CVE-2016-7434
Published 2017-01-13
Priority: P3 58 high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EXPLOIT
EPSS: 52.94% (98.8th percentile)
The read_mru_list function in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (crash) via a crafted mrulist query.
Affected
8 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ntp | < ntp 1:4.2.8p9+dfsg-1 (bullseye) | ntp 1:4.2.8p9+dfsg-1 (bullseye) |
| hpe | hpux-ntp | >= b.11.31 < c.4.2.8.2.0 | c.4.2.8.2.0 |
| ntp | ntp | — | — |
| ntp | ntp | — | — |
| ntp | ntp | >= 0 < 1:4.2.8p9+dfsg-1 | 1:4.2.8p9+dfsg-1 |
| ntp | ntp | >= 0 < 1:4.2.6.p5+dfsg-3ubuntu2.14.04.11 | 1:4.2.6.p5+dfsg-3ubuntu2.14.04.11 |
| ntp | ntp | >= 0 < 1:4.2.8p4+dfsg-3ubuntu5.5 | 1:4.2.8p4+dfsg-3ubuntu5.5 |
| ntp | ntp | >= 4.3.0 < 4.3.94 | 4.3.94 |
Detection & IOCs
bytes
\x16\x0a\x00\x10\x00\x00\x00\x00\x00\x00\x00\x36\x6e\x6f\x6e\x63\x65\x2c\x20\x6c\x61\x64\x64\x72\x3d\x5b\x5d\x3a\x48\x72\x61\x67\x73\x3d\x33\x32\x2c\x20\x6c\x61\x64\x64\x72\x3d\x5b\x5d\x3a\x57\x4f\x50\x00\x32\x2c\x20\x6c\x61\x64\x64\x72\x3d\x5b\x5d\x3a\x57\x4f\x50\x00\x00
- The exploit sends a crafted mrulist query over UDP as a pre-authentication denial-of-service; detect by inspecting NTP control packets (mode 6) with malformed or empty IPv6 address fields (laddr=[]:) in the mrulist query payload.
- Vulnerability is only exploitable if ntpd is configured to allow mrulist query requests; audit ntpd configuration for mrulist access permissions as a prerequisite for exposure.
- The attack is unauthenticated and remote (pre-auth DoS); any inbound NTP control packet (mode 6) requesting mrulist from an untrusted source should be alerted on.
- Red Hat Enterprise Linux 5, 6, and 7 ship NTP versions that do not include mrulist support and are therefore not affected; do not apply NTP-specific mrulist mitigations to these platforms.
- Affected version range is ntp-4.2.7p22 up to (not including) ntp-4.2.8p9, and ntp-4.3.0 up to (not including) ntp-4.3.94; ensure version checks in detection rules cover this full range.
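The packet-level checks in the list above can be expressed as a small classifier for UDP/123 payloads. This is an added example, not code from any of the cited advisories; the function and sample names, the severity labels and the length check are assumptions of the example, and the sample datagrams are constructed.

```python
import struct
from typing import NamedTuple, Optional

MODE_CONTROL = 6   # NTP mode 6: control message
OP_READ_MRU = 10   # opcode 0x0a, the second byte of the byte string quoted above
# Control header: flags, opcode, sequence, status, association id, offset, count
HEADER = struct.Struct("!BBHHHHH")


class Finding(NamedTuple):
    severity: str
    reason: str


def inspect_ntp_datagram(payload: bytes, src_trusted: bool = False) -> Optional[Finding]:
    """Classify one UDP/123 payload; return a Finding for mrulist requests, else None."""
    if len(payload) < HEADER.size:
        return None                      # too short to hold a control header
    flags, op, _seq, _status, _assoc, _offset, count = HEADER.unpack_from(payload)
    if flags & 0x07 != MODE_CONTROL:
        return None                      # ordinary time traffic or another mode
    if op & 0x80 or op & 0x1F != OP_READ_MRU:
        return None                      # a response, or a different control opcode
    data = payload[HEADER.size:HEADER.size + count]
    if len(data) < count:                # extra heuristic added in this example
        return Finding("high", "mrulist request: count field exceeds datagram length")
    if b"laddr=[]:" in data:             # empty IPv6 literal named in the list above
        return Finding("high", "mrulist request with empty IPv6 address field")
    if not src_trusted:
        return Finding("medium", "mrulist request from untrusted source")
    return None


def build_ctl(op: int, data: bytes, mode: int = 6, version: int = 2) -> bytes:
    """Build a constructed control datagram for exercising the classifier."""
    return HEADER.pack((version << 3) | mode, op, 1, 0, 0, 0, len(data)) + data


# Constructed samples: a mode 3 time request, a readvar query, two mrulist queries.
SAMPLE_TIME = bytes([0x23]) + bytes(47)
SAMPLE_READVAR = build_ctl(2, b"")
SAMPLE_MRU_PLAIN = build_ctl(OP_READ_MRU, b"nonce")
SAMPLE_MRU_EMPTY_ADDR = build_ctl(OP_READ_MRU, b"nonce, laddr=[]:0")
```

Pass `src_trusted=True` for sources that the ntpd configuration deliberately allows to query the MRU list, so that only malformed requests from them are reported.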
CVSS provenance
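| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
| vendor_ubuntu | | 5.9 | MEDIUM | |
| vendor_cisco | | 5.3 | MEDIUM | |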
GHSA
GHSA-qf57-pg9f-mrmv: The read_mru_list function in NTP before 4
ghsa_unreviewed·2022-05-13
CVE-2016-7434 [HIGH] CWE-20 GHSA-qf57-pg9f-mrmv: The read_mru_list function in NTP before 4
The read_mru_list function in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (crash) via a crafted mrulist query.
OSV
ntp vulnerabilities
osv·2017-07-05·CVSS 5.9
CVE-2016-2519 [MEDIUM] ntp vulnerabilities
ntp vulnerabilities
Yihan Lian discovered that NTP incorrectly handled certain large request
data values. A remote attacker could possibly use this issue to cause NTP
to crash, resulting in a denial of service. This issue only affected
Ubuntu 16.04 LTS. (CVE-2016-2519)
Miroslav Lichvar discovered that NTP incorrectly handled certain spoofed
addresses when performing rate limiting. A remote attacker could possibly
use this issue to perform a denial of service. This issue only affected
Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7426)
Matthew Van Gundy discovered that NTP incorrectly handled certain crafted
broadcast mode packets. A remote attacker could possibly use this issue to
perform a denial of service. This issue only affected Ubuntu 14.04 LTS,
Ubuntu 16.04 LTS,
OSV
CVE-2016-7434: The read_mru_list function in NTP before 4
osv·2017-01-13·CVSS 7.5
CVE-2016-7434 [HIGH] CVE-2016-7434: The read_mru_list function in NTP before 4
The read_mru_list function in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (crash) via a crafted mrulist query.
Ubuntu
NTP vulnerabilities
vendor_ubuntu·2017-07-05·CVSS 5.9
CVE-2016-2519 [MEDIUM] NTP vulnerabilities
Title: NTP vulnerabilities
Summary: Several security issues were fixed in NTP.
Yihan Lian discovered that NTP incorrectly handled certain large request
data values. A remote attacker could possibly use this issue to cause NTP
to crash, resulting in a denial of service. This issue only affected
Ubuntu 16.04 LTS. (CVE-2016-2519)
Miroslav Lichvar discovered that NTP incorrectly handled certain spoofed
addresses when performing rate limiting. A remote attacker could possibly
use this issue to perform a denial of service. This issue only affected
Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7426)
Matthew Van Gundy discovered that NTP incorrectly handled certain crafted
broadcast mode packets. A remote attacker could possibly use this issue to
perform a denial of service.
BSD
FreeBSD-SA-16:39.ntp: Multiple vulnerabilities of ntp
bsd_advisories·2016-12-22·CVSS 7.5
CVE-2016-7426 [HIGH] FreeBSD-SA-16:39.ntp: Multiple vulnerabilities of ntp
FreeBSD-SA-16:39.ntp Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities of ntp
Category: contrib
Module: ntp
Announced: 2016-12-22
Credits: Network Time Foundation
Affects: All supported versions of FreeBSD.
Corrected: 2016-11-22 16:22:51 UTC (stable/11, 11.0-STABLE)
2016-12-22 16:19:05 UTC (releng/11.0, 11.0-RELEASE-p6)
2016-11-22 16:23:20 UTC (stable/10, 10.3-STABLE)
2016-12-22 16:19:05 UTC (releng/10.3, 10.3-RELEASE-p15)
2016-12-22 16:19:05 UTC (releng/10.2, 10.2-RELEASE-p28)
2016-12-22 16:19:05 UTC (releng/10.1, 10.1-RELEASE-p45)
2016-11-22 16:23:46 UTC (stable/9, 9.3-STABLE)
2016-12-22 16:19:05 UTC (releng/9.3, 9.3-RELEASE-p53)
CVE Name: CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7431,
CVE-2016-7433, CVE-2016-7434, CVE-2016-9310, CVE-2016-9311
For gene
Cisco
Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: November 2016
vendor_cisco·2016-11-23·CVSS 5.3
CVE-2015-8138 [MEDIUM] CWE-119 Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: November 2016
Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: November 2016
Multiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server.
On November 21, 2016, the NTP Consortium of the Network Time Foundation released a security notice that details ten issues regarding DoS vulnerabilities and logic issues that may allow an attacker to shift a system's time.
The new vulnerabilities disclosed in this document are as follows:
Network Time Protocol Trap Service Denial of S
Red Hat
ntp: read_mru_list() does inadequate incoming packet checks
vendor_redhat·2016-11-21·CVSS 7.5
CVE-2016-7434 [HIGH] CWE-20 ntp: read_mru_list() does inadequate incoming packet checks
ntp: read_mru_list() does inadequate incoming packet checks
The read_mru_list function in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (crash) via a crafted mrulist query.
Statement: This issue did not affect the versions of ntp as shipped with Red Hat Enterprise Linux 5, 6 and 7 as they did not include support for mrulist.
Package: ntp (Red Hat Enterprise Linux 5) - Not affected
Package: ntp (Red Hat Enterprise Linux 6) - Not affected
Package: ntp (Red Hat Enterprise Linux 7) - Not affected
Debian
CVE-2016-7434: ntp - The read_mru_list function in NTP before 4.2.8p9 allows remote attackers to caus...
vendor_debian·2016·CVSS 7.5
CVE-2016-7434 [HIGH] CVE-2016-7434: ntp - The read_mru_list function in NTP before 4.2.8p9 allows remote attackers to caus...
The read_mru_list function in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (crash) via a crafted mrulist query.
Scope: local
bullseye: resolved (fixed in 1:4.2.8p9+dfsg-1)
Cisco
Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: November 2016
vendor_cisco
CVE-2016-7434 Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: November 2016
CVE-2016-7434: Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: November 2016
Multiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server. On November 21, 2016, the NTP Consortium of the Network Time Foundation released a security notice that
CWE: CWE-119, CWE-20, CWE-399
Bug IDs: CSCvc22942, CSCvc23435, CSCvc23437
No detection rules found.
Bugzilla
CVE-2016-7434 ntp: read_mru_list() does inadequate incoming packet checks
bugzilla·2016-11-22·CVSS 7.5
CVE-2016-7434 [HIGH] CVE-2016-7434 ntp: read_mru_list() does inadequate incoming packet checks
CVE-2016-7434 ntp: read_mru_list() does inadequate incoming packet checks
If ntpd is configured to allow mrulist query requests from a server that sends a crafted malicious packet, ntpd will crash on receipt of that crafted malicious mrulist query packet.
External References:
http://support.ntp.org/bin/view/Main/NtpBug3102
Discussion:
Created ntp tracking bugs for this issue:
Affects: fedora-all [bug 1397351]
---
Statement:
This issue did not affect the versions of ntp as shipped with Red Hat Enterprise Linux 5, 6 and 7 as they did not include support for mrulist.
Bugzilla
CVE-2016-7426 CVE-2016-7429 CVE-2016-7433 CVE-2016-9310 CVE-2016-9311 ntp: various flaws [fedora-all]
bugzilla·2016-11-22·CVSS 7.5
CVE-2016-7426 [HIGH] CVE-2016-7426 CVE-2016-7429 CVE-2016-7433 CVE-2016-9310 CVE-2016-9311 ntp: various flaws [fedora-all]
CVE-2016-7426 CVE-2016-7429 CVE-2016-7433 CVE-2016-9310 CVE-2016-9311 ntp: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multipl
References:
- http://nwtime.org/ntp428p9_release/
- http://support.ntp.org/bin/view/Main/NtpBug3082
- http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
- http://www.securityfocus.com/bid/94448
- http://www.securitytracker.com/id/1037354
- https://bto.bluecoat.com/security-advisory/sa139
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03706en_us
- https://security.FreeBSD.org/advisories/FreeBSD-SA-16:39.ntp.asc
- https://www.exploit-db.com/exploits/40806/
- https://www.kb.cert.org/vuls/id/633847