NTF’s Network Time Protocol (NTP) Project released ntp-4.2.8p9 on November 21, 2016. This version addresses 10 vulnerabilities, including 1 high severity, 2 medium severity, 2 medium/low severity, and 5 low severity. Some of them can cause remote DoS.
See the following for more information about these vulnerabilities.
CVE-2016-9311, CVE-2016-9310, CVE-2016-7427, CVE-2016-7428, CVE-2016-9312, CVE-2016-7431, CVE-2016-7434, CVE-2016-7429, CVE-2016-7426, CVE-2016-7433
Multiple NTP DoS vulnerabilities
| CVE | Severity | Description |
|---|---|---|
| CVE-2016-9311 | Medium | The trap service is disabled for NTPD by default. If the trap service is enabled, an attacker can send a specially crafted packet to cause NULL pointer dereference, resulting in NTPD DoS. |
| CVE-2016-9310 | Medium | The control mode functionality in NTPD has an exploitable configuration modification vulnerability, which allows an attacker to cause information leakage and DoS by sending a specially crafted control packet. |
| CVE-2016-7427 | Medium/Low | An attacker with access to the NTP broadcast domain can periodically send specially crafted packets to the broadcast domain, thereby causing NTPD to send broadcast packets from legitimate NTP broadcast servers. |
| CVE-2016-7428 | Medium/Low | The broadcast mode poll interval enforcement functionality of NTPD has an exploitable DoS attack vulnerability. An attacker with access to the NTP broadcast domain can send specially crafted packets to the NTP broadcast domain, thereby causing NTPD to discard broadcast packets sent from legitimate NTP broadcast servers. |
| CVE-2016-9312 | High | If NTPD running on Windows receives an oversized UDP packet, NTPD stops running, resulting in DoS. |
| CVE-2016-7431 | Low | The zero origin time stamp bug (NTP Bug 2945) was fixed in ntp-4.2.8p6, but another problem was introduced in zero origin time stamp checks. |
| CVE-2016-7434 | Low | If NTPD is configured to receive MRUList query requests, an attacker can send a specially crafted MRUList query request packet. Upon receipt of the packet, NTPD crashes, resulting in DoS. |
| CVE-2016-7429 | Low | If NTPD is running on a host with multiple interfaces on different networks and the operating system does not check source addresses in received packets, an attacker can send a packet with a spoofed source address. As a result, NTPD cannot synchronize with the correct data source. |
| CVE-2016-7426 | Low | If rate limiting is enabled for NTPD, an attacker can periodically send packets with a spoofed source address to prevent NTPD from receiving valid NTPD response packets. |
| CVE-2016-7433 | Low | The fix for NTP Bug 2085 is incorrect (calculation is not performed properly). The problem caused by Bug 2085 is that the time base error is greater than the expected value. |
By exploiting these vulnerabilities, hackers can cause NTP to exit. As a result, NTP cannot provide services.
Condition and method of exploitation
The high-severity vulnerability CVE-2016-9312 can be exploited remotely only in the Windows environment. The other vulnerabilities are not restricted to a particular environment.
|CVE||Affected versions||Unaffected versions|
|CVE-2016-9311||ntp-4.0.90 ≤ nptd version < ntp-4.2.8p9||ntp-4.2.8p9, ntp-4.3.0 ≤ nptd version ≤ ntp-4.3.94|
|CVE-2016-9310||ntp-4.0.90 ≤ nptd version < ntp-4.2.8p9||ntp-4.2.8p9, ntp-4.3.0 ≤ nptd version ≤ ntp-4.3.94|
|CVE-2016-7427||ntp-4.2.8p6 ≤ nptd version < ntp-4.2.8p9||ntp-4.2.8p9, ntp-4.3.0 ≤ nptd version ≤ ntp-4.3.94|
|CVE-2016-7428||ntp-4.2.8p6 ≤ nptd version < ntp-4.2.8p9||ntp-4.2.8p9, ntp-4.3.0 ≤ nptd version ≤ ntp-4.3.94|
|CVE-2016-9312||nptd version < ntp-4.2.8p9||ntp-4.2.8p9, ntp-4.3.0 ≤ nptd version ≤ ntp-4.3.94|
|CVE-2016-7431||ntp-4.2.8p8, ntp-4.3.93||ntp-4.2.8p9, ntp-4.3.94|
|CVE-2016-7434||ntp-4.2.7p22 ≤ nptd version < ntp-4.2.8p9||ntp-4.2.8p9, ntp-4.3.0 ≤ nptd version ≤ ntp-4.3.94|
|CVE-2016-7429||ntp-4.2.7p385 ≤ nptd version < ntp-4.2.8p9||ntp-4.2.8p9, ntp-4.3.0 ≤ nptd version ≤ ntp-4.3.94|
|CVE-2016-7426||ntp-4.2.5p203 ≤ nptd version < ntp-4.2.8p9||ntp-4.2.8p9, ntp-4.3.0 ≤ nptd version ≤ ntp-4.3.94|
|CVE-2016-7433||ntp-4.2.7p385 ≤ nptd version < ntp-4.2.8p9||ntp-4.2.8p9, ntp-4.3.0 ≤ nptd version ≤ ntp-4.3.94|
Manually check whether NTP port 123 is open and exposed to the Internet.
Run the following command to check the NTP version:
ntpq -c version
Note: The PoC test method is not recommended.
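A version check against the "Affected versions" column of the table above, as an added example (not part of the original advisory or of the NTP project's code). The helper names `parse_version` and `affected_cves` are hypothetical, the sample `ntpq` output is constructed, and 4.3.x development builds are rejected rather than assessed.

```python
import re

FIXED = (4, 2, 8, 9)  # ntp-4.2.8p9, the fixed release named in the advisory

# "Affected versions" column of the table above: CVE -> lowest affected version.
# None means the table gives no lower bound.
LOWEST_AFFECTED = {
    "CVE-2016-9311": "4.0.90",
    "CVE-2016-9310": "4.0.90",
    "CVE-2016-7427": "4.2.8p6",
    "CVE-2016-7428": "4.2.8p6",
    "CVE-2016-9312": None,
    "CVE-2016-7434": "4.2.7p22",
    "CVE-2016-7429": "4.2.7p385",
    "CVE-2016-7426": "4.2.5p203",
    "CVE-2016-7433": "4.2.7p385",
}
# CVE-2016-7431 is listed for a single stable release, not a range.
EXACT = {"CVE-2016-7431": {"4.2.8p8"}}

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

def parse_version(text):
    """Extract (major, minor, patch, p-level) from text such as 'ntpq 4.2.8p8@1.3265-o'."""
    m = _VERSION.search(text)
    if not m:
        raise ValueError(f"no NTP version found in {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def affected_cves(text):
    """Return the CVEs whose affected range in the advisory table covers this version."""
    v = parse_version(text)
    if v >= (4, 3, 0, 0):
        raise ValueError("4.3.x development builds are outside this check")
    hits = []
    for cve, low in LOWEST_AFFECTED.items():
        lower = parse_version(low) if low else (0, 0, 0, 0)
        if lower <= v < FIXED:
            hits.append(cve)
    for cve, versions in EXACT.items():
        if v in {parse_version(x) for x in versions}:
            hits.append(cve)
    return sorted(hits)

if __name__ == "__main__":
    # Constructed sample of `ntpq -c version` output, not captured from a real host.
    sample = "ntpq 4.2.8p8@1.3265-o Fri Nov 18 10:00:00 UTC 2016 (1)"
    print(affected_cves(sample))
```

Distribution packages often backport fixes without changing the upstream version string, so treat a match as a prompt to check the vendor's package changelog.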
How to fix or mitigate
The version update has been officially released. We recommend that you upgrade the service to the latest version.
You can use yum upgrade. If the mirror at mirror.aliyun.com has not been updated yet, download the installation package from the following URL and then perform the upgrade: http://support.ntp.org/bin/view/Main/SoftwareDownloads.