9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.873 High
EPSS
Percentile
98.6%
The NTP.org reference implementation of ntpd
contains multiple vulnerabilities.
NTP.org’s reference implementation of NTP server, ntpd
, contains multiple vulnerabilities.
CWE-294**: Authentication Bypass by Capture-replay -**CVE-2015-7973
An attacker on the network can record and replay authenticated broadcast mode packets. Also known as the “Deja Vu” attack.
CWE-20**: Improper Input Validation -**CVE-2015-7974
A missing key check allows impersonation between authenticated peers. Also known as the “Skeleton Key” attack.
CWE-20**: Improper Input Validation -**CVE-2015-7975
The nextvar()
function does not properly validate length.
CWE-20**: Improper Input Validation -**CVE-2015-7976
ntpq saveconfig
command allows dangerous characters in filenames
CWE-476**: NULL Pointer Dereference -**CVE-2015-7977
reslist
NULL pointer dereference
CWE-400**: Uncontrolled Resource Consumption (‘Resource Exhaustion’) -**CVE-2015-7978
Stack exhaustion in recursive traversal of restriction list
CWE-821**: Incorrect Synchronization -**CVE-2015-7979
Off-path Denial of Service (DoS) attack on authenticated broadcast and other pre-emptable modes
CWE-20**: Improper Input Validation -**CVE-2015-8138
Zero Origin Timestamp Bypass
CWE-200**: Information Exposure -**CVE-2015-8139
Network Time Protocol ntpq and ntpdc Origin Timestamp Disclosure Vulnerability
<http://support.ntp.org/bin/view/Main/NtpBug2946>
CWE-294**: Authentication Bypass by Capture-replay -**CVE-2015-8140
Network Time Protocol ntpq Control Protocol Replay Vulnerability
<http://support.ntp.org/bin/view/Main/NtpBug2947>
CWE-400**: Uncontrolled Resource Consumption (‘Resource Exhaustion’) -**CVE-2015-8158
Potential Infinite Loop in ntpq
<http://support.ntp.org/bin/view/Main/NtpBug2948>
CWE-821**: Incorrect Synchronization -**CVE-2016-1547
An off-path attacker can deny service to ntpd
clients by demobilizing preemptable associations using spoofed crypto-NAK packets. This vulnerability involves different code paths than those used by CVE-2015-7979.
CWE-290**: Authentication Bypass by Spoofing -**CVE-2016-1548
By spoofing packets from a legitimate server, an attacker can change the time of an ntpd
client or deny service to an ntpd
client by forcing it to change from basic client/server mode to interleaved symmetric mode.
CWE-362**: Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) -**CVE-2016-1549
ntpd does not prevent Sybil attacks from authenticated peers. An malicious authenticated peer can create any number of ephemeral associations in order to win ntpd’s clock selection algorithm and modify a victim’s clock.
CWE-20**: Improper Input Validation -**CVE-2016-1550
ntpd does not use a constant-time memory comparison function when validating the authentication digest on incoming packets. In some situations this may allow an attacker to conduct a timing attack to compute the value of the valid authentication digest causing forged packets to be accepted by ntpd
.
CWE-290**: Authentication Bypass by Spoofing -**CVE-2016-1551
ntpd does not filter IPv4 bogon packets received from the network. This allows unauthenticated network attackers to spoof refclock packets to ntpd processes on systems that do not implement bogon filtering.
CWE-20**: Improper Input Validation -**CVE-2016-2516, CVE-2016-2517
Duplicate IPs on unconfig
directives will cause an assertion botch in ntpd
. A regression caused by the patch for CVE-2016-2516 was fixed and identified as CVE-2016-2517.
CWE-125**: Out-of-bounds Read -**CVE-2016-2518
Using a crafted packet to create a peer association with hmode > 7 causes the MATCH_ASSOC() lookup to make an out-of-bounds reference.
CWE-119**: Improper Restriction of Operations within the Bounds of a Memory Buffer -**CVE-2016-2519
ntpq
and ntpdc
can be used to store and retrieve information in ntpd
. It is possible to store a data value that is larger than the size of the buffer that the ctl_getitem()
function of ntpd
uses to report the return value. If the length of the requested data value returned by ctl_getitem()
is too large, the value NULL is returned instead. There are 2 cases where the return value from ctl_getitem()
was not directly checked to make sure it’s not NULL, but there are subsequent INSIST() checks that make sure the return value is not NULL. There are no data values ordinarily stored in ntpd
that would exceed this buffer length. But if one has permission to store values and one stores a value that is “too large”, then ntpd
will abort if an attempt is made to read that oversized value.
CWE-20**: Improper Input Validation -CVE-2015-7704,**CVE-2015-7705
An ntpd client that honors Kiss-of-Death (KoD) responses will honor KoD messages that have been forged by an attacker, causing it to delay or stop querying its servers for time updates. Also, an attacker can forge packets that claim to be from the target and send them to servers often enough that a server that implements KoD rate limiting will send the target machine a KoD response to attempt to reduce the rate of incoming packets, or it may also trigger a firewall block at the server for packets from the target machine. For either of these attacks to succeed, the attacker must know what servers the target is communicating with. An attacker can be anywhere on the Internet and can frequently learn the identity of the target’s time source by sending the target a time query.
For more information on these vulnerabilities, please see NTP.org’s April 2016 security advisory as well as the January 2016 security advisory.
Unauthenticated remote attackers may be able to spoof packets to cause denial of service, authentication bypass on commands, or certain configuration changes. For more information on these vulnerabilities, please see NTP.org’s April 2016 security advisory as well as the January 2016 security advisory.
Apply an update
Partial patches for some of these issues were initially released in January 2016 as version 4.2.8p6. Complete patches for all of these issues are now available in version 4.2.8p7, released 2016-04-26. Affected users are encouraged to update as soon as possible.
718152
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Notified: January 19, 2016 Updated: April 22, 2016
Statement Date: April 19, 2016
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: January 08, 2016 Updated: January 08, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: January 19, 2016 Updated: January 19, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
Notified: April 25, 2016 Updated: April 25, 2016
Unknown
We have not received a statement from the vendor.
View all 75 vendors __View less vendors __
Group | Score | Vector |
---|---|---|
Base | 6.8 | AV:N/AC:M/Au:N/C:P/I:P/A:P |
Temporal | 5.3 | E:POC/RL:OF/RC:C |
Environmental | 5.3 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
Thanks to Cisco TALOS for reporting many of these issues to us. The Network Time Foundation credits many researchers for these vulnerabilities; see NTP.org’s January 2016 and April 2016 security advisories for the complete list.
This document was written by Garret Wassermann.
CVE IDs: | CVE-2015-7704, CVE-2015-7705, CVE-2015-7973, CVE-2015-7974, CVE-2015-7975, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8138, CVE-2015-8139, CVE-2015-8140, CVE-2015-8158, CVE-2016-1547, CVE-2016-1548, CVE-2016-1549, CVE-2016-1550, CVE-2016-1551, CVE-2016-2516, CVE-2016-2517, CVE-2016-2518, CVE-2016-2519 |
---|---|
Date Public: | 2016-04-26 Date First Published: |
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.873 High
EPSS
Percentile
98.6%