Threat Research

Analysis of Vulnerability CVE-2016-4957 in NTPD

By Dehui Yin | June 20, 2016

The Network Time Protocol Daemon (NTPD), from NTP.org, runs on *nix operating systems. It sets and maintains the system time in synchronization with Internet standard time servers or local reference clocks. NTPD ships with many major server operating systems, routers, and infrastructure devices.

CVE-2016-4957 is a high-severity vulnerability in NTPD. It triggers a segfault that terminates NTPD. If the NTP service stops, many time-sensitive programs are affected, such as database operations and server groups that rely on NTP to keep their clocks synchronized with one another.

The ntp-4.2.8p8 update was released on Jun 02, 2016 to address this vulnerability, along with several other low-severity vulnerabilities. The details of our investigation of CVE-2016-4957, along with how we protected our customers by widely deploying our detection, are outlined below.

NTP has three protocol variants: client/server, symmetric, and broadcast. In symmetric mode, two NTP peers set up an association to exchange time synchronization information. An association can be set up by an incoming symmetric active NTP packet, to which the peer responds with a symmetric passive NTP packet. Mutual authentication is performed during this message exchange. A crypto-NAK packet is sent when a peer receives an NTP packet that fails to authenticate.

CVE-2016-4957 was introduced by the fix for NTP bug 3007 (CVE-2016-1547) in ntp-4.2.8p7. NTPD uses the valid_NAK() function to process crypto-NAK packets. This function does not validate the peer pointer before dereferencing it.

The following code snippet is taken from NTPD version 4.2.8p7:

    valid_NAK(
        struct peer *peer,
        struct recvbuf *rbufp,
        u_char hismode
        )
    {
        [...Truncated for readability...]

        /* peer is dereferenced here without a NULL check */
        if (peer->keyid > 0 || peer->flags & FLAG_SKEY) {
            return (VALIDNAK);
        }

The peer pointer is NULL when no association has yet been set up between the two peers. valid_NAK() therefore segfaults when it processes a crypto-NAK packet from such a peer. Following is a stack trace of ntpd when it aborted.

Please note that authentication is NOT required to exploit this vulnerability.

From our analysis, we also confirmed that this vulnerability cannot be escalated to remote code execution.
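To make the defect concrete, the following C program is an added example (not code from NTPD or from this post). It models the receive-side decision with constructed stand-ins: the struct peer layout, the FLAG_SKEY value, the INVALIDNAK/VALIDNAK constants and all function names are hypothetical. It places the 4.2.8p7-shaped check, which dereferences peer unconditionally, next to a hardened form that rejects a crypto-NAK when no association exists, and it classifies a constructed crypto-NAK datagram (48-byte header plus a 4-byte zero key identifier, per RFC 5905) first with no association and then from a keyed peer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for ntpd's types and constants. The names follow the
 * snippet in the post, but the values and the struct layout are hypothetical. */
#define NTP_HDR_LEN  48      /* fixed NTPv4 header length (RFC 5905) */
#define FLAG_SKEY    0x0010u /* "peer uses autokey"; bit value assumed */
#define INVALIDNAK   0
#define VALIDNAK     1

struct peer {
    uint32_t keyid;   /* symmetric key id, 0 = none */
    uint32_t flags;   /* FLAG_* bits */
};

/* A crypto-NAK is the 48-byte header followed by a 4-byte key identifier of
 * zero and no MAC (RFC 5905). Returns 1 if buf has exactly that shape. */
int looks_like_crypto_nak(const uint8_t *buf, size_t len)
{
    if (buf == NULL || len != NTP_HDR_LEN + 4)
        return 0;
    return buf[NTP_HDR_LEN] == 0 && buf[NTP_HDR_LEN + 1] == 0 &&
           buf[NTP_HDR_LEN + 2] == 0 && buf[NTP_HDR_LEN + 3] == 0;
}

/* Shape of the 4.2.8p7 check quoted in the post: peer is dereferenced
 * unconditionally. Calling this with peer == NULL is the CVE-2016-4957
 * crash: the process segfaults instead of returning. */
int valid_nak_p7(const struct peer *peer)
{
    if (peer->keyid > 0 || (peer->flags & FLAG_SKEY))
        return VALIDNAK;
    return INVALIDNAK;
}

/* Hardened form: a crypto-NAK only has meaning inside an existing keyed
 * association, so a NULL peer (no association yet) is rejected before any
 * field is read. Identical to valid_nak_p7() for non-NULL peers. */
int valid_nak_checked(const struct peer *peer)
{
    if (peer == NULL)
        return INVALIDNAK;
    if (peer->keyid > 0 || (peer->flags & FLAG_SKEY))
        return VALIDNAK;
    return INVALIDNAK;
}

/* Receive-path decision for one datagram: is it a crypto-NAK to act on? */
int process_crypto_nak(const uint8_t *buf, size_t len, const struct peer *peer)
{
    if (!looks_like_crypto_nak(buf, len))
        return INVALIDNAK;   /* not a NAK; normal packet processing continues */
    return valid_nak_checked(peer);
}

/* Constructed sample: LI=0, VN=4, mode 1 (symmetric active), all other
 * header fields zero, followed by the zero key identifier. */
static size_t build_sample_nak(uint8_t *out, size_t cap)
{
    if (cap < NTP_HDR_LEN + 4)
        return 0;
    memset(out, 0, NTP_HDR_LEN + 4);
    out[0] = 0x21;
    return NTP_HDR_LEN + 4;
}

/* Unsolicited NAK from an address with no association: dropped, not a crash.
 * Returns INVALIDNAK. */
int demo_unsolicited_nak(void)
{
    uint8_t pkt[NTP_HDR_LEN + 4];
    size_t n = build_sample_nak(pkt, sizeof pkt);
    return process_crypto_nak(pkt, n, NULL);
}

/* The same datagram from a peer with a keyed association: accepted as a
 * genuine NAK. Returns VALIDNAK. */
int demo_keyed_nak(void)
{
    uint8_t pkt[NTP_HDR_LEN + 4];
    size_t n = build_sample_nak(pkt, sizeof pkt);
    struct peer keyed = { 5u, 0u };
    return process_crypto_nak(pkt, n, &keyed);
}

int main(void)
{
    printf("unsolicited crypto-NAK, no association: %d (expect %d)\n",
           demo_unsolicited_nak(), INVALIDNAK);
    printf("crypto-NAK from keyed peer:             %d (expect %d)\n",
           demo_keyed_nak(), VALIDNAK);
    return 0;
}
```

The ordering matters: the association lookup result is checked before any peer field is read, which is the single guard the p7 code lacks. The packet-shape test is separate so that an ordinary, non-NAK packet from an unknown sender is never routed into NAK handling at all.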

What You Can Do

During this attack, a malicious crypto-NAK packet is sent to a target running NTPD. Fortinet has released the IPS signature Network.Time.Protocol.Daemon.crypto-NAK.Packet.Handling.DoS, which blocks this malicious packet and protects our customers and their devices from this vulnerability.