Problem Description:

Multiple vulnerabilities have been discovered in the NTP suite:

CVE-2016-9311: Trap crash. Reported by Matthew Van Gundy of Cisco ASIG.
CVE-2016-9310: Mode 6 unauthenticated trap information disclosure and DDoS vector. Reported by Matthew Van Gundy of Cisco ASIG.
CVE-2016-7427: Broadcast Mode Replay Prevention DoS. Reported by Matthew Van Gundy of Cisco ASIG.
CVE-2016-7428: Broadcast Mode Poll Interval Enforcement DoS. Reported by Matthew Van Gundy of Cisco ASIG.
CVE-2016-7431: Regression: 010-origin: Zero Origin Timestamp Bypass. Reported by Sharon Goldberg and Aanchal Malhotra of Boston University.
CVE-2016-7434: Null pointer dereference in _IO_str_init_static_internal(). Reported by Magnus Stubman.
CVE-2016-7426: Client rate limiting and server responses. Reported by Miroslav Lichvar of Red Hat.
CVE-2016-7433: Reboot sync calculation problem. Reported independently by Brian Utterback of Oracle, and by Sharon Goldberg and Aanchal Malhotra of Boston University.

Impact:

A remote attacker can send a specially crafted packet that causes a NULL pointer dereference and crashes ntpd, resulting in a Denial of Service. [CVE-2016-9311]

An exploitable configuration modification vulnerability exists in the control mode (mode 6) functionality of ntpd. If, against long-standing BCP recommendations, "restrict default noquery ..." is not specified, a remote attacker can use a specially crafted control mode packet to set ntpd traps, providing information disclosure and DDoS amplification, and to unset ntpd traps, disabling legitimate monitoring. [CVE-2016-9310]

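The mitigation named above is a configuration setting, and the practical question for an operator is whether a given ntp.conf actually carries it for both address families. The following checker is an added example (not part of this advisory or of the NTP project): it parses ntpd's restrict directives, whose syntax is "restrict [-4|-6] <address|default> [mask <mask>] [ippeerlimit <n>] flag ...", and reports every default restriction that lacks noquery. The two sample configurations are constructed; the server name and drift file path in them are illustrative only.

```python
"""Check an ntp.conf for the mitigation the advisory names for CVE-2016-9310:
every 'restrict default' entry should carry 'noquery', so that ntpd refuses
mode 6 (control) queries, including the trap set/unset requests, from
non-local addresses.

Added example; it is not part of the advisory or of the NTP project.
The restrict syntax parsed here ('restrict [-4|-6] <address|default>
[mask <mask>] [ippeerlimit <n>] flag ...') is ntpd's, but the parser is
deliberately minimal. Both configuration samples are constructed.
"""

# Constructed sample: BCP flags except noquery, so any remote host may
# send mode 6 queries (the exposure the advisory describes).
WEAK_CONF = """\
driftfile /var/db/ntpd.drift
server 0.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer   # noquery missing
restrict 127.0.0.1
"""

# Constructed sample: the "restrict default noquery ..." recommendation,
# applied to both address families, with localhost left unrestricted.
HARDENED_CONF = """\
driftfile /var/db/ntpd.drift
server 0.freebsd.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

ALL_FAMILIES = frozenset(["-4", "-6"])


def parse_restricts(conf_text):
    """Return (family, target, flags) for each restrict directive.

    family is '-4', '-6' or 'any' (no qualifier: applies to both families);
    target is 'default' or the address given; flags are the remaining
    keywords, skipping the one-argument options 'mask' and 'ippeerlimit'.
    """
    entries = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # ntp.conf comments start with '#'
        tokens = line.split()
        if not tokens or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = "any"
        if tokens and tokens[0] in ALL_FAMILIES:
            family = tokens.pop(0)
        if not tokens:
            continue  # no target: ntpd would reject the line
        target = tokens.pop(0)
        flags = []
        i = 0
        while i < len(tokens):
            if tokens[i] in ("mask", "ippeerlimit"):
                i += 2  # keyword plus its argument
            else:
                flags.append(tokens[i])
                i += 1
        entries.append((family, target, flags))
    return entries


def mode6_exposure(conf_text):
    """List the ways remote mode 6 queries would still be answered.

    An empty list means every default restriction, for IPv4 and IPv6,
    carries noquery. A default entry without noquery is reported even if
    a later entry covers the same family: the safe reading of such a file
    is to fix the weak line rather than rely on ordering.
    """
    findings = []
    covered = set()  # families whose default restriction carries noquery
    for family, target, flags in parse_restricts(conf_text):
        if target != "default":
            continue
        families = ALL_FAMILIES if family == "any" else {family}
        label = "restrict default" if family == "any" else "restrict %s default" % family
        if "noquery" in flags:
            covered |= families
        else:
            findings.append("'%s' lacks noquery" % label)
    for family in sorted(ALL_FAMILIES - covered):
        findings.append(
            "no noquery default restriction for %s: remote mode 6 queries are answered" % family
        )
    return findings


def mode6_refused(conf_text):
    """True when the configuration refuses remote mode 6 queries outright."""
    return not mode6_exposure(conf_text)


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, "->", mode6_exposure(conf) or "ok")
```

Run against the weak sample it reports the default line without noquery and notes that neither family is covered; against the hardened sample it reports nothing. The check deliberately treats a "restrict -4 default ... noquery" line on its own as incomplete, since IPv6 queries would still be answered.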
An attacker with access to the NTP broadcast domain can periodically inject specially crafted broadcast mode NTP packets into the broadcast domain which, while being logged by ntpd, can cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers. [CVE-2016-7427]

An attacker with access to the NTP broadcast domain can send specially crafted broadcast mode NTP packets to the broadcast domain which, while being logged by ntpd, will cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers. [CVE-2016-7428]

Origin timestamp problems were fixed in ntp 4.2.8p6. However, subsequent timestamp validation checks introduced a regression in the handling of some Zero origin timestamp checks. [CVE-2016-7431]

If ntpd is configured to allow mrulist query requests from a server that sends a crafted malicious packet, ntpd will crash on receipt of that crafted malicious mrulist query packet. [CVE-2016-7434]

An attacker who knows the sources (e.g., from an IPv4 refid in a server response) and knows the system is (mis)configured in this way can periodically send packets with a spoofed source address to keep the rate limiting activated and prevent ntpd from accepting valid responses from its sources. [CVE-2016-7426]

NTP Bug 2085 described a condition where the root delay was included twice, causing the jitter value to be higher than expected. Due to a misinterpretation of a small-print variable in The Book, the fix for this problem was incorrect, resulting in a root distance that did not include the peer dispersion. The calculations and formulas have been reviewed and reconciled, and the code has been updated accordingly. [CVE-2016-7433]
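For reference, the root synchronization distance as RFC 5905 defines it (Appendix A.5.1.1, root_dist), added here to show which term the paragraph above refers to; this formula is the RFC's, not the advisory's, and the symbol names are the RFC's rather than anything given on this page:

$$\Lambda = \frac{\max(\mathrm{MINDISP},\ \delta_r + \delta)}{2} + \varepsilon_r + \varepsilon + \Phi\,(t - t_{\mathrm{update}}) + \psi$$

where $\delta_r$ is the root delay and $\delta$ the peer delay (together they enter only once, halved), $\varepsilon_r$ is the root dispersion, $\varepsilon$ is the peer dispersion, $\Phi$ the frequency tolerance applied to the time since the last update, and $\psi$ the peer jitter. The peer dispersion term $\varepsilon$ is the one the advisory says the earlier fix left out of the root distance; omitting it understates the maximum error bound ntpd uses when selecting and weighting sources.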