{"id":68770,"date":"2017-02-02T16:06:59","date_gmt":"2017-02-03T00:06:59","guid":{"rendered":"https:\/\/securingtomorrow.mcafee.com\/?p=68770"},"modified":"2025-05-27T20:20:16","modified_gmt":"2025-05-28T03:20:16","slug":"analyzing-cve-2016-9311-ntpd-vulnerability-can-lead-denial-service","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/analyzing-cve-2016-9311-ntpd-vulnerability-can-lead-denial-service\/","title":{"rendered":"Analyzing CVE-2016-9311: NTPD Vulnerability Can Lead to Denial of Service"},"content":{"rendered":"

The network time protocol synchronizes time across various devices on a network. The network time protocol daemon (NTPD) is an open-source implementation of this protocol. In the last couple of months, a number of vulnerabilities have been reported in NTPD. One is CVE-2016-9311, which can cause a crash leading to a denial of service. We have analyzed this vulnerability and provided detection for our customers. In this post we take a detailed look at this vulnerability.<\/p>\n

Finding the changes<\/strong><\/h2>\n

Examining the patch, we found that the function \u201creport_event\u201d in ntp_control.c holds the fix for this vulnerability. The patch diff tool gives us the following screen (taken from http:\/\/bugs.ntp.org\/attachment.cgi?id=1460&action=diff<\/a>):<\/p>\n

\"\"<\/a><\/p>\n

 <\/p>\n

The left side of the preceding image shows the unpatched code, while right side has the patched code.<\/p>\n

In the vulnerable version of code there is one assert statement:<\/p>\n

INSIST(peer!=NULL)<\/p>\n

INSIST is defined in ntp_assert.h. If peer==NULL, then the assertion will fail and NTPD will crash.<\/p>\n

In the fixed version, we can see that the INSIST(peer!=NULL) statement is replaced by a simple \u201cif\u201d check:<\/p>\n

if ((err & PEER_EVENT) && !peer)<\/p>\n

return<\/p>\n

This if statement checks whether the value of \u201cpeer\u201d is null. If so, it will simply return and prevent a crash.<\/p>\n

Analyzing the root cause<\/strong><\/h2>\n

To trigger this vulnerability, program flow needs to reach the \u201creport_event\u201d function with a parameter such that the INSIST assertion check fails. (The variable \u201cpeer\u201d should be null.)<\/p>\n

When NTPD receives a packet, it goes to the function \u201creceive\u201d in ntp_proto.c. The \u201creceive\u201d function performs various checks on the received packet; one checks for valid or invalid crypto-negative acknowledgement (crypto-NAK) packets:<\/p>\n

\"\"<\/a><\/p>\n

If NTPD receives an invalid NAK packet, it will call the vulnerable function \u201creport_event.\u201d In this vulnerable function, a check looks for the number of traps. If no traps are configured on NTPD, then the function will simply return and the vulnerable code path will not be taken.<\/p>\n

\"\"<\/a><\/p>\n

This vulnerability can be exploited only if traps are enabled in NTPD. To check for invalid NAK packets, the function \u201cvalid_NAK\u201d is present in ntp_proto.c:<\/p>\n

\"\"<\/a><\/p>\n

As we see in the preceding image, the following conditions will mark a packet as an invalid NAK:<\/p>\n