NTP mode 7 denial-of-service vulnerability

2009-12-08T00:00:00
ID VU:568372
Type cert
Reporter CERT
Modified 2011-07-22T12:47:00

Description

Overview

NTP contains a vulnerability in the handling of mode 7 requests, which can result in a denial-of-service condition.

Description

NTP mode 7 (MODE_PRIVATE) is used by the ntpdc query and control utility. In contrast, ntpq uses NTP mode 6 (MODE_CONTROL), while routine NTP time transfers use modes 1 through 5. Upon receipt of an incorrect mode 7 request or a mode 7 error response from an address that is not listed in a "restrict ... noquery" or "restrict ... ignore" segment, ntpd will reply with a mode 7 error response and log a message.

If an attacker spoofs the source address of ntpd host A in a mode 7 response packet sent to ntpd host B, both A and B will continuously send each other error responses, for as long as those packets get through.

If an attacker spoofs an address of ntpd host A in a mode 7 response packet sent to ntpd host A, then host A will respond to itself endlessly, consuming CPU and logging excessively.


Impact

A remote, unauthenticated attacker may be able to cause a denial-of-service condition on a vulnerable NTP server.


Solution

Apply an update
This issue is addressed in NTP 4.2.4p8. Please check with your vendor for an update, or you may download NTP 4.2.4p8 from ntp.org.


Configure NTP to limit source addresses

By using "restrict ... noquery" or "restrict ... ignore" entries in the ntp.conf file, ntpd can be configured to limit the source addresses to which it will respond.

Filter NTP mode 7 packets that specify source and destination port 123

In most cases, ntpdc mode 7 requests will have either a source or destination port of 123, but not both.

Use anti-spoofing IP address filters

RFC 2827 (BCP 38) describes network ingress filtering, which can prevent UDP traffic claiming to be from a local address from entering your network from an outside source. Some ISPs may employ unicast reverse path filtering (uRPF) to limit the spoofed traffic that can enter your network.


Vendor Information

568372

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Vendor has issued information

__ Sort by: Status Alphabetical

Expand all

Affected Unknown __ Unaffected

Javascript is disabled. Click here to view vendors.

__ Apple Inc.

Notified: October 26, 2009 Updated: October 27, 2009

Statement Date: October 27, 2009

Status

__ Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cisco Systems, Inc.

Notified: October 26, 2009 Updated: December 13, 2009

Statement Date: December 02, 2009

Status

__ Vulnerable

Vendor Statement

Please find below our bug id details:

Cisco IOS and Cisco IOS XE Software (Cisco Bug ID: CSCtd75033)
Cisco Nexus Series Switches (Cisco Bug IDs: CSCsz81239, CSCtd15613, CSCtd15613)
Cisco Application Control Engine appliance (Cisco Bug ID: CSCsz93757)
Cisco Unified Communications Manager - Linux (Cisco Bug ID: CSCtc99277)
Cisco Telepresence Systems (Cisco Bug ID: CSCtc99290)
Cisco Wide Area Application Services (WAAS) (Cisco Bug ID: CSCtc99299)
Cisco Meeting Place Server (Cisco Bug ID: CSCtc99306)
Cisco Mobility Services Engine (Location Appliance) (Cisco Bug ID: CSCtc99318)
Cisco ACE XML Gateways (Cisco Bug ID: CSCtd15631)
Cisco IP Interoperability and Communications System (IPICS) (Cisco Bug ID: CSCtd15623)
Cisco MDS 9500 Series (Cisco Bug ID: CSCtd15595)
Cisco Digital Media Players (Cisco Bug ID: CSCtd15641)

Vendor Information

Please see Cisco Vulnerability Alert 19540.

Vendor References

<http://tools.cisco.com/security/center/viewAlert.x?alertId=19540>

__ Debian GNU/Linux

Notified: October 26, 2009 Updated: December 08, 2009

Status

__ Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see <http://security-tracker.debian.org/tracker/CVE-2009-3563>

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Gentoo Linux

Notified: October 26, 2009 Updated: December 10, 2009

Statement Date: December 10, 2009

Status

__ Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please see: <http://bugs.gentoo.org/show_bug.cgi?id=290881>.

Vendor References

<http://bugs.gentoo.org/show_bug.cgi?id=290881>

Meinberg Funkuhren GmbH & Co. KG

Updated: December 16, 2009

Statement Date: December 15, 2009

Status

__ Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

we announced on Friday that our LANTIME NTP Time Server Appliances are affected as well:

<http://www.meinberg.de/english/news/lantime-firmware-update-ntp-security-problem-with-mode-7-packets.htm>

Additionally, Meinberg provides an easy-to-use Windows installer for the reference implementation of NTP, i.e. we created an installer that installs the original ntpd from ntp.org on Windows machines. We also updated this installer to include 4.2.4p8 and nicknamed it "lennon" (in memory of the death of John Lennon, wo died on December 8th - the day when this vulnerability has been announced.

<http://www.meinberg.de/english/news/software-new-ntp-version-for-windows-4-2-4p8-security-update.htm>

QNX Software Systems Inc.

Notified: October 26, 2009 Updated: December 07, 2009

Statement Date: December 07, 2009

Status

__ Vulnerable

Vendor Statement

The NTP feature of the Neutrino operating system (version 6.4.1 and earlier) is vulnerable. This issue will be corrected in the upcoming Neutrino 6.4.2 operating system release. Please contact your QNX representative regarding earlier OS product releases.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

__ Red Hat, Inc.

Notified: October 26, 2009 Updated: December 08, 2009

Status

__ Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc.

Notified: October 26, 2009 Updated: January 22, 2010

Statement Date: January 22, 2010

Status

__ Vulnerable

Vendor Statement

Solaris is impacted by CERT Vulnerability Note VU#568372: 'NTP mode 7 denial-of-service vulnerability'. We have published Sun Alert 275590 for this issue.

<http://sunsolve.sun.com/search/document.do?assetkey=1-66-275590-1>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

<http://sunsolve.sun.com/search/document.do?assetkey=1-66-275590-1>

__ The SCO Group

Notified: October 26, 2009 Updated: October 29, 2009

Statement Date: October 29, 2009

Status

__ Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ubuntu

Notified: October 26, 2009 Updated: December 09, 2009

Status

__ Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Please see <http://www.ubuntu.com/usn/USN-867-1>.

Vendor References

<http://www.ubuntu.com/usn/USN-867-1>

Computer Associates

Notified: October 26, 2009 Updated: April 27, 2010

Statement Date: March 23, 2010

Status

__ Not Vulnerable

Vendor Statement

CA has reviewed the VU#568372 information you have provided, and we have determined that CA products are NOT VULNERABLE.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Extreme Networks

Notified: October 26, 2009 Updated: February 03, 2010

Statement Date: November 30, 2009

Status

__ Not Vulnerable

Vendor Statement

Extreme Products dont provide NTPD service. The devices only have NTP clients. Hence, the vulnerability VU#568372 is not applicable to Extreme Networks products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

__ Force10 Networks, Inc.

Notified: October 26, 2009 Updated: July 22, 2011

Status

__ Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation

Notified: October 26, 2009 Updated: April 05, 2010

Statement Date: March 29, 2010

Status

__ Not Vulnerable

Vendor Statement

The Microsoft W32time implementation does not use Mode 7.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

PePLink

Notified: October 26, 2009 Updated: December 04, 2009

Statement Date: October 27, 2009

Status

__ Not Vulnerable

Vendor Statement

Peplink products are not vulnerable to this attack for the following reason:

  • Peplink products do not use ntpd.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SafeNet

Notified: October 26, 2009 Updated: October 28, 2009

Statement Date: October 28, 2009

Status

__ Not Vulnerable

Vendor Statement

We have confirmed that no SafeNet products are affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

__ 3com Inc

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ ACCESS

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ AT&T

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Alcatel-Lucent

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Avaya, Inc.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Barracuda Networks

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Belkin, Inc.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Borderware Technologies

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Charlotte's Web Networks

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Check Point Software Technologies

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Clavister

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Conectiva Inc.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Cray Inc.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ D-Link Systems, Inc.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ EMC Corporation

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Engarde Secure Linux

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Enterasys Networks

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Ericsson

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ F5 Networks, Inc.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Fedora Project

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Fortinet, Inc.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Foundry Networks, Inc.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ FreeBSD, Inc.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Fujitsu

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Global Technology Associates

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Hewlett-Packard Company

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Hitachi

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ IBM Corporation

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ IBM eServer

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ IP Filter

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ IP Infusion, Inc.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Infoblox

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Intel Corporation

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Internet Security Systems, Inc.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Intoto

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Juniper Networks, Inc.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Luminous Networks

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Mandriva S. A.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ McAfee

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ MontaVista Software, Inc.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Multitech, Inc.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ NEC Corporation

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ NetApp

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ NetBSD

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Nokia

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Nortel Networks, Inc.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Novell, Inc.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Openwall GNU/*/Linux

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Process Software

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Q1 Labs

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Quagga

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ RadWare, Inc.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Redback Networks, Inc.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ SUSE Linux

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Secureworx, Inc.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Silicon Graphics, Inc.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Slackware Linux Inc.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ SmoothWall

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Snort

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Soapstone Networks

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Sony Corporation

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Sourcefire

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Stonesoft

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Symantec

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ TippingPoint Technologies Inc.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Turbolinux

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ U4EA Technologies, Inc.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Unisys

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ VMware

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Vyatta

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Watchguard Technologies, Inc.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ Wind River Systems, Inc.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ ZyXEL

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ eSoft, Inc.

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ m0n0wall

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

__ netfilter

Notified: October 26, 2009 Updated: October 26, 2009

Status

__ Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | | N/A

References

  • <https://support.ntp.org/bugs/show_bug.cgi?id=1331>
  • <http://tools.ietf.org/html/rfc2827>
  • <http://tools.ietf.org/html/rfc3704>
  • <http://www.ntp.org/downloads.html>
  • <http://www.ubuntu.com/usn/USN-867-1>
  • <http://security-tracker.debian.org/tracker/CVE-2009-3563>
  • <http://tools.cisco.com/security/center/viewAlert.x?alertId=19540>

Credit

Thanks to Harlan Stenn for reporting this vulnerability.

This document was written by Will Dormann, based on information provided by Harlan Stenn.

Other Information

CVE IDs: | CVE-2009-3563
---|---
Date Public: | 2009-12-08
Date First Published: | 2009-12-08
Date Last Updated: | 2011-07-22 12:47 UTC
Document Revision: | 31