Network Time Protocol is prone to a local buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.
An attacker may exploit this issue to execute arbitrary code within the context of the application. Failed exploit attempts will likely cause denial-of-service conditions.
Versions prior to NTP 4.2.8p4 and 4.3.x prior to 4.3.77 are vulnerable.
Information
Slackware Linux x86_64 -current
Slackware Linux 14.1 x86_64
Slackware Linux 14.0 x86_64
Slackware Linux 14.0
Slackware Linux 13.37 x86_64
Slackware Linux 13.37
Slackware Linux 13.1 x86_64
Slackware Linux 13.1
Slackware Linux 13.0 x86_64
Slackware Linux 13.0
Slackware Linux -current
Rockwell Automation Stratix 5900 0
NTP NTPd 4.2.1
NTP NTPd 4.2
NTP NTP 4.3.25
NTP NTP 4.3
NTP NTP 4.2.8
NTP NTP 4.2.6
NTP NTP 4.2.5 p74
NTP NTP 4.2.5 p153
NTP NTP 4.2.5 p150
NTP NTP 4.2.4 p8
NTP NTP 4.2.4 p7
NTP NTP 4.2.4 p6
NTP NTP 4.2.4 p5
NTP NTP 4.2.4 p4
NTP NTP 4.2.2 p4
NTP NTP 4.2.2 p1
NTP NTP 4.3.70
NTP NTP 4.2.8p3
NTP NTP 4.2.8p2
NTP NTP 4.2.7p366
NTP NTP 4.2.7p111
NTP NTP 4.2.7p11
NTP NTP 4.2.5p3
NTP NTP 4.2.5p186
NTP NTP 4.2.0.a
Juniper Junos OS 0
IBM Vios 2.2.1 4
IBM Vios 2.2
IBM Vios 2.2.4.0
IBM Vios 2.2.3.50
IBM Vios 2.2.3.4
IBM Vios 2.2.3.3
IBM Vios 2.2.3.2
IBM Vios 2.2.3.0
IBM Vios 2.2.2.6
IBM Vios 2.2.2.5
IBM Vios 2.2.2.4
IBM Vios 2.2.2.0
IBM Vios 2.2.1.9
IBM Vios 2.2.1.8
IBM Vios 2.2.1.3
IBM Vios 2.2.1.1
IBM Vios 2.2.1.0
IBM Vios 2.2.0.13
IBM Vios 2.2.0.12
IBM Vios 2.2.0.11
IBM Vios 2.2.0.10
IBM QLogic Virtual Fabric Extension Module for IBM BladeCenter 9.0
IBM QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module 7.10
IBM IB6131 8 Gb Infiniband Switch 3.4
IBM IB6131 8 Gb Infiniband Switch 3.2
IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru 9.1.0.00
IBM Flex System EN6131 40Gb Ethernet Switch 3.4
IBM Flex System EN6131 40Gb Ethernet Switch 3.2
IBM Aix 7.2
IBM Aix 7.1.4
IBM Aix 7.1.3
IBM AIX 7.1.2
IBM AIX 7.1.1
IBM AIX 7.1 6
IBM AIX 7.1
IBM Aix 6.1.9
IBM AIX 6.1.8
IBM AIX 6.1.7 5
IBM AIX 6.1.6 8
IBM AIX 6.1.6
IBM AIX 6.1.5
IBM AIX 6.1.4
IBM AIX 6.1.3
IBM AIX 6.1.2
IBM AIX 6.1.1
IBM AIX 5.3.12 6
IBM AIX 5.3.10
IBM AIX 5.3.9
IBM AIX 5.3.8
IBM AIX 5.3.7
IBM Aix 7.2.0.1
IBM Aix 7.1.4.1
IBM Aix 7.1.3.5
IBM Aix 7.1.2.6
IBM AIX 7.1.2.15
IBM AIX 7.1.1.5
IBM AIX 7.1.1.16
IBM Aix 6.1.9.6
IBM Aix 6.1.9.5
IBM Aix 6.1.8.7
IBM Aix 6.1.8.6
IBM AIX 6.1.8.15
IBM AIX 6.1.7.16
IBM Aix 5.3.12.9
IBM AIX 5.3.12
IBM AIX 5.3.11
FreeBSD Freebsd 9.3-RELEASE-p9
FreeBSD FreeBSD 9.3-RELEASE-p6
FreeBSD FreeBSD 9.3-RELEASE-p5
FreeBSD FreeBSD 9.3-RELEASE-p3
FreeBSD Freebsd 9.3-RELEASE-p25
FreeBSD Freebsd 9.3-RELEASE-p24
FreeBSD Freebsd 9.3-RELEASE-p22
FreeBSD Freebsd 9.3-RELEASE-p21
FreeBSD FreeBSD 9.3-RELEASE-p2
FreeBSD Freebsd 9.3-RELEASE-p13
FreeBSD Freebsd 9.3-RELEASE-p10
FreeBSD FreeBSD 9.3-RELEASE-p1
FreeBSD FreeBSD 9.3-RC3-p1
FreeBSD FreeBSD 9.3-RC2-p1
FreeBSD FreeBSD 9.3-RC2
FreeBSD FreeBSD 9.3-RC1-p2
FreeBSD FreeBSD 9.3-RC
FreeBSD FreeBSD 9.3-PRERELEASE
FreeBSD FreeBSD 9.3-BETA3-p2
FreeBSD FreeBSD 9.3-BETA1-p2
FreeBSD FreeBSD 9.3-BETA1-p1
FreeBSD FreeBSD 9.3-BETA1
FreeBSD FreeBSD 9.3
FreeBSD Freebsd 10.2-RC2-p1
FreeBSD Freebsd 10.2-RC1-p2
FreeBSD Freebsd 10.2-RC1-p1
FreeBSD Freebsd 10.2-PRERELEASE
FreeBSD Freebsd 10.2-BETA2-p3
FreeBSD Freebsd 10.2-BETA2-p2
FreeBSD Freebsd 10.2
FreeBSD FreeBSD 10.1-STABLE
FreeBSD Freebsd 10.1-RELENG
FreeBSD Freebsd 10.1-RELEASE-p9
FreeBSD Freebsd 10.1-RELEASE-p6
FreeBSD Freebsd 10.1-RELEASE-p5
FreeBSD Freebsd 10.1-RELEASE-p19
FreeBSD Freebsd 10.1-RELEASE-p17
FreeBSD Freebsd 10.1-RELEASE-p16
FreeBSD FreeBSD 10.1-RELEASE-p1
FreeBSD Freebsd 10.1-RELEASE
FreeBSD FreeBSD 10.1-RC4-p1
FreeBSD FreeBSD 10.1-RC3-p1
FreeBSD FreeBSD 10.1-RC2-p3
FreeBSD FreeBSD 10.1-RC2-p1
FreeBSD FreeBSD 10.1-RC1-p1
FreeBSD FreeBSD 10.1-PRERELEASE
FreeBSD FreeBSD 10.1-BETA3-p1
FreeBSD FreeBSD 10.1-BETA1-p1
FreeBSD FreeBSD 10.1
Extremenetworks Summit WM3000 Series 0
Extremenetworks Purview Appliance 6.3
Extremenetworks Purview Appliance 6.0
Extremenetworks NetSight Appliance 6.3
Extremenetworks NetSight Appliance 6.0
Extremenetworks NAC Appliance 6.3
Extremenetworks NAC Appliance 6.0
Extremenetworks ExtremeXOS 16.1.2
Extremenetworks ExtremeXOS 15.7.4
Extremenetworks ExtremeXOS 15.7.3 Patch 8
Extremenetworks ExtremeXOS 15.7.3 Patch 1
Extremenetworks ExtremeXOS 15.7.2
Extremenetworks ExtremeXOS 15.7
Extremenetworks ExtremeXOS 15.6.4
Extremenetworks ExtremeXOS 16.1
Extremenetworks ExtremeXOS 15.4.1.3-patch1-10
Extremenetworks ExtremeXOS 15.4.1.0
Extremenetworks ExtremeXOS 15.3
NTP NTP 4.3.77
NTP NTP 4.2.8p4
IBM QLogic Virtual Fabric Extension Module for IBM BladeCenter 9.0.3.14.0
IBM QLogic 8Gb Intelligent Pass-thru Module and SAN Switch Module 7.10.1.37.00
IBM IB6131 8 Gb Infiniband Switch 3.5.1000
IBM Flex System FC3171 8Gb SAN Switch and SAN Pass-thru 9.1.7.03.00
IBM Flex System EN6131 40Gb Ethernet Switch 3.5.1000
FreeBSD FreeBSD 9.3-STABLE
FreeBSD Freebsd 9.3-RELEASE-p29
FreeBSD Freebsd 10.2-STABLE
FreeBSD Freebsd 10.2-RELEASE-p6
FreeBSD Freebsd 10.1-RELEASE-p23
Extremenetworks Purview Appliance 6.4
Extremenetworks NetSight Appliance 6.4
Extremenetworks NAC Appliance 6.4
Extremenetworks ExtremeXOS 21.1
Extremenetworks ExtremeXOS 16.2
Exploit
An attacker can exploit this issue using readily available tools.
References:
- NTP Homepage (ntp.org)
- October 2015 NTP Security Vulnerability Announcement (Medium) (NTP)
- Vulnerability Alert: Network Time Protocol Reference Clock Memory Corruption Vul (Cisco)
- 2015-10 Out of Cycle Security Bulletin: NTP.org announcement of multiple vulnera (Juniper)
- Advisory (ICSA-17-094-04)Rockwell Automation Stratix 5900 (CERT)
- cisco-sa-20151021-ntp: Multiple Vulnerabilities in ntpd Affecting Cisco Products (Cisco)
- Extreme Networks - Multiple NTP Vulnerabilities (Extreme Networks)
- FreeBSD Security Advisory FreeBSD-SA-15:25.ntp (FreeBSD)
- IBM SECURITY ADVISORY (IBM)
- Security Bulletin: Vulnerabilities in NTP affect IBM Flex System FC3171 8Gb SAN (IBM)
- Security Bulletin: Vulnerabilities in NTP and GNU C Library (glibc) affect IBM F (IBM)
- TALOS-2015-0064: Network Time Protocol Reference Clock Memory Corruption Vulnera (Cisco)