CERTVU:374268NTP Project ntpd reference implementation contains multiple vulnerabilities
4.3 Medium
CVSS2
Access Vector
ADJACENT_NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:A/AC:M/Au:N/C:N/I:P/A:P
0.008 Low
EPSS
Percentile
81.4%
Overview
NTP Project ntpd reference implementation accepts unauthenticated packets with symmetric key cryptography and does not protect symmetric associations against denial of service attacks.
Description
CVE-2015-1798, bug 2779:
In NTP4 installations utilizing symmetric key authentication, versions ntp-4.2.5p99 to ntp-4.2.8p1, packets with no message authentication code (MAC) are accepted as though they have a valid MAC. An attacker may be able to leverage this validation error to send packets that will be accepted by the client. The CVSS score reflects this issue.
CVE-2015-1799, bug 2781:
In NTP installations utilizing symmetric key authentication, including xntp3.3wy to version ntp-4.2.8p1, a denial of service condition is created when two peering hosts receive packets in which the originate and transmit timestamps do not match. An attacker who periodically sends such packets to both hosts can prevent synchronization.
For more information about these issues, visit NTP’s security notice.
Impact
An unauthenticated attacker with network access may be able to inject packets or prevent peer synchronization among symmetrically authenticated hosts.
Solution
Apply an update
The NTP Project has released version ntp-4.2.8p2 to address these issues.
Vendor Information
374268
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Arista Networks, Inc. Affected
Updated: April 10, 2015
Statement Date: April 09, 2015
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
FreeBSD Project __ Affected
Notified: March 24, 2015 Updated: April 10, 2015
Statement Date: April 09, 2015
Status
Affected
Vendor Statement
`The vulnerabilities in 374268 (different from 852879) have been resolved by FreeBSD-SA-15:07.ntp.
<https://www.freebsd.org/security/advisories/FreeBSD-SA-15:07.ntp.asc>`
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
NTP Project Affected
Notified: March 23, 2015 Updated: April 07, 2015
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
EfficientIP Not Affected
Updated: April 10, 2015
Statement Date: April 09, 2015
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
ACCESS Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
AT&T Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Alcatel-Lucent Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Apple Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Arch Linux Unknown
Notified: March 30, 2015 Updated: March 30, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Avaya, Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Barracuda Networks Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Belkin, Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Blue Coat Systems Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Brocade Unknown
Notified: March 30, 2015 Updated: March 30, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
CA Technologies Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
CentOS Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Check Point Software Technologies Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Cisco Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Cray Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
D-Link Systems, Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Debian GNU/Linux Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
DesktopBSD Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
DragonFly BSD Project Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
EMC Corporation Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Enterasys Networks Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Ericsson Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Extreme Networks Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
F5 Networks, Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Fedora Project Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Force10 Networks Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Fortinet, Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Fujitsu Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Gentoo Linux Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Global Technology Associates, Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Hewlett-Packard Company Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Hitachi Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Huawei Technologies Unknown
Notified: March 30, 2015 Updated: March 30, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
IBM Corporation Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
IBM eServer Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Infoblox Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Intel Corporation Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Intoto Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Juniper Networks Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Mandriva S. A. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
McAfee Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Microsemi Unknown
Notified: April 09, 2015 Updated: April 09, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Microsoft Corporation Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
NEC Corporation Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
NetBSD Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Nokia Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Novell, Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
OmniTI Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
OpenBSD Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Openwall GNU/*/Linux Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Oracle Corporation Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
PC-BSD Unknown
Notified: March 30, 2015 Updated: March 30, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Palo Alto Networks Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Peplink Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Process Software Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Q1 Labs Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
QNX Software Systems Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Quagga Unknown
Notified: March 30, 2015 Updated: March 30, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Red Hat, Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
SUSE Linux Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
SafeNet Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Slackware Linux Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
SmoothWall Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Snort Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Sony Corporation Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Sourcefire Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Stonesoft Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Symantec Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
The SCO Group Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
TippingPoint Technologies Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Turbolinux Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Ubuntu Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Unisys Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
VMware Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Vyatta Unknown
Notified: March 30, 2015 Updated: March 30, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Watchguard Technologies, Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Wind River Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
ZyXEL Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
eSoft, Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
m0n0wall Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
openSUSE project Unknown
Notified: March 30, 2015 Updated: March 30, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
View all 85 vendors __View less vendors __
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 5.4 | AV:A/AC:M/Au:N/C:P/I:P/A:P |
| Temporal | 4.2 | E:POC/RL:OF/RC:C |
| Environmental | 4.2 | CDP:N/TD:H/CR:ND/IR:ND/AR:ND |
References
- <http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities>
- <http://bugs.ntp.org/show_bug.cgi?id=2781>
- <http://bugs.ntp.org/show_bug.cgi?id=2779>
- <http://www.ntp.org/downloads.html>
Acknowledgements
The NTP Project credits Miroslav Lichvar of Red Hat for reporting these issues.
This document was written by Joel Land.
Other Information
| CVE IDs: | CVE-2015-1798, CVE-2015-1799 |
|---|---|
| Date Public: | 2015-04-07 Date First Published: |
Related
4.3 Medium
CVSS2
Access Vector
ADJACENT_NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:A/AC:M/Au:N/C:N/I:P/A:P
0.008 Low
EPSS
Percentile
81.4%