Bug 1011377 - (CVE-2016-9310) VUL-0: CVE-2016-9310, CVE-2016-9311 : ntp: Mode 6 unauthenticated trap information disclosure and DDoS vector
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Security Team bot
CVSSv2:SUSE:CVE-2016-9311:7.8:(AV:N/A...
Blocks: 1011421
Reported: 2016-11-21 16:24 UTC by Matthias Gerstner
Modified: 2017-06-14 06:37 UTC
Description Matthias Gerstner 2016-11-21 16:24:12 UTC
Summary: ntpd does not enable trap service by default. If trap service has been explicitly enabled, an attacker can send a specially crafted packet to cause a null pointer dereference that will crash ntpd, resulting in a denial of service.

Mitigation:

- Implement BCP-38.
- Use "restrict default noquery ..." in your ntp.conf file. Only allow mode 6 queries from trusted networks and hosts.
- Upgrade to 4.2.8p9, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
- Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running.

Credit: This weakness was discovered by Matthew Van Gundy of Cisco.
Comment 1 Matthias Gerstner 2016-11-21 17:26:58 UTC
http://support.ntp.org/bin/view/Main/NtpBug3118
Comment 2 Matthias Gerstner 2016-11-21 17:37:09 UTC
http://support.ntp.org/bin/view/Main/NtpBug3119
Comment 3 Swamp Workflow Management 2016-11-21 23:01:48 UTC
bugbot adjusting priority
Comment 4 Matthias Gerstner 2016-11-22 09:53:02 UTC
This ticket covers two related CVEs. The description above is for CVE-2016-9311. The other CVE-2016-9310 has got the following description:

Summary:

An exploitable configuration modification vulnerability exists in the control mode (mode 6) functionality of ntpd. If, against long-standing BCP recommendations, "restrict default noquery ..." is not specified, a specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, disabling legitimate monitoring. A remote, unauthenticated, network attacker can trigger this vulnerability.
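The mitigation quoted in the description and in comment 4 ("restrict default noquery ...", mode 6 queries only from trusted networks and hosts) can be checked against a configuration file. The following is an added example, not code from this bug report or from the NTP project: a small Python audit of `restrict` lines. The function names and the sample configuration are constructed for illustration, and each line is judged on its own rather than merged with other lines for the same address.

```python
# Flags that stop ntpd answering mode 6 (ntpq) queries from a matching source.
BLOCKS_QUERY = {"noquery", "ignore"}

def parse_restrict(line):
    """Return (family, address, flags) for a 'restrict' line, else None."""
    words = line.split("#", 1)[0].split()
    if len(words) < 2 or words[0] != "restrict":
        return None
    args = words[1:]
    family = args.pop(0) if args[0] in ("-4", "-6") else None
    if not args:
        return None
    address = args.pop(0)
    if len(args) >= 2 and args[0] == "mask":
        address += "/" + args[1]
        args = args[2:]
    return family, address, set(args)

def audit(conf_text):
    """List default entries open to mode 6 and the sources allowed to query."""
    open_defaults, allowed = [], []
    covered = set()          # address families that have a default entry
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        entry = parse_restrict(line)
        if entry is None:
            continue
        family, address, flags = entry
        blocked = bool(flags & BLOCKS_QUERY)   # each line judged on its own
        if address == "default":
            # "restrict default" without -4/-6 covers both address families
            families = [family] if family else ["-4", "-6"]
            covered.update(families)
            if not blocked:
                open_defaults.append((lineno, families))
        elif not blocked:
            allowed.append((lineno, address))
    # A family with no default entry at all has no restrictions in ntpd.
    missing = sorted({"-4", "-6"} - covered)
    return {"open_defaults": open_defaults, "missing_defaults": missing,
            "query_allowed": allowed}

# Constructed sample ntp.conf (addresses from documentation ranges).
SAMPLE = """\
restrict -4 default kod notrap nomodify nopeer
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
restrict 198.51.100.7 ignore
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Entries reported under `query_allowed` are the sources that may still send mode 6 queries; each should be a trusted network or host.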
Comment 5 Swamp Workflow Management 2016-11-24 15:31:28 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-12-08.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63222
Comment 6 Reinhard Max 2016-11-24 15:57:03 UTC
Packages submitted.
Comment 8 Swamp Workflow Management 2016-12-19 20:07:42 UTC
SUSE-SU-2016:3193-1: An update that solves 12 vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1009434,1011377,1011390,1011395,1011398,1011404,1011406,1011411,1011417,943216,956365,981252,988028,992038,992606
CVE References: CVE-2015-5219,CVE-2015-8139,CVE-2015-8140,CVE-2016-7426,CVE-2016-7427,CVE-2016-7428,CVE-2016-7429,CVE-2016-7431,CVE-2016-7433,CVE-2016-7434,CVE-2016-9310,CVE-2016-9311
Sources used:
SUSE Linux Enterprise Server 11-SP4 (src):    ntp-4.2.8p9-57.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    ntp-4.2.8p9-57.2
Comment 9 Swamp Workflow Management 2016-12-19 20:10:56 UTC
SUSE-SU-2016:3195-1: An update that solves 10 vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1009434,1011377,1011390,1011395,1011398,1011404,1011406,1011411,1011417,943216,956365,981252,988028,992038,992606
CVE References: CVE-2015-5219,CVE-2016-7426,CVE-2016-7427,CVE-2016-7428,CVE-2016-7429,CVE-2016-7431,CVE-2016-7433,CVE-2016-7434,CVE-2016-9310,CVE-2016-9311
Sources used:
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    ntp-4.2.8p9-55.1
SUSE Linux Enterprise Server 12-SP2 (src):    ntp-4.2.8p9-55.1
SUSE Linux Enterprise Server 12-SP1 (src):    ntp-4.2.8p9-55.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    ntp-4.2.8p9-55.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    ntp-4.2.8p9-55.1
Comment 10 Swamp Workflow Management 2016-12-19 20:13:28 UTC
SUSE-SU-2016:3196-1: An update that solves 10 vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1009434,1011377,1011390,1011395,1011398,1011404,1011406,1011411,1011417,943216,956365,981252,988028,992038,992606
CVE References: CVE-2015-5219,CVE-2016-7426,CVE-2016-7427,CVE-2016-7428,CVE-2016-7429,CVE-2016-7431,CVE-2016-7433,CVE-2016-7434,CVE-2016-9310,CVE-2016-9311
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    ntp-4.2.8p9-46.18.1
SUSE Linux Enterprise Server 12-LTSS (src):    ntp-4.2.8p9-46.18.1
Comment 11 Swamp Workflow Management 2016-12-28 15:07:23 UTC
openSUSE-SU-2016:3280-1: An update that solves 10 vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1009434,1011377,1011390,1011395,1011398,1011404,1011406,1011411,1011417,943216,956365,981252,988028,992038,992606
CVE References: CVE-2015-5219,CVE-2016-7426,CVE-2016-7427,CVE-2016-7428,CVE-2016-7429,CVE-2016-7431,CVE-2016-7433,CVE-2016-7434,CVE-2016-9310,CVE-2016-9311
Sources used:
openSUSE Leap 42.2 (src):    ntp-4.2.8p9-27.1
openSUSE Leap 42.1 (src):    ntp-4.2.8p9-27.1
Comment 12 Swamp Workflow Management 2017-01-23 15:09:16 UTC
SUSE-SU-2017:0255-1: An update that solves 12 vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1009434,1011377,1011390,1011395,1011398,1011404,1011406,1011411,1011417,943216,956365,981252,988028,992038,992606
CVE References: CVE-2015-5219,CVE-2015-8139,CVE-2015-8140,CVE-2016-7426,CVE-2016-7427,CVE-2016-7428,CVE-2016-7429,CVE-2016-7431,CVE-2016-7433,CVE-2016-7434,CVE-2016-9310,CVE-2016-9311
Sources used:
SUSE OpenStack Cloud 5 (src):    ntp-4.2.8p9-48.9.1
SUSE Manager Proxy 2.1 (src):    ntp-4.2.8p9-48.9.1
SUSE Manager 2.1 (src):    ntp-4.2.8p9-48.9.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    ntp-4.2.8p9-48.9.1
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    ntp-4.2.8p9-48.9.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    ntp-4.2.8p9-48.9.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    ntp-4.2.8p9-48.9.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    ntp-4.2.8p9-48.9.1
Comment 13 Marcus Meissner 2017-02-15 09:15:02 UTC
all released