CERT VU:633847

Nov 21, 2016 - 12:00 a.m.

NTP.org ntpd contains multiple denial of service vulnerabilities

2016-11-21 00:00:00
www.kb.cert.org

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 7.1 High

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE

AV:N/AC:M/Au:N/C:N/I:N/A:C

EPSS: 0.965 High
Percentile: 99.6%

Overview

NTP.org ntpd versions ntp-4.2.7p385 up to but not including ntp-4.2.8p9 and ntp-4.3.0 up to but not including ntp-4.3.94 contain multiple denial of service vulnerabilities.

Description

NTP.org’s ntpd, versions ntp-4.2.7p385 up to but not including ntp-4.2.8p9 and ntp-4.3.0 up to but not including ntp-4.3.94, contain multiple denial of service vulnerabilities.

CWE-476: NULL Pointer Dereference - CVE-2016-9311

According to NTP.org, “ntpd does not enable trap service by default. If trap service has been explicitly enabled, an attacker can send a specially crafted packet to cause a null pointer dereference that will crash ntpd, resulting in a denial of service. Affects Windows only.”

CWE-400: Uncontrolled Resource Consumption (‘Resource Exhaustion’) - CVE-2016-9310

According to NTP.org, “An exploitable configuration modification vulnerability exists in the control mode (mode 6) functionality of ntpd. If, against long-standing BCP recommendations, “restrict default noquery …” is not specified, a specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, disabling legitimate monitoring. A remote, unauthenticated, network attacker can trigger this vulnerability.”

CWE-400: Uncontrolled Resource Consumption (‘Resource Exhaustion’) - CVE-2016-7427

According to NTP.org, “The broadcast mode of NTP is expected to only be used in a trusted network. If the broadcast network is accessible to an attacker, a potentially exploitable denial of service vulnerability in ntpd’s broadcast mode replay prevention functionality can be abused. An attacker with access to the NTP broadcast domain can periodically inject specially crafted broadcast mode NTP packets into the broadcast domain which, while being logged by ntpd, can cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers.”

CWE-400: Uncontrolled Resource Consumption (‘Resource Exhaustion’) - CVE-2016-7428

According to NTP.org, “The broadcast mode of NTP is expected to only be used in a trusted network. If the broadcast network is accessible to an attacker, a potentially exploitable denial of service vulnerability in ntpd’s broadcast mode poll interval enforcement functionality can be abused. To limit abuse, ntpd restricts the rate at which each broadcast association will process incoming packets. ntpd will reject broadcast mode packets that arrive before the poll interval specified in the preceding broadcast packet expires. An attacker with access to the NTP broadcast domain can send specially crafted broadcast mode NTP packets to the broadcast domain which, while being logged by ntpd, will cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers.”

CWE-410: Insufficient Resource Pool - CVE-2016-9312

According to NTP.org, “If a vulnerable instance of ntpd on Windows receives a crafted malicious packet that is “too big”, ntpd will stop working.”

CWE-20: Improper Input Validation - CVE-2016-7431

According to NTP.org, “Zero Origin timestamp problems were fixed by Bug 2945 in ntp-4.2.8p6. However, subsequent timestamp validation checks introduced a regression in the handling of some Zero origin timestamp checks.”

CWE-20: Improper Input Validation - CVE-2016-7434

According to NTP.org, “If ntpd is configured to allow mrulist query requests from a server that sends a crafted malicious packet, ntpd will crash on receipt of that crafted malicious mrulist query packet.”

CWE-605: Multiple Binds to the Same Port - CVE-2016-7429

According to NTP.org, “When ntpd receives a server response on a socket that corresponds to a different interface than was used for the request, the peer structure is updated to use the interface for new requests. If ntpd is running on a host with multiple interfaces in separate networks and the operating system doesn’t check source address in received packets (e.g. rp_filter on Linux is set to 0), an attacker that knows the address of the source can send a packet with spoofed source address which will cause ntpd to select wrong interface for the source and prevent it from sending new requests until the list of interfaces is refreshed, which happens on routing changes or every 5 minutes by default. If the attack is repeated often enough (once per second), ntpd will not be able to synchronize with the source.”

CWE-410: Insufficient Resource Pool - CVE-2016-7426

According to NTP.org, “When ntpd is configured with rate limiting for all associations (restrict default limited in ntp.conf), the limits are applied also to responses received from its configured sources. An attacker who knows the sources (e.g., from an IPv4 refid in server response) and knows the system is (mis)configured in this way can periodically send packets with spoofed source address to keep the rate limiting activated and prevent ntpd from accepting valid responses from its sources.”

CWE-682: Incorrect Calculation - CVE-2016-7433

According to NTP.org, “Bug 2085 described a condition where the root delay was included twice, causing the jitter value to be higher than expected. Due to a misinterpretation of a small-print variable in The Book, the fix for this problem was incorrect, resulting in a root distance that did not include the peer dispersion. The calculations and formulae have been reviewed and reconciled, and the code has been updated accordingly.”

For more information, please see NTP.org’s security advisory.

The CVSS score below is based on CVE-2016-9312.


Impact

A remote unauthenticated attacker may be able to perform a denial of service on ntpd.


Solution

Implement BCP-38.

Use “restrict default noquery ...” in your ntp.conf file. Only allow mode 6 queries from trusted networks and hosts.

Apply an update

Upgrade to 4.2.8p9, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.

Monitor ntpd

Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running.
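The version ranges and ntp.conf settings named in this advisory can be checked mechanically. The following is an added example, not code from CERT or NTP.org: the function names, finding codes and sample configurations are constructed for illustration, and the `restrict` parsing is a simplification that only looks at `restrict default` lines.

```python
import re

# Affected ranges as stated in the advisory, as [low, high) tuples.
AFFECTED_RANGES = [
    ((4, 2, 7, 385), (4, 2, 8, 9)),  # ntp-4.2.7p385 up to, not including, ntp-4.2.8p9
    ((4, 3, 0, 0), (4, 3, 94, 0)),   # ntp-4.3.0 up to, not including, ntp-4.3.94
]

# Finding codes are hypothetical labels; the CVE mapping follows the advisory text.
FINDING_TEXT = {
    "NOQUERY_MISSING": "restrict default lacks noquery: mode 6 open (CVE-2016-9310)",
    "DEFAULT_LIMITED": "restrict default limited also rate-limits sources (CVE-2016-7426)",
    "BROADCAST_CLIENT": "broadcast mode in use: trusted networks only (CVE-2016-7427/7428)",
}


def parse_version(text):
    """Turn 'ntp-4.2.8p8' or '4.3.93' into a comparable 4-tuple of ints."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if m is None:
        raise ValueError("no ntpd version found in %r" % text)
    return tuple(int(g or 0) for g in m.groups())


def is_affected(version_text):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version_text)
    return any(low <= v < high for low, high in AFFECTED_RANGES)


def audit_ntp_conf(conf_text):
    """Return (finding_code, line_number) pairs; line 0 means 'no such line'."""
    findings = []
    saw_default = False
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()  # drop comments
        if not tokens:
            continue
        keyword, args = tokens[0].lower(), tokens[1:]
        if keyword == "restrict":
            if args and args[0] in ("-4", "-6"):  # address-family qualifier
                args = args[1:]
            if not args or args[0] != "default":
                continue  # host/subnet entries are out of scope here
            saw_default = True
            flags = set(args[1:])
            if not flags & {"noquery", "ignore"}:  # ignore denies all packets
                findings.append(("NOQUERY_MISSING", lineno))
            if "limited" in flags:
                findings.append(("DEFAULT_LIMITED", lineno))
        elif keyword == "broadcastclient":
            findings.append(("BROADCAST_CLIENT", lineno))
    if not saw_default:
        findings.append(("NOQUERY_MISSING", 0))
    return findings


# Constructed sample configurations (not taken from the advisory).
SAMPLE_WEAK = """\
# constructed sample
driftfile /var/lib/ntp/drift
restrict default limited kod nomodify notrap
restrict 127.0.0.1
broadcastclient
"""

SAMPLE_HARDENED = """\
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

if __name__ == "__main__":
    for version in ("4.2.8p8", "4.2.8p9", "4.3.93"):
        print(version, "affected" if is_affected(version) else "not affected")
    for code, lineno in audit_ntp_conf(SAMPLE_WEAK):
        print("line %d: %s" % (lineno, FINDING_TEXT[code]))
```

A clean result from `audit_ntp_conf` does not replace upgrading: several of the listed issues are code defects that configuration alone does not remove.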


Vendor Information


NTP Project: Affected

Updated: November 18, 2016

Vendor Statement: We have not received a statement from the vendor.

Vendor Information: We are not aware of further vendor information regarding this vulnerability.

CoreOS: Not Affected

Notified: November 21, 2016 Updated: November 21, 2016

Statement Date: November 21, 2016

Vendor Statement: CoreOS Container Linux, by default, is not affected by this since ntpd is disabled.

Vendor Information: We are not aware of further vendor information regarding this vulnerability.

Status Unknown

The following vendors were each notified on November 21, 2016 and last updated on November 21, 2016. For each of them: "We have not received a statement from the vendor."

ACCESS
AT&T
Alcatel-Lucent
Apple
Arch Linux
Arista Networks, Inc.
Aruba Networks
Avaya, Inc.
Barracuda Networks
Belkin, Inc.
Blue Coat Systems
Brocade Communication Systems
CA Technologies
CMX Systems
CentOS
Check Point Software Technologies
Cisco
Contiki OS
D-Link Systems, Inc.
Debian GNU/Linux
DesktopBSD
DragonFly BSD Project
EMC Corporation
EfficientIP SAS
Enterasys Networks
Ericsson
European Registry for Internet Domains
Extreme Networks
F5 Networks, Inc.
Fedora Project
Force10 Networks
Fortinet, Inc.
Foundry Brocade
FreeBSD Project
GNU adns
GNU glibc
Gentoo Linux
Google
Hardened BSD
Hewlett Packard Enterprise
Hitachi
Huawei Technologies
IBM Corporation
Infoblox
Intel Corporation
Internet Systems Consortium
Internet Systems Consortium - DHCP
JH Software
Juniper Networks
Lenovo
Lynx Software Technologies
McAfee
Microchip Technology
Microsoft Corporation
NEC Corporation
NLnet Labs
NetBSD
Nokia
Nominum
OmniTI
OpenBSD
OpenDNS
Openwall GNU/*/Linux
Oracle Corporation
Oryx Embedded
Peplink
PowerDNS
Q1 Labs
QNX Software Systems Inc.
Quadros Systems
Red Hat, Inc.
Rocket RTOS
SUSE Linux
SafeNet
Secure64 Software Corporation
Slackware Linux Inc.
SmoothWall
Snort
Sony Corporation
Sourcefire
Symantec
TCPWave
TippingPoint Technologies Inc.
Tizen
TrueOS
Turbolinux
Ubuntu
Unisys
VMware
Wind River
WizNET Technology
Xilinx
Zephyr Project
ZyXEL
dnsmasq
gdnsd
m0n0wall
openSUSE project

CVSS Metrics

| Group | Score | Vector |
| --- | --- | --- |
| Base | 7.8 | AV:N/AC:L/Au:N/C:N/I:N/A:C |
| Temporal | 6.1 | E:POC/RL:OF/RC:C |
| Environmental | 6.1 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |


Acknowledgements

NTP.org thanks Matthew Van Gundy of Cisco, Robert Pajak, Sharon Goldberg and Aanchal Malhotra of Boston University, Magnus Stubman, Miroslav Lichvar of Red Hat, and Brian Utterback of Oracle for reporting these vulnerabilities.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7429, CVE-2016-7431, CVE-2016-7433, CVE-2016-7434, CVE-2016-9310, CVE-2016-9312
Date Public: 2016-11-21 Date First Published:
