following X high- and Y low-severity vulnerabilities:
* Trap crash
- Date Resolved: xx October 2016; Dev (4.3.94) XX October 2016
- X References: Sec 3119 / CVE-2016-XXXX / VU#XXXXX
- X Affects: ntp-4.2.8p7, and ntp-4.3.92.
- X CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
- X CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- X Summary:
- X Mitigation:
+ Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
+ References: Sec 3119 / CVE-2016-XXXX / VU#XXXXX
+ Affects: ntp-4.0.90 (21 July 1999) uo to but not including 4.2.8p9,
+ and ntp-4.3.0 up to but not including ntp-4.3.94.
+ CVSS2: MED 4.9 (AV:N/AC:H/Au:N/C:N/I:N/A:C)
+ CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
+ Summary:
+ ntpd does not enable trap service by default. If trap service
+ has been explicitly enabled, an attacker can send a specially
+ crafted packet to cause a null pointer dereference that will
+ crash ntpd, resulting in a denial of service.
+ Mitigation:
Implement BCP-38.
- Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
+ Use "restrict default noquery ..." in your ntp.conf file. Only
+ allow mode 6 queries from trusted networks and hosts.
+ Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
- If you cannot upgrade from 4.2.8p7, the only other alternatives
- are to patch your code or filter CRYPTO_NAK packets.
Properly monitor your ntpd instances, and auto-restart ntpd
(without -g) if it stops running.
- X Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
+ Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
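Review bot: The CVSS3 metrics on "+ CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H" do not match the new Summary: PR:H and UI:R say the attacker needs high privileges and a user action, but the Summary describes an unauthenticated "specially crafted packet" against a host where trap service has been enabled, which is a configuration precondition, not attacker privilege or user interaction. Either justify PR:H/UI:R in the text or re-score with PR:N/UI:N and recompute both scores from the vectors. Smaller points in the same entry: "uo to but not including 4.2.8p9" is a typo for "up to"; "CVE-2016-XXXX / VU#XXXXX" are still placeholders while the entries below already carry assigned CVE ids; and the unchanged count line "following X high- and Y low-severity vulnerabilities" still needs its numbers filled in before release.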
* Mode 6 information disclosure and DDoS vector
- Date Resolved: xx October 2016; Dev (4.3.94) XX October 2016
- X References: Sec 3118 / CVE-2016-XXXX / VU#XXXXX
- X Affects: ntp-4.2.8p7, and ntp-4.3.92.
- X CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
- X CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- X Summary:
- X Mitigation:
+ Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
+ References: Sec 3118 / CVE-2016-XXXX / VU#XXXXX
+ Affects: ntp-4.0.90 (21 July 1999) uo to but not including 4.2.8p9,
+ and ntp-4.3.0 up to but not including ntp-4.3.94.
+ CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
+ CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
+ Summary:
+ An exploitable configuration modification vulnerability exists
+ in the control mode (mode 6) functionality of ntpd. If, against
+ long-standing BCP recommendations, "restrict default noquery ..."
+ is not specified, a specially crafted control mode packet can set
+ ntpd traps, providing information disclosure and DDoS
+ amplification, and unset ntpd traps, disabling legitimate
+ monitoring. A remote, unauthenticated, network attacker can
+ trigger this vulnerability.
+ Mitigation:
Implement BCP-38.
- Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
+ Use "restrict default noquery ..." in your ntp.conf file.
+ Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
- If you cannot upgrade from 4.2.8p7, the only other alternatives
- are to patch your code or filter CRYPTO_NAK packets.
Properly monitor your ntpd instances, and auto-restart ntpd
(without -g) if it stops running.
- X Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
+ Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
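Review bot: The attack-vector metrics in this entry contradict each other and the Summary: the Summary states "A remote, unauthenticated, network attacker can trigger this vulnerability" (AV:N), yet "+ CVSS2: MED 6.4 (AV:A/AC:L/Au:N/C:N/I:N/A:P)" says adjacent network and "+ CVSS3: MED 6.5 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" says local. The same CVSS2 vector is scored "LOW 3.3" in the Broadcast Mode Replay Prevention entry below, so at least one of the two scores is not derived from its vector. Settle on the vector that matches the Summary (a remote mode 6 packet) and recompute both scores. Same "uo to" typo and unfilled "CVE-2016-XXXX / VU#XXXXX" placeholders as in the Trap crash entry.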
+
+ * Broadcast Mode Replay Prevention DoS
+ Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
+ References: Sec 3114 / CVE-2016-7427 / VU#XXXXX
+ Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
+ ntp-4.3.90 up to, but not including ntp-4.3.94.
+ CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
+ CVSS3: MED 4.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
+ Summary:
+ The broadcast mode of NTP is expected to only be used in a
+ trusted network. If the broadcast network is accessible to an
+ attacker, a potentially exploitable denial of service
+ vulnerability in ntpd's broadcast mode replay prevention
+ functionality can be abused. An attacker with access to the NTP
+ broadcast domain can periodically inject specially crafted
+ broadcast mode NTP packets into the broadcast domain which,
+ while being logged by ntpd, can cause ntpd to reject broadcast
+ mode packets from legitimate NTP broadcast servers.
+ Mitigation:
+ Implement BCP-38.
+ Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
+ or the NTP Public Services Project Download Page
+ Properly monitor your ntpd instances, and auto-restart ntpd
+ (without -g) if it stops running.
+ Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
+* Broadcast Mode Replay Prevention DoS
+ Date Resolved: xx October 2016; Dev (4.3.94) XX October 2016
+X References: Sec 3114 / CVE-2016-XXXX / VU#XXXXX
+X Affects: ntp-4.2.8p7, and ntp-4.3.92.
+X CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
+X CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+X Summary:
+X Mitigation:
+ Implement BCP-38.
+ Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
+ or the NTP Public Services Project Download Page
+ If you cannot upgrade from 4.2.8p7, the only other alternatives
+ are to patch your code or filter CRYPTO_NAK packets.
+ Properly monitor your ntpd instances, and auto-restart ntpd
+ (without -g) if it stops running.
+X Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
+
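Review bot: The block starting at "+* Broadcast Mode Replay Prevention DoS" (note the different indentation) is a stale template copy of the entry immediately above and should be dropped whole: it still has "xx October 2016", "CVE-2016-XXXX", the generic "HIGH 7.8" scores, a credit to Miroslav Lichvar, and the "If you cannot upgrade from 4.2.8p7 ... filter CRYPTO_NAK packets" mitigation text that belongs to an earlier release's advisory, none of which apply to this issue (the kept entry references CVE-2016-7427 and credits Matthew Van Gundy). Leaving both in would ship two contradictory NEWS entries for the same Sec 3114. In the kept entry, "+ CVSS3: MED 4.3 CVSS:3.0/AV:L/..." uses AV:L although the Summary requires "access to the NTP broadcast domain" and the Poll Interval entry below, with the same precondition and the same 4.3 score, uses AV:A; AV:A looks like the intended value.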
* Broadcast Mode Poll Interval Enforcement DoS
- Date Resolved: xx October 2016; Dev (4.3.94) XX October 2016
- X References: Sec 3113 / CVE-2016-XXXX / VU#XXXXX
- X Affects: ntp-4.2.8p7, and ntp-4.3.92.
- X CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
- X CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- X Summary:
- X Mitigation:
+ Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
+ References: Sec 3113 / CVE-2016-7428 / VU#XXXXX
+ Affects: ntp-4.2.8p6, up to but not including ntp-4.2.8p9, and
+ ntp-4.3.90 up to, but not including ntp-4.3.94
+ CVSS2: LOW 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P)
+ CVSS3: MED 4.3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
+ Summary:
+ The broadcast mode of NTP is expected to only be used in a
+ trusted network. If the broadcast network is accessible to an
+ attacker, a potentially exploitable denial of service
+ vulnerability in ntpd's broadcast mode poll interval enforcement
+ functionality can be abused. To limit abuse, ntpd restricts the
+ rate at which each broadcast association will process incoming
+ packets. ntpd will reject broadcast mode packets that arrive
+ before the poll interval specified in the preceding broadcast
+ packet expires. An attacker with access to the NTP broadcast
+ domain can send specially crafted broadcast mode NTP packets to
+ the broadcast domain which, while being logged by ntpd, will
+ cause ntpd to reject broadcast mode packets from legitimate NTP
+ broadcast servers.
+ Mitigation:
Implement BCP-38.
- Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
+ Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
- If you cannot upgrade from 4.2.8p7, the only other alternatives
- are to patch your code or filter CRYPTO_NAK packets.
Properly monitor your ntpd instances, and auto-restart ntpd
(without -g) if it stops running.
- X Credit: This weakness was discovered by Miroslav Lichvar of Red Hat.
+ Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
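Review bot: Style and completeness only in this entry: "+ ntp-4.3.90 up to, but not including ntp-4.3.94" is missing its trailing period, and the comma in "up to, but not including" is inconsistent with the "up to but not including" wording used in the Trap crash and Mode 6 entries; pick one form for all Affects lines. "VU#XXXXX" is still a placeholder even though the CVE id (CVE-2016-7428) has been filled in.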
* Windows: ntpd DoS by oversized UDP packet
- Date Resolved: xx October 2016; Dev (4.3.94) XX October 2016
- X References: Sec 3110 / CVE-2016-XXXX / VU#XXXXX
- X Affects: ntp-4.2.8p7, and ntp-4.3.92.
- X CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
- X CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- X Summary:
- X Mitigation:
+ Date Resolved: 21 November 2016; Dev (4.3.94) 21 November 2016
+ References: Sec 3110 / CVE-2016-XXXX / VU#XXXXX
+ Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9,
+ and ntp-4.3.0 up to, but not including ntp-4.3.94.
+ CVSS2: HIGH 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
+ CVSS3: HIGH 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
+ Summary:
+ If a vulnerable instance of ntpd on Windows receives a crafted
+ malicious packet that is "too big", ntpd will stop working.
+ Mitigation:
Implement BCP-38.
- Upgrade to 4.2.8p8, or later, from the NTP Project Download Page
+ Upgrade to 4.2.8p9, or later, from the NTP Project Download Page
or the NTP Public Services Project Download Page
- If you cannot upgrade from 4.2.8p7, the only other alternatives
- are to patch your code or filter CRYPTO_NAK packets.
Properly monitor your ntpd instances, and auto-restart ntpd
(without -g) if it stops running.
Credit: This weakness was discovered by Robert Pajak
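Review bot: "+ Affects Windows only: ntp-4.?.?, up to but not including ntp-4.2.8p9," leaves the first affected version as a placeholder, and "CVE-2016-XXXX / VU#XXXXX" are unfilled; both must be resolved before this goes out. The Summary is also vaguer than the others: say that the trigger is an oversized UDP packet (as the heading already states) and that the effect is a crash of ntpd, i.e. a denial of service, rather than the informal "ntpd will stop working". The unchanged Credit line is the only one in the file without an affiliation; add one if known.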