 40859 - Revision : 3 - Type : SERVER-OTHER
2016-12-29 ntpd mrulist control message command null pointer dereference attempt
RuleID : 40858 - Revision : 3 - Type : SERVER-OTHER
2016-12-29 ntpd mrulist control message command null pointer dereference attempt
RuleID : 40857 - Revision : 3 - Type : SERVER-OTHER
2016-12-29 ntpd mrulist control message command null pointer dereference attempt
RuleID : 40856 - Revision : 3 - Type : SERVER-OTHER
2016-12-29 ntpd mrulist control message command null pointer dereference attempt
RuleID : 40855 - Revision : 3 - Type : SERVER-OTHER

Nessus® Vulnerability Scanner

Date Description
2018-08-17 Name : The remote PhotonOS host is missing multiple security updates.
File : PhotonOS_PHSA-2017-0003.nasl - Type : ACT_GATHER_INFO
2018-05-11 Name : The remote Amazon Linux 2 host is missing a security update.
File : al2_ALAS-2018-1009.nasl - Type : ACT_GATHER_INFO
2017-10-27 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2017-0165.nasl - Type : ACT_GATHER_INFO
2017-10-20 Name : A network management system installed on the remote host is affected by multi...
File : oracle_ilom_3_2_6.nasl - Type : ACT_GATHER_INFO
2017-08-03 Name : The remote AIX host has a version of NTP installed that is affected by multip...
File : aix_ntp_v3_advisory8.nasl - Type : ACT_GATHER_INFO
2017-07-13 Name : The remote Virtuozzo host is missing a security update.
File : Virtuozzo_VZLSA-2017-0252.nasl - Type : ACT_GATHER_INFO
2017-07-06 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-3349-1.nasl - Type : ACT_GATHER_INFO
2017-05-12 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL55405388.nasl - Type : ACT_GATHER_INFO
2017-05-01 Name : The remote EulerOS host is missing multiple security updates.
File : EulerOS_SA-2017-1024.nasl - Type : ACT_GATHER_INFO
2017-05-01 Name : The remote EulerOS host is missing multiple security updates.
File : EulerOS_SA-2017-1023.nasl - Type : ACT_GATHER_INFO
2017-04-04 Name : The remote AIX host has a version of NTP installed that is affected by multip...
File : aix_ntp_v4_advisory8.nasl - Type : ACT_GATHER_INFO
2017-02-21 Name : The remote AIX host is missing a security patch.
File : aix_IV92194.nasl - Type : ACT_GATHER_INFO
2017-02-21 Name : The remote AIX host is missing a security patch.
File : aix_IV92193.nasl - Type : ACT_GATHER_INFO
2017-02-21 Name : The remote AIX host is missing a security patch.
File : aix_IV92067.nasl - Type : ACT_GATHER_INFO
2017-02-14 Name : The remote AIX host is missing a security patch.
File : aix_IV92192.nasl - Type : ACT_GATHER_INFO
2017-02-14 Name : The remote AIX host is missing a security patch.
File : aix_IV91951.nasl - Type : ACT_GATHER_INFO
2017-02-14 Name : The remote AIX host is missing a security patch.
File : aix_IV91803.nasl - Type : ACT_GATHER_INFO
2017-02-08 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2017-0038.nasl - Type : ACT_GATHER_INFO
2017-02-07 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20170206_ntp_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2017-02-07 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2017-0252.nasl - Type : ACT_GATHER_INFO
2017-02-07 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2017-0252.nasl - Type : ACT_GATHER_INFO
2017-02-06 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2017-0252.nasl - Type : ACT_GATHER_INFO
2017-01-24 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2017-0255-1.nasl - Type : ACT_GATHER_INFO
2017-01-05 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2017-781.nasl - Type : ACT_GATHER_INFO
2016-12-29 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-1525.nasl - Type : ACT_GATHER_INFO
2016-12-27 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_fcedcdbbc86e11e6b1cf14dae9d210b8.nasl - Type : ACT_GATHER_INFO
2016-12-21 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2016-3195-1.nasl - Type : ACT_GATHER_INFO
2016-12-21 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2016-3193-1.nasl - Type : ACT_GATHER_INFO
2016-12-21 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2016-3196-1.nasl - Type : ACT_GATHER_INFO
2016-12-20 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL51444934.nasl - Type : ACT_GATHER_INFO
2016-12-08 Name : The remote Fedora host is missing a security update.
File : fedora_2016-e8a8561ee7.nasl - Type : ACT_GATHER_INFO
2016-12-08 Name : The remote Fedora host is missing a security update.
File : fedora_2016-c198d15316.nasl - Type : ACT_GATHER_INFO
2016-12-08 Name : The remote Fedora host is missing a security update.
File : fedora_2016-7209ab4e02.nasl - Type : ACT_GATHER_INFO
2016-12-06 Name : The remote NTP server is affected by multiple vulnerabilities.
File : ntp_4_2_8p9.nasl - Type : ACT_GATHER_INFO
2016-11-29 Name : The remote NTP server is affected by a denial of service vulnerability.
File : ntp_cve-2016-7434.nasl - Type : ACT_ATTACK
2016-11-23 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_8db8d62ab08b11e68ebad050996490d0.nasl - Type : ACT_GATHER_INFO
2016-11-22 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2016-326-01.nasl - Type : ACT_GATHER_INFO

Alert History

Date                   Information
2017-08-04 13:25:03
  • Multiple Updates
2017-04-05 13:24:58
  • Multiple Updates
2017-01-17 21:23:23
  • Multiple Updates
2017-01-13 21:25:11
  • Multiple Updates
2016-12-07 13:25:37
  • Multiple Updates
2016-11-30 13:24:30
  • Multiple Updates
2016-11-24 13:26:07
  • Multiple Updates
2016-11-22 05:22:59
  • Multiple Updates
2016-11-21 21:19:09
  • First insertion