NTP Project ntpd reference implementation contains multiple vulnerabilities

2015-04-07T00:00:00
ID VU:374268
Type cert
Reporter CERT
Modified 2015-04-10T18:36:00

Overview

NTP Project ntpd reference implementation accepts unauthenticated packets with symmetric key cryptography and does not protect symmetric associations against denial of service attacks.

Description

CVE-2015-1798, bug 2779:

In NTP4 installations utilizing symmetric key authentication, versions ntp-4.2.5p99 to ntp-4.2.8p1, packets with no message authentication code (MAC) are accepted as though they have a valid MAC. An attacker may be able to leverage this validation error to send packets that will be accepted by the client. The CVSS score reflects this issue.
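The following is an added example, not code from ntpd or from this advisory: a simplified model of the validation error described above, next to a strict check that requires a valid MAC whenever the association is configured for symmetric key authentication. The key table, packets and function names are constructed for illustration, and the example assumes the MD5 MAC layout (4-byte key ID followed by a 16-byte digest computed over the secret and the 48-byte header) with no extension fields.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48   # fixed NTP header; extension fields are not modeled
KEYID_LEN = 4
MD5_LEN = 16      # only the MD5 MAC layout (key ID + 16-byte digest) is modeled
KEYS = {1: b"constructed-demo-secret"}  # constructed key table: key ID -> secret


def mac_status(packet, keys):
    """Classify the MAC trailer: 'none', 'valid', 'invalid' or 'malformed'."""
    if len(packet) < HEADER_LEN:
        return "malformed"
    header, trailer = packet[:HEADER_LEN], packet[HEADER_LEN:]
    if not trailer:
        return "none"
    if len(trailer) != KEYID_LEN + MD5_LEN:
        return "malformed"
    (key_id,) = struct.unpack("!I", trailer[:KEYID_LEN])
    secret = keys.get(key_id)
    if secret is None:
        return "invalid"
    expected = hashlib.md5(secret + header).digest()
    ok = hmac.compare_digest(expected, trailer[KEYID_LEN:])
    return "valid" if ok else "invalid"


def accept_flawed(packet, keys, auth_required):
    """Model of the described error: a missing MAC is treated like a valid one."""
    return mac_status(packet, keys) in ("none", "valid")


def accept_strict(packet, keys, auth_required):
    """Corrected policy: an authenticated association demands a valid MAC."""
    status = mac_status(packet, keys)
    if auth_required:
        return status == "valid"
    return status in ("none", "valid")


def sample_packets():
    """Constructed packets: LI=0, VN=4, mode=1 (symmetric active), zeroed body."""
    header = b"\x21" + bytes(HEADER_LEN - 1)
    digest = hashlib.md5(KEYS[1] + header).digest()
    signed = header + struct.pack("!I", 1) + digest
    tampered = b"\x21\x02" + signed[2:]  # header byte changed after signing
    return {"no_mac": header, "signed": signed, "tampered": tampered}


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(name, mac_status(pkt, KEYS),
              accept_flawed(pkt, KEYS, True), accept_strict(pkt, KEYS, True))
```

The same length-based classification can be applied to captured traffic to flag MAC-less packets arriving on associations that are configured with a key.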

CVE-2015-1799, bug 2781:

In NTP installations utilizing symmetric key authentication, including xntp3.3wy to version ntp-4.2.8p1, a denial of service condition is created when two peering hosts receive packets in which the originate and transmit timestamps do not match. An attacker who periodically sends such packets to both hosts can prevent synchronization.

For more information about these issues, visit NTP's security notice.


Impact

An unauthenticated attacker with network access may be able to inject packets or prevent peer synchronization among symmetrically authenticated hosts.


Solution

Apply an update

The NTP Project has released version ntp-4.2.8p2 to address these issues.


Vendor Information

Arista Networks, Inc. Affected

Updated: April 10, 2015

Statement Date: April 09, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD Project Affected

Notified: March 24, 2015 Updated: April 10, 2015

Statement Date: April 09, 2015

Status

Affected

Vendor Statement

The vulnerabilities in 374268 (different from 852879) have been resolved by FreeBSD-SA-15:07.ntp.

<https://www.freebsd.org/security/advisories/FreeBSD-SA-15:07.ntp.asc>

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

  • <https://www.freebsd.org/security/advisories/FreeBSD-SA-15:07.ntp.asc>

NTP Project Affected

Notified: March 23, 2015 Updated: April 07, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

  • <http://support.ntp.org/bin/view/Main/SecurityNotice>
  • <http://www.ntp.org/downloads.html>

EfficientIP Not Affected

Updated: April 10, 2015

Statement Date: April 09, 2015

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

AT&T Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Alcatel-Lucent Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Apple Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Arch Linux Unknown

Notified: March 30, 2015 Updated: March 30, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Avaya, Inc. Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Barracuda Networks Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Belkin, Inc. Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Blue Coat Systems Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Brocade Unknown

Notified: March 30, 2015 Updated: March 30, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CA Technologies Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CentOS Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Check Point Software Technologies Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Cisco Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Cray Inc. Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

D-Link Systems, Inc. Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Debian GNU/Linux Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

DesktopBSD Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

DragonFly BSD Project Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

EMC Corporation Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Enterasys Networks Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Ericsson Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Extreme Networks Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

F5 Networks, Inc. Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Fedora Project Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Force10 Networks Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Fortinet, Inc. Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Fujitsu Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Gentoo Linux Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Global Technology Associates, Inc. Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Hewlett-Packard Company Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Hitachi Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Huawei Technologies Unknown

Notified: March 30, 2015 Updated: March 30, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IBM Corporation Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IBM eServer Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Infoblox Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Intel Corporation Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Intoto Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Juniper Networks Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Mandriva S. A. Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

McAfee Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Microsemi Unknown

Notified: April 09, 2015 Updated: April 09, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Microsoft Corporation Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

NEC Corporation Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

NetBSD Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Nokia Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Novell, Inc. Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

OmniTI Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

OpenBSD Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Openwall GNU/*/Linux Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Oracle Corporation Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

PC-BSD Unknown

Notified: March 30, 2015 Updated: March 30, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Palo Alto Networks Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Peplink Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Process Software Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Q1 Labs Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

QNX Software Systems Inc. Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Quagga Unknown

Notified: March 30, 2015 Updated: March 30, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Red Hat, Inc. Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

SUSE Linux Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

SafeNet Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Slackware Linux Inc. Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

SmoothWall Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Snort Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Sony Corporation Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Sourcefire Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Stonesoft Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Symantec Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

The SCO Group Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

TippingPoint Technologies Inc. Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Turbolinux Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Ubuntu Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Unisys Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

VMware Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Vyatta Unknown

Notified: March 30, 2015 Updated: March 30, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Watchguard Technologies, Inc. Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Wind River Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

ZyXEL Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

eSoft, Inc. Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

m0n0wall Unknown

Notified: March 24, 2015 Updated: March 24, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

openSUSE project Unknown

Notified: March 30, 2015 Updated: March 30, 2015

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CVSS Metrics

Group | Score | Vector
---|---|---
Base | 5.4 | AV:A/AC:M/Au:N/C:P/I:P/A:P
Temporal | 4.2 | E:POC/RL:OF/RC:C
Environmental | 4.2 | CDP:N/TD:H/CR:ND/IR:ND/AR:ND

References

  • <http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities>
  • <http://bugs.ntp.org/show_bug.cgi?id=2781>
  • <http://bugs.ntp.org/show_bug.cgi?id=2779>
  • <http://www.ntp.org/downloads.html>

Acknowledgements

The NTP Project credits Miroslav Lichvar of Red Hat for reporting these issues.

This document was written by Joel Land.

Other Information

CVE IDs: | CVE-2015-1798, CVE-2015-1799
---|---
Date Public: | 2015-04-07
Date First Published: | 2015-04-07
Date Last Updated: | 2015-04-10 18:36 UTC
Document Revision: | 19