Network Time Protocol Daemon (NTPD) DoS Vulnerability (Dec 2, 2016)

The Network Time Protocol daemon (NTPD) is prone to a DoS vulnerability, CVE-2016-7434. A remote, authenticated attacker can exploit this vulnerability by sending a crafted packet to the target service. A successful attack could cause the NTPD service to crash.

The NTP protocol is designed to synchronize the clocks of computers over a network. It is maintained by ntp.org, and widely used in server operating systems, routers and infrastructure devices.

To perform routine NTP control and monitoring functions in comprehensive network-management environments, the protocol defines an NTP control message. The NTP control message has the following format:

  • NTP Control Message header, consisting of the following fields:
  • Version Number: 3-bit integer indicating the NTP version number, currently 3.
  • Mode: 3-bit integer indicating the mode. It must have the value 6, indicating an NTP control message.
  • Response Bit: Set to zero for commands, one for responses.
  • Error Bit: Set to zero for a normal response, one for an error response.
  • More Bit: Set to zero for the last fragment, one for all others.
  • Operation Code: 5-bit integer specifying the command function.
  • Sequence: 16-bit sequence number of the command or response.
  • Status: 16-bit status of the system.
  • Association ID: 16-bit ID of a valid association.
  • Offset: 16-bit offset of the first byte in the Data field (must be 0x0 for requests).
  • Count: 16-bit length of the Data field (N).
  • Data: Message data for the command or response.
  • Padding: Zero padding.
  • Authenticator: Optional authenticator information.

The OP code is represented by a 5-bit integer. Specifically, the values are:

0 = reserved
1 = read status command/response
2 = read variables command/response
3 = write variables command/response
4 = read clock variables command/response
5 = write clock variables command/response
6 = set trap address/port command/response
7 = trap response
8-31 = reserved

The vulnerability can be triggered by a specific type of message, the “MRU List” request. When the OPCode is set to 0x0A, the Data section is expected to be in a key-value format containing the parameters of the request.

When handling this kind of request, the function read_mru_list() is called to parse the key-value Data section. Within this function, a helper function ctl_getitem() is called to get the value for each key. If the key has no value, this helper returns NULL.

However, in the read_mru_list() function, the return value is assigned to a char* pointer without a NULL check and is then passed to other functions as a parameter. A NULL pointer dereference follows, causing the service to crash.
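As an added example (not from this advisory or from the ntp project), the following Python decoder parses the control-message header and key-value Data section described above and flags MRU-list requests in which a key carries no value, the condition that makes ctl_getitem() return NULL. The constant names, the build_control() helper and the sample packets are constructed for this example.

```python
import struct

MODE_CONTROL = 6     # Mode field value for an NTP control message
OP_MRU_LIST = 0x0A   # OPCode of the "MRU List" request (constant name is ours)


def parse_ntp_control(pkt: bytes) -> dict:
    """Decode the 12-byte control-message header and extract the Data section."""
    if len(pkt) < 12:
        raise ValueError("packet shorter than the control-message header")
    # Byte 0: LI(2) | VN(3) | Mode(3); byte 1: R | E | M | OPCode(5); then five 16-bit fields.
    b0, b1, seq, status, assoc, offset, count = struct.unpack("!BBHHHHH", pkt[:12])
    hdr = {
        "version": (b0 >> 3) & 0x7, "mode": b0 & 0x7,
        "response": bool(b1 & 0x80), "error": bool(b1 & 0x40), "more": bool(b1 & 0x20),
        "opcode": b1 & 0x1F, "sequence": seq, "status": status,
        "assoc_id": assoc, "offset": offset, "count": count,
    }
    if hdr["mode"] != MODE_CONTROL:
        raise ValueError("not an NTP control message (mode != 6)")
    if len(pkt) < 12 + count:
        raise ValueError("Count field exceeds the packet length")
    hdr["data"] = pkt[12:12 + count]   # padding/authenticator beyond Count is ignored
    return hdr


def parse_kv(data: bytes) -> list:
    """Split the Data section into (key, value) pairs; value is None when '=' is absent."""
    items = []
    for tok in data.decode("ascii", "replace").split(","):
        tok = tok.strip()
        if not tok:
            continue
        if "=" in tok:
            k, v = tok.split("=", 1)
            items.append((k.strip(), v.strip()))
        else:
            items.append((tok, None))      # key without a value: ctl_getitem() would return NULL
    return items


def mru_request_missing_values(pkt: bytes) -> list:
    """Return the keys of an MRU-list request that carry no value (empty list otherwise)."""
    hdr = parse_ntp_control(pkt)
    if hdr["response"] or hdr["opcode"] != OP_MRU_LIST:
        return []
    return [k for k, v in parse_kv(hdr["data"]) if v is None]


def build_control(opcode: int, data: bytes, version: int = 2) -> bytes:
    """Constructed helper: build a control-message request carrying the given Data section."""
    b0 = (version << 3) | MODE_CONTROL           # LI=0, VN, Mode=6
    return struct.pack("!BBHHHHH", b0, opcode & 0x1F, 1, 0, 0, 0, len(data)) + data
```

Running mru_request_missing_values() over captured mode-6 datagrams gives a simple way to spot requests of the malformed shape before an unpatched server handles them.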

A PoC exploit is already in the wild at http://dumpco.re/cve-2016-7434/. The official patch is included in the ntp-4.2.8p9 update.

SonicWALL provides protection against this threat via the following signatures:

  • 12506 EXPLOIT Network Time Protocol Daemon read_mru_list Denial of Service
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.