
[Vulnerability notice] Multiple NTP DoS vulnerabilities

Last Updated: Apr 02, 2018

NTF’s Network Time Protocol (NTP) Project released ntp-4.2.8p9 on November 21, 2016. This version addresses 10 vulnerabilities, including 1 high severity, 2 medium severity, 2 medium/low severity, and 5 low severity. Some of them can cause remote DoS.

See the following for more information about the vulnerability.


CVE identifier

CVE-2016-9311, CVE-2016-9310, CVE-2016-7427, CVE-2016-7428, CVE-2016-9312, CVE-2016-7431, CVE-2016-7434, CVE-2016-7429, CVE-2016-7426, CVE-2016-7433

Vulnerability name

Multiple NTP DoS vulnerabilities

Vulnerability rating

High

Vulnerability description

| CVE | Severity | Description |
| --- | --- | --- |
| CVE-2016-9311 | Medium | The trap service is disabled for NTPD by default. If the trap service is enabled, an attacker can send a specially crafted packet to cause NULL pointer dereference, resulting in NTPD DoS. |
| CVE-2016-9310 | Medium | The control mode functionality in NTPD has an exploitable configuration modification vulnerability, which allows an attacker to cause information leakage and DoS by sending a specially crafted control packet. |
| CVE-2016-7427 | Medium/Low | An attacker with access to the NTP broadcast domain can periodically send specially crafted packets to the broadcast domain, thereby causing NTPD to send broadcast packets from legitimate NTP broadcast servers. |
| CVE-2016-7428 | Medium/Low | The broadcast mode poll interval enforcement functionality of NTPD has an exploitable DoS attack vulnerability. An attacker with access to the NTP broadcast domain can send specially crafted packets to the NTP broadcast domain, thereby causing NTPD to discard broadcast packets sent from legitimate NTP broadcast servers. |
| CVE-2016-9312 | High | If NTPD running on Windows receives an oversized UDP packet, NTPD stops running, resulting in DoS. |
| CVE-2016-7431 | Low | The zero origin time stamp bug (NTP Bug 2945) was fixed in ntp-4.2.8p6, but another problem was introduced in zero origin time stamp checks. |
| CVE-2016-7434 | Low | If NTPD is configured to receive MRUList query requests, an attacker can send a specially crafted MRUList query request packet. Upon receipt of the packet, NTPD crashes, resulting in DoS. |
| CVE-2016-7429 | Low | If NTPD is running on a host with multiple interfaces on different networks and the operating system does not check source addresses in received packets, an attacker can send a packet with a spoofed source address. As a result, NTPD cannot synchronize with the correct data source. |
| CVE-2016-7426 | Low | If rate limiting is enabled for NTPD, an attacker can periodically send packets with a spoofed source address to prevent NTPD from receiving valid NTPD response packets. |
| CVE-2016-7433 | Low | The fix for NTP Bug 2085 is incorrect (calculation is not performed properly). The problem caused by Bug 2085 is that the time base error is greater than the expected value. |

By exploiting these vulnerabilities, hackers can cause NTP to exit. As a result, NTP cannot provide services.

Condition and method of exploitation

The high-severity vulnerability CVE-2016-9312 can be exploited remotely only in the Windows environment. Other vulnerabilities are not restricted by environments.

Affected scope

CVE Affected versions Unaffected versions
CVE-2016-9311 ntp-4.0.90 ≤ nptd version < ntp-4.2.8p9 ntp-4.2.8p9, ntp-4.3.0 ≤ nptd version ≤ ntp-4.3.94
CVE-2016-9310 ntp-4.0.90 ≤ nptd version < ntp-4.2.8p9 ntp-4.2.8p9, ntp-4.3.0 ≤ nptd version ≤ ntp-4.3.94
CVE-2016-7427 ntp-4.2.8p6 ≤ nptd version < ntp-4.2.8p9 ntp-4.2.8p9, ntp-4.3.0 ≤ nptd version ≤ ntp-4.3.94
CVE-2016-7428 ntp-4.2.8p6 ≤ nptd version < ntp-4.2.8p9 ntp-4.2.8p9, ntp-4.3.0 ≤ nptd version ≤ ntp-4.3.94
CVE-2016-9312 nptd version < ntp-4.2.8p9 ntp-4.2.8p9, ntp-4.3.0 ≤ nptd version ≤ ntp-4.3.94
CVE-2016-7431 ntp-4.2.8p8, ntp-4.3.93 ntp-4.2.8p9, ntp-4.3.94
CVE-2016-7434 ntp-4.2.7p22 ≤ nptd version < ntp-4.2.8p9 ntp-4.2.8p9, ntp-4.3.0 ≤ nptd version ≤ ntp-4.3.94
CVE-2016-7429 ntp-4.2.7p385 ≤ nptd version < ntp-4.2.8p9 ntp-4.2.8p9, ntp-4.3.0 ≤ nptd version ≤ ntp-4.3.94
CVE-2016-7426 ntp-4.2.5p203 ≤ nptd version < ntp-4.2.8p9 ntp-4.2.8p9, ntp-4.3.0 ≤ nptd version ≤ ntp-4.3.94
CVE-2016-7433 ntp-4.2.7p385 ≤ nptd version < ntp-4.2.8p9 ntp-4.2.8p9, ntp-4.3.0 ≤ nptd version ≤ ntp-4.3.94

Vulnerability detection

  • Manually check whether NTP port 123 (UDP) is open and exposed to the Internet.

  • Run the following command to check the NTP version: ntpq -c version

    Note: The PoC test method is not recommended.
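To turn the version check into a per-CVE answer, the following added example (not part of the original notice) parses the version string and compares it against the affected ranges exactly as listed in the "Affected scope" table. The function names and the sample `ntpq` output line are constructed for illustration, and it assumes `ntpq` and `ntpd` come from the same package, since `ntpq -c version` reports the version of the `ntpq` program.

```python
import re

# Ranges transcribed from the "Affected scope" table on this page:
# (CVE, inclusive lower bound or None, exclusive upper bound).
FIXED = (4, 2, 8, 9)  # ntp-4.2.8p9
RANGES = [
    ("CVE-2016-9311", (4, 0, 90, 0), FIXED),
    ("CVE-2016-9310", (4, 0, 90, 0), FIXED),
    ("CVE-2016-7427", (4, 2, 8, 6), FIXED),
    ("CVE-2016-7428", (4, 2, 8, 6), FIXED),
    ("CVE-2016-9312", None, FIXED),
    ("CVE-2016-7434", (4, 2, 7, 22), FIXED),
    ("CVE-2016-7429", (4, 2, 7, 385), FIXED),
    ("CVE-2016-7426", (4, 2, 5, 203), FIXED),
    ("CVE-2016-7433", (4, 2, 7, 385), FIXED),
]
# CVE-2016-7431 is listed for two exact releases rather than a range.
EXACT = {"CVE-2016-7431": {(4, 2, 8, 8), (4, 3, 93, 0)}}
# The notice states CVE-2016-9312 is exploitable only on Windows.
WINDOWS_ONLY = {"CVE-2016-9312"}

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_ntp_version(text):
    """Extract (major, minor, point, patch) from text such as '4.2.8p9'."""
    match = _VERSION.search(text)
    if match is None:
        raise ValueError("no NTP version found in: %r" % text)
    # A missing 'pN' suffix is treated as patch level 0.
    return tuple(int(group or 0) for group in match.groups())


def affected_cves(version, windows=False):
    """Return the CVEs from this notice that apply to the given version."""
    hits = []
    for cve, low, high in RANGES:
        if cve in WINDOWS_ONLY and not windows:
            continue
        if (low is None or low <= version) and version < high:
            hits.append(cve)
    hits += [cve for cve, versions in EXACT.items() if version in versions]
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample of `ntpq -c version` output.
    sample = "ntpq 4.2.6p5@1.2349-o Fri Apr 13 12:52:27 UTC 2018 (1)"
    print(affected_cves(parse_ntp_version(sample)))
```

Distribution packages often backport fixes without changing the upstream version string, so confirm a positive result against the vendor's package changelog.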

How to fix or mitigate

An updated version has been officially released. We recommend that you upgrade the service to the latest version.

You can upgrade with yum upgrade. If the mirror at mirror.aliyun.com has not been updated, download the installation package from the following URL and then perform the upgrade: http://support.ntp.org/bin/view/Main/SoftwareDownloads.

Reference

[1]. http://toutiao.secjia.com/ntp-multiple-denial-of-service-vulnerabilities-cve-2016-9311#
[2]. https://www.kb.cert.org/vuls/id/633847
[3]. http://bugs.ntp.org/show_bug.cgi?id=3082
