| VID |
23247 |
| Severity |
30 |
| Port |
123 |
| Protocol |
UDP |
| Class |
NTPD |
| Detailed Description |
The NTP daemon, according its version number, is vulnerable to multiple vulnerabilities. Network Time Protocol (NTP) daemon is responsible for providing accurate time reports used for synchronizing the clocks on installed systems. The remote NTP daemon is affected by the following vulnerabilities :
- A denial of service vulnerability exists due to improper validation of the origin timestamp field when handling a Kiss-of-Death (KoD) packet. An unauthenticated, remote attacker can exploit this to cause a client to stop querying its servers, preventing the client from updating its clock. (CVE-2015-7704)
- A flaw exists in the receive() function in ntp_proto.c that allows packets with an origin timestamp of zero to bypass security checks. An unauthenticated, remote attacker can exploit this to spoof arbitrary content. (CVE-2015-8138)
- A denial of service vulnerability exists due to improper handling of a crafted Crypto NAK Packet with a source address spoofed to match that of an existing associated peer. An unauthenticated, remote attacker can exploit this to demobilize a client association. (CVE-2016-1547)
- A denial of service vulnerability exists due to improper handling of packets spoofed to appear to be from a valid ntpd server. An unauthenticated, remote attacker can exploit this to cause NTP to switch from basic client/server mode to interleaved symmetric mode, causing the client to reject future legitimate responses. (CVE-2016-1548)
- A race condition exists that is triggered during the handling of a saturation of ephemeral associations. An authenticated, remote attacker can exploit this to defeat NTP's clock selection algorithm and modify a user's clock. (CVE-2016-1549)
- An information disclosure vulnerability exists in the message authentication functionality in libntp that is triggered during the handling of a series of specially crafted messages. An adjacent attacker can exploit this to partially recover the message digest key. (CVE-2016-1550)
- A flaw exists due to improper filtering of IPv4 'bogon' packets received from a network. An unauthenticated, remote attacker can exploit this to spoof packets to appear to come from a specific reference clock. (CVE-2016-1551)
- A denial of service vulnerability exists that allows an authenticated, remote attacker that has knowledge of the controlkey for ntpq or the requestkey for ntpdc to create a session with the same IP twice on an unconfigured directive line, causing ntpd to abort. (CVE-2016-2516)
- A denial of service vulnerability exists that allows an authenticated, remote attacker to manipulate the value of the trustedkey, controlkey, or requestkey via a crafted packet, preventing authentication with ntpd until the daemon has been restarted. (CVE-2016-2517)
- An out-of-bounds read error exists in the MATCH_ASSOC() function that occurs during the creation of peer associations with hmode greater than 7. An authenticated, remote attacker can exploit this, via a specially crafted packet, to cause a denial of service. (CVE-2016-2518)
- An overflow condition exists in the ctl_getitem() function in ntpd due to improper validation of user-supplied input when reporting return values. An authenticated, remote attacker can exploit this to cause ntpd to abort. (CVE-2016-2519)
* Note: This check solely relied on the version number of the remote NTP daemon to assess this vulnerability, so this might be a false positive.
* References:
http://support.ntp.org/bin/view/Main/SecurityNotice
* Platforms Affected:
NTPD versions prior to 4.2.8p7
Any operating system Any version |
| Recommendation |
Upgrade to the latest version of NTP (4.2.8p7 or later), available from the NTP Software Downloads Web page at http://ntp.isc.org/bin/view/Main/SoftwareDownloads |
| Related URL |
CVE-2015-7704,CVE-2015-8138,CVE-2016-1547,CVE-2016-1548,CVE-2016-1549,CVE-2016-1550,CVE-2016-1551,CVE-2016-2516,CVE-2016-2517,CVE-2016-2518 (CVE) |
| Related URL |
88180,88189,88200,88204,88219,88226,88261,88264,88276 (SecurityFocus) |
| Related URL |
(ISS) |
|
