ID CVE-2017-6451
Summary The mx4200_send function in the legacy MX4200 refclock in NTP before 4.2.8p10 and 4.3.x before 4.3.94 does not properly handle the return value of the snprintf function, which allows local users to execute arbitrary code via unspecified vectors, which trigger an out-of-bounds memory write.
References
Vulnerable Configurations
  • NTP 4.2.8 Patch 9
    cpe:2.3:a:ntp:ntp:4.2.8:p9
  • NTP 4.3.0
    cpe:2.3:a:ntp:ntp:4.3.0
  • NTP 4.3.1
    cpe:2.3:a:ntp:ntp:4.3.1
  • NTP 4.3.2
    cpe:2.3:a:ntp:ntp:4.3.2
  • NTP 4.3.3
    cpe:2.3:a:ntp:ntp:4.3.3
  • NTP 4.3.4
    cpe:2.3:a:ntp:ntp:4.3.4
  • NTP 4.3.5
    cpe:2.3:a:ntp:ntp:4.3.5
  • NTP 4.3.6
    cpe:2.3:a:ntp:ntp:4.3.6
  • NTP 4.3.7
    cpe:2.3:a:ntp:ntp:4.3.7
  • NTP 4.3.8
    cpe:2.3:a:ntp:ntp:4.3.8
  • NTP 4.3.9
    cpe:2.3:a:ntp:ntp:4.3.9
  • NTP 4.3.10
    cpe:2.3:a:ntp:ntp:4.3.10
  • NTP 4.3.11
    cpe:2.3:a:ntp:ntp:4.3.11
  • NTP 4.3.12
    cpe:2.3:a:ntp:ntp:4.3.12
  • NTP 4.3.13
    cpe:2.3:a:ntp:ntp:4.3.13
  • NTP 4.3.14
    cpe:2.3:a:ntp:ntp:4.3.14
  • NTP 4.3.15
    cpe:2.3:a:ntp:ntp:4.3.15
  • NTP 4.3.16
    cpe:2.3:a:ntp:ntp:4.3.16
  • NTP 4.3.17
    cpe:2.3:a:ntp:ntp:4.3.17
  • NTP 4.3.18
    cpe:2.3:a:ntp:ntp:4.3.18
  • NTP 4.3.19
    cpe:2.3:a:ntp:ntp:4.3.19
  • NTP 4.3.20
    cpe:2.3:a:ntp:ntp:4.3.20
  • NTP 4.3.21
    cpe:2.3:a:ntp:ntp:4.3.21
  • NTP 4.3.22
    cpe:2.3:a:ntp:ntp:4.3.22
  • NTP 4.3.23
    cpe:2.3:a:ntp:ntp:4.3.23
  • NTP 4.3.24
    cpe:2.3:a:ntp:ntp:4.3.24
  • NTP 4.3.25
    cpe:2.3:a:ntp:ntp:4.3.25
  • NTP 4.3.26
    cpe:2.3:a:ntp:ntp:4.3.26
  • NTP 4.3.27
    cpe:2.3:a:ntp:ntp:4.3.27
  • NTP 4.3.28
    cpe:2.3:a:ntp:ntp:4.3.28
  • NTP 4.3.29
    cpe:2.3:a:ntp:ntp:4.3.29
  • NTP 4.3.30
    cpe:2.3:a:ntp:ntp:4.3.30
  • NTP 4.3.31
    cpe:2.3:a:ntp:ntp:4.3.31
  • NTP 4.3.32
    cpe:2.3:a:ntp:ntp:4.3.32
  • NTP 4.3.33
    cpe:2.3:a:ntp:ntp:4.3.33
  • NTP 4.3.34
    cpe:2.3:a:ntp:ntp:4.3.34
  • NTP 4.3.35
    cpe:2.3:a:ntp:ntp:4.3.35
  • NTP 4.3.36
    cpe:2.3:a:ntp:ntp:4.3.36
  • NTP 4.3.37
    cpe:2.3:a:ntp:ntp:4.3.37
  • NTP 4.3.38
    cpe:2.3:a:ntp:ntp:4.3.38
  • NTP 4.3.39
    cpe:2.3:a:ntp:ntp:4.3.39
  • NTP 4.3.40
    cpe:2.3:a:ntp:ntp:4.3.40
  • NTP 4.3.41
    cpe:2.3:a:ntp:ntp:4.3.41
  • NTP 4.3.42
    cpe:2.3:a:ntp:ntp:4.3.42
  • NTP 4.3.43
    cpe:2.3:a:ntp:ntp:4.3.43
  • NTP 4.3.44
    cpe:2.3:a:ntp:ntp:4.3.44
  • NTP 4.3.45
    cpe:2.3:a:ntp:ntp:4.3.45
  • NTP 4.3.46
    cpe:2.3:a:ntp:ntp:4.3.46
  • NTP 4.3.47
    cpe:2.3:a:ntp:ntp:4.3.47
  • NTP 4.3.48
    cpe:2.3:a:ntp:ntp:4.3.48
  • NTP 4.3.49
    cpe:2.3:a:ntp:ntp:4.3.49
  • NTP 4.3.50
    cpe:2.3:a:ntp:ntp:4.3.50
  • NTP 4.3.51
    cpe:2.3:a:ntp:ntp:4.3.51
  • NTP 4.3.52
    cpe:2.3:a:ntp:ntp:4.3.52
  • NTP 4.3.53
    cpe:2.3:a:ntp:ntp:4.3.53
  • NTP 4.3.54
    cpe:2.3:a:ntp:ntp:4.3.54
  • NTP 4.3.55
    cpe:2.3:a:ntp:ntp:4.3.55
  • NTP 4.3.56
    cpe:2.3:a:ntp:ntp:4.3.56
  • NTP 4.3.57
    cpe:2.3:a:ntp:ntp:4.3.57
  • NTP 4.3.58
    cpe:2.3:a:ntp:ntp:4.3.58
  • NTP 4.3.59
    cpe:2.3:a:ntp:ntp:4.3.59
  • NTP 4.3.60
    cpe:2.3:a:ntp:ntp:4.3.60
  • NTP 4.3.61
    cpe:2.3:a:ntp:ntp:4.3.61
  • NTP 4.3.62
    cpe:2.3:a:ntp:ntp:4.3.62
  • NTP 4.3.63
    cpe:2.3:a:ntp:ntp:4.3.63
  • NTP 4.3.64
    cpe:2.3:a:ntp:ntp:4.3.64
  • NTP 4.3.65
    cpe:2.3:a:ntp:ntp:4.3.65
  • NTP 4.3.66
    cpe:2.3:a:ntp:ntp:4.3.66
  • NTP 4.3.67
    cpe:2.3:a:ntp:ntp:4.3.67
  • NTP 4.3.68
    cpe:2.3:a:ntp:ntp:4.3.68
  • NTP 4.3.69
    cpe:2.3:a:ntp:ntp:4.3.69
  • NTP 4.3.70
    cpe:2.3:a:ntp:ntp:4.3.70
  • NTP 4.3.71
    cpe:2.3:a:ntp:ntp:4.3.71
  • NTP 4.3.72
    cpe:2.3:a:ntp:ntp:4.3.72
  • NTP 4.3.73
    cpe:2.3:a:ntp:ntp:4.3.73
  • NTP 4.3.74
    cpe:2.3:a:ntp:ntp:4.3.74
  • NTP 4.3.75
    cpe:2.3:a:ntp:ntp:4.3.75
  • NTP 4.3.76
    cpe:2.3:a:ntp:ntp:4.3.76
  • NTP 4.3.77
    cpe:2.3:a:ntp:ntp:4.3.77
  • NTP 4.3.78
    cpe:2.3:a:ntp:ntp:4.3.78
  • NTP 4.3.79
    cpe:2.3:a:ntp:ntp:4.3.79
  • NTP 4.3.80
    cpe:2.3:a:ntp:ntp:4.3.80
  • NTP 4.3.81
    cpe:2.3:a:ntp:ntp:4.3.81
  • NTP 4.3.82
    cpe:2.3:a:ntp:ntp:4.3.82
  • NTP 4.3.83
    cpe:2.3:a:ntp:ntp:4.3.83
  • NTP 4.3.84
    cpe:2.3:a:ntp:ntp:4.3.84
  • NTP 4.3.85
    cpe:2.3:a:ntp:ntp:4.3.85
  • NTP 4.3.86
    cpe:2.3:a:ntp:ntp:4.3.86
  • NTP 4.3.87
    cpe:2.3:a:ntp:ntp:4.3.87
  • NTP 4.3.88
    cpe:2.3:a:ntp:ntp:4.3.88
  • NTP 4.3.89
    cpe:2.3:a:ntp:ntp:4.3.89
  • NTP 4.3.90
    cpe:2.3:a:ntp:ntp:4.3.90
  • NTP 4.3.91
    cpe:2.3:a:ntp:ntp:4.3.91
  • NTP 4.3.92
    cpe:2.3:a:ntp:ntp:4.3.92
  • NTP 4.3.93
    cpe:2.3:a:ntp:ntp:4.3.93
CVSS
Base: 4.6 (as of 29-03-2017 - 21:53)
Impact:
Exploitability:
CWE CWE-787
CAPEC
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-20D54B2782.NASL
    description Security fix for CVE-2017-6464 CVE-2017-6462 CVE-2017-6463 CVE-2017-6458 CVE-2017-6451 CVE-2017-6460 CVE-2016-9042. ---- This update improves the default configuration file to use the pool directive. It also replaces the ntpstat program with a shell script that uses the ntpq program instead of implementing the mode 6 protocol. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2017-07-17
    plugin id 101588
    published 2017-07-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101588
    title Fedora 26 : ntp (2017-20d54b2782)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1052-1.NASL
    description This ntp update to version 4.2.8p10 fixes the following issues: Security issues fixed (bsc#1030050) : - CVE-2017-6464: Denial of Service via Malformed Config - CVE-2017-6462: Buffer Overflow in DPTS Clock - CVE-2017-6463: Authenticated DoS via Malicious Config Option - CVE-2017-6458: Potential Overflows in ctl_put() functions - CVE-2017-6451: Improper use of snprintf() in mx4200_send() - CVE-2017-6460: Buffer Overflow in ntpq when fetching reslist - CVE-2016-9042: 0rigin (zero origin) DoS. - ntpq_stripquotes() returns incorrect Value - ereallocarray()/eallocarray() underused - Copious amounts of Unused Code - Off-by-one in Oncore GPS Receiver - Makefile does not enforce Security Flags Bugfixes : - Remove spurious log messages (bsc#1014172). - Fixing ppc and ppc64 linker issue (bsc#1031085). - clang scan-build findings - Support for openssl-1.1.0 without compatibility modes - Bugfix 3072 breaks multicastclient - forking async worker: interrupted pipe I/O - (...) time_pps_create: Exec format error - Incorrect Logic for Peer Event Limiting - Change the process name of forked DNS worker - Trap Configuration Fail - Nothing happens if minsane - allow -4/-6 on restrict line with mask - out-of-bound pointers in ctl_putsys and decode_bitflags - Move ntp-kod to /var/lib/ntp, because /var/db is not a standard directory and causes problems for transactional updates. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-02
    plugin id 99469
    published 2017-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99469
    title SUSE SLES11 Security Update : ntp (SUSE-SU-2017:1052-1)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2017-112-02.NASL
    description New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen 2018-09-02
    modified 2018-01-26
    plugin id 99597
    published 2017-04-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99597
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : ntp (SSA:2017-112-02)
  • NASL family MacOS X Local Security Checks
    NASL id MACOS_10_13.NASL
    description The remote host is running a version of Mac OS X that is prior to 10.10.5, 10.11.x prior to 10.11.6, 10.12.x prior to 10.12.6, or is not macOS 10.13. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - AppSandbox - AppleScript - Application Firewall - ATS - Audio - CFNetwork - CFNetwork Proxies - CFString - Captive Network Assistant - CoreAudio - CoreText - DesktopServices - Directory Utility - file - Fonts - fsck_msdos - HFS - Heimdal - HelpViewer - IOFireWireFamily - ImageIO - Installer - Kernel - kext tools - libarchive - libc - libexpat - Mail - Mail Drafts - ntp - Open Scripting Architecture - PCRE - Postfix - Quick Look - QuickTime - Remote Management - SQLite - Sandbox - Screen Lock - Security - Spotlight - WebKit - zlib Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2018-09-01
    modified 2018-07-14
    plugin id 103598
    published 2017-10-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103598
    title macOS < 10.13 Multiple Vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-72323A442F.NASL
    description Security fix for CVE-2017-6464 CVE-2017-6462 CVE-2017-6463 CVE-2017-6458 CVE-2017-6451. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-02
    modified 2017-04-19
    plugin id 99445
    published 2017-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99445
    title Fedora 24 : ntp (2017-72323a442f)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2017-0010.NASL
    description An update of [binutils,ntp,libarchive] packages for PhotonOS has been released.
    last seen 2018-09-01
    modified 2018-08-17
    plugin id 111859
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111859
    title Photon OS 1.0: Binutils / Libarchive / Ntp PHSA-2017-0010
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-816.NASL
    description Denial of Service via Malformed Config : A vulnerability was discovered in the NTP server's parsing of configuration directives. A remote, authenticated attacker could cause ntpd to crash by sending a crafted message.(CVE-2017-6464) Potential Overflows in ctl_put() functions : A vulnerability was found in NTP, in the building of response packets with custom fields. If custom fields were configured in ntp.conf with particularly long names, inclusion of these fields in the response packet could cause a buffer overflow, leading to a crash. (CVE-2017-6458) Improper use of snprintf() in mx4200_send() : A vulnerability was found in NTP, in the legacy MX4200 refclock implementation. If this refclock was compiled in and used, an attacker may be able to induce stack overflow, leading to a crash or potential code execution.(CVE-2017-6451) Authenticated DoS via Malicious Config Option : A vulnerability was discovered in the NTP server's parsing of configuration directives. A remote, authenticated attacker could cause ntpd to crash by sending a crafted message.(CVE-2017-6463) Buffer Overflow in DPTS Clock : A vulnerability was found in NTP, in the parsing of packets from the /dev/datum device. A malicious device could send crafted messages, causing ntpd to crash.(CVE-2017-6462)
    last seen 2018-09-02
    modified 2018-04-18
    plugin id 99529
    published 2017-04-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99529
    title Amazon Linux AMI : ntp (ALAS-2017-816)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1047-1.NASL
    description This ntp update to version 4.2.8p10 fixes serveral issues. This updated enables leap smearing. See /usr/share/doc/packages/ntp/README.leapsmear for details. Security issues fixed (bsc#1030050) : - CVE-2017-6464: Denial of Service via Malformed Config - CVE-2017-6462: Buffer Overflow in DPTS Clock - CVE-2017-6463: Authenticated DoS via Malicious Config Option - CVE-2017-6458: Potential Overflows in ctl_put() functions - CVE-2017-6451: Improper use of snprintf() in mx4200_send() - CVE-2017-6460: Buffer Overflow in ntpq when fetching reslist - CVE-2016-9042: 0rigin (zero origin) DoS. - ntpq_stripquotes() returns incorrect Value - ereallocarray()/eallocarray() underused - Copious amounts of Unused Code - Off-by-one in Oncore GPS Receiver - Makefile does not enforce Security Flags Bugfixes : - Remove spurious log messages (bsc#1014172). - clang scan-build findings - Support for openssl-1.1.0 without compatibility modes - Bugfix 3072 breaks multicastclient - forking async worker: interrupted pipe I/O - (...) time_pps_create: Exec format error - Incorrect Logic for Peer Event Limiting - Change the process name of forked DNS worker - Trap Configuration Fail - Nothing happens if minsane - allow -4/-6 on restrict line with mask - out-of-bound pointers in ctl_putsys and decode_bitflags - Move ntp-kod to /var/lib/ntp, because /var/db is not a standard directory and causes problems for transactional updates. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-02
    plugin id 99467
    published 2017-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99467
    title SUSE SLES12 Security Update : ntp (SUSE-SU-2017:1047-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-5EBAC1C112.NASL
    description Security fix for CVE-2017-6464 CVE-2017-6462 CVE-2017-6463 CVE-2017-6458 CVE-2017-6451. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2017-03-30
    plugin id 99053
    published 2017-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99053
    title Fedora 25 : ntp (2017-5ebac1c112)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-511.NASL
    description This ntp update to version 4.2.8p10 fixes serveral issues. This updated enables leap smearing. See /usr/share/doc/packages/ntp/README.leapsmear for details. Security issues fixed (bsc#1030050) : - CVE-2017-6464: Denial of Service via Malformed Config - CVE-2017-6462: Buffer Overflow in DPTS Clock - CVE-2017-6463: Authenticated DoS via Malicious Config Option - CVE-2017-6458: Potential Overflows in ctl_put() functions - CVE-2017-6451: Improper use of snprintf() in mx4200_send() - CVE-2017-6460: Buffer Overflow in ntpq when fetching reslist - CVE-2016-9042: 0rigin (zero origin) DoS. - ntpq_stripquotes() returns incorrect Value - ereallocarray()/eallocarray() underused - Copious amounts of Unused Code - Off-by-one in Oncore GPS Receiver - Makefile does not enforce Security Flags Bugfixes : - Remove spurious log messages (bsc#1014172). - clang scan-build findings - Support for openssl-1.1.0 without compatibility modes - Bugfix 3072 breaks multicastclient - forking async worker: interrupted pipe I/O - (...) time_pps_create: Exec format error - Incorrect Logic for Peer Event Limiting - Change the process name of forked DNS worker - Trap Configuration Fail - Nothing happens if minsane < maxclock < minclock - allow -4/-6 on restrict line with mask - out-of-bound pointers in ctl_putsys and decode_bitflags - Move ntp-kod to /var/lib/ntp, because /var/db is not a standard directory and causes problems for transactional updates. This update was imported from the SUSE:SLE-12-SP1:Update update project.
    last seen 2018-09-02
    modified 2017-04-27
    plugin id 99700
    published 2017-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99700
    title openSUSE Security Update : ntp (openSUSE-2017-511)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1048-1.NASL
    description This ntp update to version 4.2.8p10 fixes serveral issues. This updated enables leap smearing. See /usr/share/doc/packages/ntp/README.leapsmear for details. Security issues fixed (bsc#1030050) : - CVE-2017-6464: Denial of Service via Malformed Config - CVE-2017-6462: Buffer Overflow in DPTS Clock - CVE-2017-6463: Authenticated DoS via Malicious Config Option - CVE-2017-6458: Potential Overflows in ctl_put() functions - CVE-2017-6451: Improper use of snprintf() in mx4200_send() - CVE-2017-6460: Buffer Overflow in ntpq when fetching reslist - CVE-2016-9042: 0rigin (zero origin) DoS. - ntpq_stripquotes() returns incorrect Value - ereallocarray()/eallocarray() underused - Copious amounts of Unused Code - Off-by-one in Oncore GPS Receiver - Makefile does not enforce Security Flags Bugfixes : - Remove spurious log messages (bsc#1014172). - clang scan-build findings - Support for openssl-1.1.0 without compatibility modes - Bugfix 3072 breaks multicastclient - forking async worker: interrupted pipe I/O - (...) time_pps_create: Exec format error - Incorrect Logic for Peer Event Limiting - Change the process name of forked DNS worker - Trap Configuration Fail - Nothing happens if minsane - allow -4/-6 on restrict line with mask - out-of-bound pointers in ctl_putsys and decode_bitflags - Move ntp-kod to /var/lib/ntp, because /var/db is not a standard directory and causes problems for transactional updates. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-02
    modified 2018-08-02
    plugin id 99468
    published 2017-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99468
    title SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2017:1048-1)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL32262483.NASL
    description The mx4200_send function in the legacy MX4200 refclock in NTP before 4.2.8p10 and 4.3.x before 4.3.94 does not properly handle the return value of the snprintf function, which allows local users to execute arbitrary code via unspecified vectors, which trigger an out-of-bounds memory write. (CVE-2017-6451)
    last seen 2018-09-02
    modified 2018-07-11
    plugin id 105403
    published 2017-12-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105403
    title F5 Networks BIG-IP : NTP vulnerability (K32262483)
  • NASL family Misc.
    NASL id NTP_4_2_8P10.NASL
    description The version of the remote NTP server is 4.x prior to 4.2.8p10. It is, therefore, affected by the following vulnerabilities : - A denial of service vulnerability exists in the receive() function within file ntpd/ntp_proto.c due to the expected origin timestamp being cleared when a packet with a zero origin timestamp is received. An unauthenticated, remote attacker can exploit this issue, via specially crafted network packets, to reset the expected origin timestamp for a target peer, resulting in legitimate replies being dropped. (CVE-2016-9042) - An out-of-bounds write error exists in the mx4200_send() function within file ntpd/refclock_mx4200.c due to improper handling of the return value of the snprintf() and vsnprintf() functions. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or possibly the execution of arbitrary code. However, neither the researcher nor vendor could find any exploitable code path. (CVE-2017-6451) - A stack-based buffer overflow condition exists in the addSourceToRegistry() function within file ports/winnt/instsrv/instsrv.c due to improper validation of certain input when adding registry keys. A local attacker can exploit this to execute arbitrary code. (CVE-2017-6452) - A flaw exists due to dynamic link library (DLL) files being preloaded when they are defined in the inherited environment variable 'PPSAPI_DLLS'. A local attacker can exploit this, via specially crafted DLL files, to execute arbitrary code with elevated privileges. (CVE-2017-6455) - Multiple stack-based buffer overflow conditions exist in various wrappers around the ctl_putdata() function within file ntpd/ntp_control.c due to improper validation of certain input from the ntp.conf file. An unauthenticated, remote attacker can exploit these, by convincing a user into deploying a specially crafted ntp.conf file, to cause a denial of service condition or possibly the execution of arbitrary code. (CVE-2017-6458) - A flaw exists in the addKeysToRegistry() function within file ports/winnt/instsrv/instsrv.c when running the Windows installer due to improper termination of strings used for adding registry keys, which may cause malformed registry entries to be created. A local attacker can exploit this issue to possibly disclose sensitive memory contents. (CVE-2017-6459) - A stack-based buffer overflow condition exists in the reslist() function within file ntpq/ntpq-subs.c when handling server responses due to improper validation of certain input. An unauthenticated, remote attacker can exploit this, by convincing a user to connect to a malicious NTP server and by using a specially crafted server response, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-6460) - A stack-based buffer overflow condition exists in the datum_pts_receive() function within file ntpd/refclock_datum.c when handling handling packets from the '/dev/datum' device due to improper validation of certain input. A local attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-6462) - A denial of service vulnerability exists within file ntpd/ntp_config.c when handling 'unpeer' configuration options. An authenticated, remote attacker can exploit this issue, via an 'unpeer' option value of '0', to crash the ntpd daemon. (CVE-2017-6463) - A denial of service vulnerability exists when handling configuration directives. An authenticated, remote attacker can exploit this, via a malformed 'mode' configuration directive, to crash the ntpd daemon. (CVE-2017-6464) - A flaw exists in the ntpq_stripquotes() function within file ntpq/libntpq.c due to the function returning an incorrect value. An unauthenticated, remote attacker can possibly exploit this to have an unspecified impact. (VulnDB 154204) - An off-by-one overflow condition exists in the oncore_receive() function in file ntpd/refclock_oncore.c that possibly allows an unauthenticated, remote attacker to have an unspecified impact. (VulnDB 154208) - A flaw exists due to certain code locations not invoking the appropriate ereallocarray() and eallocarray() functions. An unauthenticated, remote attacker can possibly exploit this to have an unspecified impact. (VulnDB 154210) - A flaw exists due to the static inclusion of unused code from the libisc, libevent, and libopts libraries. An unauthenticated, remote attacker can possibly exploit this to have an unspecified impact. (VulnDB 154211) - A security weakness exists in the Makefile due to a failure to provide compile or link flags to offer hardened security options by default. (VulnDB 154458)
    last seen 2018-09-19
    modified 2018-09-17
    plugin id 97988
    published 2017-03-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97988
    title Network Time Protocol Daemon (ntpd) 4.x < 4.2.8p10 Multiple Vulnerabilities
  • NASL family AIX Local Security Checks
    NASL id AIX_NTP_V3_ADVISORY9.NASL
    description The version of NTP installed on the remote AIX host is affected by the following vulnerabilities : - An out-of-bounds write error exists in the mx4200_send() function within file ntpd/refclock_mx4200.c due to improper handling of the return value of the snprintf() and vsnprintf() functions. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or possibly the execution of arbitrary code. However, neither the researcher nor vendor could find any exploitable code path. (CVE-2017-6451) - Multiple stack-based buffer overflow conditions exist in various wrappers around the ctl_putdata() function within file ntpd/ntp_control.c due to improper validation of certain input from the ntp.conf file. An unauthenticated, remote attacker can exploit these, by convincing a user into deploying a specially crafted ntp.conf file, to cause a denial of service condition or possibly the execution of arbitrary code. (CVE-2017-6458) - A stack-based buffer overflow condition exists in the datum_pts_receive() function within file ntpd/refclock_datum.c when handling handling packets from the '/dev/datum' device due to improper validation of certain input. A local attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-6462) - A denial of service vulnerability exists when handling configuration directives. An authenticated, remote attacker can exploit this, via a malformed 'mode' configuration directive, to crash the ntpd daemon. (CVE-2017-6464)
    last seen 2018-09-02
    modified 2018-07-17
    plugin id 102130
    published 2017-08-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102130
    title AIX NTP v3 Advisory : ntp_advisory9.asc (IV96305) (IV96306) (IV96307) (IV96308) (IV96309) (IV96310)
refmap via4
bid 97058
confirm
sectrack
  • 1038123
  • 1039427
Last major update 30-03-2017 - 10:32
Published 27-03-2017 - 13:59
Last modified 23-10-2017 - 21:29
Back to Top