CVE-2016-7434
published 2017-01-13

CVE-2016-7434: The read_mru_list function in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (crash) via a crafted mrulist query.

Priority: P358 (high)
CVSS 3.1: 7.5
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EXPLOIT
EPSS: 52.94% (98.8th percentile)

Affected

8 ranges
Vendor | Product | Version range | Fixed in
debian | ntp | < ntp 1:4.2.8p9+dfsg-1 (bullseye) | ntp 1:4.2.8p9+dfsg-1 (bullseye)
hpe | hpux-ntp | >= b.11.31 < c.4.2.8.2.0 | c.4.2.8.2.0
ntp | ntp | |
ntp | ntp | |
ntp | ntp | >= 0 < 1:4.2.8p9+dfsg-1 | 1:4.2.8p9+dfsg-1
ntp | ntp | >= 0 < 1:4.2.6.p5+dfsg-3ubuntu2.14.04.11 | 1:4.2.6.p5+dfsg-3ubuntu2.14.04.11
ntp | ntp | >= 0 < 1:4.2.8p4+dfsg-3ubuntu5.5 | 1:4.2.8p4+dfsg-3ubuntu5.5
ntp | ntp | >= 4.3.0 < 4.3.94 | 4.3.94

Detection & IOCs (extracted from sources)

port: UDP/123
bytes:
\x16\x0a\x00\x10\x00\x00\x00\x00\x00\x00\x00\x36\x6e\x6f\x6e\x63\x65\x2c\x20\x6c\x61\x64\x64\x72\x3d\x5b\x5d\x3a\x48\x72\x61\x67\x73\x3d\x33\x32\x2c\x20\x6c\x61\x64\x64\x72\x3d\x5b\x5d\x3a\x57\x4f\x50\x00\x32\x2c\x20\x6c\x61\x64\x64\x72\x3d\x5b\x5d\x3a\x57\x4f\x50\x00\x00
  • The exploit sends a crafted mrulist query over UDP as a pre-authentication denial-of-service; detect by inspecting NTP control packets (mode 6) with malformed or empty IPv6 address fields (laddr=[]:) in the mrulist query payload.
  • Vulnerability is only exploitable if ntpd is configured to allow mrulist query requests; audit ntpd configuration for mrulist access permissions as a prerequisite for exposure.
  • The attack is unauthenticated and remote (pre-auth DoS); any inbound NTP control packet (mode 6) requesting mrulist from an untrusted source should be alerted on.
  • Red Hat Enterprise Linux 5, 6, and 7 ship NTP versions that do not include mrulist support and are therefore not affected; do not apply NTP-specific mrulist mitigations to these platforms.
  • Affected version range is ntp-4.2.7p22 up to (not including) ntp-4.2.8p9, and ntp-4.3.0 up to (not including) ntp-4.3.94; ensure version checks in detection rules cover this full range.
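
The packet-level checks in the detection notes above, sketched as an added example (not code from this page or from the NTP project): it parses the 12-byte mode 6 control header, flags mrulist requests from sources outside an allowlist, and flags the empty `laddr=[]:` marker. The `TRUSTED` range, the alert names and the sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

MODE_CONTROL = 6            # NTP control message (mode 6)
OP_READ_MRU = 10            # opcode 0x0a, the second byte of the page's sample bytes
EMPTY_LADDR = b"laddr=[]:"  # empty address marker named in the detection note
# Assumption: hypothetical management range allowed to send mrulist queries.
TRUSTED = [ipaddress.ip_network("192.0.2.0/24")]


def classify(src_ip, payload, trusted=TRUSTED):
    """Return alert names for one UDP/123 datagram; an empty list means no alert."""
    if len(payload) < 12:                         # control header is 12 bytes
        return []
    li_vn_mode, rem_op = struct.unpack("!BB", payload[:2])
    if (li_vn_mode & 0x07) != MODE_CONTROL:       # low 3 bits carry the mode
        return []
    if rem_op & 0x80:                             # response bit set: not a request
        return []
    if (rem_op & 0x1F) != OP_READ_MRU:            # low 5 bits carry the opcode
        return []
    alerts = []
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in trusted):
        alerts.append("mrulist-query-untrusted-source")
    # Scan everything after the header; the count field is sender-controlled.
    if EMPTY_LADDR in payload[12:]:
        alerts.append("mrulist-empty-laddr")
    return alerts


def build_control(opcode, data, response=False):
    """Constructed test packet: version 2, mode 6, zeroed status/assoc/offset."""
    rem_op = (0x80 if response else 0) | opcode
    return struct.pack("!BBHHHHH", 0x16, rem_op, 1, 0, 0, 0, len(data)) + data


if __name__ == "__main__":
    samples = [  # constructed inputs, not captured traffic
        ("203.0.113.5", build_control(OP_READ_MRU, b"nonce=abc, frags=32")),
        ("192.0.2.10", build_control(OP_READ_MRU, b"nonce=abc, frags=32")),
        ("203.0.113.5", build_control(OP_READ_MRU, b"nonce=abc, laddr=[]:1")),
        ("203.0.113.5", build_control(2, b"")),        # readvar, not mrulist
        ("203.0.113.5", b"\x23" + b"\x00" * 47),       # ordinary mode 3 client packet
    ]
    for ip, pkt in samples:
        print(ip, classify(ip, pkt))
```

Hosts in the affected version range that must answer mrulist queries are the ones where these alerts matter; on builds without mrulist support the same traffic is noise.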

CVSS provenance

nvd v3.1: 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
nvd v2.0: 4.3 MEDIUM (AV:N/AC:M/Au:N/C:N/I:N/A:P)
osv: 7.5 HIGH
vendor_debian: 7.5 HIGH
vendor_redhat: 7.5 HIGH
vendor_ubuntu: 5.9 MEDIUM
vendor_cisco: 5.3 MEDIUM