NTP.org ntpd is vulnerable to denial of service and other vulnerabilities

Overview

NTP.org’s reference implementation of NTP server, ntpd, contains multiple vulnerabilities.

Description

NTP.org’s reference implementation of NTP server, ntpd, contains multiple vulnerabilities. A brief overview follows, but details may be found in NTP’s security advisory listing and in the individual links below.

CRYPTO-NAK denial of service introduced in Sec 3007 patch. See Sec 3046, CVE-2016-4957. The CVSS score below describes this vulnerability.

Bad authentication demobilizes ephemeral associations. See Sec 3045, CVE-2016-4953.

Processing of spoofed server packets affects peer variables. See Sec 3044, CVE-2016-4954.

Autokey associations may be reset when repeatedly receiving spoofed packets. See Sec 3043, CVE-2016-4955.

Broadcast associations are not covered in Sec 2978 patch, which may be leveraged to flip broadcast clients into interleave mode. See Sec 3042, CVE-2016-4956.

---

Impact

Unauthenticated, remote attackers may be able to spoof or send specially crafted packets to create denial of service conditions.

---

Solution

Apply an update

The vendor has released version 4.2.8p8 to address these issues. Users are encouraged to update to the latest release. Those unable to update should consider mitigations listed in NTP’s security advisory listing.

---

Vendor Information

321640

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

FreeBSD Project __ Affected

Notified: May 27, 2016 Updated: June 06, 2016

Statement Date: June 04, 2016

Status

Affected

Vendor Statement

As of 2016-06-04 05:46:52 UTC, we published fix for all supported FreeBSD releases. We have published a security advisory for this at <https://www.freebsd.org/security/advisories/FreeBSD-SA-16:24.ntp.asc&gt; .

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

• <https://www.freebsd.org/security/advisories/FreeBSD-SA-16:24.ntp.asc&gt;

NTP Project Affected

Notified: May 25, 2016 Updated: June 02, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

AT&T Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Alcatel-Lucent Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Apple Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Arista Networks, Inc. Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Aruba Networks Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Avaya, Inc. Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Belkin, Inc. Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Blue Coat Systems Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CA Technologies Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CentOS Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Check Point Software Technologies Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Cisco Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CoreOS Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

D-Link Systems, Inc. Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Debian GNU/Linux Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

DesktopBSD Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

DragonFly BSD Project Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

EMC Corporation Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

EfficientIP SAS Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Enterasys Networks Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Ericsson Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Extreme Networks Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

F5 Networks, Inc. Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Fedora Project Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Force10 Networks Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Gentoo Linux Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Google Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Hardened BSD Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Hewlett Packard Enterprise Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Hitachi Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Huawei Technologies Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IBM Corporation Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Infoblox Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Intel Corporation Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Internet Systems Consortium Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Internet Systems Consortium - DHCP Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Juniper Networks Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Lenovo Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

McAfee Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Microsoft Corporation Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

NEC Corporation Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

NTPsec Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

NetBSD Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Nokia Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Nominum Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

OmniTI Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

OpenBSD Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

OpenDNS Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Openwall GNU/*/Linux Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Oracle Corporation Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Peplink Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Q1 Labs Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

QNX Software Systems Inc. Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Red Hat, Inc. Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

SUSE Linux Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

SafeNet Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Secure64 Software Corporation Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Slackware Linux Inc. Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

SmoothWall Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Snort Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Sony Corporation Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Sourcefire Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Symantec Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

TippingPoint Technologies Inc. Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Turbolinux Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Ubuntu Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Unisys Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

VMware Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Wind River Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

dnsmasq Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

m0n0wall Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

openSUSE project Unknown

Notified: May 27, 2016 Updated: May 27, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

View all 75 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base	7.8	AV:N/AC:L/Au:N/C:N/I:N/A:C
Temporal	6.4	E:F/RL:OF/RC:C
Environmental	6.4	CDP:N/TD:H/CR:ND/IR:ND/AR:ND

References

• <http://support.ntp.org/bin/view/Main/NtpBug3007&gt;
• <http://support.ntp.org/bin/view/Main/NtpBug3046&gt;
• <http://support.ntp.org/bin/view/Main/NtpBug3045&gt;
• <http://support.ntp.org/bin/view/Main/NtpBug3044&gt;
• <http://support.ntp.org/bin/view/Main/NtpBug3043&gt;
• <http://support.ntp.org/bin/view/Main/NtpBug2978&gt;
• <http://support.ntp.org/bin/view/Main/NtpBug3042&gt;

Acknowledgements

The NTP Project credits Nicolas Edet of Cisco, Miroslav Lichvar of Red Hat, and Jakub Prokes of Red Hat for reporting these vulnerabilities.

This document was written by Joel Land.

Other Information

CVE IDs:	CVE-2016-4953, CVE-2016-4954, CVE-2016-4955, CVE-2016-4956, CVE-2016-4957
Date Public:	2016-06-02 Date First Published: