SOL00329831 - Multiple NTP vulnerabilities CVE-2015-8139 and CVE-2015-8140
2016-02-29T00:00:00
ID SOL00329831 Type f5 Reporter f5 Modified 2016-02-29T00:00:00
Description
Recommended Actions
If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.
F5 responds to vulnerabilities in accordance with the Severity values published in the previous table. The Severity values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.
To mitigate this vulnerability, you can perform one of the following recommended modifications to the NTP service:
* Configure the NTP service to use multiple time sources
* Configure the NTP service to restrict the use of ntpq queries with the restrict noquery directive
* Restrict network access to the NTP service
Configure the NTP service to use multiple time sources
To add multiple time sources for the NTP service using the Configuration utility, perform the following procedure:
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
1. Log in to the Configuration utility.
2. Navigate to System > Configuration > Device > NTP.
3. In the Address box, type the IP address of the NTP server you want.
4. In the Time Server List box, click Add to include the desired NTP server.
5. Repeat step 3 and step 4 for each NTP server you want.
6. To save the changes, click Update.
Configure the NTP service to restrict the use of ntpq queries with the restrict noquery directive
To configure the NTP service to restrict the use of ntpq with the noquery directive, perform the following procedure.
Impact of procedure: Performing the following procedure should not have a negative impact on your system.
1. Log in to the tmsh utility.
2. Depending on your existing configuration, choose one of the following:
* If you already have an access restriction configured, but the noquery directive is disabled, use the following command syntax:
modify sys ntp restrict modify { <Name> { no-query enabled } }
For example, to modify an existing access restriction named ntp_restriction to enable noquery, type the following command:
modify sys ntp restrict modify { ntp_restriction { no-query enabled } }
* If you do not have an existing access restriction configured, use the following command syntax:
modify sys ntp restrict add { <Name> { address <Network> mask <Mask> no-trap enabled no-modify enabled no-query enabled } }
For example, to configure an access restriction named ntp_restriction for the 192.168.1.0/24 subnet, with notrap, nomodify, and noquery enabled, type the following command:
modify sys ntp restrict add { ntp_restriction { address 192.168.1.0 mask 255.255.255.0 no-trap enabled no-modify enabled no-query enabled } }
3. Save the configuration by typing the following command:
save /sys config
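The following POSIX shell script is an added example, not part of the F5 article: it audits a saved tmsh listing of the NTP configuration for the two mitigations above (at least two time sources, and no-query enabled on every access restriction) and prints the tmsh command that would fix each finding. The listing format (one attribute per line, as produced by tmsh list sys ntp and tmsh list sys ntp restrict) and the sample configuration are constructed assumptions, not captured from a real BIG-IP.

```shell
#!/bin/sh
# Audit a saved "tmsh list sys ntp" / "tmsh list sys ntp restrict" dump for the
# mitigations in this advisory. The input format is assumed from tmsh's
# one-attribute-per-line listing; the sample below is constructed for illustration.

SAMPLE_CONFIG='sys ntp {
    servers { 10.0.0.10 }
    timezone UTC
}
sys ntp restrict ntp_restriction {
    address 192.168.1.0
    mask 255.255.255.0
    no-modify enabled
    no-trap enabled
}
sys ntp restrict mgmt_restriction {
    address 10.0.0.0
    mask 255.0.0.0
    no-modify enabled
    no-query enabled
    no-trap enabled
}'

# Count the time sources listed on the "servers { ... }" line (0 if absent).
count_ntp_servers() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*servers[[:space:]]*{\(.*\)}.*$/\1/p' \
        | wc -w | tr -d ' '
}

# Print the name of every "sys ntp restrict <name>" block that does not
# contain "no-query enabled", one name per line.
restrictions_missing_noquery() {
    printf '%s\n' "$1" | awk '
        /^sys ntp restrict / { name = $4; noquery = 0; inblock = 1; next }
        inblock && /no-query[[:space:]]+enabled/ { noquery = 1 }
        inblock && /^}/ { if (!noquery) print name; inblock = 0 }
    '
}

# Report findings; return 0 when both mitigations are in place, 1 otherwise.
audit_ntp_config() {
    cfg=$1
    rc=0
    n=$(count_ntp_servers "$cfg")
    if [ "$n" -lt 2 ]; then
        echo "FINDING: only $n NTP time source(s) configured;" \
             "add more under System > Configuration > Device > NTP"
        rc=1
    fi
    for r in $(restrictions_missing_noquery "$cfg"); do
        echo "FINDING: restriction '$r' lacks no-query; fix with:" \
             "modify sys ntp restrict modify { $r { no-query enabled } }"
        rc=1
    done
    return $rc
}

if audit_ntp_config "$SAMPLE_CONFIG"; then
    echo "OK: both advisory mitigations are in place"
else
    echo "Findings above need attention; run 'save /sys config' after fixing"
fi
```

To audit a live device, replace SAMPLE_CONFIG with the output of tmsh list sys ntp followed by tmsh list sys ntp restrict.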
Restrict network access to the NTP service
For information about restricting network access to the NTP service, refer to SOL13092: Overview of securing access to the BIG-IP system.
Supplemental Information
* SOL9970: Subscribing to email notifications regarding F5 products
* SOL9957: Creating a custom RSS feed to view new and updated documents
* SOL4918: Overview of the F5 critical issue hotfix policy
By sending specially crafted broadcast packets with bad\nauthentication, an attacker could exploit this vulnerability to cause\nthe target broadcast client to tear down the association with the\nbroadcast server. NTP could allow a remote attacker to obtain\nsensitive information, caused by an origin leak in ntpq and ntpdc. An\nattacker could exploit this vulnerability to obtain sensitive\ninformation. NTP could allow a remote attacker to launch a replay\nattack. An attacker could exploit this vulnerability using ntpq to\nconduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by the improper\nprocessing of incoming packets by ntpq. By sending specially crafted\ndata, an attacker could exploit this vulnerability to cause the\napplication to enter into an infinite loop.\n\nThis plugin has been deprecated due to manual logic changes and\nadvisory issues. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356)\ninstead.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"n/a\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:7.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", 
\"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"7.2\", ml:\"00\", sp:\"00\", patch:\"IV83995m0a\", package:\"bos.net.tcp.ntp\", minfilesetver:\"7.2.0.0\", maxfilesetver:\"7.2.0.2\") < 0) flag++;\nif (aix_check_ifix(release:\"7.2\", ml:\"00\", sp:\"00\", patch:\"IV83995m0a\", package:\"bos.net.tcp.ntpd\", minfilesetver:\"7.2.0.0\", maxfilesetver:\"7.2.0.2\") < 0) flag++;\nif (aix_check_ifix(release:\"7.2\", ml:\"00\", sp:\"01\", patch:\"IV83995m1a\", package:\"bos.net.tcp.ntp\", minfilesetver:\"7.2.0.0\", maxfilesetver:\"7.2.0.2\") < 0) flag++;\nif (aix_check_ifix(release:\"7.2\", ml:\"00\", sp:\"01\", patch:\"IV83995m1a\", package:\"bos.net.tcp.ntpd\", minfilesetver:\"7.2.0.0\", maxfilesetver:\"7.2.0.2\") < 0) flag++;\nif (aix_check_ifix(release:\"7.2\", ml:\"00\", sp:\"02\", patch:\"IV83995s2b\", package:\"bos.net.tcp.ntp\", minfilesetver:\"7.2.0.0\", maxfilesetver:\"7.2.0.2\") < 0) flag++;\nif (aix_check_ifix(release:\"7.2\", ml:\"00\", sp:\"02\", patch:\"IV83995s2b\", package:\"bos.net.tcp.ntpd\", minfilesetver:\"7.2.0.0\", maxfilesetver:\"7.2.0.2\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:aix_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.8, "vector": 
"AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-10-29T13:38:29", "edition": 4, "description": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using authenticated broadcast mode packets to conduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted ntpdc reslist command, an attacker could exploit this vulnerability to cause a segmentation fault. NTP could allow a remote attacker to bypass security restrictions. By sending specially crafted broadcast packets with bad authentication, an attacker could exploit this vulnerability to cause the target broadcast client to tear down the association with the broadcast server. NTP could allow a remote attacker to obtain sensitive information, caused by an origin leak in ntpq and ntpdc. An attacker could exploit this vulnerability to obtain sensitive information. NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using ntpq to conduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by the improper processing of incoming packets by ntpq. By sending specially crafted data, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop.\n\nThis plugin has been deprecated due to manual logic changes and advisory issues. 
Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.", "published": "2016-06-09T00:00:00", "type": "nessus", "title": "AIX 5.3 TL 12 : ntp (IV84269) (deprecated)", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8140", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-8139"], "cpe": ["cpe:/o:ibm:aix:5.3"], "modified": "2017-01-19T00:00:00", "id": "AIX_IV84269.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=91520", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory ntp_advisory6.asc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2017/01/20. Deprecated by aix_ntp_v3_advisory6.nasl.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91520);\n script_version(\"$Revision: 2.3 $\");\n script_cvs_date(\"$Date: 2017/01/19 19:35:23 $\");\n\n script_cve_id(\"CVE-2015-7973\", \"CVE-2015-7977\", \"CVE-2015-7979\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\");\n\n script_name(english:\"AIX 5.3 TL 12 : ntp (IV84269) (deprecated)\");\n script_summary(english:\"Check for APAR IV84269\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"This plugin has been deprecated.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could\nallow a remote attacker to launch a replay attack. An attacker could\nexploit this vulnerability using authenticated broadcast mode packets\nto conduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by a NULL pointer\ndereference. By sending a specially crafted ntpdc reslist command, an\nattacker could exploit this vulnerability to cause a segmentation\nfault. NTP could allow a remote attacker to bypass security\nrestrictions. 
By sending specially crafted broadcast packets with bad\nauthentication, an attacker could exploit this vulnerability to cause\nthe target broadcast client to tear down the association with the\nbroadcast server. NTP could allow a remote attacker to obtain\nsensitive information, caused by an origin leak in ntpq and ntpdc. An\nattacker could exploit this vulnerability to obtain sensitive\ninformation. NTP could allow a remote attacker to launch a replay\nattack. An attacker could exploit this vulnerability using ntpq to\nconduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by the improper\nprocessing of incoming packets by ntpq. By sending specially crafted\ndata, an attacker could exploit this vulnerability to cause the\napplication to enter into an infinite loop.\n\nThis plugin has been deprecated due to manual logic changes and\nadvisory issues. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356)\ninstead.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"n/a\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:5.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", 
\"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"5.3\", ml:\"12\", sp:\"09\", patch:\"IV84269m9a\", package:\"bos.net.tcp.client\", minfilesetver:\"5.3.12.0\", maxfilesetver:\"5.3.12.10\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:aix_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2021-01-06T09:18:34", "description": "The version of NTP installed on the remote AIX host is affected by\nthe following vulnerabilities :\n\n - A flaw exists in the receive() function due to the use\n of authenticated broadcast mode. A man-in-the-middle\n attacker can exploit this to conduct a replay attack.\n (CVE-2015-7973)\n\n - A NULL pointer dereference flaw exists in ntp_request.c\n that is triggered when handling ntpdc reslist commands.\n A remote attacker can exploit this, via a specially\n crafted request, to crash the service, resulting in a\n denial of service condition. (CVE-2015-7977)\n\n - An unspecified flaw exists in authenticated broadcast\n mode. 
A remote attacker can exploit this, via specially\n crafted packets, to cause a denial of service condition.\n (CVE-2015-7979)\n\n - A flaw exists in ntpq and ntpdc that allows a remote\n attacker to disclose sensitive information in\n timestamps. (CVE-2015-8139)\n\n - A flaw exists in the ntpq protocol that is triggered\n during the handling of an improper sequence of numbers.\n A man-in-the-middle attacker can exploit this to conduct\n a replay attack. (CVE-2015-8140)\n\n - A flaw exists in the ntpq client that is triggered when\n handling packets that cause a loop in the getresponse()\n function. A remote attacker can exploit this to cause an\n infinite loop, resulting in a denial of service\n condition. (CVE-2015-8158)", "edition": 36, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-07-18T00:00:00", "title": "AIX NTP v4 Advisory : ntp_advisory6.asc (IV83983) (IV83992)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8140", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-8139"], "modified": "2016-07-18T00:00:00", "cpe": ["cpe:/a:ntp:ntp", "cpe:/o:ibm:aix"], "id": "AIX_NTP_V4_ADVISORY6.NASL", "href": "https://www.tenable.com/plugins/nessus/92357", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92357);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\n \"CVE-2015-7973\",\n \"CVE-2015-7977\",\n \"CVE-2015-7979\",\n \"CVE-2015-8139\",\n \"CVE-2015-8140\",\n \"CVE-2015-8158\"\n );\n script_bugtraq_id(\n 81814,\n 81815,\n 81816,\n 81963,\n 82102,\n 82105\n );\n script_xref(name:\"CERT\", value:\"718152\");\n\n script_name(english:\"AIX NTP v4 Advisory : ntp_advisory6.asc (IV83983) (IV83992)\");\n script_summary(english:\"Checks the version of the ntp 
packages for appropriate iFixes.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote AIX host has a version of NTP installed that is affected\nby multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of NTP installed on the remote AIX host is affected by\nthe following vulnerabilities :\n\n - A flaw exists in the receive() function due to the use\n of authenticated broadcast mode. A man-in-the-middle\n attacker can exploit this to conduct a replay attack.\n (CVE-2015-7973)\n\n - A NULL pointer dereference flaw exists in ntp_request.c\n that is triggered when handling ntpdc reslist commands.\n A remote attacker can exploit this, via a specially\n crafted request, to crash the service, resulting in a\n denial of service condition. (CVE-2015-7977)\n\n - An unspecified flaw exists in authenticated broadcast\n mode. A remote attacker can exploit this, via specially\n crafted packets, to cause a denial of service condition.\n (CVE-2015-7979)\n\n - A flaw exists in ntpq and ntpdc that allows a remote\n attacker to disclose sensitive information in\n timestamps. (CVE-2015-8139)\n\n - A flaw exists in the ntpq protocol that is triggered\n during the handling of an improper sequence of numbers.\n A man-in-the-middle attacker can exploit this to conduct\n a replay attack. (CVE-2015-8140)\n\n - A flaw exists in the ntpq client that is triggered when\n handling packets that cause a loop in the getresponse()\n function. A remote attacker can exploit this to cause an\n infinite loop, resulting in a denial of service\n condition. 
(CVE-2015-8158)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc\");\n script_set_attribute(attribute:\"solution\", value:\n\"A fix is available and can be downloaded from the IBM AIX website.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ntp:ntp\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"AIX Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\ninclude(\"aix.inc\");\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\noslevel = get_kb_item(\"Host/AIX/version\");\nif (isnull(oslevel)) audit(AUDIT_UNKNOWN_APP_VER, \"AIX\");\noslevel = oslevel - \"AIX-\";\n\nif ( ! 
get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This AIX package check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\naix_ntp_vulns = {\n \"6.1\": {\n \"minfilesetver\":\"6.1.6.0\",\n \"maxfilesetver\":\"6.1.6.5\",\n \"patch\":\"(IV83992s5a|IV87278s7a|IV92287m5a|IV96311m5a)\"\n },\n \"7.1\": {\n \"minfilesetver\":\"7.1.0.0\",\n \"maxfilesetver\":\"7.1.0.5\",\n \"patch\":\"(IV83983s5a|IV87279s7a|IV92287m5a|IV96312m5a)\"\n },\n \"7.2\": {\n \"minfilesetver\":\"7.1.0.0\",\n \"maxfilesetver\":\"7.1.0.5\",\n \"patch\":\"(IV83983s5a|IV87279s7a|IV92126m3a|IV96312m5a)\"\n }\n};\n\nversion_report = \"AIX \" + oslevel;\nif ( empty_or_null(aix_ntp_vulns[oslevel]) ) {\n os_options = join( sort( keys(aix_ntp_vulns) ), sep:' / ' );\n audit(AUDIT_OS_NOT, os_options, version_report);\n}\n\nforeach oslevel ( keys(aix_ntp_vulns) ) {\n package_info = aix_ntp_vulns[oslevel];\n minfilesetver = package_info[\"minfilesetver\"];\n maxfilesetver = package_info[\"maxfilesetver\"];\n patch = package_info[\"patch\"];\n if (aix_check_ifix(release:oslevel, patch:patch, package:\"ntp.rte\", minfilesetver:minfilesetver, maxfilesetver:maxfilesetver) < 0) flag++;\n}\n\nif (flag)\n{\n aix_report_extra = ereg_replace(string:aix_report_get(), pattern:\"[()]\", replace:\"\");\n aix_report_extra = ereg_replace(string:aix_report_extra, pattern:\"[|]\", replace:\" or \");\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : aix_report_extra\n );\n}\nelse\n{\n tested = aix_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp.rte\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-06T09:18:33", "description": "The version of NTP installed on the remote AIX host is affected by\nthe following vulnerabilities :\n\n - A flaw exists in the receive() function due 
to the use\n of authenticated broadcast mode. A man-in-the-middle\n attacker can exploit this to conduct a replay attack.\n (CVE-2015-7973)\n\n - A NULL pointer dereference flaw exists in ntp_request.c\n that is triggered when handling ntpdc reslist commands.\n A remote attacker can exploit this, via a specially\n crafted request, to crash the service, resulting in a\n denial of service condition. (CVE-2015-7977)\n\n - An unspecified flaw exists in authenticated broadcast\n mode. A remote attacker can exploit this, via specially\n crafted packets, to cause a denial of service condition.\n (CVE-2015-7979)\n\n - A flaw exists in ntpq and ntpdc that allows a remote\n attacker to disclose sensitive information in\n timestamps. (CVE-2015-8139)\n\n - A flaw exists in the ntpq protocol that is triggered\n during the handling of an improper sequence of numbers.\n A man-in-the-middle attacker can exploit this to conduct\n a replay attack. (CVE-2015-8140)\n\n - A flaw exists in the ntpq client that is triggered when\n handling packets that cause a loop in the getresponse()\n function. A remote attacker can exploit this to cause an\n infinite loop, resulting in a denial of service\n condition. 
(CVE-2015-8158)", "edition": 36, "cvss3": {"score": 8.1, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-07-18T00:00:00", "title": "AIX NTP v3 Advisory : ntp_advisory6.asc (IV83984) (IV83993) (IV83994) (IV83995) (IV84269)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8140", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-8139"], "modified": "2016-07-18T00:00:00", "cpe": ["cpe:/a:ntp:ntp", "cpe:/o:ibm:aix"], "id": "AIX_NTP_V3_ADVISORY6.NASL", "href": "https://www.tenable.com/plugins/nessus/92356", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(92356);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\n \"CVE-2015-7973\",\n \"CVE-2015-7977\",\n \"CVE-2015-7979\",\n \"CVE-2015-8139\",\n \"CVE-2015-8140\",\n \"CVE-2015-8158\"\n );\n script_bugtraq_id(\n 81814,\n 81815,\n 81816,\n 81963,\n 82102,\n 82105\n );\n script_xref(name:\"CERT\", value:\"718152\");\n\n script_name(english:\"AIX NTP v3 Advisory : ntp_advisory6.asc (IV83984) (IV83993) (IV83994) (IV83995) (IV84269)\");\n script_summary(english:\"Checks the version of the ntp packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote AIX host has a version of NTP installed that is affected\nby multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of NTP installed on the remote AIX host is affected by\nthe following vulnerabilities :\n\n - A flaw exists in the receive() function due to the use\n of authenticated broadcast mode. 
A man-in-the-middle\n attacker can exploit this to conduct a replay attack.\n (CVE-2015-7973)\n\n - A NULL pointer dereference flaw exists in ntp_request.c\n that is triggered when handling ntpdc reslist commands.\n A remote attacker can exploit this, via a specially\n crafted request, to crash the service, resulting in a\n denial of service condition. (CVE-2015-7977)\n\n - An unspecified flaw exists in authenticated broadcast\n mode. A remote attacker can exploit this, via specially\n crafted packets, to cause a denial of service condition.\n (CVE-2015-7979)\n\n - A flaw exists in ntpq and ntpdc that allows a remote\n attacker to disclose sensitive information in\n timestamps. (CVE-2015-8139)\n\n - A flaw exists in the ntpq protocol that is triggered\n during the handling of an improper sequence of numbers.\n A man-in-the-middle attacker can exploit this to conduct\n a replay attack. (CVE-2015-8140)\n\n - A flaw exists in the ntpq client that is triggered when\n handling packets that cause a loop in the getresponse()\n function. A remote attacker can exploit this to cause an\n infinite loop, resulting in a denial of service\n condition. 
(CVE-2015-8158)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc\");\n script_set_attribute(attribute:\"solution\", value:\n\"A fix is available and can be downloaded from the IBM AIX website.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ntp:ntp\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"AIX Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\ninclude(\"aix.inc\");\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! 
get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\noslevel = get_kb_item(\"Host/AIX/version\");\nif (isnull(oslevel)) audit(AUDIT_UNKNOWN_APP_VER, \"AIX\");\noslevel = oslevel - \"AIX-\";\n\noslevelcomplete = chomp(get_kb_item(\"Host/AIX/oslevelsp\"));\nif (isnull(oslevelcomplete)) audit(AUDIT_UNKNOWN_APP_VER, \"AIX\");\noslevelparts = split(oslevelcomplete, sep:'-', keep:0);\nif ( max_index(oslevelparts) != 4 ) audit(AUDIT_UNKNOWN_APP_VER, \"AIX\");\nml = oslevelparts[1];\nsp = oslevelparts[2];\n\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This AIX package check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\naix_ntp_vulns = {\n \"5.3\": {\n \"12\": {\n \"09\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"5.3.12.0\",\n \"maxfilesetver\":\"5.3.12.10\",\n \"patch\":\"(IV84269m9a|IV87614m9a|IV92194m9a|IV96305m9a)\"\n }\n }\n }\n },\n \"6.1\": {\n \"09\": {\n \"04\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"6.1.9.0\",\n \"maxfilesetver\":\"6.1.9.102\",\n \"patch\":\"(IV83984m4a)\"\n }\n },\n \"05\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"6.1.9.0\",\n \"maxfilesetver\":\"6.1.9.102\",\n \"patch\":\"(IV83984m5a|IV87419m5d)\"\n }\n },\n \"06\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"6.1.9.0\",\n \"maxfilesetver\":\"6.1.9.102\",\n \"patch\":\"(IV83984m6a|IV87419m6a|IV91803m6a)\"\n }\n },\n \"07\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"6.1.9.0\",\n \"maxfilesetver\":\"6.1.9.102\",\n \"patch\":\"(IV83984s7a|IV87419m7a|IV91803m6a|IV96306m9a)\"\n }\n }\n }\n },\n \"7.1\": {\n \"03\": {\n \"04\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"7.1.3.0\",\n \"maxfilesetver\":\"7.1.3.30\",\n \"patch\":\"(IV83993m4b)\"\n }\n },\n \"05\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"7.1.3.0\",\n \"maxfilesetver\":\"7.1.3.45\",\n 
\"patch\":\"(IV83993m5a|IV87615m5a|IV92193m5a)\"\n }\n },\n \"06\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"7.1.3.0\",\n \"maxfilesetver\":\"7.1.3.46\",\n \"patch\":\"(IV83993m6a|IV87615m6a|IV92193m5a)\"\n }\n },\n \"07\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"7.1.3.0\",\n \"maxfilesetver\":\"7.1.3.47\",\n \"patch\":\"(IV83993s7a|IV87615m7a|IV92193m5a|IV96307m9a)\"\n }\n }\n },\n \"04\": {\n \"00\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"7.1.4.0\",\n \"maxfilesetver\":\"7.1.4.1\",\n \"patch\":\"(IV83994m1a|IV87420m0a)\"\n }\n },\n \"01\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"7.1.4.0\",\n \"maxfilesetver\":\"7.1.4.1\",\n \"patch\":\"(IV83994m1a|IV87420m0a|IV91951m3a)\"\n }\n },\n \"02\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"7.1.4.0\",\n \"maxfilesetver\":\"7.1.4.1\",\n \"patch\":\"(IV83994s2a|IV87420m2a|IV91951m3a|IV96308m4a)\"\n }\n }\n }\n },\n \"7.2\": {\n \"00\": {\n \"00\": {\n \"bos.net.tcp.ntp\": {\n \"minfilesetver\":\"7.2.0.0\",\n \"maxfilesetver\":\"7.2.0.2\",\n \"patch\":\"(IV83995m0a|IV87939m0b|IV92192m2a)\"\n },\n \"bos.net.tcp.ntpd\": {\n \"minfilesetver\":\"7.2.0.0\",\n \"maxfilesetver\":\"7.2.0.2\",\n \"patch\":\"(IV83995m0a|IV87939m0b|IV92192m2a)\"\n }\n },\n \"01\": {\n \"bos.net.tcp.ntp\": {\n \"minfilesetver\":\"7.2.0.0\",\n \"maxfilesetver\":\"7.2.0.2\",\n \"patch\":\"(IV83995m1a|IV87939m0b|IV92192m2a)\"\n },\n \"bos.net.tcp.ntpd\": {\n \"minfilesetver\":\"7.2.0.0\",\n \"maxfilesetver\":\"7.2.0.2\",\n \"patch\":\"(IV83995m1a|IV87939m0b|IV92192m2a)\"\n }\n },\n \"02\": {\n \"bos.net.tcp.ntp\": {\n \"minfilesetver\":\"7.2.0.0\",\n \"maxfilesetver\":\"7.2.0.2\",\n \"patch\":\"(IV83995s2b|IV87939m2a|IV92192m2a|IV96309m4a)\"\n },\n \"bos.net.tcp.ntpd\": {\n \"minfilesetver\":\"7.2.0.0\",\n \"maxfilesetver\":\"7.2.0.2\",\n \"patch\":\"(IV83995s2b|IV87939m2a|IV92192m2a|IV96309m4a)\"\n }\n }\n }\n }\n};\n\nversion_report = \"AIX \" + oslevel;\nif ( empty_or_null(aix_ntp_vulns[oslevel]) 
) {\n os_options = join( sort( keys(aix_ntp_vulns) ), sep:' / ' );\n audit(AUDIT_OS_NOT, os_options, version_report);\n}\n\nversion_report = version_report + \" ML \" + ml;\nif ( empty_or_null(aix_ntp_vulns[oslevel][ml]) ) {\n ml_options = join( sort( keys(aix_ntp_vulns[oslevel]) ), sep:' / ' );\n audit(AUDIT_OS_NOT, \"ML \" + ml_options, version_report);\n}\n\nversion_report = version_report + \" SP \" + sp;\nif ( empty_or_null(aix_ntp_vulns[oslevel][ml][sp]) ) {\n sp_options = join( sort( keys(aix_ntp_vulns[oslevel][ml]) ), sep:' / ' );\n audit(AUDIT_OS_NOT, \"SP \" + sp_options, version_report);\n}\n\nforeach package ( keys(aix_ntp_vulns[oslevel][ml][sp]) ) {\n package_info = aix_ntp_vulns[oslevel][ml][sp][package];\n minfilesetver = package_info[\"minfilesetver\"];\n maxfilesetver = package_info[\"maxfilesetver\"];\n patch = package_info[\"patch\"];\n if (aix_check_ifix(release:oslevel, ml:ml, sp:sp, patch:patch, package:package, minfilesetver:minfilesetver, maxfilesetver:maxfilesetver) < 0) flag++;\n}\n\nif (flag)\n{\n aix_report_extra = ereg_replace(string:aix_report_get(), pattern:\"[()]\", replace:\"\");\n aix_report_extra = ereg_replace(string:aix_report_extra, pattern:\"[|]\", replace:\" or \");\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : aix_report_extra\n );\n}\nelse\n{\n tested = aix_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bos.net.tcp.ntp / bos.net.tcp.ntpd / bos.net.tcp.client\");\n}\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-10-29T13:34:46", "edition": 4, "description": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could allow a remote attacker to launch a replay attack. 
An attacker could exploit this vulnerability using authenticated broadcast mode packets to conduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted ntpdc reslist command, an attacker could exploit this vulnerability to cause a segmentation fault. NTP could allow a remote attacker to bypass security restrictions. By sending specially crafted broadcast packets with bad authentication, an attacker could exploit this vulnerability to cause the target broadcast client to tear down the association with the broadcast server. NTP could allow a remote attacker to obtain sensitive information, caused by an origin leak in ntpq and ntpdc. An attacker could exploit this vulnerability to obtain sensitive information. NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using ntpq to conduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by the improper processing of incoming packets by ntpq. By sending specially crafted data, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop.\n\nThis plugin has been deprecated due to manual logic changes and advisory issues. 
Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.", "published": "2016-06-09T00:00:00", "type": "nessus", "title": "AIX 7.1 TL 3 : ntp (IV83993) (deprecated)", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8140", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-8139"], "cpe": ["cpe:/o:ibm:aix:7.1"], "modified": "2017-01-19T00:00:00", "id": "AIX_IV83993.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=91517", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory ntp_advisory6.asc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2017/01/20. Deprecated by aix_ntp_v3_advisory6.nasl.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91517);\n script_version(\"$Revision: 2.4 $\");\n script_cvs_date(\"$Date: 2017/01/19 19:35:23 $\");\n\n script_cve_id(\"CVE-2015-7973\", \"CVE-2015-7977\", \"CVE-2015-7979\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\");\n\n script_name(english:\"AIX 7.1 TL 3 : ntp (IV83993) (deprecated)\");\n script_summary(english:\"Check for APAR IV83993\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"This plugin has been deprecated.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could\nallow a remote attacker to launch a replay attack. An attacker could\nexploit this vulnerability using authenticated broadcast mode packets\nto conduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by a NULL pointer\ndereference. By sending a specially crafted ntpdc reslist command, an\nattacker could exploit this vulnerability to cause a segmentation\nfault. NTP could allow a remote attacker to bypass security\nrestrictions. 
By sending specially crafted broadcast packets with bad\nauthentication, an attacker could exploit this vulnerability to cause\nthe target broadcast client to tear down the association with the\nbroadcast server. NTP could allow a remote attacker to obtain\nsensitive information, caused by an origin leak in ntpq and ntpdc. An\nattacker could exploit this vulnerability to obtain sensitive\ninformation. NTP could allow a remote attacker to launch a replay\nattack. An attacker could exploit this vulnerability using ntpq to\nconduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by the improper\nprocessing of incoming packets by ntpq. By sending specially crafted\ndata, an attacker could exploit this vulnerability to cause the\napplication to enter into an infinite loop.\n\nThis plugin has been deprecated due to manual logic changes and\nadvisory issues. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356)\ninstead.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"n/a\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:7.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", 
\"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"7.1\", ml:\"03\", sp:\"04\", patch:\"IV83993m4b\", package:\"bos.net.tcp.client\", minfilesetver:\"7.1.3.0\", maxfilesetver:\"7.1.3.47\") < 0) flag++;\nif (aix_check_ifix(release:\"7.1\", ml:\"03\", sp:\"05\", patch:\"IV83993m5a\", package:\"bos.net.tcp.client\", minfilesetver:\"7.1.3.0\", maxfilesetver:\"7.1.3.47\") < 0) flag++;\nif (aix_check_ifix(release:\"7.1\", ml:\"03\", sp:\"06\", patch:\"IV83993m6a\", package:\"bos.net.tcp.client\", minfilesetver:\"7.1.3.0\", maxfilesetver:\"7.1.3.47\") < 0) flag++;\nif (aix_check_ifix(release:\"7.1\", ml:\"03\", sp:\"07\", patch:\"IV83993s7a\", package:\"bos.net.tcp.client\", minfilesetver:\"7.1.3.0\", maxfilesetver:\"7.1.3.47\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:aix_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-10-29T13:45:11", "edition": 4, "description": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could allow a remote attacker to launch a replay attack. 
An attacker could exploit this vulnerability using authenticated broadcast mode packets to conduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted ntpdc reslist command, an attacker could exploit this vulnerability to cause a segmentation fault. NTP could allow a remote attacker to bypass security restrictions. By sending specially crafted broadcast packets with bad authentication, an attacker could exploit this vulnerability to cause the target broadcast client to tear down the association with the broadcast server. NTP could allow a remote attacker to obtain sensitive information, caused by an origin leak in ntpq and ntpdc. An attacker could exploit this vulnerability to obtain sensitive information. NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using ntpq to conduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by the improper processing of incoming packets by ntpq. By sending specially crafted data, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop.\n\nThis plugin has been deprecated due to manual logic changes and advisory issues. 
Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.", "published": "2016-06-09T00:00:00", "type": "nessus", "title": "AIX 6.1 TL 9 : ntp (IV83984) (deprecated)", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8140", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-8139"], "cpe": ["cpe:/o:ibm:aix:6.1"], "modified": "2017-01-19T00:00:00", "id": "AIX_IV83984.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=91516", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory ntp_advisory6.asc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2017/01/20. Deprecated by aix_ntp_v3_advisory6.nasl.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91516);\n script_version(\"$Revision: 2.4 $\");\n script_cvs_date(\"$Date: 2017/01/19 19:35:23 $\");\n\n script_cve_id(\"CVE-2015-7973\", \"CVE-2015-7977\", \"CVE-2015-7979\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\");\n\n script_name(english:\"AIX 6.1 TL 9 : ntp (IV83984) (deprecated)\");\n script_summary(english:\"Check for APAR IV83984\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"This plugin has been deprecated.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could\nallow a remote attacker to launch a replay attack. An attacker could\nexploit this vulnerability using authenticated broadcast mode packets\nto conduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by a NULL pointer\ndereference. By sending a specially crafted ntpdc reslist command, an\nattacker could exploit this vulnerability to cause a segmentation\nfault. NTP could allow a remote attacker to bypass security\nrestrictions. 
By sending specially crafted broadcast packets with bad\nauthentication, an attacker could exploit this vulnerability to cause\nthe target broadcast client to tear down the association with the\nbroadcast server. NTP could allow a remote attacker to obtain\nsensitive information, caused by an origin leak in ntpq and ntpdc. An\nattacker could exploit this vulnerability to obtain sensitive\ninformation. NTP could allow a remote attacker to launch a replay\nattack. An attacker could exploit this vulnerability using ntpq to\nconduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by the improper\nprocessing of incoming packets by ntpq. By sending specially crafted\ndata, an attacker could exploit this vulnerability to cause the\napplication to enter into an infinite loop.\n\nThis plugin has been deprecated due to manual logic changes and\nadvisory issues. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356)\ninstead.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"n/a\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:6.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", 
\"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"6.1\", ml:\"09\", sp:\"04\", patch:\"IV83984m4a\", package:\"bos.net.tcp.client\", minfilesetver:\"6.1.9.0\", maxfilesetver:\"6.1.9.102\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"09\", sp:\"05\", patch:\"IV83984m5a\", package:\"bos.net.tcp.client\", minfilesetver:\"6.1.9.0\", maxfilesetver:\"6.1.9.102\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"09\", sp:\"06\", patch:\"IV83984m6a\", package:\"bos.net.tcp.client\", minfilesetver:\"6.1.9.0\", maxfilesetver:\"6.1.9.102\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"09\", sp:\"07\", patch:\"IV83984s7a\", package:\"bos.net.tcp.client\", minfilesetver:\"6.1.9.0\", maxfilesetver:\"6.1.9.102\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:aix_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-10-29T13:37:58", "edition": 4, "description": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could allow a remote attacker to launch a replay attack. 
An attacker could exploit this vulnerability using authenticated broadcast mode packets to conduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted ntpdc reslist command, an attacker could exploit this vulnerability to cause a segmentation fault. NTP could allow a remote attacker to bypass security restrictions. By sending specially crafted broadcast packets with bad authentication, an attacker could exploit this vulnerability to cause the target broadcast client to tear down the association with the broadcast server. NTP could allow a remote attacker to obtain sensitive information, caused by an origin leak in ntpq and ntpdc. An attacker could exploit this vulnerability to obtain sensitive information. NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using ntpq to conduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by the improper processing of incoming packets by ntpq. By sending specially crafted data, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop.\n\nThis plugin has been deprecated due to manual logic changes and advisory issues. 
Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.", "published": "2016-06-09T00:00:00", "type": "nessus", "title": "AIX 7.1 TL 4 : ntp (IV83994) (deprecated)", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8140", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-8139"], "cpe": ["cpe:/o:ibm:aix:7.1"], "modified": "2017-01-19T00:00:00", "id": "AIX_IV83994.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=91518", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory ntp_advisory6.asc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2017/01/20. Deprecated by aix_ntp_v3_advisory6.nasl.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91518);\n script_version(\"$Revision: 2.4 $\");\n script_cvs_date(\"$Date: 2017/01/19 19:35:23 $\");\n\n script_cve_id(\"CVE-2015-7973\", \"CVE-2015-7977\", \"CVE-2015-7979\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\");\n\n script_name(english:\"AIX 7.1 TL 4 : ntp (IV83994) (deprecated)\");\n script_summary(english:\"Check for APAR IV83994\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"This plugin has been deprecated.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could\nallow a remote attacker to launch a replay attack. An attacker could\nexploit this vulnerability using authenticated broadcast mode packets\nto conduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by a NULL pointer\ndereference. By sending a specially crafted ntpdc reslist command, an\nattacker could exploit this vulnerability to cause a segmentation\nfault. NTP could allow a remote attacker to bypass security\nrestrictions. 
By sending specially crafted broadcast packets with bad\nauthentication, an attacker could exploit this vulnerability to cause\nthe target broadcast client to tear down the association with the\nbroadcast server. NTP could allow a remote attacker to obtain\nsensitive information, caused by an origin leak in ntpq and ntpdc. An\nattacker could exploit this vulnerability to obtain sensitive\ninformation. NTP could allow a remote attacker to launch a replay\nattack. An attacker could exploit this vulnerability using ntpq to\nconduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by the improper\nprocessing of incoming packets by ntpq. By sending specially crafted\ndata, an attacker could exploit this vulnerability to cause the\napplication to enter into an infinite loop.\n\nThis plugin has been deprecated due to manual logic changes and\nadvisory issues. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356)\ninstead.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"n/a\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:7.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", 
\"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"7.1\", ml:\"04\", sp:\"00\", patch:\"IV83994m1a\", package:\"bos.net.tcp.client\", minfilesetver:\"7.1.4.0\", maxfilesetver:\"7.1.4.1\") < 0) flag++;\nif (aix_check_ifix(release:\"7.1\", ml:\"04\", sp:\"01\", patch:\"IV83994m1a\", package:\"bos.net.tcp.client\", minfilesetver:\"7.1.4.0\", maxfilesetver:\"7.1.4.1\") < 0) flag++;\nif (aix_check_ifix(release:\"7.1\", ml:\"04\", sp:\"02\", patch:\"IV83994s2a\", package:\"bos.net.tcp.client\", minfilesetver:\"7.1.4.0\", maxfilesetver:\"7.1.4.1\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:aix_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2021-01-01T04:00:38", "description": "The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p6.\nIt is, therefore, affected by the following vulnerabilities :\n\n - A flaw exists in the receive() function due to the use\n of authenticated broadcast mode. A man-in-the-middle\n attacker can exploit this to conduct a replay attack.\n (CVE-2015-7973)\n\n - A time serving flaw exists in the trusted key system\n due to improper key checks. 
An authenticated, remote\n attacker can exploit this to perform impersonation\n attacks between authenticated peers. (CVE-2015-7974)\n\n - An overflow condition exists in the nextvar() function\n due to improper validation of user-supplied input. A\n local attacker can exploit this to cause a buffer\n overflow, resulting in a denial of service condition.\n (CVE-2015-7975)\n\n - A flaw exists in ntp_control.c due to improper filtering\n of special characters in filenames by the saveconfig\n command. An authenticated, remote attacker can exploit\n this to inject arbitrary content. (CVE-2015-7976)\n\n - A NULL pointer dereference flaw exists in ntp_request.c\n that is triggered when handling ntpdc relist commands.\n A remote attacker can exploit this, via a specially\n crafted request, to crash the service, resulting in a\n denial of service condition. (CVE-2015-7977)\n\n - A flaw exists in ntpdc that is triggered during the\n handling of the relist command. A remote attacker can\n exploit this, via recursive traversals of the\n restriction list, to exhaust available space on the call\n stack, resulting in a denial of service condition.\n CVE-2015-7978)\n\n - An unspecified flaw exists in authenticated broadcast\n mode. A remote attacker can exploit this, via specially\n crafted packets, to cause a denial of service condition.\n (CVE-2015-7979)\n\n - A flaw exists in the receive() function that allows\n packets with an origin timestamp of zero to bypass\n security checks. A remote attacker can exploit this to\n spoof arbitrary content. (CVE-2015-8138)\n\n - A flaw exists in ntpq and ntpdc that allows a remote\n attacker to disclose sensitive information in\n timestamps. (CVE-2015-8139)\n\n - A flaw exists in the ntpq protocol that is triggered\n during the handling of an improper sequence of numbers.\n A man-in-the-middle attacker can exploit this to conduct\n a replay attack. 
(CVE-2015-8140)\n\n - A flaw exists in the ntpq client that is triggered when\n handling packets that cause a loop in the getresponse()\n function. A remote attacker can exploit this to cause an\n infinite loop, resulting in a denial of service\n condition. (CVE-2015-8158)", "edition": 32, "cvss3": {"score": 4.8, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"}, "published": "2016-01-21T00:00:00", "title": "Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p6 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:ntp:ntp"], "id": "NTP_4_2_8P6.NASL", "href": "https://www.tenable.com/plugins/nessus/88054", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(88054);\n script_version(\"1.17\");\n script_cvs_date(\"Date: 2018/09/17 21:46:53\");\n\n script_cve_id(\n \"CVE-2015-7973\",\n \"CVE-2015-7974\",\n \"CVE-2015-7975\",\n \"CVE-2015-7976\",\n \"CVE-2015-7977\",\n \"CVE-2015-7978\",\n \"CVE-2015-7979\",\n \"CVE-2015-8138\",\n \"CVE-2015-8139\",\n \"CVE-2015-8140\",\n \"CVE-2015-8158\"\n );\n script_bugtraq_id(\n 81963,\n 81811,\n 81814,\n 81815,\n 81816,\n 81959,\n 81960,\n 81962,\n 82102,\n 82105\n );\n script_xref(name:\"CERT\", value:\"718152\");\n\n script_name(english:\"Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p6 Multiple Vulnerabilities\");\n script_summary(english:\"Checks for a vulnerable NTP server.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote NTP server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p6.\nIt is, therefore, affected by the following 
vulnerabilities :\n\n - A flaw exists in the receive() function due to the use\n of authenticated broadcast mode. A man-in-the-middle\n attacker can exploit this to conduct a replay attack.\n (CVE-2015-7973)\n\n - A time serving flaw exists in the trusted key system\n due to improper key checks. An authenticated, remote\n attacker can exploit this to perform impersonation\n attacks between authenticated peers. (CVE-2015-7974)\n\n - An overflow condition exists in the nextvar() function\n due to improper validation of user-supplied input. A\n local attacker can exploit this to cause a buffer\n overflow, resulting in a denial of service condition.\n (CVE-2015-7975)\n\n - A flaw exists in ntp_control.c due to improper filtering\n of special characters in filenames by the saveconfig\n command. An authenticated, remote attacker can exploit\n this to inject arbitrary content. (CVE-2015-7976)\n\n - A NULL pointer dereference flaw exists in ntp_request.c\n that is triggered when handling ntpdc relist commands.\n A remote attacker can exploit this, via a specially\n crafted request, to crash the service, resulting in a\n denial of service condition. (CVE-2015-7977)\n\n - A flaw exists in ntpdc that is triggered during the\n handling of the relist command. A remote attacker can\n exploit this, via recursive traversals of the\n restriction list, to exhaust available space on the call\n stack, resulting in a denial of service condition.\n CVE-2015-7978)\n\n - An unspecified flaw exists in authenticated broadcast\n mode. A remote attacker can exploit this, via specially\n crafted packets, to cause a denial of service condition.\n (CVE-2015-7979)\n\n - A flaw exists in the receive() function that allows\n packets with an origin timestamp of zero to bypass\n security checks. A remote attacker can exploit this to\n spoof arbitrary content. (CVE-2015-8138)\n\n - A flaw exists in ntpq and ntpdc that allows a remote\n attacker to disclose sensitive information in\n timestamps. 
(CVE-2015-8139)\n\n - A flaw exists in the ntpq protocol that is triggered\n during the handling of an improper sequence of numbers.\n A man-in-the-middle attacker can exploit this to conduct\n a replay attack. (CVE-2015-8140)\n\n - A flaw exists in the ntpq client that is triggered when\n handling packets that cause a loop in the getresponse()\n function. A remote attacker can exploit this to cause an\n infinite loop, resulting in a denial of service\n condition. (CVE-2015-8158)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://support.ntp.org/bin/view/Main/SecurityNotice\");\n # http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d42322ca\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to NTP version 4.2.8p6 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-8140\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ntp:ntp\");\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ntp_open.nasl\");\n script_require_keys(\"NTP/Running\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Make sure NTP server is running\nget_kb_item_or_exit('NTP/Running');\n\napp_name = \"NTP Server\";\n\nport = get_kb_item(\"Services/udp/ntp\");\nif (!port) port = 123;\n\nversion = get_kb_item_or_exit(\"Services/ntp/version\");\nif (version == 'unknown') audit(AUDIT_UNKNOWN_APP_VER, app_name);\n\nmatch = eregmatch(string:version, pattern:\"([0-9a-z.]+)\");\nif (isnull(match) || empty_or_null(match[1])) exit(AUDIT_UNKNOWN_APP_VER, app_name);\n\n# Paranoia check\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nver = match[1];\nverfields = split(ver, sep:\".\", keep:FALSE);\nmajor = int(verfields[0]);\nminor = int(verfields[1]);\nif ('p' >< verfields[2])\n{\n revpatch = split(verfields[2], sep:\"p\", keep:FALSE);\n rev = int(revpatch[0]);\n patch = int(revpatch[1]);\n}\nelse\n{\n rev = verfields[2];\n patch = 0;\n}\n\n# This vulnerability affects NTP 3.x / 4.x < 4.2.8p6\nif (\n (major == 3) ||\n (major == 4 && minor < 2) ||\n (major == 4 && minor == 2 && rev < 8) ||\n (major == 4 && minor == 2 && rev == 8 && patch < 6)\n)\n{\n fix = \"4.2.8p6\";\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app_name, version);\n\nreport =\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n\nsecurity_report_v4(\n port : port,\n proto : \"udp\",\n extra : report,\n severity : SECURITY_WARNING\n);\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-01-06T10:51:07", "description": "Network Time Foundation reports :\n\nNTF's NTP Project has been notified of the following low- and\nmedium-severity vulnerabilities that are fixed in ntp-4.2.8p6,\nreleased on Tuesday, 19 January 2016 :\n\n- Bug 2948 
/ CVE-2015-8158: Potential Infinite Loop in ntpq. Reported\nby Cisco ASIG.\n\n- Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass.\nReported by Cisco ASIG.\n\n- Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on\nauthenticated broadcast mode. Reported by Cisco ASIG.\n\n- Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of\nrestriction list. Reported by Cisco ASIG.\n\n- Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference. Reported\nby Cisco ASIG.\n\n- Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous\ncharacters in filenames. Reported by Cisco ASIG.\n\n- Bug 2937 / CVE-2015-7975: nextvar() missing length check. Reported\nby Cisco ASIG.\n\n- Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows\nimpersonation between authenticated peers. Reported by Cisco ASIG.\n\n- Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated\nbroadcast mode. Reported by Cisco ASIG.\n\nAdditionally, mitigations are published for the following two issues :\n\n- Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks.\nReported by Cisco ASIG.\n\n- Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose\norigin. 
Reported by Cisco ASIG.", "edition": 25, "cvss3": {"score": 7.7, "vector": "AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N"}, "published": "2016-01-22T00:00:00", "title": "FreeBSD : ntp -- multiple vulnerabilities (5237f5d7-c020-11e5-b397-d050996490d0)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2016-01-22T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:ntp-devel", "p-cpe:/a:freebsd:freebsd:ntp"], "id": "FREEBSD_PKG_5237F5D7C02011E5B397D050996490D0.NASL", "href": "https://www.tenable.com/plugins/nessus/88068", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2020 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(88068);\n script_version(\"2.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2015-7973\", \"CVE-2015-7974\", \"CVE-2015-7975\", \"CVE-2015-7976\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8138\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\");\n script_xref(name:\"FreeBSD\", value:\"SA-16:09.ntp\");\n\n script_name(english:\"FreeBSD : ntp -- multiple vulnerabilities (5237f5d7-c020-11e5-b397-d050996490d0)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Network Time Foundation reports :\n\nNTF's NTP Project has been notified of the following low- and\nmedium-severity vulnerabilities that are fixed in ntp-4.2.8p6,\nreleased on Tuesday, 19 January 2016 :\n\n- Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq. Reported\nby Cisco ASIG.\n\n- Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass.\nReported by Cisco ASIG.\n\n- Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on\nauthenticated broadcast mode. 
Reported by Cisco ASIG.\n\n- Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of\nrestriction list. Reported by Cisco ASIG.\n\n- Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference. Reported\nby Cisco ASIG.\n\n- Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous\ncharacters in filenames. Reported by Cisco ASIG.\n\n- Bug 2937 / CVE-2015-7975: nextvar() missing length check. Reported\nby Cisco ASIG.\n\n- Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows\nimpersonation between authenticated peers. Reported by Cisco ASIG.\n\n- Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated\nbroadcast mode. Reported by Cisco ASIG.\n\nAdditionally, mitigations are published for the following two issues :\n\n- Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks.\nReported by Cisco ASIG.\n\n- Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose\norigin. Reported by Cisco ASIG.\"\n );\n # http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d42322ca\"\n );\n # https://vuxml.freebsd.org/freebsd/5237f5d7-c020-11e5-b397-d050996490d0.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ac5aee1a\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ntp-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/01/20\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"ntp<4.2.8p6\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ntp-devel<4.3.90\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "aix": [{"lastseen": "2020-04-22T00:52:05", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8140", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-8139"], "description": "ntp_advisory6.asc: Version 6\nVersion 6 Issued: Tue Aug 16 11:41:45 CDT 2016 \nVersion 6 Changes: Fix added for AIX 7.2.0.2 and is now included in the \n tar file, ntp_fix6.tar.\n AIX 7.2.0.2 iFix for NTPv3: IV83995s2b.160713.epkg.Z \n\nIBM SECURITY ADVISORY\n\nFirst Issued: Wed Jun 8 13:17:48 CDT 2016 \n|Updated: Tue Aug 16 11:41:45 CDT 2016 \n|Update: Added iFix for AIX 7.2.0.2. 
\n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc\nhttps://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc\nftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc\n\n\nSecurity Bulletin: Vulnerabilities in NTP affect AIX\n CVE-2015-7973 CVE-2015-7977 CVE-2015-7979 CVE-2015-8158 \n CVE-2015-8139 CVE-2015-8140\n\n===============================================================================\n\nSUMMARY:\n\n There are multiple vulnerabilities in NTP that impact AIX. \n\n\n===============================================================================\n\nVULNERABILITY DETAILS:\n\n CVEID: CVE-2015-7973\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 \n DESCRIPTION: NTP could allow a remote attacker to launch a replay attack.\n An attacker could exploit this vulnerability using authenticated\n broadcast mode packets to conduct a replay attack and gain\n unauthorized access to the system. \n CVSS Base Score: 5.4 \n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/110018 for more\n information.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)\n \n CVEID: CVE-2015-7977\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977\n DESCRIPTION: NTP is vulnerable to a denial of service, caused by a NULL\n pointer dereference. By sending a specially crafted ntpdc reslist\n command, an attacker could exploit this vulnerability to cause a\n segmentation fault.\n CVSS Base Score: 5.3\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/110022 for more\n information.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n CVEID: CVE-2015-7979\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979\n DESCRIPTION: NTP could allow a remote attacker to bypass security\n restrictions. 
By sending specially crafted broadcast packets with bad\n authentication, an attacker could exploit this vulnerability to cause\n the target broadcast client to tear down the association with the\n broadcast server.\n CVSS Base Score: 6.5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/110024 for more\n information.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n CVEID: CVE-2015-8139\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8139\n DESCRIPTION: NTP could allow a remote attacker to obtain sensitive\n information, caused by an origin leak in ntpq and ntpdc. An attacker\n could exploit this vulnerability to obtain sensitive information. \n CVSS Base Score: 5.3\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/110027 for more\n information.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n CVEID: CVE-2015-8140\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8140\n DESCRIPTION: NTP could allow a remote attacker to launch a replay attack.\n An attacker could exploit this vulnerability using ntpq to conduct a\n replay attack and gain unauthorized access to the system. \n CVSS Base Score: 5.3\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/110028 for more\n information.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n CVEID: CVE-2015-8158\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158\n DESCRIPTION: NTP is vulnerable to a denial of service, caused by the\n improper processing of incoming packets by ntpq. 
By sending specially\n crafted data, an attacker could exploit this vulnerability to cause\n the application to enter into an infinite loop.\n CVSS Base Score: 5.3\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/110026 for more\n information.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n \n\n AFFECTED PRODUCTS AND VERSIONS:\n \n AIX 5.3, 6.1, 7.1, 7.2\n VIOS 2.2.x\n\n The following fileset levels are vulnerable:\n \n key_fileset = aix\n \n For NTPv3:\n\n Fileset Lower Level Upper Level KEY PRODUCT(S)\n -----------------------------------------------------------------\n bos.net.tcp.client 5.3.12.0 5.3.12.10 key_w_fs NTPv3\n bos.net.tcp.client 6.1.9.0 6.1.9.102 key_w_fs NTPv3\n bos.net.tcp.client 7.1.3.0 7.1.3.47 key_w_fs NTPv3\n bos.net.tcp.client 7.1.4.0 7.1.4.1 key_w_fs NTPv3\n bos.net.tcp.ntp 7.2.0.0 7.2.0.2 key_w_fs NTPv3\n bos.net.tcp.ntpd 7.2.0.0 7.2.0.2 key_w_fs NTPv3\n\n\n For NTPv4:\n\n Fileset Lower Level Upper Level KEY PRODUCT(S)\n -----------------------------------------------------------------\n ntp.rte 6.1.6.0 6.1.6.5 key_w_fs NTPv4\n ntp.rte 7.1.0.0 7.1.0.5 key_w_fs NTPv4\n \n Note: to find out whether the affected filesets are installed \n on your systems, refer to the lslpp command found in AIX user's guide.\n\n Example: lslpp -L | grep -i ntp.rte \n\n\n REMEDIATION:\n\n A. 
APARS\n \n IBM has assigned the following APARs to this problem:\n\n For NTPv3:\n\n AIX Level APAR Availability SP KEY PRODUCT(S)\n ------------------------------------------------------------\n 5.3.12 IV84269 N/A key_w_apar NTPv3\n 6.1.9 IV83984 10/21/16 SP8 key_w_apar NTPv3\n 7.1.3 IV83993 1/27/17 SP8 key_w_apar NTPv3\n 7.1.4 IV83994 10/21/16 SP3 key_w_apar NTPv3\n 7.2.0 IV83995 1/27/17 SP3 key_w_apar NTPv3\n\n For NTPv4:\n\n AIX Level APAR Availability SP KEY PRODUCT(S)\n ------------------------------------------------------------\n 6.1.9 IV83992 10/21/16 SP8 key_w_apar NTPv4\n 7.1.3 IV83983 1/27/17 SP8 key_w_apar NTPv4\n 7.1.4 IV83983 10/21/16 SP3 key_w_apar NTPv4\n 7.2.0 IV83983 1/27/17 SP3 key_w_apar NTPv4\n\n Subscribe to the APARs here:\n\n http://www.ibm.com/support/docview.wss?uid=isg1IV83983\n http://www.ibm.com/support/docview.wss?uid=isg1IV83984\n http://www.ibm.com/support/docview.wss?uid=isg1IV83992\n http://www.ibm.com/support/docview.wss?uid=isg1IV83993\n http://www.ibm.com/support/docview.wss?uid=isg1IV83994\n http://www.ibm.com/support/docview.wss?uid=isg1IV83995\n http://www.ibm.com/support/docview.wss?uid=isg1IV84269\n\n By subscribing, you will receive periodic email alerting you\n to the status of the APAR, and a link to download the fix once\n it becomes available.\n\n B. FIXES\n\n Fixes are available.\n\n The fixes can be downloaded via ftp or http from:\n\n ftp://aix.software.ibm.com/aix/efixes/security/ntp_fix6.tar\n http://aix.software.ibm.com/aix/efixes/security/ntp_fix6.tar\n https://aix.software.ibm.com/aix/efixes/security/ntp_fix6.tar \n\n The link above is to a tar file containing this signed\n advisory, fix packages, and OpenSSL signatures for each package.\n The fixes below include prerequisite checking. 
This will\n enforce the correct mapping between the fixes and AIX\n Technology Levels.\n\n For NTPv3:\n\n AIX Level Interim Fix (*.Z) KEY PRODUCT(S)\n ----------------------------------------------------------\n 5.3.12.9 IV84269m9a.160522.epkg.Z key_w_fix NTPv3\n 6.1.9.4 IV83984m4a.160506.epkg.Z key_w_fix NTPv3\n 6.1.9.5 IV83984m5a.160510.epkg.Z key_w_fix NTPv3\n 6.1.9.6 IV83984m6a.160504.epkg.Z key_w_fix NTPv3\n 6.1.9.7 IV83984s7a.160622.epkg.Z key_w_fix NTPv3\n 7.1.3.4 IV83993m4b.160510.epkg.Z key_w_fix NTPv3\n 7.1.3.5 IV83993m5a.160510.epkg.Z key_w_fix NTPv3\n 7.1.3.6 IV83993m6a.160505.epkg.Z key_w_fix NTPv3\n 7.1.3.7 IV83993s7a.160714.epkg.Z key_w_fix NTPv3\n 7.1.4.0 IV83994m1a.160505.epkg.Z key_w_fix NTPv3\n 7.1.4.1 IV83994m1a.160505.epkg.Z key_w_fix NTPv3\n 7.1.4.2 IV83994s2a.160620.epkg.Z key_w_fix NTPv3\n 7.2.0.0 IV83995m0a.160510.epkg.Z key_w_fix NTPv3\n 7.2.0.1 IV83995m1a.160601.epkg.Z key_w_fix NTPv3\n| 7.2.0.2 IV83995s2b.160713.epkg.Z key_w_fix NTPv3\n\n VIOS Level Interim Fix (*.Z) KEY PRODUCT(S)\n -----------------------------------------------------------\n 2.2.4.0 IV83984m6a.160504.epkg.Z key_w_fix NTPv3\n 2.2.4.2x IV83984s7a.160622.epkg.Z key_w_fix NTPv3\n\n For NTPv4:\n\n AIX Level Interim Fix (*.Z) KEY PRODUCT(S)\n ----------------------------------------------------------\n 6.1.x IV83992s5a.160602.epkg.Z key_w_fix NTPv4\n 7.1.x IV83983s5a.160602.epkg.Z key_w_fix NTPv4\n 7.2.x IV83983s5a.160602.epkg.Z key_w_fix NTPv4\n \n VIOS Level Interim Fix (*.Z) KEY PRODUCT(S)\n -----------------------------------------------------------\n 2.2.x IV83992s5a.160602.epkg.Z key_w_fix NTPv4\n \n All fixes included are cumulative and address previously\n issued AIX NTP security bulletins with respect to SP and TL. 
\n\n To extract the fixes from the tar file:\n\n tar xvf ntp_fix6.tar\n cd ntp_fix6\n\n Verify you have retrieved the fixes intact:\n\n The checksums below were generated using the\n \"openssl dgst -sha256 file\" command as the following:\n\n\n These sums should match exactly. The OpenSSL signatures in the tar\n file and on this advisory can also be used to verify the\n integrity of the fixes. If the sums or signatures cannot be\n confirmed, contact IBM AIX Security at\n security-alert@austin.ibm.com and describe the discrepancy.\n \n openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>\n\n openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>\n\n Published advisory OpenSSL signature file location:\n \n http://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc.sig\n https://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc.sig\n ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc.sig \n\n C. FIX AND INTERIM FIX INSTALLATION\n\n IMPORTANT: If possible, it is recommended that a mksysb backup\n of the system be created. Verify it is both bootable and\n readable before proceeding.\n\n The fix will not take effect until any running xntpd servers\n have been stopped and restarted with the following commands:\n\n stopsrc -s xntpd\n startsrc -s xntpd\n\n To preview a fix installation:\n\n installp -a -d fix_name -p all # where fix_name is the name of the\n # fix package being previewed.\n To install a fix package:\n\n installp -a -d fix_name -X all # where fix_name is the name of the\n # fix package being installed.\n\n After installation the ntp daemon must be restarted:\n\n stopsrc -s xntpd\n\n startsrc -s xntpd\n\n Interim fixes have had limited functional and regression\n testing but not the full regression testing that takes place\n for Service Packs; however, IBM does fully support them.\n\n Interim fix management documentation can be found at:\n\n http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html\n\n To preview an interim fix installation:\n\n emgr -e ipkg_name -p # where ipkg_name is the name of the\n # interim fix package being previewed.\n\n To install 
an interim fix package:\n\n emgr -e ipkg_name -X # where ipkg_name is the name of the\n # interim fix package being installed.\n\n WORKAROUNDS AND MITIGATIONS:\n\n For CVE-2015-8139 and CVE-2015-8140:\n Monitor your ntpd instances.\n If this sort of attack is an active problem for you, you have deeper\n problems to investigate. Also consider having smaller NTP broadcast \n domains. \n If you must enable mode 7: \n configure the use of a requestkey to control who can issue mode 7\n requests. \n configure restrict noquery to further limit mode 7 requests to\n trusted sources.\n Don't use broadcast mode if you cannot monitor your client servers. \n\n\n===============================================================================\n\nCONTACT US:\n\n Note: Keywords labeled as KEY in this document are used for parsing\n purposes.\n\n If you would like to receive AIX Security Advisories via email,\n please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n\n To view previously issued advisories, please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n \n Comments regarding the content of this announcement can be\n directed to:\n\n security-alert@austin.ibm.com\n\n To obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n\n To obtain the PGP public key that can be used to communicate\n securely with the AIX Security Team via security-alert@austin.ibm.com you\n can either:\n\n A. Download the key from our web page:\n\nhttp://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt\n\n B. Download the key from a PGP Public Key Server. 
The key ID is:\n\n 0x28BFAA12\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n\nREFERENCES:\n \n Complete CVSS v3 Guide: http://www.first.org/cvss/user-guide\n On-line Calculator v3:\n http://www.first.org/cvss/calculator/3.0\n\n\nACKNOWLEDGEMENTS:\n\n None \n\n\nCHANGE HISTORY:\n\n First Issued: Wed Jun 8 13:17:48 CDT 2016 \n Updated: Thu Jun 9 11:04:06 CDT 2016\n Update: CVE-2015-8139 and CVE-2015-8140 added with clarified Workarounds\n and Mitigations section.\n Updated: Mon Jun 20 10:45:48 CDT 2016\n Update: Added iFix for AIX 7.1.4.2.\n Updated: Wed Jun 22 10:25:29 CDT 2016 \n Update: Added iFix for AIX 6.1.9.7 and VIOS 2.2.4.20.\n Updated: Tue Jul 19 11:47:37 CDT 2016\n Update: Added iFix for AIX 7.1.3.7.\n| Updated: Tue Aug 16 11:41:45 CDT 2016\n| Update: Added iFix for AIX 7.2.0.2.\n\n\n===============================================================================\n\n*The CVSS Environment Score is customer environment specific and will \nultimately impact the Overall CVSS Score. Customers can evaluate the impact \nof this vulnerability in their environments by accessing the links in the \nReference section of this Security Bulletin. \n\nDisclaimer\nAccording to the Forum of Incident Response and Security Teams (FIRST), the \nCommon Vulnerability Scoring System (CVSS) is an \"industry open standard \ndesigned to convey vulnerability severity and help to determine urgency and \npriority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY \nOF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS \nFOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT \nOF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n \n\n", "edition": 17, "modified": "2016-08-16T11:41:45", "published": "2016-06-08T13:17:48", "id": "NTP_ADVISORY6.ASC", "href": "https://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc", "title": "Vulnerabilities in NTP affect AIX,Vulnerabilities in NTP affect VIOS", "type": "aix", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "talos": [{"lastseen": "2020-07-01T21:25:08", "bulletinFamily": "info", "cvelist": ["CVE-2015-8140"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0079\n\n## Network Time Protocol ntpq Control Protocol Replay Vulnerability\n\n##### January 19, 2016\n\n##### CVE Number\n\nCVE-2015-8140\n\nCERT VU#357792\n\n### Summary\n\nThe ntpq protocol is vulnerable to replay attacks. The sequence number being included under the signature fails to prevent replay attacks for two reasons. Commands that don\u2019t require authentication can be used to move the sequence number forward, and NTP doesn\u2019t actually care what sequence number is used so a packet can be replayed at any time.\n\nA simple example of this being used against an NTP server is if an attacker at some point observed an ntpq command to configure a server address. This setting might be changed later due to problems with that server, such as being inaccurate or even a malicious server. A replay attack could reset the server address back to this malicious server.\n\nIt is recommended that users restrict ntpq to localhost and change the key it\u2019s using, the key change would prevent messages already recorded from being replayed with local access.\n\nA possible fix would be for the client to request a sequence number to be generated whenever it wants to start a session with the server, the server would create a large random nonce, store it for the session, and reply with it. 
The client would then include this sequence number in the signed portion of its authenticated messages, incrementing the sequence each message. The nonce must be large enough to make a repeated value sufficiently unlikely. The server must validate that the correct sequence value was included (the current sequence must be greater than the last sequence within some sort of window, such as 10, to allow for some missed packets). If too many packets are dropped the session must be restarted.\n\nA more involved fix would be implementing a secure channel, such as TLS. This would also provide the benefit of confidentiality.\n\n### Tested Versions\n\nNTP ntpd 4.2.8p3 \nNTPsec ntpd aa48d001683e5b791a743ec9c575aaf7d867a2b0c\n\n### Product URLs\n\n<http://www.ntp.org> \n<http://www.ntpsec.org/>\n\n### CVSS Score\n\nCVSSv2: 5.4 - AV:A/AC:M/Au:N/C:P/I:P/A:P \nCVSSv3: 5.0 - CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L\n\n### Mitigation (optional)\n\nThis defect can be mitigated by disabling ntpq in ntp.conf.\n\n### Timeline\n\n2015-10-16 - Vendor Disclosure \n2016-01-19 - Public Release\n\n##### Credit\n\nMatthew Street\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0080\n\nPrevious Report\n\nTALOS-2016-0078\n", "edition": 11, "modified": "2016-01-19T00:00:00", "published": "2016-01-19T00:00:00", "id": "TALOS-2016-0079", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0079", "title": "Network Time Protocol ntpq Control Protocol Replay Vulnerability", "type": "talos", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2020-07-01T21:25:10", "bulletinFamily": "info", "cvelist": ["CVE-2015-8138", "CVE-2015-8139"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0078\n\n## Network Time Protocol ntpq and ntpdc Origin Timestamp Disclosure Vulnerability\n\n##### January 19, 2016\n\n##### CVE Number\n\nCVE-2015-8139\n\nCERT VU#357792\n\n### Summary\n\nTo prevent off-path attackers from impersonating 
legitimate peers, clients require that the origin timestamp in a received response packet match the transmit timestamp from its last request to a given peer. Under the assumption that only the recipient of the request packet will know the value of the transmit timestamp, this prevents an attacker from forging replies.\n\nUnfortunately, ntpq and ntpdc will disclose the value of the origin timestamp expected in the next peer response to any clients that are authorized to make ntpq (respectively ntpdc) queries.\n\nThis vulnerability appears to have been present in ntpd since, at least, 4.0.94 of May 1999. It appears in the earliest commit in the NTP project git repository.\n\n### Tested Versions\n\nntp 4.2.8p3 \nNTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92\n\n### Product URLs\n\n<http://www.ntp.org> \n<http://www.ntpsec.org/>\n\n### CVSS Score\n\nCVSSv2: 5.0 - AV:N/AC:L/Au:N/C:P/I:N/A:N \nCVSSv3: 5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n\n### Details\n\nHere is an example from ntpq:\n \n \n ntpq> peer\n remote refid st t when poll reach delay offset jitter\n ==============================================================================\n *server .LOCL. 
1 u 69 64 76 0.525 35.063 23.483\n ntpq> as\n \n ind assid status conf reach auth condition last_event cnt\n ===========================================================\n 1 43286 965a yes yes none sys.peer sys_peer 5\n ntpq> rv 43286 org\n org=d9c79a63.b05e631b Tue, Oct 13 2015 14:57:39.688\n \n\nHere is an example from ntpdc:\n \n \n ntpdc> showpeer 192.168.33.10\n remote 192.168.33.10, local 192.168.33.11\n ...\n reference time: d9c79a0e.1ef70a98 Tue, Oct 13 2015 14:56:14.120\n originate timestamp: d9c79a63.b05e631b Tue, Oct 13 2015 14:57:39.688\n receive timestamp: d9c79a20.b9d5ee3d Tue, Oct 13 2015 14:56:32.725\n transmit timestamp: d9c79a20.b9d5ee3d Tue, Oct 13 2015 14:56:32.725\n \n\nFor associations that do not employ authentication, response packets are only authenticated using the packet source address and the expected origin timestamp. The necessary ntpq and ntpdc commands do not require authentication. As a result, an unauthenticated off-path attacker that can spoof the source address of a remote peer can forge responses from that peer using this vulnerability.\n\nThere is an interplay between this vulnerability and the 0rigin (zero origin) vulnerability (CVE-2015-8138). Because the 0rigin vulnerability resets the expected origin timestamp from live servers to zero when a response with the correct origin timestamp is received, forging responses from live servers is trivial. 
This vulnerability gives attackers the additional power to forge responses from unreachable peers and symmetric peers.\n\n### Mitigation\n\nThe peer origin variable is read via ntpq (mode 6) packets with a non-zero association id, opcode equal to READVAR (2), and the variable name \u201corg\u201d.\n\nIt can also be read with ntpdc (mode 7) packets with a request code of PEER_INFO (2).\n\nThis vulnerability can be mitigated by adding the `noquery` option to all restrict entries as in:\n \n \n restrict -4 default noquery ...\n restrict -6 default noquery ...\n restrict 127.0.0.1 noquery ...\n restrict ::1 noquery ...\n \n\nWARNING: Common configurations allow local users to send ntpq and ntpdc requests to the local ntpd using permissive restrict entries. This will allow malicious, unprivileged, local users to discover the value of the origin timestamp necessary to spoof responses from ntpd peers. Therefore, we DO NOT recommend the common practice of allowing queries from localhost.\n\nUnfortunately, despite the impression given by NTP\u2019s documentation, the `notrust` restrict option CANNOT be used to mitigate this vulnerability because it DOES NOT have any effect on ntpq and ntpdc requests.\n\n### Timeline\n\n2015-10-16 - Vendor Disclosure \n2016-01-19 - Public Release\n\n##### Credit\n\nMatthew Van Gundy\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0079\n\nPrevious Report\n\nTALOS-2016-0077\n", "edition": 11, "modified": "2016-01-19T00:00:00", "published": "2016-01-19T00:00:00", "id": "TALOS-2016-0078", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0078", "title": "Network Time Protocol ntpq and ntpdc Origin Timestamp Disclosure Vulnerability", "type": "talos", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-07-01T21:25:14", "bulletinFamily": "info", "cvelist": ["CVE-2016-1548", "CVE-2015-8138", "CVE-2015-8139", "CVE-2016-9310"], "description": "# Talos Vulnerability Report\n\n### 
TALOS-2016-0203\n\n## Network Time Protocol Control Mode Unauthenticated Trap Information Disclosure and DDoS Amplification Vulnerability\n\n##### November 21, 2016\n\n##### CVE Number\n\nCVE-2016-9310\n\n### Summary\n\nAn exploitable configuration modification vulnerability exists in the control mode (mode 6) functionality of ntpd. A specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, preventing legitimate monitoring. A remote, unauthenticated, network attacker can trigger this vulnerability.\n\n### Tested Versions\n\nNTP 4.2.8p3 \nNTP 4.2.8p8 \nNTPsec 0.9.1 \nNTPsec 0.9.3\n\n### Product URLs\n\nhttp://www.ntp.org \nhttp://www.ntpsec.org/\n\n### CVSS Scores\n\nCVSSv2: 6.4 - (AV:N/AC:L/Au:N/C:P/I:P/A:N) \nCVSSv3: 6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\n\n### Details\n\nntpd provides a `trap` functionality that sends asynchronous notifications to a number of `trap receivers` whenever an event of interest occurs. Example events of interest include: association mobilization and demobilization, authentication failures, reachability changes, etc.\n\nSince at least ntp-4.0.94 (July 21, 1999), ntpd has allowed traps to be configured via control (mode 6) and private (mode 7) NTP modes. Though private mode requires messages modifying trap settings to be authenticated, control mode allows unauthenticated packets to modify trap settings using the `SETTRAP` and `UNSETTRAP` control messages.\n\nThis vulnerability can be used to achieve several goals:\n\n * Time Shifting: If an attacker controls a host that is allowed to receive traps (i.e. not restricted by `restrict noquery` or `restrict notrap`), the attacker can instruct a victim ntpd instance to send traps to the attacker\u2019s host. Whenever a reportable event occurs for some peer, the victim ntpd will send a trap to the attacker leaking all the peer variables associated with that peer. 
The information leaked includes the peer\u2019s org and rec variables allowing the attacker to bypass TEST2 and impersonate said peer in a manner similar to CVE-2015-8139 and CVE-2016-1548.\n\nThe attacker can force the victim ntpd to leak the information for any peer at any time by triggering a reportable event for said peer. There are multiple methods to trigger a reportable event for a peer, among them spoofing an invalid crypto-NAK or incorrectly authenticated packet from the peer.\n\nNOTE: With ntp-4.2.8p8 and earlier the 0rigin attack (CVE-2015-8138) [1] already allows impersonation of reachable peers. In those ntpd versions, this vulnerability provides another method for impersonating unreachable peers.\n\n * DDoS Amplification: An attacker can use an ntpd instance as a DDoS amplifier to DDoS hosts that are allowed to receive traps from the ntpd instance using the following technique. The amplification factor is 12-13x.\n\nThe attacker forges a `SETTRAP` packet from the `victim` to the `amplifier`, causing the `amplifier` to set a trap for the `victim`. The attacker then repeatedly triggers reportable events causing trap messages to be sent to the victim. E.g. the attacker rapidly forges invalid crypto-NAKs and/or bad_auth packets from the `victim`\u2019s `sys_peer`.\n\nntpd attempts to limit the number of consecutive traps sent for events of a single type. To maximize effect, the attacker can alternate between events of different types.\n\nntpd will periodically time out old traps when a new one is set. 
Therefore, for a long-term attack, the attacker may need to periodically refresh the trap on the `amplifier`.\n\n * Evading Monitoring: In an environment where dynamically configured traps are used to modify an ntpd instance, an unauthenticated attacker can remove traps set by legitimate monitoring systems by spoofing the source address of the `trap receiver` in an `UNSETTRAP` message.\n\nAuthentication should be required in order to modify trap configuration.\n\n### Mitigation\n\nSeveral mitigations can lessen the impact of this vulnerability.\n\n 1. Unauthorized hosts can be prevented from receiving traps using the `restrict default notrap` restriction. This setting is the default on many modern Linux systems.\n\nThis mitigation has no effect on the \u201cEvading Monitoring\u201d impact described above because the alleged sender of the packet is an authorized trap receiver.\n\n 2. Block NTP control mode trap configuration commands using a firewall or IPS. It does not appear that support for configuring control mode traps was ever implemented in ntpq, the reference NTP control mode client. As such, on most networks blocking control mode trap configuration commands should have no effect on legitimate traffic. 
Specifically, firewalls should block packets with the following characteristics:\n\n * UDP Destination Port: 123\n * NTP Mode: 6\n * NTP Control Operation Code: 6 (SETTRAP) or 31 (UNSETTRAP)\n\nTraps specified in ntp.conf cannot be modified using this vulnerability.\n\n[1] http://www.talosintelligence.com/reports/TALOS-2016-0077/\n\n### Timeline\n\n2016-09-20 - Vendor Disclosure \n2016-11-21 - Public Release\n\n##### Credit\n\nDiscovered by Matthew Van Gundy of Cisco ASIG.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0131\n\nPrevious Report\n\nTALOS-2016-0204\n", "edition": 11, "modified": "2016-11-21T00:00:00", "published": "2016-11-21T00:00:00", "id": "TALOS-2016-0203", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0203", "title": "Network Time Protocol Control Mode Unauthenticated Trap Information Disclosure and DDoS Amplification Vulnerability", "type": "talos", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}], "openvas": [{"lastseen": "2019-10-09T15:19:57", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "description": "Multiple Cisco products incorporate a version of the Network Time Protocol\n daemon (ntpd) package. 
Versions of this package are affected by one or more vulnerabilities that could allow\n an unauthenticated, remote attacker to create a denial of service (DoS) condition or modify the time being\n advertised by a device acting as a Network Time Protocol (NTP) server.\n\n On January 19, 2016, NTP Consortium at Network Time Foundation released a security advisory detailing\n 12 issues regarding multiple DoS vulnerabilities, information disclosure vulnerabilities,\n and logic issues that may allow an attacker to shift a client", "modified": "2019-10-09T00:00:00", "published": "2016-05-09T00:00:00", "id": "OPENVAS:1361412562310105666", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105666", "type": "openvas", "title": "Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/o:cisco:ios_xe\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105666\");\n script_cve_id(\"CVE-2015-7974\", \"CVE-2015-7975\", \"CVE-2015-7976\", \"CVE-2015-7978\", \"CVE-2015-7977\", \"CVE-2015-7979\", \"CVE-2015-8138\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\", \"CVE-2015-7973\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_version(\"2019-10-09T06:43:33+0000\");\n\n script_name(\"Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016\");\n\n script_xref(name:\"URL\", value:\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n script_tag(name:\"summary\", value:\"Multiple Cisco products incorporate a version of the Network Time Protocol\n daemon (ntpd) package. Versions of this package are affected by one or more vulnerabilities that could allow\n an unauthenticated, remote attacker to create a denial of service (DoS) condition or modify the time being\n advertised by a device acting as a Network Time Protocol (NTP) server.\n\n On January 19, 2016, NTP Consortium at Network Time Foundation released a security advisory detailing\n 12 issues regarding multiple DoS vulnerabilities, information disclosure vulnerabilities,\n and logic issues that may allow an attacker to shift a client's time. 
The vulnerabilities covered in this document are as follows:\n\n - CVE-2015-7973: Network Time Protocol Replay Attack on Authenticated Broadcast Mode Vulnerability\n\n - CVE-2015-7974: Network Time Protocol Missing Trusted Key Check\n\n - CVE-2015-7975: Standard Network Time Protocol Query Program nextvar() Missing Length Check\n\n - CVE-2015-7976: Standard Network Time Protocol Query Program saveconfig Command Allows Dangerous Characters in Filenames\n\n - CVE-2015-7978: Network Time Protocol Daemon reslist NULL Pointer Deference Denial of Service Vulnerability\n\n - CVE-2015-7977: Network Time Protocol Stack Exhaustion Denial of Service\n\n - CVE-2015-7979: Network Time Protocol Off-Path Broadcast Mode Denial of Service\n\n - CVE-2015-8138: Network Time Protocol Zero Origin Timestamp Bypass\n\n - CVE-2015-8139: Network Time Protocol Information Disclosure of Origin Timestamp\n\n - CVE-2015-8140: Standard Network Time Protocol Query Program Replay Attack\n\n - CVE-2015-8158: Standard and Special Network Time Protocol Query Program Infinite loop\n\n\n Cisco has released software updates that address these vulnerabilities.\n\n Workarounds that address some of these vulnerabilities may be available. Available workarounds will be documented in the corresponding Cisco bug for each affected product.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2019-10-09 06:43:33 +0000 (Wed, 09 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-05-09 17:40:21 +0200 (Mon, 09 May 2016)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_ios_xe_version.nasl\");\n script_mandatory_keys(\"cisco_ios_xe/version\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! 
version = get_app_version( cpe:CPE ) ) exit( 0 );\n\naffected = make_list(\n '2.1.0',\n '2.1.1',\n '2.1.2',\n '2.2.1',\n '2.2.2',\n '2.2.3',\n '2.3.0',\n '2.3.0t',\n '2.3.1t',\n '2.3.2',\n '2.4.0',\n '2.4.1',\n '2.5.0',\n '2.5.1',\n '2.5.2',\n '2.6.0',\n '2.6.1',\n '2.6.2',\n '3.1.0S',\n '3.1.1S',\n '3.1.2S',\n '3.1.3S',\n '3.1.4S',\n '3.1.5S',\n '3.1.6S',\n '3.1.0SG',\n '3.1.1SG',\n '3.2.0S',\n '3.2.1S',\n '3.2.2S',\n '3.2.3S',\n '3.2.0SE',\n '3.2.1SE',\n '3.2.2SE',\n '3.2.3SE',\n '3.2.0SG',\n '3.2.1SG',\n '3.2.2SG',\n '3.2.3SG',\n '3.2.4SG',\n '3.2.5SG',\n '3.2.6SG',\n '3.2.7SG',\n '3.2.8SG',\n '3.2.9SG',\n '3.2.0XO',\n '3.2.1XO',\n '3.3.0S',\n '3.3.1S',\n '3.3.2S',\n '3.3.0SE',\n '3.3.1SE',\n '3.3.2SE',\n '3.3.3SE',\n '3.3.4SE',\n '3.3.5SE',\n '3.3.0SG',\n '3.3.1SG',\n '3.3.2SG',\n '3.3.0SQ',\n '3.3.1SQ',\n '3.3.0XO',\n '3.3.1XO',\n '3.3.2XO',\n '3.4.0S',\n '3.4.1S',\n '3.4.2S',\n '3.4.3S',\n '3.4.4S',\n '3.4.5S',\n '3.4.6S',\n '3.4.0SG',\n '3.4.1SG',\n '3.4.2SG',\n '3.4.3SG',\n '3.4.4SG',\n '3.4.5SG',\n '3.4.0SQ',\n '3.4.1SQ',\n '3.5.0E',\n '3.5.1E',\n '3.5.2E',\n '3.5.3E',\n '3.5.0S',\n '3.5.1S',\n '3.5.2S',\n '3.6.0E',\n '3.6.1E',\n '3.6.0S',\n '3.6.1S',\n '3.6.2S',\n '3.7.0E',\n '3.7.0S',\n '3.7.1S',\n '3.7.2S',\n '3.7.3S',\n '3.7.4S',\n '3.7.5S',\n '3.7.6S',\n '3.7.7S',\n '3.8.0S',\n '3.8.1S',\n '3.8.2S',\n '3.9.0S',\n '3.9.1S',\n '3.9.2S',\n '3.10.0S',\n '3.10.0a.S',\n '3.10.1S',\n '3.10.2S',\n '3.10.3S',\n '3.10.4S',\n '3.10.5S',\n '3.10.6S',\n '3.11.0S',\n '3.11.1S',\n '3.11.2S',\n '3.11.3S',\n '3.11.4S',\n '3.12.0S',\n '3.12.1S',\n '3.12.2S',\n '3.12.3S',\n '3.13.0S',\n '3.13.1S',\n '3.13.2S',\n '3.14.0S',\n '3.14.1S',\n '3.14.2S',\n '3.14.3S',\n '3.14.4S',\n '3.15.0S' );\n\nforeach af ( affected )\n{\n if( version == af )\n {\n report = report_fixed_ver( installed_version:version, fixed_version: \"See advisory\" );\n security_message( port:0, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n\n", "cvss": {"score": 5.8, "vector": 
"AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2019-10-09T15:20:12", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "description": "Multiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package.\n Versions of this package are affected by one or more vulnerabilities that could allow an\n unauthenticated, remote attacker to create a denial of service (DoS) condition or modify the time\n being advertised by a device acting as a Network Time Protocol (NTP) server.\n\n On January 19, 2016, NTP Consortium at Network Time Foundation released a security advisory\n detailing 12 issues regarding multiple DoS vulnerabilities, information disclosure vulnerabilities,\n and logic issues that may allow an attacker to shift a client", "modified": "2019-10-09T00:00:00", "published": "2016-05-18T00:00:00", "id": "OPENVAS:1361412562310105726", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105726", "type": "openvas", "title": "Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# 
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:ip_interoperability_and_collaboration_system\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105726\");\n script_cve_id(\"CVE-2015-7974\", \"CVE-2015-7975\", \"CVE-2015-7976\", \"CVE-2015-7978\", \"CVE-2015-7977\", \"CVE-2015-7979\", \"CVE-2015-8138\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\", \"CVE-2015-7973\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_version(\"2019-10-09T06:43:33+0000\");\n\n script_name(\"Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016\");\n\n script_xref(name:\"URL\", value:\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n script_tag(name:\"summary\", value:\"Multiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package.\n Versions of this package are affected by one or more vulnerabilities that could allow an\n unauthenticated, remote attacker to create a denial of service (DoS) condition or modify the time\n being advertised by a device acting as a Network Time Protocol (NTP) server.\n\n On January 19, 2016, NTP Consortium at Network Time Foundation released a security advisory\n detailing 12 issues regarding multiple DoS vulnerabilities, information disclosure 
vulnerabilities,\n and logic issues that may allow an attacker to shift a client's time. The vulnerabilities covered in\n this document are as follows: CVE-2015-7973: Network Time Protocol Replay Attack on Authenticated\n Broadcast Mode Vulnerability CVE-2015-7974: Network Time Protocol Missing Trusted Key Check CVE-2015-\n 7975: Standard Network Time Protocol Query Program nextvar() Missing Length Check CVE-2015-7976:\n Standard Network Time Protocol Query Program saveconfig Command Allows Dangerous Characters in\n Filenames CVE-2015-7978: Network Time Protocol Daemon reslist NULL Pointer Deference Denial of\n Service Vulnerability CVE-2015-7977: Network Time Protocol Stack Exhaustion Denial of Service CVE-2015-\n 7979: Network Time Protocol Off-Path Broadcast Mode Denial of Service CVE-2015-8138: Network Time\n Protocol Zero Origin Timestamp Bypass CVE-2015-8139: Network Time Protocol Information Disclosure of\n Origin Timestamp CVE-2015-8140: Standard Network Time Protocol Query Program Replay Attack CVE-2015-\n 8158: Standard and Special Network Time Protocol Query Program Infinite loop\n\n Cisco has released software updates that address these vulnerabilities.\n\n Workarounds that address some of these vulnerabilities may be available. 
Available workarounds will\n be documented in the corresponding Cisco bug for each affected product.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"2019-10-09 06:43:33 +0000 (Wed, 09 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-05-18 10:53:18 +0200 (Wed, 18 May 2016)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_ipics_version.nasl\");\n script_mandatory_keys(\"cisco/ipics/version\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) ) exit( 0 );\n\naffected = make_list(\n '1.0(1.1)',\n '4.0(1)',\n '4.5(1)',\n '4.6(1)',\n '4.7(1)',\n '4.8(2)' );\n\nforeach af ( affected )\n{\n if( version == af )\n {\n report = report_fixed_ver( installed_version:version, fixed_version: \"See advisory\" );\n security_message( port:0, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2020-01-31T18:36:08", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2016-05-17T00:00:00", "id": "OPENVAS:1361412562310851310", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851310", "type": "openvas", "title": "openSUSE: Security Advisory for ntp (openSUSE-SU-2016:1292-1)", "sourceData": "# Copyright (C) 2016 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective 
author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851310\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-05-17 13:40:09 +0200 (Tue, 17 May 2016)\");\n script_cve_id(\"CVE-2015-5300\", \"CVE-2015-7973\", \"CVE-2015-7974\", \"CVE-2015-7975\",\n \"CVE-2015-7976\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\",\n \"CVE-2015-8138\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for ntp (openSUSE-SU-2016:1292-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ntp'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\n Also yast2-ntp-client was updated 
to match some sntp syntax changes.\n (bsc#937837)\n\n These security issues were fixed:\n\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n\n These non-security issues were fixed:\n\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. 
When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n\n - bsc#782060: Speedup ntpq.\n\n - bsc#916617: Add /var/db/ntp-kod.\n\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n\n - bsc#951559, bsc#975496: Fix the TZ offset output of sntp during DST.\n\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n\n This update was imported from the SUSE:SLE-12-SP1:Update update project.\");\n\n script_tag(name:\"affected\", value:\"ntp on openSUSE Leap 42.1\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2016:1292-1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.1\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.1\") {\n if(!isnull(res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.8p6~15.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ntp-debuginfo\", rpm:\"ntp-debuginfo~4.2.8p6~15.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ntp-debugsource\", rpm:\"ntp-debugsource~4.2.8p6~15.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ntp-doc\", rpm:\"ntp-doc~4.2.8p6~15.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"yast2-ntp-client\", rpm:\"yast2-ntp-client~3.1.22~6.1\", 
rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"yast2-ntp-client-devel-doc\", rpm:\"yast2-ntp-client-devel-doc~3.1.22~6.1\", rls:\"openSUSELeap42.1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:05", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1548", "CVE-2016-4956", "CVE-2016-4955", "CVE-2016-4954", "CVE-2015-8139"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-07-10T00:00:00", "id": "OPENVAS:1361412562310808568", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808568", "type": "openvas", "title": "Fedora Update for ntp FEDORA-2016-89e0874533", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for ntp FEDORA-2016-89e0874533\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808568\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-07-10 07:20:08 +0200 (Sun, 10 Jul 2016)\");\n script_cve_id(\"CVE-2015-8139\", \"CVE-2016-4954\", \"CVE-2016-4955\", \"CVE-2016-4956\", \"CVE-2016-1548\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for ntp FEDORA-2016-89e0874533\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ntp'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"ntp on Fedora 23\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-89e0874533\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ORAMN3Q7TVJ54MBYF75XCJOE3DP7LYHT\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", 
re:\"ssh/login/release=FC23\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC23\")\n{\n\n if ((res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~41.fc23\", rls:\"FC23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2019-05-29T18:35:29", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1548", "CVE-2016-4956", "CVE-2016-4955", "CVE-2016-4954", "CVE-2015-8139"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-06-19T00:00:00", "id": "OPENVAS:1361412562310808467", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808467", "type": "openvas", "title": "Fedora Update for ntp FEDORA-2016-50b0066b7f", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for ntp FEDORA-2016-50b0066b7f\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808467\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-06-19 05:26:03 +0200 (Sun, 19 Jun 2016)\");\n script_cve_id(\"CVE-2015-8139\", \"CVE-2016-4954\", \"CVE-2016-4955\", \"CVE-2016-4956\", \"CVE-2016-1548\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for ntp FEDORA-2016-50b0066b7f\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ntp'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"ntp on Fedora 24\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-50b0066b7f\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/K3EYJQHJZ2KTVQ7ICEFHXTLZ36MRASWX\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", 
re:\"ssh/login/release=FC24\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC24\")\n{\n\n if ((res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~41.fc24\", rls:\"FC24\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2019-05-29T18:34:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1548", "CVE-2016-4956", "CVE-2016-4955", "CVE-2016-4954", "CVE-2015-8139"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-07-10T00:00:00", "id": "OPENVAS:1361412562310808563", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310808563", "type": "openvas", "title": "Fedora Update for ntp FEDORA-2016-c3bd6a3496", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for ntp FEDORA-2016-c3bd6a3496\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.808563\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-07-10 07:19:08 +0200 (Sun, 10 Jul 2016)\");\n script_cve_id(\"CVE-2015-8139\", \"CVE-2016-4954\", \"CVE-2016-4955\", \"CVE-2016-4956\", \"CVE-2016-1548\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for ntp FEDORA-2016-c3bd6a3496\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ntp'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"ntp on Fedora 22\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2016-c3bd6a3496\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNWGCQLW2VY72NIUYMJOCAKJKTXHDUK2\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", 
re:\"ssh/login/release=FC22\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~41.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2020-03-17T22:56:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1548", "CVE-2016-4956", "CVE-2016-4955", "CVE-2016-4954", "CVE-2015-8139", "CVE-2015-4954"], "description": "The remote host is missing an update announced via the referenced Security Advisory.", "modified": "2020-03-13T00:00:00", "published": "2016-10-26T00:00:00", "id": "OPENVAS:1361412562310120716", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120716", "type": "openvas", "title": "Amazon Linux: Security Advisory (ALAS-2016-727)", "sourceData": "# Copyright (C) 2016 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120716\");\n script_version(\"2020-03-13T13:19:50+0000\");\n script_tag(name:\"creation_date\", value:\"2016-10-26 15:38:17 +0300 (Wed, 26 Oct 2016)\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 13:19:50 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Amazon Linux: Security Advisory (ALAS-2016-727)\");\n script_tag(name:\"insight\", value:\"Multiple flaws were found in NTP. Please see the references for more information.\");\n script_tag(name:\"solution\", value:\"Run yum update ntp to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2016-727.html\");\n script_cve_id(\"CVE-2015-8139\", \"CVE-2016-4954\", \"CVE-2016-4955\", \"CVE-2016-4956\", \"CVE-2015-4954\", \"CVE-2016-1548\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"The remote host is missing an update announced via the referenced Security Advisory.\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"AMAZON\") {\n if(!isnull(res = isrpmvuln(pkg:\"ntpdate\", 
rpm:\"ntpdate~4.2.6p5~41.32.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~41.32.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ntp-debuginfo\", rpm:\"ntp-debuginfo~4.2.6p5~41.32.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ntp-doc\", rpm:\"ntp-doc~4.2.6p5~41.32.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ntp-perl\", rpm:\"ntp-perl~4.2.6p5~41.32.amzn1\", rls:\"AMAZON\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2020-06-11T17:39:32", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7704", "CVE-2016-1551", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2016-1547", "CVE-2016-2519", "CVE-2016-2517", "CVE-2015-7705", "CVE-2015-7974", "CVE-2015-7978"], "description": "The host is running NTP.org", "modified": "2020-06-09T00:00:00", "published": "2016-04-28T00:00:00", "id": "OPENVAS:1361412562310807567", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807567", "type": "openvas", "title": "NTP.org 'ntpd' Multiple Vulnerabilities - Apr16", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# NTP.org 'ntpd' Multiple Vulnerabilities\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later 
version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:ntp:ntp\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807567\");\n script_version(\"2020-06-09T14:44:58+0000\");\n script_cve_id(\"CVE-2015-7973\", \"CVE-2015-7974\", \"CVE-2015-7975\", \"CVE-2015-7976\",\n \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8138\",\n \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\", \"CVE-2016-1547\",\n \"CVE-2016-1548\", \"CVE-2015-7705\", \"CVE-2016-1550\", \"CVE-2016-1551\",\n \"CVE-2016-2516\", \"CVE-2016-2517\", \"CVE-2016-2518\", \"CVE-2016-2519\",\n \"CVE-2015-7704\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-06-09 14:44:58 +0000 (Tue, 09 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-04-28 15:41:24 +0530 (Thu, 28 Apr 2016)\");\n script_name(\"NTP.org 'ntpd' Multiple Vulnerabilities - Apr16\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_ntp_detect_lin.nasl\");\n script_mandatory_keys(\"ntpd/version/detected\");\n\n script_xref(name:\"URL\", value:\"https://www.kb.cert.org/vuls/id/718152\");\n\n script_tag(name:\"summary\", value:\"The host is running NTP.org's reference\n implementation of NTP server, ntpd and 
is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - The ntpd does not filter IPv4 bogon packets received from the network.\n\n - The duplicate IPs on unconfig directives will cause an assertion botch.\n\n - Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC.\n\n - An improper Restriction of Operations within the Bounds of a Memory Buffer.\n\n - Replay attack on authenticated broadcast mode.\n\n - The nextvar() function does not properly validate length.\n\n - The ntpq saveconfig command allows dangerous characters in filenames.\n\n - Restriction list NULL pointer dereference.\n\n - Uncontrolled Resource Consumption in recursive traversal of restriction list.\n\n - An off-path attacker can send broadcast packets with bad authentication to\n broadcast clients.\n\n - An improper sanity check for the origin timestamp.\n\n - Origin Leak: ntpq and ntpdc Disclose Origin Timestamp to Unauthenticated Clients.\n\n - The sequence number being included under the signature fails to prevent\n replay attacks in ntpq protocol.\n\n - An uncontrolled Resource Consumption in ntpq.\n\n - An off-path attacker can deny service to ntpd clients by demobilizing\n preemptible associations using spoofed crypto-NAK packets.\n\n - Multiple input validation errors.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n unauthenticated remote attackers to spoof packets to cause denial of service,\n authentication bypass, or certain configuration changes.\");\n\n script_tag(name:\"affected\", value:\"NTP.org's ntpd versions before 4.2.8p7.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to NTP.org's ntpd version 4.2.8p7 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n 
exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"revisions-lib.inc\");\ninclude(\"host_details.inc\");\n\nif(isnull(port = get_app_port(cpe:CPE)))\n exit(0);\n\nif(!infos = get_app_full(cpe:CPE, port:port))\n exit(0);\n\nif(!version = infos[\"version\"])\n exit(0);\n\nlocation = infos[\"location\"];\nproto = infos[\"proto\"];\n\nif(revcomp(a:version, b:\"4.2.8p7\") < 0) {\n report = report_fixed_ver(installed_version:version, fixed_version:\"4.2.8p7\", install_path:location);\n security_message(port:port, proto:proto, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:37:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1548", "CVE-2016-4956", "CVE-2016-4955", "CVE-2016-2516", "CVE-2016-4954", "CVE-2015-8139", "CVE-2017-6462", "CVE-2017-6463", "CVE-2017-6464"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220171124", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220171124", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2017-1124)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2017.1124\");\n script_version(\"2020-01-23T10:52:03+0000\");\n script_cve_id(\"CVE-2015-8139\", \"CVE-2016-2516\", \"CVE-2016-4954\", \"CVE-2016-4955\", \"CVE-2016-4956\", \"CVE-2017-6462\", \"CVE-2017-6463\", \"CVE-2017-6464\");\n script_tag(name:\"cvss_base\", value:\"7.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 10:52:03 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 10:52:03 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2017-1124)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP1\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2017-1124\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1124\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'ntp' package(s) announced via the EulerOS-SA-2017-1124 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"ntpq in NTP before 4.2.8p7 allows remote attackers to obtain origin timestamps and then impersonate peers via unspecified vectors.CVE-2015-8139\n\nNTP before 
4.2.8p7 and 4.3.x before 4.3.92, when mode7 is enabled, allows remote attackers to cause a denial of service (ntpd abort) by using the same IP address multiple times in an unconfig directive.CVE-2016-2516\n\nThe process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication.CVE-2016-4954\n\nntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time.CVE-2016-4955\n\nntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-1548.CVE-2016-4956\n\nBuffer overflow in the legacy Datum Programmable Time Server (DPTS) refclock driver in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows local users to have unspecified impact via a crafted /dev/datum device.CVE-2017-6462\n\nNTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote authenticated users to cause a denial of service (daemon crash) via an invalid setting in a :config directive, related to the unpeer option.CVE-2017-6463\n\nNTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote attackers to cause a denial of service (ntpd crash) via a malformed mode configuration directive.CVE-2017-6464\");\n\n script_tag(name:\"affected\", value:\"'ntp' package(s) on Huawei EulerOS V2.0SP1.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP1\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~25.0.1.h13\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ntpdate\", rpm:\"ntpdate~4.2.6p5~25.0.1.h13\", rls:\"EULEROS-2.0SP1\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-01-27T18:36:40", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1548", "CVE-2016-4956", "CVE-2016-4955", "CVE-2016-2516", "CVE-2016-4954", "CVE-2015-8139", "CVE-2017-6462", "CVE-2017-6463", "CVE-2017-6464"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220171125", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220171125", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2017-1125)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2017.1125\");\n script_version(\"2020-01-23T10:52:12+0000\");\n script_cve_id(\"CVE-2015-8139\", \"CVE-2016-2516\", \"CVE-2016-4954\", \"CVE-2016-4955\", \"CVE-2016-4956\", \"CVE-2017-6462\", \"CVE-2017-6463\", \"CVE-2017-6464\");\n script_tag(name:\"cvss_base\", value:\"7.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 10:52:12 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 10:52:12 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2017-1125)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2017-1125\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1125\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'ntp' package(s) announced via the EulerOS-SA-2017-1125 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"ntpq in NTP before 4.2.8p7 allows remote attackers to obtain origin timestamps and then impersonate peers via unspecified vectors.(CVE-2015-8139)\n\nNTP before 
4.2.8p7 and 4.3.x before 4.3.92, when mode7 is enabled, allows remote attackers to cause a denial of service (ntpd abort) by using the same IP address multiple times in an unconfig directive.(CVE-2016-2516)\n\nThe process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication.(CVE-2016-4954)\n\nntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time.(CVE-2016-4955)\n\nntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-1548.(CVE-2016-4956)\n\nBuffer overflow in the legacy Datum Programmable Time Server (DPTS) refclock driver in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows local users to have unspecified impact via a crafted /dev/datum device.(CVE-2017-6462)\n\nNTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote authenticated users to cause a denial of service (daemon crash) via an invalid setting in a :config directive, related to the unpeer option.(CVE-2017-6463)\n\nNTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote attackers to cause a denial of service (ntpd crash) via a malformed mode configuration directive.(CVE-2017-6464)\");\n\n script_tag(name:\"affected\", value:\"'ntp' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~25.0.1.h6\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ntpdate\", rpm:\"ntpdate~4.2.6p5~25.0.1.h6\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:52", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "description": "\nNetwork Time Foundation reports:\n\nNTF's NTP Project has been notified of the following low-\n\t and medium-severity vulnerabilities that are fixed in\n\t ntp-4.2.8p6, released on Tuesday, 19 January 2016:\n\nBug 2948 / CVE-2015-8158: Potential Infinite Loop\n\t in ntpq. Reported by Cisco ASIG.\nBug 2945 / CVE-2015-8138: origin: Zero Origin\n\t Timestamp Bypass. Reported by Cisco ASIG.\nBug 2942 / CVE-2015-7979: Off-path Denial of\n\t Service (DoS) attack on authenticated broadcast\n\t mode. Reported by Cisco ASIG.\nBug 2940 / CVE-2015-7978: Stack exhaustion in\n\t recursive traversal of restriction list.\n\t Reported by Cisco ASIG.\nBug 2939 / CVE-2015-7977: reslist NULL pointer\n\t dereference. Reported by Cisco ASIG.\nBug 2938 / CVE-2015-7976: ntpq saveconfig command\n\t allows dangerous characters in filenames.\n\t Reported by Cisco ASIG.\nBug 2937 / CVE-2015-7975: nextvar() missing length\n\t check. 
Reported by Cisco ASIG.\nBug 2936 / CVE-2015-7974: Skeleton Key: Missing\n\t key check allows impersonation between authenticated\n\t peers. Reported by Cisco ASIG.\nBug 2935 / CVE-2015-7973: Deja Vu: Replay attack on\n\t authenticated broadcast mode. Reported by Cisco ASIG.\n\nAdditionally, mitigations are published for the following\n\t two issues:\n\nBug 2947 / CVE-2015-8140: ntpq vulnerable to replay\n\t attacks. Reported by Cisco ASIG.\nBug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc,\n\t disclose origin. Reported by Cisco ASIG.\n\n\n", "edition": 5, "modified": "2016-08-09T00:00:00", "published": "2016-01-20T00:00:00", "id": "5237F5D7-C020-11E5-B397-D050996490D0", "href": "https://vuxml.freebsd.org/freebsd/5237f5d7-c020-11e5-b397-d050996490d0.html", "title": "ntp -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "cisco": [{"lastseen": "2020-12-24T11:41:24", "bulletinFamily": "software", "cvelist": ["CVE-2015-7973", "CVE-2015-7974", "CVE-2015-7975", "CVE-2015-7976", "CVE-2015-7977", "CVE-2015-7978", "CVE-2015-7979", "CVE-2015-8138", "CVE-2015-8139", "CVE-2015-8140", "CVE-2015-8158"], "description": "A vulnerability in the Network Time Protocol daemon (ntpd) could allow an authenticated, remote attacker to leverage any trusted key, not just the trusted key for its address.\n\nThe vulnerability is exists because ntpd does not properly verify that the key being used matches the proper servers' key. An attacker could exploit this vulnerability by sending packets with any trusted key, as long as the keyid references another key the systems share and that key is used to compute the message authentication code (MAC). 
An exploit could allow the attacker to masquerade as another configured trusted association.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an unauthenticated, adjacent attacker to replay broadcast server packets.\n\nThe vulnerability is due to no replay protection on NTP broadcast packets. An attacker could exploit this vulnerability by capturing and retransmiting NTP broadcast packets to a targeted system. An exploit could allow the attacker to cause time settings on a targeted system to stop updating and maintain a particular time value.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an unauthenticated, remote attacker to modify time settings on a targeted system.\n\nThe vulnerability is due to incorrect processing of NTP update packets. An attacker could exploit this vulnerability by sending crafted updates that contain an a zero-origin timestamp to the clients' peer server. An exploit could allow the attacker to modify the time values received by the client, preventing client systems from receiving further updates from its legitimately configured time server.\n\nA vulnerability in the Standard Network Time Protocol query program (ntpq) could allow an unauthenticated, remote attacker to replay a previously captured ntpq command.\n\nThe vulnerability is due to an invalid checking of the sequence number. An attacker could exploit this vulnerability by capturing an authenticated ntpq command that was executed and then replaying back the command at a later stage. An exploit could allow the attacker to replay previously captured ntpq commands.\n\nA vulnerability in the list_restrict4() and list_restrict6() routines of the Network Time Protocol daemon (ntpd) could allow an authenticated, remote attacker to cause the ntpd to crash.\n\nThe vulnerability is due to a null pointer dereference in the list_restrict4() and list_restrict6() routines. 
An attacker could exploit this vulnerability by performing an ntpdc reslist command against a device that has a large number of NTP restrictions in place. An exploit could allow the attacker to cause the ntpd to crash.\n\nA vulnerability in the standard Network Time Protocol query program (ntpq) could allow a unauthenticated, local attacker to execute a buffer overflow attack.\n\nThe vulnerability is due to the function nextvar() executing a memcpy() into the name buffer without a proper length check. An attacker could exploit this vulnerability by calling ntpq to read variable names from an untrusted source, such as a user or environment variable. An exploit could allow the attacker to trigger a buffer overflow.\n\nA vulnerability in the standard and special Network Time Protocol query program (ntpq and ntpdc) could allow an unauthenticated, remote attacker to cause the ntpq or ntpdc program to remain in a processing loop.\n\nThe vulnerability is due to a loop that is not exited under certain conditions in the ntpq and ntpdc processes. An attacker could exploit this vulnerability by sending malicious packets to an ntpq or ntpdc client from a malicious NTP server or from a privileged network position by conducting a man-in-the-middle attack between a targeted client and the NTP server. An exploit could allow the attacker to cause the ntpq or ntpdc process to enter an infinite loop, resulting in a denial of service (DoS) condition.\n\nA vulnerability in the standard and the special Network Time Protocol query program (ntpq and ntpdc) could allow an unauthenticated, remote attacker to obtain the value of the origin timestamp expected in the next peer response.\n\nThe vulnerability is due to ntpq and ntpdc providing this information without requiring authentication. An attacker could exploit this issue by querying the client with the appropriate ntpq or ntpdc commands. 
An exploit could allow the attacker to obtain the next peer response origin timestamp, which could be leveraged in further attacks.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an authenticated, remote attacker to cause the ntpd to crash by exhausting the call stack.\n\nThe vulnerability exists because function calls to list_restrict4() or list_restrict6() can be made to exhaust space on the call stack. An attacker could exploit this vulnerability by performing an ntpdc reslist command against a device that has a large number of NTP restrictions in place. An exploit could allow the attacker to cause the ntpd to crash.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an unauthenticated, remote attacker to prevent clients from synchronizing to a time server.\n\nThe vulnerability is due to the improper handling of malicious packets by the broadcast server. An attacker could exploit this vulnerability by sending malicious, authenticated packets to the broadcast network. An exploit could allow the attacker to prevent the broadcast clients from synchronizing with configured time servers.\n\nAn issue in the standard Network Time Protocol query program (ntpq) could allow an authenticated, remote attacker to create files on the system with dangerous characters in the filename.\n\nThe issue is due to improper validation of characters within filenames. An attacker could exploit this issue by saving a filename with the saveconfig command. An exploit could allow the attacker to write filenames to the system that may contain potentially dangerous character sequences.\n\nMultiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package. 
Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server.\n\nOn January 19, 2016, NTP Consortium at Network Time Foundation released a security advisory detailing 12 issues regarding multiple DoS vulnerabilities, information disclosure vulnerabilities, and logic issues that may allow an attacker to shift a client's time. The vulnerabilities covered in this document are as follows:\n\nCVE-2015-7973: Network Time Protocol Replay Attack on Authenticated Broadcast Mode Vulnerability\nCVE-2015-7974: Network Time Protocol Missing Trusted Key Check\nCVE-2015-7975: Standard Network Time Protocol Query Program nextvar() Missing Length Check\nCVE-2015-7976: Standard Network Time Protocol Query Program saveconfig Command Allows Dangerous Characters in Filenames\nCVE-2015-7978: Network Time Protocol Daemon reslist NULL Pointer Dereference Denial of Service Vulnerability\nCVE-2015-7977: Network Time Protocol Stack Exhaustion Denial of Service\nCVE-2015-7979: Network Time Protocol Off-Path Broadcast Mode Denial of Service\nCVE-2015-8138: Network Time Protocol Zero Origin Timestamp Bypass\nCVE-2015-8139: Network Time Protocol Information Disclosure of Origin Timestamp\nCVE-2015-8140: Standard Network Time Protocol Query Program Replay Attack\nCVE-2015-8158: Standard and Special Network Time Protocol Query Program Infinite loop\n Additional details on each of the vulnerabilities are in the official security advisory from the NTP Consortium at Network Time Foundation at the following link: Security Notice [\"http://nwtime.org/security-policy/\"]\n\nCisco has released software updates that address these vulnerabilities.\n\nWorkarounds that address some of these vulnerabilities may be available. 
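The zero-origin-timestamp bypass (CVE-2015-8138) and the origin leak (CVE-2015-8139) listed above both turn on one check: a client in client/server mode must accept a reply only if the reply's origin timestamp echoes the transmit timestamp of the request the client is still waiting on. The following Python is an added example, not Cisco's or the NTP project's code. It packs and parses the 48-byte NTPv4 header with the standard library, models the pre-fix behaviour the advisory describes (an all-zero origin skips the match) beside the hardened check, and runs three constructed replies through both. The timestamp values and the 32-bit fuzz width are assumptions made for the example.

```python
"""Origin-timestamp check for NTP client/server mode (added example)."""
import secrets
import struct

# NTPv4 fixed header (RFC 5905): LI/VN/Mode, stratum, poll, precision,
# root delay, root dispersion, reference ID, then four 64-bit timestamps:
# reference, origin, receive, transmit. Network byte order, 48 bytes.
NTP_HEADER = "!BBBbIIIQQQQ"
NTP_LEN = struct.calcsize(NTP_HEADER)
MODE_CLIENT, MODE_SERVER = 3, 4


def build_packet(mode, org=0, rec=0, xmt=0, stratum=0):
    """Pack a minimal NTPv4 packet; only the fields the check uses vary."""
    li_vn_mode = (0 << 6) | (4 << 3) | mode
    return struct.pack(NTP_HEADER, li_vn_mode, stratum, 6, -20,
                       0, 0, 0, 0, org, rec, xmt)


def parse_packet(data):
    """Unpack the header fields the origin check needs."""
    if len(data) < NTP_LEN:
        raise ValueError("short NTP packet")
    f = struct.unpack(NTP_HEADER, data[:NTP_LEN])
    return {"version": (f[0] >> 3) & 7, "mode": f[0] & 7, "stratum": f[1],
            "org": f[8], "rec": f[9], "xmt": f[10]}


def build_request(now_seconds, fuzz=None):
    """Client request. The transmit timestamp doubles as a nonce: the low
    bits of the fraction are randomised so an off-path attacker cannot
    predict the origin value the client will demand in the reply
    (a 32-bit fuzz width is an assumption of this example)."""
    if fuzz is None:
        fuzz = secrets.randbits(32)
    xmt = (now_seconds << 32) | fuzz
    return build_packet(MODE_CLIENT, xmt=xmt), xmt


def vulnerable_accept(reply, pending_xmt):
    """Model of the logic CVE-2015-8138 describes: an all-zero origin
    timestamp skips the match against the outstanding request."""
    r = parse_packet(reply)
    if r["mode"] != MODE_SERVER:
        return False
    if r["org"] == 0:
        return True  # the bypass: no request is matched, reply is taken anyway
    return r["org"] == pending_xmt


def hardened_accept(reply, pending_xmt):
    """Zero is never a valid origin, and the reply must echo exactly the
    transmit timestamp of the request we are still waiting on."""
    r = parse_packet(reply)
    if r["mode"] != MODE_SERVER:
        return False
    if pending_xmt == 0 or r["org"] == 0:
        return False
    return r["org"] == pending_xmt


def demo():
    """Run a genuine reply and two forged ones through both checks."""
    req, xmt = build_request(0xE2A00000, fuzz=0x12345678)  # constructed values
    t = xmt + (1 << 32)  # server timestamps one second later
    genuine = build_packet(MODE_SERVER, org=xmt, rec=t, xmt=t, stratum=2)
    forged_zero = build_packet(MODE_SERVER, org=0, rec=t, xmt=t, stratum=1)
    forged_guess = build_packet(MODE_SERVER, org=xmt ^ 1, rec=t, xmt=t, stratum=1)
    return {
        "genuine": (vulnerable_accept(genuine, xmt), hardened_accept(genuine, xmt)),
        "zero_origin": (vulnerable_accept(forged_zero, xmt), hardened_accept(forged_zero, xmt)),
        "wrong_origin": (vulnerable_accept(forged_guess, xmt), hardened_accept(forged_guess, xmt)),
    }


if __name__ == "__main__":
    for name, (vuln, hard) in demo().items():
        print(f"{name:12s} vulnerable={vuln} hardened={hard}")
```

The hardened check only helps while the pending transmit timestamp stays secret, which is why CVE-2015-8139 matters: a host that answers ntpq or ntpdc queries from untrusted sources hands an attacker the value it would otherwise have to guess, so this check has to be paired with a restrict noquery rule.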
Available workarounds will be documented in the corresponding Cisco bug for each affected product.\n\nThis advisory is available at the following link:\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd", "modified": "2016-03-07T14:02:40", "published": "2016-01-27T20:00:00", "id": "CISCO-SA-20160127-NTPD", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd", "type": "cisco", "title": "Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "symantec": [{"lastseen": "2020-12-24T10:41:55", "bulletinFamily": "software", "cvelist": ["CVE-2015-5300", "CVE-2015-7973", "CVE-2015-7974", "CVE-2015-7975", "CVE-2015-7976", "CVE-2015-7977", "CVE-2015-7978", "CVE-2015-7979", "CVE-2015-8138", "CVE-2015-8139", "CVE-2015-8140", "CVE-2015-8158"], "description": "### SUMMARY\n\nBlue Coat products using affected versions of the NTP software distribution from ntp.org are susceptible to multiple vulnerabilities. A remote attacker may exploit these vulnerabilities to set the victim's system time to an arbitrary value or cause it to become out of sync. The attacker can also cause denial of service through application crashes and perform unauthorized modifications to the victim's NTP daemon configuration and other files on the local file system. \n \n\n\n### AFFECTED PRODUCTS\n\nThe following products are vulnerable:\n\n**Advanced Secure Gateway (ASG)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2015-8158 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1 \n6.6 | Upgrade to 6.6.5.4. \nAll CVEs except CVE-2015-8139, \nCVE-2015-8140, CVE-2015-8158 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1 \n6.6 (not vulnerable to known vectors of attack) | Upgrade to 6.6.5.4. 
\nCVE-2015-8139, CVE-2015-8140 | 6.6 and later (not vulnerable to known vectors of attack) | A fix will not be provided. ASG does not enable remote NTP configuration. \n \n \n\n**Content Analysis System (CAS)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs except CVE-2015-8139, \nCVE-2015-8140 | 2.1 and later | Not vulnerable, fixed in 2.1.1.1 \n1.2 | Upgrade to later release with fixes. \nCVE-2015-8138 | 1.3 | Upgrade to 1.3.6.1. \nCVE-2015-5300 | 1.3 (not vulnerable to known vectors of attack) | Upgrade to 1.3.6.1. \nCVE-2015-8158 | 1.3 | Upgrade to 1.3.7.3. \nCVE-2015-7973, CVE-2015-7974, \nCVE-2015-7975, CVE-2015-7976, \nCVE-2015-7977, CVE-2015-7978, \nCVE-2015-7979 | 1.3 (not vulnerable to known vectors of attack) | Upgrade to 1.3.7.3. \nCVE-2015-8139, CVE-2015-8140 | 1.2 and later (not vulnerable to known vectors of attack) | A fix will not be provided. ASG does not enable remote NTP configuration. \n \n \n\n**Director** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs except for CVE-2015-7975, \nCVE-2015-8138, CVE-2015-8139, \nCVE-2015-8140 | 6.1 | Upgrade to 6.1.22.1. \nCVE-2015-8139, CVE-2015-8140 | 6.1 | A fix will not be provided. Director by default does not enable remote NTP configuration. \n \n \n\n**Mail Threat Defense (MTD)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2015-8158 | 1.1 | Upgrade to a version of CAS and SMG with the fixes. \n \n \n\n**Management Center (MC)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2015-5300, CVE-2015-8138 | 1.6 and later | Not vulnerable, fixed in 1.6.1.1 \n1.5 | Upgrade to 1.5.3.1. \nCVE-2015-8158 | 1.8 and later | Not vulnerable, fixed in 1.8.1.1 \n1.7 | Upgrade to 1.7.2.1. \n1.5, 1.6 | Upgrade to later release with fixes. \nAll CVEs except CVE-2015-5300, \nCVE-2015-8138, CVE-2015-8139, \nCVE-2015-8140, CVE-2015-8158 | 1.8 and later | Not vulnerable, fixed in 1.8.1.1 \n1.7 | Upgrade to 1.7.2.1. 
\n1.5, 1.6 | Upgrade to later release with fixes. \nCVE-2015-8139, CVE-2015-8140 | 1.8 and later | Not vulnerable, fixed in 1.8.1.1 \n1.7 (not vulnerable to known vectors of attack) | Upgrade to 1.7.2.1 \n1.5, 1.6 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes. \n \n \n\n**Reporter** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2015-5300, CVE-2015-8138 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1 \n10.1 | Upgrade to 10.1.4.1. \nCVE-2015-7973, CVE-2015-7976 | 10.5 and later | Not vulnerable, fixed in 10.5.1.1 \n10.3, 10.4 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes. \n10.2 | Not vulnerable, fixed in 10.2.1.1 \n10.1 (not vulnerable to known vectors of attack) | Upgrade to 10.1.5.1 \nCVE-2015-8158 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1 \n10.1 | Upgrade to 10.1.5.1. \nCVE-2015-8139, CVE-2015-8140 | 10.1 and later | A fix will not be provided. Reporter does not enable remote NTP configuration. \nCVE-2015-7974, CVE-2015-7977, \nCVE-2015-7978, CVE-2015-7979 | 10.1 (not vulnerable to known vectors of attack) | Upgrade to 10.1.5.1. \nAll CVEs | 9.4, 9.5 | Not vulnerable \n \n \n\n**Security Analytics** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs except CVE-2015-7973, CVE-2015-7976, CVE-2015-8139 and CVE-2015-8140 | 7.3 and later | Not vulnerable, fixed in 7.3.1. \n7.2 | Upgrade to 7.2.2. \nCVE-2015-8139, CVE-2015-8140 | 7.2 and later | A fix will not be provided. SA by default does not enable NTP remote configuration. \nCVE-2015-7973, CVE-2015-7976 | 8.1, 8.2 | Not available at this time \n8.0, 7.3 starting with 7.3.2 | Upgrade to later release with fixes. \n7.2, 7.3.1 | Not vulnerable, fixed in 7.2.1. \nAll CVEs except CVE-2015-7973, and CVE-2015-7976 | 7.2 | Not vulnerable, fixed in 7.2.1. \nCVE-2015-5300, CVE-2015-8138 | 7.1 | Upgrade to 7.1.11. \n7.0 | Upgrade to later release with fixes. \n6.6 | Upgrade to 6.6.12. 
\nCVE-2015-7973, CVE-2015-7974, \nCVE-2015-7976, CVE-2015-7977, \nCVE-2015-7978, CVE-2015-7979, \nCVE-2015-8139, \nCVE-2015-8158 | 7.1 | Apply patch RPM from customer support. \n7.0 | Upgrade to later release with fixes. \n6.6 | Apply patch RPM from customer support. \nCVE-2015-8140 | 6.6, 7.0, 7.1 | A fix will not be provided. SA by default does not enable NTP remote configuration. \n \n \n\n**SSL Visibility (SSLV)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 3.11 and later | Not vulnerable, fixed in 3.11.1.1 \nCVE-2015-5300 | 3.10 | Upgrade to 3.10.2.1. \n3.9 | Upgrade to 3.9.3.1. \n3.8, 3.8.4FC | Upgrade to later release with fixes. \nCVE-2015-7974, CVE-2015-8138 | 3.10 | Upgrade to 3.10.2.1. \n3.9 | Upgrade to 3.9.7.1. \n3.8, 3.8.4FC | Upgrade to later release with fixes. \n \n \n\nWeb Isolation (WI) \n--- \n**CVE** | **Supported Version(s)** | **Remediation** \nCVE-2015-8139, CVE-2015-8140 | 1.12 and later (not vulnerable to known vectors of attack) | A fix will not be provided. WI by default does not enable NTP remote querying and configuration. \n \n \n\n**X-Series XOS** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs except CVE-2015-7975 | 9.7, 10.0, 11.0 | A fix will not be provided. \n \n### \nADDITIONAL PRODUCT INFORMATION\n\nIn SSL Visibility, the NTP vulnerabilities can be exploited only through the same physical network port that is used by the product's management interfaces (web UI, CLD). Limiting the machines, IP addresses and subnets able to reach this physical network port reduces the threat. The reduced threat reduces the CVSS v2 scores for each CVE. The adjusted CVSS v2 base scores and severity are:\n\n * CVE-2015-5300 - 2.9 (LOW) (AV:A/AC:M/Au:N/C:N/I:P/A:N)\n * CVE-2015-7974 - 1.4 (LOW) (AV:A/AC:H/Au:S/C:N/I:P/A:N)\n * CVE-2015-8138 - 4.8 (MEDIUM) (AV:A/AC:L/Au:N/C:N/I:P/A:P)\n\nBlue Coat products do not enable or use all functionality within the NTP software distribution from ntp.org. 
Products listed below do not utilize the functionality described in the CVEs below, and are thus not known to be vulnerable to them. However, fixes for those CVEs will be included in the patches that are provided.\n\n * **ASG 6.6:** CVE-2015-5300, CVE-2015-7973, CVE-2015-7974, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8138, CVE-2015-8139, and CVE-2015-8140.\n * **ASG 6.7:** CVE-2015-8139 and CVE-2015-8140\n * **CAS:** CVE-2015-7973, CVE-2015-7974, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, and CVE-2015-8140.\n * **MTD:** CVE-2015-7973, CVE-2015-7974, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, and CVE-2015-8140.\n * **MC:** CVE-2015-7973, CVE-2015-7974, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, and CVE-2015-8140.\n * **Reporter 10.1:** CVE-2015-7973, CVE-2015-7974, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, and CVE-2015-8140.\n * **SSLV 3x:** CVE-2015-7973, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, CVE-2015-8140, and CVE-2015-8158.\n * **SSLV 4.x:** CVE-2015-8139, CVE-2015-8140\n\nThe following products are not vulnerable: \n**Android Mobile Agent \nAuthConnector \nBCAAA \nBlue Coat HSM Agent for the Luna SP \nCacheFlow \nClient Connector \nCloud Data Protection for Salesforce \nCloud Data Protection for Salesforce Analytics \nCloud Data Protection for ServiceNow \nCloud Data Protection for Oracle CRM On Demand \nCloud Data Protection for Oracle Field Service Cloud \nCloud Data Protection for Oracle Sales Cloud \nCloud Data Protection Integration Server \nCloud Data Protection Communication Server \nCloud Data Protection Policy Builder \nGeneral Auth Connector Login Application \nIntelligenceCenter \nIntelligenceCenter Data Collector \nK9 \nMalware Analysis Appliance \nNorman Shark Industrial Control System Protection \nNorman Shark Network Protection \nNorman Shark SCADA 
Protection \nPacketShaper \nPacketShaper S-Series \nPolicyCenter \nPolicyCenter S-Series \nProxyAV \nProxyAV ConLog and ConLogXP \nProxyClient \nProxySG \nUnified Agent**\n\nBlue Coat no longer provides vulnerability information for the following products:\n\n**DLP** \nPlease contact Digital Guardian technical support regarding vulnerability information for DLP. \n \n\n\n### ISSUES\n\n**CVE-2015-5300** \n--- \n**Severity / CVSSv2** | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n**References** | SecurityFocus: [BID 77312](<https://www.securityfocus.com/bid/77312>) / NVD: [CVE-2015-5300](<https://nvd.nist.gov/vuln/detail/CVE-2015-5300>) \n**Impact** | Unauthorized modification of system time \n**Description** | A flaw in ntpd allows a remote attacker to adjust the victim's system time by an offset larger than the ntpd panic threshold. The attacker can effectively set the victim's system time to an arbitrary value. \n \n \n\n**CVE-2015-7973** \n--- \n**Severity / CVSSv2** | Medium / 4.3 (AV:A/AC:M/Au:N/C:N/I:P/A:P) \n**References** | SecurityFocus: [BID 81963](<https://www.securityfocus.com/bid/81963>) / NVD: [CVE-2015-7973](<https://nvd.nist.gov/vuln/detail/CVE-2015-7973>) \n**Impact** | Unauthorized modification of system time \n**Description** | A flaw in the NTP protocol broadcast mode allows a man-in-the-middle or a malicious broadcast client to replay time packets to broadcast clients. This attack can cause the victim's system time to become out of sync. \n \n \n\n**CVE-2015-7974** \n--- \n**Severity / CVSSv2** | Low / 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N) \n**References** | SecurityFocus: [BID 81960](<https://www.securityfocus.com/bid/81960>) / NVD: [CVE-2015-7974](<https://nvd.nist.gov/vuln/detail/CVE-2015-7974>) \n**Impact** | Unauthorized modification of system time \n**Description** | A flaw in ntpd allows a remote malicious trusted NTP client or server to impersonate a different trusted NTP client or server and modify time packets. 
This attack can cause the victim's system time to become out of sync. \n \n \n\n**CVE-2015-7975** \n--- \n**Severity / CVSSv2** | Low / 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P) \n**References** | SecurityFocus: [BID 81959](<https://www.securityfocus.com/bid/81959>) / NVD: [CVE-2015-7975](<https://nvd.nist.gov/vuln/detail/CVE-2015-7975>) \n**Impact** | Denial of service \n**Description** | A flaw in ntpq allows a remote attacker to send a crafted response to ntpq and cause it to crash, resulting in denial of service. \n \n \n\n**CVE-2015-7976** \n--- \n**Severity / CVSSv2** | Medium / 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N) \n**References** | SecurityFocus: NVD: [CVE-2015-7976](<https://nvd.nist.gov/vuln/detail/CVE-2015-7976>) \n**Impact** | Unauthorized modification of data \n**Description** | A flaw in ntpd allows a remote attacker to send a crafted \"saveconfig\" command to ntpd, causing it to modify files on the local filesystem. \n \n \n\n**CVE-2015-7977** \n--- \n**Severity / CVSSv2** | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n**References** | SecurityFocus: [BID 81815](<https://www.securityfocus.com/bid/81815>) / NVD: [CVE-2015-7977](<https://nvd.nist.gov/vuln/detail/CVE-2015-7977>) \n**Impact** | Denial of service \n**Description** | A flaw in ntpd allows a remote attacker to send a crafted \"ntpdc reslist\" command to ntpd. This attack causes ntpd to dereference a NULL pointer and crash, resulting in denial of service. \n \n \n\n**CVE-2015-7978** \n--- \n**Severity / CVSSv2** | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n**References** | SecurityFocus: [BID 81962](<https://www.securityfocus.com/bid/81962>) / NVD: [CVE-2015-7978](<https://nvd.nist.gov/vuln/detail/CVE-2015-7978>) \n**Impact** | Denial of service \n**Description** | A flaw in ntpd allows a remote attacker to send a crafted \"ntpdc reslist\" command to ntpd. This attack causes ntpd to exhaust its call stack and crash, resulting in denial of service. 
\n \n \n\n**CVE-2015-7979** \n--- \n**Severity / CVSSv2** | Medium / 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P) \n**References** | SecurityFocus: [BID 81816](<https://www.securityfocus.com/bid/81816>) / NVD: [CVE-2015-7979](<https://nvd.nist.gov/vuln/detail/CVE-2015-7979>) \n**Impact** | Denial of service \n**Description** | A flaw in the NTP protocol broadcast mode allows a remote attacker to send bad authentication packets to broadcast clients. This attack causes the clients to stop synchronizing their system time from the broadcast server, which causes their time to become out of sync and results in denial of service. \n \n \n\n**CVE-2015-8138** \n--- \n**Severity / CVSSv2** | Medium / 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P) \n**References** | SecurityFocus: [BID 81811](<https://www.securityfocus.com/bid/81811>) / NVD: [CVE-2015-8138](<https://nvd.nist.gov/vuln/detail/CVE-2015-8138>) \n**Impact** | Denial of service, unauthorized modification of system time \n**Description** | A flaw in ntpd allows a remote attacker to send a forged time packet to an NTP client. This attack causes the client to set its system time to an arbitrary value or stop synchronizing its time from the NTP server. \n \n \n\n**CVE-2015-8139** \n--- \n**Severity / CVSSv2** | Medium / 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N) \n**References** | SecurityFocus: [BID 82105](<https://www.securityfocus.com/bid/82105>) / NVD: [CVE-2015-8139](<https://nvd.nist.gov/vuln/detail/CVE-2015-8139>) \n**Impact** | Unauthorized modification of system time \n**Description** | A flaw in ntpd allows a remote attacker to obtain timestamp information from an NTP client and use the information to send a forged time packet to the client. This attack can cause the client to set its system time to an arbitrary value. 
\n \n \n\n**CVE-2015-8140** \n--- \n**Severity / CVSSv2** | Medium / 5.4 (AV:A/AC:M/Au:N/C:P/I:P/A:P) \n**References** | SecurityFocus: [BID 82102](<https://www.securityfocus.com/bid/82102>) / NVD: [CVE-2015-8140](<https://nvd.nist.gov/vuln/detail/CVE-2015-8140>) \n**Impact** | Unauthorized modification of data \n**Description** | A replay flaw in the ntpq protocol allows a remote attacker to sniff an ntpq configuration command and replay it at a later time, modifying the victim's ntpd configuration in an unexpected way. \n \n \n\n**CVE-2015-8158** \n--- \n**Severity / CVSSv2** | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n**References** | SecurityFocus: [BID 81814](<https://www.securityfocus.com/bid/81814>) / NVD: [CVE-2015-8158](<https://nvd.nist.gov/vuln/detail/CVE-2015-8158>) \n**Impact** | Denial of service \n**Description** | A flaw in ntpq and ntpdc allows an attacker to send a crafted response to ntpq or ntpdc and force them to enter an infinite loop. This attack results in denial of service. \n \n### \nMITIGATION\n\nThese vulnerabilities can be exploited only through the management network port for CAS, Director, MC, and XOS. Allowing only machines, IP addresses and subnets from a trusted network to access the management network port reduces the threat of exploiting the vulnerabilities.\n\nBy default, Director, Security Analytics and XOS do not run ntpd with the -g command line option, and do not enable NTP broadcast mode, symmetric authentication, remote querying, and remote configuration. 
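The "remote querying" and "remote configuration" features named in this MITIGATION section are governed by the ntpd restrict flags: noquery refuses the mode 6/7 control channel that ntpq and ntpdc use, nomodify still answers read-only queries but refuses runtime reconfiguration, and a restrict line with no flags at all grants everything to that source. The following Python is an added example, not Symantec's or the NTP project's code. It parses the restrict lines of two constructed ntp.conf fragments (one weak, one hardened; the addresses are documentation ranges chosen for the example) and reports which sources can still reach the control channel that CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-8139 and CVE-2015-8140 depend on.

```python
"""ntp.conf restrict-line audit (added example; sample configs are constructed)."""

# Constructed sample: the default rule permits mode 6/7 queries and runtime
# reconfiguration from anywhere, and the 192.0.2.0/24 rule (a documentation
# range, an assumption of this example) carries no flags at all.
WEAK_CONF = """\
driftfile /var/lib/ntp/drift
restrict default nopeer notrap
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0
server 203.0.113.10 iburst
server 203.0.113.11 iburst
"""

# Same hosts with the restrictions the mitigation relies on.
HARDENED_CONF = """\
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify noquery
server 203.0.113.10 iburst
server 203.0.113.11 iburst
"""

# Loopback and 'source' (applies to configured peers) are not remote sources.
LOCAL = {"127.0.0.1", "::1", "source"}


def parse_restricts(conf):
    """Return one dict per 'restrict' line: address family (-4/-6/None),
    target, optional mask and the set of flags that follow."""
    rules = []
    for raw in conf.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) < 2 or words[0] != "restrict":
            continue
        words = words[1:]
        family = words.pop(0) if words[0] in ("-4", "-6") and len(words) > 1 else None
        target = words.pop(0)
        mask = None
        if len(words) >= 2 and words[0] == "mask":
            words.pop(0)
            mask = words.pop(0)
        rules.append({"family": family, "target": target, "mask": mask,
                      "flags": set(words)})
    return rules


def audit(conf):
    """List the ways remote hosts can still reach the ntpq/ntpdc control
    channel. 'ignore' or 'noquery' closes mode 6/7 entirely; 'nomodify'
    alone still answers read-only queries (enough for the origin leak and
    the reslist crashes) but refuses runtime reconfiguration."""
    findings = []
    rules = parse_restricts(conf)
    defaults = [r for r in rules if r["target"] == "default"]
    if not defaults:
        findings.append("no 'restrict default' line: any source may query and reconfigure ntpd")
    for r in defaults:
        scope = f"restrict {r['family']} default" if r["family"] else "restrict default"
        if not r["flags"] & {"ignore", "noquery"}:
            findings.append(f"{scope}: remote querying allowed (missing noquery)")
            if "nomodify" not in r["flags"]:
                findings.append(f"{scope}: remote configuration allowed (missing nomodify)")
    for r in rules:
        if r["target"] == "default" or r["target"] in LOCAL:
            continue
        if not r["flags"]:
            where = r["target"] + (f" mask {r['mask']}" if r["mask"] else "")
            findings.append(f"restrict {where}: no flags, so this source may query and reconfigure ntpd")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["no findings"])
```

On a real host the same logic runs over /etc/ntp.conf; a restrict line that lists a subnet without flags is the case most often missed, since it looks like a restriction but is in fact a full grant for that network.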
Customers who leave these NTP features disabled prevent attacks against these products using the following vulnerabilities:\n\n * **Director and Security Analytics:** CVE-2015-5300, CVE-2015-7973, CVE-2015-7974, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, CVE-2015-8140.\n * **XOS:** CVE-2015-7973, CVE-2015-7974, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, CVE-2015-8140.\n\n### REFERENCES\n\nNTP Project Security Notice - <https://support.ntp.org/bin/view/Main/SecurityNotice> \nAttacking the Network Time Protocol (technical paper) - <https://www.cs.bu.edu/~goldbe/NTPattack.html> \nAttacking NTP's Authenticated Broadcast Mode - <https://www.cs.bu.edu/~goldbe/papers/NTPbroadcast.html> \n \n\n\n### REVISION\n\n2020-11-17 A fix for MTD 1.1 will not be provided. Please upgrade to a version of CAS and SMG with the vulnerability fixes. A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for XOS 9.7, 10.0, and 11.0 will not be provided. \n2020-04-23 A fix for CVE-2015-7973 and CVE-2015-7976 in Reporter 10.3 will not be provided. Please upgrade to a later release with the vulnerability fixes. Reporter 10.5 is not vulnerable to CVE-2015-7973 and CVE-2015-7976 because a fix is available in 10.5.1.1. \n2019-10-07 WI 1.12 and 1.13 have vulnerable versions of the NTP software distribution from ntp.org for CVE-2015-8139 and CVE-2015-8140, but do not enable remote querying and configuration in ntpd, so they are not vulnerable to known vectors of attack. Fixes will not be provided. \n2019-08-28 Reporter 10.3 and 10.4 have vulnerable versions of the NTP software distribution from ntp.org, but are not vulnerable to known vectors of attack. \n2019-01-21 SA 7.3 starting with 7.3.2 and 8.0 are vulnerable to CVE-2015-7973 and CVE-2015-7976. SA 8.0 is vulnerable to CVE-2015-8139 and CVE-2015-8140. By default, SA 8.0 does not enable NTP remote configuration. 
\n2019-01-18 SSLV 4.x is not vulnerable to CVE-2015-8139 and CVE-2015-8140 because a fix is available in 4.0.2.1. \n2018-04-22 CAS 2.3 has a vulnerable version of the NTP software distribution from ntp.org, but is not vulnerable to known vectors of attack. A fix for CVE-2015-8139 and CVE-2015-8140 will not be provided. CAS 2.3 does not enable remote configuration in the NTP reference implementation and is not vulnerable to known vectors of attack for CVE-2015-8139 and CVE-2015-8140. \n2017-11-08 CAS 2.2 has a vulnerable version of the NTP software distribution from ntp.org, but is not vulnerable to known vectors of attack. A fix for CVE-2015-8139 and CVE-2015-8140 will not be provided. CAS 2.2 does not enable remote configuration in the NTP reference implementation and is not vulnerable to known vectors of attack for CVE-2015-8139 and CVE-2015-8140. \n2017-11-07 MC 1.8 and later releases have a vulnerable version of the NTP software distribution from ntp.org for CVE-2015-8139 and CVE-2015-8140. A fix will not be provided. MC does not enable remote configuration in the NTP reference implementation and is not vulnerable to known vectors of attack for CVE-2015-8139 and CVE-2015-8140. \n2017-11-06 ASG 6.7 has a vulnerable version of the NTP software distribution from ntp.org for CVE-2015-8139 and CVE-2015-8140. A fix will not be provided. ASG 6.7 does not enable remote configuration in the NTP reference implementation and is not vulnerable to known vectors of attack for CVE-2015-8139 and CVE-2015-8140. \n2017-11-04 It was previously reported that SSLV 4.0 and 4.1 are not vulnerable. Further investigation indicates that SSLV 4.x has a vulnerable version of the NTP software distribution from ntp.org for CVE-2015-8139 and CVE-2015-8140. Fixes will not be provided. SSLV 4.x does not enable remote configuration and is not vulnerable to known vectors of attack. \n2017-08-02 SSLV 4.1 is not vulnerable. 
\n2017-07-20 MC 1.10 has a vulnerable version of the NTP software distribution from ntp.org, but is not vulnerable to known vectors of attack. A fix for CVE-2015-8139 and CVE-2015-8140 in MC 1.9 will not be provided. MC 1.9 does not enable remote configuration in the NTP reference implementation and is not vulnerable to known vectors of attack for CVE-2015-8139 and CVE-2015-8140. \n2017-07-18 A fix for CVE-2015-8139 and CVE-2015-8140 will not be provided for ASG, CA, Director, MC, Reporter, and Security Analytics. These products do not enable remote configuration in the NTP reference implementation and are not vulnerable to known vectors of attack. \n2017-06-22 Security Analytics 7.3 is vulnerable to CVE-2015-8139 and CVE-2015-8140. \n2017-05-17 CAS 2.1 has a vulnerable version of the NTP software distribution from ntp.org, but is not vulnerable to known vectors of attack. \n2017-03-30 MC 1.8 and 1.9 have a vulnerable version of the NTP software distribution from ntp.org, but are not vulnerable to known vectors of attack. \n2017-03-29 A fix for all CVEs except CVE-2015-8139 and CVE-2015-8140 in ASG 6.6 is available in 6.6.5.4. \n2017-03-16 A fix for all CVEs in SSLV 3.10 is available in 3.10.2.1. \n2017-03-08 A fix for all CVEs except CVE-2015-8139 and CVE-2015-8140 in Director is available in 6.1.22.1. \n2017-03-06 MC 1.8 is not vulnerable. SSLV 4.0 is not vulnerable. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support. \n2017-01-25 A fix for all CVEs except CVE-2015-8139 and CVE-2015-8140 in SA 7.2 is available in 7.2.2. \n2017-01-24 A fix for all CVEs except CVE-2015-8139 and CVE-2015-8140 in CAS 1.3 is available in 1.3.7.3. \n2017-01-13 A fix for all CVEs in SSLV 3.9 is available in 3.9.7.1. \n2017-01-10 A fix for all CVEs except for CVE-2015-8139 and CVE-2015-8140 in Reporter 10.1 is available in 10.1.5.1. \n2016-12-04 A fix is available in SSLV 3.11.1.1. 
\n2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable. \n2016-11-14 A fix for all CVEs except CVE-2015-8139 and CVE-2015-8140 is available in MC 1.7.2.1. \n2016-11-11 SSLV 3.10 is vulnerable to CVE-2015-7974 and CVE-2015-8138. A fix is not available at this time. \n2016-11-08 A fix for all CVEs except CVE-2015-8140 in Security Analytics 6.6 and 7.1 is available through a patch RPM from Blue Coat Support. SA 7.2 is vulnerable to CVE-2015-7973, CVE-2015-7976, and CVE-2015-8140. \n2016-10-26 MC 1.6 and 1.7 are vulnerable to CVE-2015-8158. They also have vulnerable code for multiple CVEs, but are not vulnerable to known vectors of attack. See Advisory Details section for a list of CVEs. A fix will not be provided for MC 1.6. Please upgrade to a later version with the vulnerability fixes. \n2016-07-18 A fix for CVE-2015-7974, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, and CVE-2015-8158 in Security Analytics 6.6 and 7.1 is available through a patch RPM from customer support. A fix for the other CVEs is not available at this time. \n2016-06-23 A fix for CVE-2015-5300 and CVE-2015-8138 is available in ASG 6.6.4.1. \n2016-05-17 A fix for CVE-2015-5300 and CVE-2015-8138 is available in Security Analytics 6.6.12 and 7.1.11. \n2016-05-11 No Cloud Data Protection products are vulnerable. \n2016-04-24 MTD 1.1 is vulnerable to CVE-2015-8158. It also has vulnerable code for a number of CVEs, but is not vulnerable to known vectors of attack. \n2016-04-01 A fix for CVE-2015-5300 and CVE-2015-8138 in Reporter 10.1 is available in 10.1.4.1. \n2016-03-28 Previously it was reported that SSLV has vulnerable code for CVE-2015-7975. Further investigation has shown that SSLV is not vulnerable to this CVE. \n2016-03-14 A fix for CVE-2015-5300 and CVE-2015-8138 in CAS 1.3 is available in 1.3.6.1. A fix for CVE-2015-5300 and CVE-2015-8138 in MC 1.5 is available in 1.5.3.1. 
\n2016-03-03 initial public release\n", "modified": "2020-12-22T05:06:10", "published": "2016-03-03T08:00:00", "id": "SMNTC-1350", "href": "", "type": "symantec", "title": "SA113 : January 2016 NTP Security Vulnerabilities", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "suse": [{"lastseen": "2016-09-04T12:22:35", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "edition": 1, "description": "ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n These security issues were fixed:\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). 
This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n\n This update was imported from the SUSE:SLE-12-SP1:Update update project.\n\n", "modified": "2016-05-12T21:07:47", "published": "2016-05-12T21:07:47", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00038.html", "id": "OPENSUSE-SU-2016:1292-1", "title": "Security update for ntp (important)", "type": "suse", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T12:46:49", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "edition": 1, "description": "ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n These security issues were fixed:\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows 
dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n\n", "modified": "2016-04-28T19:13:09", "published": "2016-04-28T19:13:09", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00060.html", "id": "SUSE-SU-2016:1177-1", "title": "Security update for ntp (important)", "type": "suse", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T11:47:01", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "edition": 1, "description": "ntp was 
updated to version 4.2.8p6 to fix 12 security issues.\n\n These security issues were fixed:\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. 
When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n - bsc#784760: Remove local clock from default configuration\n\n", "modified": "2016-04-28T19:09:34", "published": "2016-04-28T19:09:34", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00059.html", "id": "SUSE-SU-2016:1175-1", "title": "Security update for ntp (important)", "type": "suse", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T12:27:22", "bulletinFamily": "unix", "cvelist": ["CVE-2015-7703", "CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7855", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7704", "CVE-2015-7979", "CVE-2015-7701", "CVE-2015-7976", "CVE-2015-7848", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7692", "CVE-2015-7851", "CVE-2015-7702", "CVE-2015-7852", "CVE-2015-7871", "CVE-2015-7849", "CVE-2015-7691", "CVE-2015-7705", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7850", "CVE-2015-7854", "CVE-2015-7978", "CVE-2015-7853"], "description": "ntp was updated to version 4.2.8p6 to fix 28 security issues.\n\n Major functional changes:\n - The "sntp" commandline tool changed its option handling in a major way,\n some options have been renamed or dropped.\n - "controlkey 1" is added during update to ntp.conf to allow sntp to work.\n - The local clock is being disabled during update.\n - ntpd is no longer running chrooted.\n\n Other functional changes:\n - ntp-signd is installed.\n - "enable mode7" can be added to the configuration to allow ntpdc to work\n as compatibility mode option.\n - "kod" 
was removed from the default restrictions.\n - SHA1 keys are used by default instead of MD5 keys.\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n These security issues were fixed:\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n - CVE-2015-7871: NAK to the Future: Symmetric association authentication\n bypass via crypto-NAK (bsc#951608).\n - CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning\n FAIL on some bogus values (bsc#951608).\n - CVE-2015-7854: Password Length Memory Corruption Vulnerability\n (bsc#951608).\n - CVE-2015-7853: Invalid length data provided by a custom refclock driver\n could cause a buffer overflow (bsc#951608).\n - CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability\n (bsc#951608).\n - CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#951608).\n - CVE-2015-7850: remote config logfile-keyfile (bsc#951608).\n - CVE-2015-7849: trusted key use-after-free (bsc#951608).\n - CVE-2015-7848: mode 7 loop 
counter underrun (bsc#951608).\n - CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#951608).\n - CVE-2015-7703: configuration directives "pidfile" and "driftfile" should\n only be allowed locally (bsc#951608).\n - CVE-2015-7704, CVE-2015-7705: Clients that receive a KoD should validate\n the origin timestamp field (bsc#951608).\n - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702: Incomplete autokey data\n packet length checks (bsc#951608).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n - Add a controlkey line to /etc/ntp.conf if one does not already exist to\n allow runtime configuration via ntpq.\n - bsc#946386: Temporarily disable memlock to avoid problems due to high\n memory usage during name resolution.\n - bsc#905885: Use SHA1 instead of MD5 for symmetric keys.\n - Improve runtime configuration:\n * Read keytype from ntp.conf\n * Don't write ntp keys to syslog.\n - Fix legacy action scripts to pass on command line arguments.\n - bsc#944300: Remove "kod" from the restrict line in ntp.conf.\n - bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.\n - Add a controlkey to ntp.conf to make the above work.\n - Don't let "keysdir" lines in ntp.conf trigger the "keys" parser.\n - Disable mode 7 (ntpdc) again, now that we don't use it anymore.\n - Add "addserver" as a 
new legacy action.\n - bsc#910063: Fix the comment regarding addserver in ntp.conf.\n - bsc#926510: Disable chroot by default.\n - bsc#920238: Enable ntpdc for backwards compatibility.\n\n", "edition": 1, "modified": "2016-05-06T13:07:50", "published": "2016-05-06T13:07:50", "id": "SUSE-SU-2016:1247-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00020.html", "title": "Security update for ntp (important)", "type": "suse", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T12:46:49", "bulletinFamily": "unix", "cvelist": ["CVE-2015-7703", "CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7855", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-5219", "CVE-2015-7704", "CVE-2015-7979", "CVE-2015-7701", "CVE-2015-7976", "CVE-2015-7848", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7692", "CVE-2015-7851", "CVE-2015-7702", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7871", "CVE-2015-7849", "CVE-2015-7691", "CVE-2015-7705", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7850", "CVE-2015-7854", "CVE-2015-7978", "CVE-2015-7853"], "description": "This network time protocol server ntp was updated to 4.2.8p6 to fix the\n following issues:\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n Major functional changes:\n - The "sntp" commandline tool changed its option handling in a major way.\n - "controlkey 1" is added during update to ntp.conf to allow sntp to work.\n - The local clock is being disabled during update.\n - ntpd is no longer running chrooted.\n\n\n Other functional changes:\n - ntp-signd is installed.\n - "enable mode7" can be added to the configuration to allow ntpdc to work\n as compatibility mode option.\n - "kod" was removed from the default restrictions.\n - SHA1 keys are used by default instead of MD5 keys.\n\n These security issues were fixed:\n - CVE-2015-5219: An endless loop due to incorrect precision to 
double\n conversion (bsc#943216).\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n - CVE-2015-7871: NAK to the Future: Symmetric association authentication\n bypass via crypto-NAK (bsc#951608).\n - CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning\n FAIL on some bogus values (bsc#951608).\n - CVE-2015-7854: Password Length Memory Corruption Vulnerability\n (bsc#951608).\n - CVE-2015-7853: Invalid length data provided by a custom refclock driver\n could cause a buffer overflow (bsc#951608).\n - CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability\n (bsc#951608).\n - CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#951608).\n - CVE-2015-7850: remote config logfile-keyfile (bsc#951608).\n - CVE-2015-7849: trusted key use-after-free (bsc#951608).\n - CVE-2015-7848: mode 7 loop counter underrun (bsc#951608).\n - CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#951608).\n - CVE-2015-7703: configuration directives "pidfile" and "driftfile" should\n only be allowed 
locally (bsc#951608).\n - CVE-2015-7704, CVE-2015-7705: Clients that receive a KoD should validate\n the origin timestamp field (bsc#951608).\n - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702: Incomplete autokey data\n packet length checks (bsc#951608).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n - Add a controlkey line to /etc/ntp.conf if one does not already exist to\n allow runtime configuration via ntpq.\n - bsc#946386: Temporarily disable memlock to avoid problems due to high\n memory usage during name resolution.\n - bsc#905885: Use SHA1 instead of MD5 for symmetric keys.\n - Improve runtime configuration:\n * Read keytype from ntp.conf\n * Don't write ntp keys to syslog.\n - Fix legacy action scripts to pass on command line arguments.\n - bsc#944300: Remove "kod" from the restrict line in ntp.conf.\n - bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.\n - Don't let "keysdir" lines in ntp.conf trigger the "keys" parser.\n - Disable mode 7 (ntpdc) again, now that we don't use it anymore.\n - Add "addserver" as a new legacy action.\n - bsc#910063: Fix the comment regarding addserver in ntp.conf.\n - bsc#926510: Disable chroot by default.\n - bsc#920238: Enable ntpdc for backwards compatibility.\n - bsc#784760: Remove local clock from default configuration.\n 
- bsc#942441/fate#319496: Require perl-Socket6.\n - Improve runtime configuration:\n * Read keytype from ntp.conf\n * Don't write ntp keys to syslog.\n - bsc#920183: Allow -4 and -6 address qualifiers in "server" directives.\n - Use upstream ntp-wait, because our version is incompatible with the new\n ntpq command line syntax.\n\n", "edition": 1, "modified": "2016-05-17T15:09:17", "published": "2016-05-17T15:09:17", "id": "SUSE-SU-2016:1311-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00048.html", "type": "suse", "title": "Security update for ntp (important)", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}], "seebug": [{"lastseen": "2017-11-19T12:15:06", "description": "### Summary\r\nAn exploitable configuration modification vulnerability exists in the control mode (mode 6) functionality of ntpd. A specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, preventing legitimate monitoring. A remote, unauthenticated, network attacker can trigger this vulnerability.\r\n\r\n### Tested Versions\r\n* NTP 4.2.8p3\r\n* NTP 4.2.8p8\r\n* NTPsec 0.9.1\r\n* NTPsec 0.9.3\r\n\r\n### Product URLs\r\n* http://www.ntp.org\r\n* http://www.ntpsec.org/\r\n\r\n### CVSS Scores\r\n* CVSSv2: 6.4 - (AV:N/AC:L/Au:N/C:P/I:P/A:N)\r\n* CVSSv3: 6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\r\n\r\n### Details\r\nntpd provides a `trap` functionality that sends asynchronous notifications to a number of `trap receivers` whenever an event of interest occurs. Example events of interest include: association mobilization and demobilization, authentication failures, reachability changes, etc.\r\n\r\nSince at least ntp-4.0.94 (July 21, 1999), ntpd has allowed traps to be configured via control (mode 6) and private (mode 7) NTP modes. 
Though private mode requires messages modifying trap settings to be authenticated, control mode allows unauthenticated packets to modify trap settings using the `SETTRAP` and `UNSETTRAP` control messages.\r\n\r\nThis vulnerability can be used to achieve several goals:\r\n\r\n* Time Shifting: If an attacker controls a host that is allowed to receive traps (i.e. not restricted by `restrict noquery` or `restrict notrap`), the attacker can instruct a victim ntpd instance to send traps to the attacker's host. Whenever a reportable event occurs for some peer, the victim ntpd will send a trap to the attacker leaking all the peer variables associated with that peer. The information leaked includes the peer's org and rec variables allowing the attacker to bypass TEST2 and impersonate said peer in a manner similar to CVE-2015-8139 and CVE-2016-1548.\r\nThe attacker can force the victim ntpd to leak the information for any peer at any time by triggering a reportable event for said peer. There are multiple methods to trigger a reportable event for a peer, among them spoofing an invalid crypto-NAK or incorrectly authenticated packet from the peer.\r\nNOTE: With ntp-4.2.8p8 and earlier the 0rigin attack (CVE-2015-8138) [1] already allows impersonation of reachable peers. In those ntpd versions, this vulnerability provides another method for impersonating unreachable peers.\r\n\r\n* DDoS Amplification: An attacker can use an ntpd instance as a DDoS amplifier to DDoS hosts that are allowed to receive traps from the ntpd instance using the following technique. The amplification factor is 12-13x.\r\n\r\nThe attacker forges a `SETTRAP` packet from the `victim` to the `amplifier`, causing the `amplifier` to set a trap for the `victim`. The attacker then repeatedly triggers reportable events causing trap messages to be sent to the victim. E.g. 
the attacker rapidly forges invalid crypto-NAKs and/or bad_auth packets from the `victim`'s `sys_peer`.\r\nntpd attempts to limit the number of consecutive traps sent for events of a single type. To maximize effect, the attacker can alternate between events of different types.\r\nntpd will periodically time out old traps when a new one is set. Therefore, for a long-term attack, the attacker may need to periodically refresh the trap on the `amplifier`.\r\n\r\n* Evading Monitoring: In an environment where dynamically configured traps are used to modify an ntpd instance, an unauthenticated attacker can remove traps set by legitimate monitoring systems by spoofing the source address of the `trap receiver` in an `UNSETTRAP` message.\r\n\r\nAuthentication should be required in order to modify trap configuration.\r\n\r\n### Mitigation\r\nSeveral mitigations can lessen the impact of this vulnerability.\r\n\r\n1. Unauthorized hosts can be prevented from receiving traps using the `restrict default notrap` restriction. This setting is the default on many modern Linux systems.\r\nThis mitigation has no effect on the \"Evading Monitoring\" impact described above because the alleged sender of the packet is an authorized trap receiver.\r\n2. Block NTP control mode trap configuration commands using a firewall or IPS. It does not appear that support for configuring control mode traps was ever implemented in ntpq, the reference NTP control mode client. As such, on most networks blocking control mode trap configuration commands should have no effect on legitimate traffic. 
Specifically, firewalls should block packets with the following characteristics:\r\n\t* UDP Destination Port: 123\r\n\t* NTP Mode: 6\r\n\t* NTP Control Operation Code: 6 (SETTRAP) or 31 (UNSETTRAP)\r\n\r\nTraps specified in ntp.conf cannot be modified using this vulnerability.\r\n[1] http://www.talosintelligence.com/reports/TALOS-2016-0077/\r\n\r\n### Timeline\r\n* 2016-09-20 - Vendor Disclosure\r\n* 2016-11-21 - Public Release", "published": "2017-10-11T00:00:00", "type": "seebug", "title": "Network Time Protocol Control Mode Unauthenticated Trap Information Disclosure and DDoS Amplification Vulnerability(CVE-2016-9310)", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-8138", "CVE-2015-8139", "CVE-2016-1548", "CVE-2016-9310"], "modified": "2017-10-11T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96647", "id": "SSV:96647", "sourceData": "", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}], "amazon": [{"lastseen": "2020-11-10T12:37:31", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1548", "CVE-2016-4956", "CVE-2016-4955", "CVE-2016-4954", "CVE-2015-8139"], "description": "**Issue Overview:**\n\nIt was discovered that ntpq and ntpdc disclosed the origin timestamp to unauthenticated clients, which could permit such clients to forge the server's replies. ([CVE-2015-8139 __](<https://access.redhat.com/security/cve/CVE-2015-8139>))\n\nThe process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication. 
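The filter characteristics in the Talos mitigation above (UDP destination port 123, NTP mode 6, control opcode 6 or 31) map directly onto the 12-byte NTP control header. The following is an added example, written for this page rather than taken from Talos, Seebug, Amazon or the ntp project: it parses that header and applies the rule to a handful of constructed packets (not captures). The opcode values are the CTL_OP_SETTRAP and CTL_OP_UNSETTRAP constants from ntpd's ntp_control.h; the function and sample names are my own.

```python
import struct
from dataclasses import dataclass
from typing import Optional

NTP_PORT = 123
MODE_CONTROL = 6  # NTP mode 6 = control messages, the protocol ntpq speaks

# Control opcodes from ntp_control.h (CTL_OP_*); only the ones worth naming here.
OPCODE_NAMES = {1: "READSTAT", 2: "READVAR", 3: "WRITEVAR", 6: "SETTRAP",
                7: "ASYNCMSG", 9: "SAVECONFIG", 31: "UNSETTRAP"}
TRAP_OPCODES = {6, 31}  # SETTRAP, UNSETTRAP: the two the advisory says to drop


@dataclass
class ControlHeader:
    leap: int
    version: int
    response: bool   # R bit: 1 = reply from ntpd, 0 = request
    error: bool      # E bit
    more: bool       # M bit: further fragments follow
    opcode: int      # low 5 bits of the second byte
    sequence: int
    status: int
    assoc_id: int
    offset: int
    count: int       # bytes of payload following the 12-byte header


def parse_control_header(pkt: bytes) -> Optional[ControlHeader]:
    """Parse the NTP control header (RFC 1305 Appendix B / ntp_control.h).

    Returns None for packets that are too short or not mode 6, so any UDP/123
    payload can be fed in without a pre-filter."""
    if len(pkt) < 12:
        return None
    b0, b1, seq, status, assoc, off, cnt = struct.unpack("!BBHHHHH", pkt[:12])
    if b0 & 0x07 != MODE_CONTROL:
        return None
    return ControlHeader(
        leap=b0 >> 6, version=(b0 >> 3) & 0x07,
        response=bool(b1 & 0x80), error=bool(b1 & 0x40), more=bool(b1 & 0x20),
        opcode=b1 & 0x1F, sequence=seq, status=status,
        assoc_id=assoc, offset=off, count=cnt,
    )


def should_block(dst_port: int, pkt: bytes) -> bool:
    """The advisory's rule: UDP dst 123, NTP mode 6, opcode 6 or 31.

    Destination port 123 already selects traffic towards ntpd, i.e. requests;
    replies and trap notifications (ASYNCMSG) leave from port 123 and are untouched."""
    if dst_port != NTP_PORT:
        return False
    hdr = parse_control_header(pkt)
    return hdr is not None and hdr.opcode in TRAP_OPCODES


def build_control_request(opcode: int, seq: int = 1, assoc_id: int = 0,
                          data: bytes = b"", version: int = 2) -> bytes:
    """Build a minimal unauthenticated mode-6 request (constructed sample, not a capture).

    R, E and M are 0 in a request; the payload is padded to a 32-bit boundary.
    Version 2 is what ntpq sends by default; ntpd accepts its whole supported range."""
    b0 = (version << 3) | MODE_CONTROL   # LI = 0
    b1 = opcode & 0x1F                   # R = E = M = 0
    hdr = struct.pack("!BBHHHHH", b0, b1, seq, 0, assoc_id, 0, len(data))
    return hdr + data + b"\x00" * ((-len(data)) % 4)


def describe(dst_port: int, pkt: bytes) -> str:
    """One-line verdict per packet, the way an IDS rule would log it."""
    hdr = parse_control_header(pkt)
    if hdr is None:
        return "pass  (not an NTP control packet)"
    name = OPCODE_NAMES.get(hdr.opcode, str(hdr.opcode))
    verdict = "BLOCK" if should_block(dst_port, pkt) else "pass "
    return (f"{verdict} mode6 op={hdr.opcode:<2} ({name}) seq={hdr.sequence} "
            f"assoc={hdr.assoc_id} R={int(hdr.response)}")


# Constructed samples: an ordinary mode-3 client poll, an ntpq readvar,
# the two trap-management requests, and a SETTRAP sent somewhere other than port 123.
SAMPLES = [
    ("client poll",         123,  b"\x23" + b"\x00" * 47),   # LI=0 VN=4 mode=3
    ("ntpq rv",             123,  build_control_request(2, seq=7, assoc_id=0x1234)),
    ("settrap",             123,  build_control_request(6, seq=8)),
    ("unsettrap",           123,  build_control_request(31, seq=9)),
    ("settrap, other port", 1234, build_control_request(6)),
]

if __name__ == "__main__":
    for label, port, pkt in SAMPLES:
        print(f"{label:<20} {describe(port, pkt)}")
```

The rule keys on the opcode alone, so a SETTRAP that happens to carry a valid control-key authenticator is dropped as well; that is consistent with the advisory's observation that ntpq never appears to have implemented trap configuration, so no legitimate client traffic should carry opcodes 6 or 31. On the ntpd side the matching host mitigation is the `notrap` (and `noquery`) flag on the `restrict` line, which the advisory notes many distributions already set by default; the network filter is for hosts you cannot reconfigure.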
([CVE-2016-4954 __](<https://access.redhat.com/security/cve/CVE-2016-4954>))\n\nntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time. ([CVE-2016-4955 __](<https://access.redhat.com/security/cve/CVE-2016-4955>))\n\nntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. This vulnerability exists because of an incomplete fix for [CVE-2016-1548 __](<https://access.redhat.com/security/cve/CVE-2016-1548>). ([CVE-2016-4956 __](<https://access.redhat.com/security/cve/CVE-2016-4956>))\n\n \n**Affected Packages:** \n\n\nntp\n\n \n**Issue Correction:** \nRun _yum update ntp_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n ntpdate-4.2.6p5-41.32.amzn1.i686 \n ntp-4.2.6p5-41.32.amzn1.i686 \n ntp-debuginfo-4.2.6p5-41.32.amzn1.i686 \n \n noarch: \n ntp-doc-4.2.6p5-41.32.amzn1.noarch \n ntp-perl-4.2.6p5-41.32.amzn1.noarch \n \n src: \n ntp-4.2.6p5-41.32.amzn1.src \n \n x86_64: \n ntp-4.2.6p5-41.32.amzn1.x86_64 \n ntp-debuginfo-4.2.6p5-41.32.amzn1.x86_64 \n ntpdate-4.2.6p5-41.32.amzn1.x86_64 \n \n \n", "edition": 4, "modified": "2016-08-01T13:30:00", "published": "2016-08-01T13:30:00", "id": "ALAS-2016-727", "href": "https://alas.aws.amazon.com/ALAS-2016-727.html", "title": "Medium: ntp", "type": "amazon", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8139", "CVE-2016-1548", "CVE-2016-4954", "CVE-2016-4955", "CVE-2016-4956"], "description": "The Network Time Protocol (NTP) is used to synchronize a computer's time with another reference time source. 
This package includes ntpd (a daemon which continuously adjusts system time) and utilities used to query and configure the ntpd daemon. Perl scripts ntp-wait and ntptrace are in the ntp-perl package, ntpdate is in the ntpdate package and sntp is in the sntp package. The documentation is in the ntp-doc package. ", "modified": "2016-06-18T19:39:53", "published": "2016-06-18T19:39:53", "id": "FEDORA:4007460D633E", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 24 Update: ntp-4.2.6p5-41.fc24", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8139", "CVE-2016-1548", "CVE-2016-4954", "CVE-2016-4955", "CVE-2016-4956"], "description": "The Network Time Protocol (NTP) is used to synchronize a computer's time with another reference time source. This package includes ntpd (a daemon which continuously adjusts system time) and utilities used to query and configure the ntpd daemon. Perl scripts ntp-wait and ntptrace are in the ntp-perl package, ntpdate is in the ntpdate package and sntp is in the sntp package. The documentation is in the ntp-doc package. ", "modified": "2016-07-02T19:36:52", "published": "2016-07-02T19:36:52", "id": "FEDORA:43935602185E", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: ntp-4.2.6p5-41.fc23", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8139", "CVE-2016-1548", "CVE-2016-4954", "CVE-2016-4955", "CVE-2016-4956"], "description": "The Network Time Protocol (NTP) is used to synchronize a computer's time with another reference time source. This package includes ntpd (a daemon which continuously adjusts system time) and utilities used to query and configure the ntpd daemon. Perl scripts ntp-wait and ntptrace are in the ntp-perl package, ntpdate is in the ntpdate package and sntp is in the sntp package. 
The documentation is in the ntp-doc package. ", "modified": "2016-07-02T19:29:35", "published": "2016-07-02T19:29:35", "id": "FEDORA:3A6FF60779A2", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 22 Update: ntp-4.2.6p5-41.fc22", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:P"}}], "cert": [{"lastseen": "2020-09-18T20:41:39", "bulletinFamily": "info", "cvelist": ["CVE-2015-7704", "CVE-2015-7705", "CVE-2015-7973", "CVE-2015-7974", "CVE-2015-7975", "CVE-2015-7976", "CVE-2015-7977", "CVE-2015-7978", "CVE-2015-7979", "CVE-2015-8138", "CVE-2015-8139", "CVE-2015-8140", "CVE-2015-8158", "CVE-2016-1547", "CVE-2016-1548", "CVE-2016-1549", "CVE-2016-1550", "CVE-2016-1551", "CVE-2016-2516", "CVE-2016-2517", "CVE-2016-2518", "CVE-2016-2519"], "description": "### Overview \n\nThe NTP.org reference implementation of `ntpd` contains multiple vulnerabilities.\n\n### Description \n\nNTP.org's reference implementation of NTP server, `ntpd`, contains multiple vulnerabilities.\n\n[**CWE-294**](<http://cwe.mitre.org/data/definitions/294.html>)**: Authentication Bypass by Capture-replay - **CVE-2015-7973 \n \nAn attacker on the network can record and replay authenticated broadcast mode packets. Also known as the \"Deja Vu\" attack. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-7974 \n \nA missing key check allows impersonation between authenticated peers. Also known as the \"Skeleton Key\" attack. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-7975 \n \nThe `nextvar()` function does not properly validate length. 
\n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-7976 \n \n`ntpq saveconfig` command allows dangerous characters in filenames \n \n[**CWE-476**](<http://cwe.mitre.org/data/definitions/476.html>)**: NULL Pointer Dereference - **CVE-2015-7977 \n \n`reslist` NULL pointer dereference \n \n[**CWE-400**](<http://cwe.mitre.org/data/definitions/400.html>)**: Uncontrolled Resource Consumption ('Resource Exhaustion') - **CVE-2015-7978 \n \nStack exhaustion in recursive traversal of restriction list \n \n[**CWE-821**](<http://cwe.mitre.org/data/definitions/821.html>)**: Incorrect Synchronization - **CVE-2015-7979 \n \nOff-path Denial of Service (DoS) attack on authenticated broadcast and other pre-emptable modes \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-8138 \n \nZero Origin Timestamp Bypass \n \n[**CWE-200**](<http://cwe.mitre.org/data/definitions/200.html>)**: Information Exposure - **CVE-2015-8139 \n \nNetwork Time Protocol ntpq and ntpdc Origin Timestamp Disclosure Vulnerability \n<http://support.ntp.org/bin/view/Main/NtpBug2946> \n \n[**CWE-294**](<http://cwe.mitre.org/data/definitions/294.html>)**: Authentication Bypass by Capture-replay - **CVE-2015-8140 \n \nNetwork Time Protocol ntpq Control Protocol Replay Vulnerability \n<http://support.ntp.org/bin/view/Main/NtpBug2947> \n \n[**CWE-400**](<http://cwe.mitre.org/data/definitions/400.html>)**: Uncontrolled Resource Consumption ('Resource Exhaustion') - **CVE-2015-8158 \n \nPotential Infinite Loop in ntpq \n<http://support.ntp.org/bin/view/Main/NtpBug2948> \n \n[**CWE-821**](<http://cwe.mitre.org/data/definitions/821.html>)**: Incorrect Synchronization - **CVE-2016-1547 \n \nAn off-path attacker can deny service to `ntpd` clients by demobilizing preemptable associations using spoofed crypto-NAK packets. This vulnerability involves different code paths than those used by CVE-2015-7979. 
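The CVE-2015-8139 item above says ntpq and ntpdc disclosed the origin timestamp; the Talos entry earlier on this page explains why that matters: a peer's org value is what TEST2 compares a reply's origin field against, so whoever can read it can forge a reply that passes. The following is an added model of that exchange, written for this page and not code from CERT, Talos or ntp.org. It is deliberately simplified: one pending origin per association, no TEST1/TEST3 or clock-filter logic, and the `peer_variables` method stands in for an unauthenticated mode-6 readvar on an affected version. All packet values are constructed, and the 32 random bits XORed into the transmit timestamp are a stand-in for the sub-microsecond fuzz in ntpd's real timestamps.

```python
import os
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP era 0) to 1970-01-01
MODE_CLIENT, MODE_SERVER = 3, 4
YEAR = 365 * 86400


def to_ntp(unix_seconds: float) -> int:
    """64-bit NTP timestamp: 32-bit seconds since 1900, 32-bit fraction."""
    t = unix_seconds + NTP_EPOCH_OFFSET
    return (int(t) << 32) | int((t - int(t)) * (1 << 32))


def to_unix(ts: int) -> float:
    return (ts >> 32) + (ts & 0xFFFFFFFF) / (1 << 32) - NTP_EPOCH_OFFSET


def build_packet(mode: int, org: int = 0, rec: int = 0, xmt: int = 0, stratum: int = 0) -> bytes:
    """Minimal 48-byte NTPv4 packet: 16-byte header, then ref/org/rec/xmt timestamps."""
    header = struct.pack("!BBBbIII", (4 << 3) | mode, stratum, 6, -20, 0, 0, 0)
    return header + struct.pack("!QQQQ", 0, org, rec, xmt)


def parse_packet(pkt: bytes):
    mode = pkt[0] & 0x07
    _ref, org, rec, xmt = struct.unpack("!QQQQ", pkt[16:48])
    return mode, org, rec, xmt


class Client:
    """Toy client side of one association, modelling only TEST2 (the origin check)."""

    def __init__(self):
        self.pending_org = 0   # xmt of our outstanding request; ntpd keeps this per peer
        self.accepted = []     # xmt of every reply that passed TEST2

    def send_request(self) -> bytes:
        # Low-order bits are unpredictable, so an off-path attacker cannot guess
        # the value a reply must echo (modelled here with 32 random bits).
        self.pending_org = to_ntp(time.time()) ^ int.from_bytes(os.urandom(4), "big")
        return build_packet(MODE_CLIENT, xmt=self.pending_org)

    def peer_variables(self) -> dict:
        # On affected versions an unauthenticated mode-6 readvar returned the
        # peer's org/rec/xmt variables (CVE-2015-8139): the secret TEST2 relies on.
        return {"org": self.pending_org}

    def receive(self, pkt: bytes) -> bool:
        mode, org, _rec, xmt = parse_packet(pkt)
        if mode != MODE_SERVER:
            return False
        # TEST2 ("bogus packet"): the reply must echo our transmit timestamp.
        # A zero origin must fail as well; accepting it was CVE-2015-8138.
        if org == 0 or org != self.pending_org:
            return False
        self.pending_org = 0      # consumed: a replay of this reply now fails TEST2
        self.accepted.append(xmt)
        return True


def server_reply(request: bytes, now: int) -> bytes:
    """Honest server: copy the client's xmt into org, stamp rec/xmt from its own clock."""
    _mode, _org, _rec, client_xmt = parse_packet(request)
    return build_packet(MODE_SERVER, org=client_xmt, rec=now, xmt=now, stratum=2)


def forge_reply(origin: int, fake_time: int) -> bytes:
    """Attacker's spoofed server reply: claims fake_time and echoes the given origin."""
    return build_packet(MODE_SERVER, org=origin, rec=fake_time, xmt=fake_time, stratum=1)


def run_scenario() -> dict:
    fake_time = to_ntp(time.time() - 10 * YEAR)   # attacker wants the clock ten years back
    results = {}

    # 1. Off-path attacker has to guess the 64-bit origin: TEST2 rejects the forgery.
    c = Client()
    c.send_request()
    results["off_path"] = c.receive(forge_reply(int.from_bytes(os.urandom(8), "big"), fake_time))

    # 2. Attacker first reads org through the unauthenticated query, then forges.
    leaked = c.peer_variables()["org"]
    results["with_leak"] = c.receive(forge_reply(leaked, fake_time))
    results["shift_years"] = round((time.time() - to_unix(c.accepted[-1])) / YEAR) if c.accepted else 0

    # 3. Replaying the accepted reply fails because the pending origin was cleared.
    results["replay"] = c.receive(forge_reply(leaked, fake_time))

    # 4. Honest exchange, for comparison.
    c2 = Client()
    req = c2.send_request()
    results["legit"] = c2.receive(server_reply(req, to_ntp(time.time())))
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name:<12} {value}")
```

Real ntpd has more moving parts than this model; a ten-year jump, for instance, would also hit the 1000-second panic threshold unless ntpd was started with -g, which is why the SUSE text above lists CVE-2015-5300 as a separate bug. The point the model isolates is the one the advisories make: with the origin leaked, the forged reply passes exactly the check the honest one does, and the only thing standing between the attacker and the client's clock was the secrecy of org.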
\n \n[**CWE-290**](<http://cwe.mitre.org/data/definitions/290.html>)**: Authentication Bypass by Spoofing - **CVE-2016-1548 \n \nBy spoofing packets from a legitimate server, an attacker can change the time of an `ntpd` client or deny service to an `ntpd` client by forcing it to change from basic client/server mode to interleaved symmetric mode. \n \n[**CWE-362**](<http://cwe.mitre.org/data/definitions/362.html>)**: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') - **CVE-2016-1549 \n \nntpd does not prevent Sybil attacks from authenticated peers. A malicious authenticated peer can create any number of ephemeral associations in order to win ntpd's clock selection algorithm and modify a victim's clock. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2016-1550 \n \nntpd does not use a constant-time memory comparison function when validating the authentication digest on incoming packets. In some situations this may allow an attacker to conduct a timing attack to compute the value of the valid authentication digest causing forged packets to be accepted by `ntpd`. \n \n[**CWE-290**](<http://cwe.mitre.org/data/definitions/290.html>)**: Authentication Bypass by Spoofing - **CVE-2016-1551 \n \nntpd does not filter IPv4 bogon packets received from the network. This allows unauthenticated network attackers to spoof refclock packets to ntpd processes on systems that do not implement bogon filtering. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2016-2516, CVE-2016-2517 \n \nDuplicate IPs on `unconfig` directives will cause an assertion botch in `ntpd`. A regression caused by the patch for CVE-2016-2516 was fixed and identified as CVE-2016-2517. 
\n \n[**CWE-125**](<http://cwe.mitre.org/data/definitions/125.html>)**: Out-of-bounds Read - **CVE-2016-2518 \n \nUsing a crafted packet to create a peer association with hmode > 7 causes the MATCH_ASSOC() lookup to make an out-of-bounds reference. \n \n[**CWE-119**](<http://cwe.mitre.org/data/definitions/119.html>)**: Improper Restriction of Operations within the Bounds of a Memory Buffer - **CVE-2016-2519 \n \n`ntpq` and `ntpdc` can be used to store and retrieve information in `ntpd`. It is possible to store a data value that is larger than the size of the buffer that the `ctl_getitem()` function of `ntpd` uses to report the return value. If the length of the requested data value returned by `ctl_getitem()` is too large, the value NULL is returned instead. There are 2 cases where the return value from `ctl_getitem()` was not directly checked to make sure it's not NULL, but there are subsequent INSIST() checks that make sure the return value is not NULL. There are no data values ordinarily stored in `ntpd` that would exceed this buffer length. But if one has permission to store values and one stores a value that is \"too large\", then `ntpd` will abort if an attempt is made to read that oversized value. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-7704**, **CVE-2015-7705 \n \nAn ntpd client that honors Kiss-of-Death (KoD) responses will honor KoD messages that have been forged by an attacker, causing it to delay or stop querying its servers for time updates. Also, an attacker can forge packets that claim to be from the target and send them to servers often enough that a server that implements KoD rate limiting will send the target machine a KoD response to attempt to reduce the rate of incoming packets, or it may also trigger a firewall block at the server for packets from the target machine. For either of these attacks to succeed, the attacker must know what servers the target is communicating with. 
An attacker can be anywhere on the Internet and can frequently learn the identity of the target's time source by sending the target a time query. \n \nFor more information on these vulnerabilities, please see NTP.org's [April 2016 security advisory](<http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security>) as well as the [January 2016 security advisory](<http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit>). \n \n--- \n \n### Impact \n\nUnauthenticated remote attackers may be able to spoof packets to cause denial of service, bypass authentication on commands, or make certain configuration changes. See the NTP.org advisories linked above for the details of each issue. \n \n--- \n \n### Solution \n\n**Apply an update** \n \nPartial patches for some of these issues were initially released in January 2016 as version 4.2.8p6. Complete patches for all of these issues are available in version [4.2.8p7](<http://www.ntp.org/downloads.html>), released 2016-04-26. Affected users are encouraged to update as soon as possible. \n \n--- \n \n### Vendor Information\n\nVU#718152\n\nCERT/CC notified 75 vendors. Only the NTP Project is marked Affected (statement date April 19, 2016); the remaining 74 are marked Unknown. No vendor statement was received from any vendor, no vendor references were listed, and CERT/CC was not aware of further vendor information regarding this vulnerability.\n\n
Vendor | Status | Notified | Updated \n---|---|---|--- \nNTP Project | Affected | January 19, 2016 | April 22, 2016 \nACCESS | Unknown | April 25, 2016 | April 25, 2016 \nAT&T | Unknown | April 25, 2016 | April 25, 2016 \nAlcatel-Lucent | Unknown | April 25, 2016 | April 25, 2016 \nApple | Unknown | April 25, 2016 | April 25, 2016 \nArista Networks, Inc. | Unknown | April 25, 2016 | April 25, 2016 \nAruba Networks | Unknown | April 25, 2016 | April 25, 2016 \nAvaya, Inc. | Unknown | April 25, 2016 | April 25, 2016 \nBelkin, Inc. | Unknown | April 25, 2016 | April 25, 2016 \nBlue Coat Systems | Unknown | April 25, 2016 | April 25, 2016 \nCA Technologies | Unknown | April 25, 2016 | April 25, 2016 \nCentOS | Unknown | April 25, 2016 | April 25, 2016 \nCheck Point Software Technologies | Unknown | April 25, 2016 | April 25, 2016 \nCisco | Unknown | January 08, 2016 | January 08, 2016 \nCoreOS | Unknown | April 25, 2016 | April 25, 2016 \nD-Link Systems, Inc. | Unknown | April 25, 2016 | April 25, 2016 \nDebian GNU/Linux | Unknown | April 25, 2016 | April 25, 2016 \nDesktopBSD | Unknown | April 25, 2016 | April 25, 2016 \nDragonFly BSD Project | Unknown | April 25, 2016 | April 25, 2016 \nEMC Corporation | Unknown | April 25, 2016 | April 25, 2016 \nEfficientIP SAS | Unknown | April 25, 2016 | April 25, 2016 \nEnterasys Networks | Unknown | April 25, 2016 | April 25, 2016 \nEricsson | Unknown | April 25, 2016 | April 25, 2016 \nExtreme Networks | Unknown | April 25, 2016 | April 25, 2016 \nF5 Networks, Inc. | Unknown | April 25, 2016 | April 25, 2016 \nFedora Project | Unknown | April 25, 2016 | April 25, 2016 \nForce10 Networks | Unknown | April 25, 2016 | April 25, 2016 \nFreeBSD Project | Unknown | April 25, 2016 | April 25, 2016 \nGentoo Linux | Unknown | April 25, 2016 | April 25, 2016 \nGoogle | Unknown | April 25, 2016 | April 25, 2016 \nHardened BSD | Unknown | April 25, 2016 | April 25, 2016 \nHewlett Packard Enterprise | Unknown | April 25, 2016 | April 25, 2016 \nHitachi | Unknown | April 25, 2016 | April 25, 2016 \nHuawei Technologies | Unknown | April 25, 2016 | April 25, 2016 \nIBM Corporation | Unknown | April 25, 2016 | April 25, 2016 \nIBM eServer | Unknown | April 25, 2016 | April 25, 2016 \nInfoblox | Unknown | April 25, 2016 | April 25, 2016 \nIntel Corporation | Unknown | April 25, 2016 | April 25, 2016 \nInternet Systems Consortium | Unknown | April 25, 2016 | April 25, 2016 \nInternet Systems Consortium - DHCP | Unknown | April 25, 2016 | April 25, 2016 \nJuniper Networks | Unknown | April 25, 2016 | April 25, 2016 \nMcAfee | Unknown | April 25, 2016 | April 25, 2016 \nMicrosoft Corporation | Unknown | April 25, 2016 | April 25, 2016 \nNEC Corporation | Unknown | April 25, 2016 | April 25, 2016 \nNTPsec | Unknown | January 19, 2016 | January 19, 2016 \nNetBSD | Unknown | April 25, 2016 | April 25, 2016 \nNokia | Unknown | April 25, 2016 | April 25, 2016 \nNominum | Unknown | April 25, 2016 | April 25, 2016 \nOmniTI | Unknown | April 25, 2016 | April 25, 2016 \nOpenBSD | Unknown | April 25, 2016 | April 25, 2016 \nOpenDNS | Unknown | April 25, 2016 | April 25, 2016 \nOpenwall GNU/*/Linux | Unknown | April 25, 2016 | April 25, 2016 \nOracle Corporation | Unknown | April 25, 2016 | April 25, 2016 \nPeplink | Unknown | April 25, 2016 | April 25, 2016 \nQ1 Labs | Unknown | April 25, 2016 | April 25, 2016 \nQNX Software Systems Inc. | Unknown | April 25, 2016 | April 25, 2016 \nRed Hat, Inc. | Unknown | April 25, 2016 | April 25, 2016 \nSUSE Linux | Unknown | April 25, 2016 | April 25, 2016 \nSafeNet | Unknown | April 25, 2016 | April 25, 2016 \nSecure64 Software Corporation | Unknown | April 25, 2016 | April 25, 2016 \nSlackware Linux Inc. | Unknown | April 25, 2016 | April 25, 2016 \nSmoothWall | Unknown | April 25, 2016 | April 25, 2016 \nSnort | Unknown | April 25, 2016 | April 25, 2016 \nSony Corporation | Unknown | April 25, 2016 | April 25, 2016 \nSourcefire | Unknown | April 25, 2016 | April 25, 2016 \nSymantec | Unknown | April 25, 2016 | April 25, 2016 \nTippingPoint Technologies Inc. | Unknown | April 25, 2016 | April 25, 2016 \nTurbolinux | Unknown | April 25, 2016 | April 25, 2016 \nUbuntu | Unknown | April 25, 2016 | April 25, 2016 \nUnisys | Unknown | April 25, 2016 | April 25, 2016 \nVMware | Unknown | April 25, 2016 | April 25, 2016 \nWind River | Unknown | April 25, 2016 | April 25, 2016 \ndnsmasq | Unknown | April 25, 2016 | April 25, 2016 \nm0n0wall | Unknown | April 25, 2016 | April 25, 2016 \nopenSUSE project | Unknown | April 25, 2016 | April 25, 2016 \n
 \n \n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 6.8 | AV:N/AC:M/Au:N/C:P/I:P/A:P \nTemporal | 5.3 | E:POC/RL:OF/RC:C \nEnvironmental | 5.3 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n### References \n\n * <http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security>\n * <http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit>\n\n### Acknowledgements\n\nThanks to Cisco TALOS for reporting many of these issues to us. The Network Time Foundation credits many researchers for these vulnerabilities; see NTP.org's January 2016 and April 2016 security advisories for the complete list.\n\nThis document was written by Garret Wassermann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2015-7704](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-7704>), [CVE-2015-7705](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-7705>), [CVE-2015-7973](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-7973>), [CVE-2015-7974](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-7974>), [CVE-2015-7975](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-7975>), [CVE-2015-7976](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-7976>), [CVE-2015-7977](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-7977>), [CVE-2015-7978](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-7978>), [CVE-2015-7979](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-7979>), [CVE-2015-8138](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-8138>), [CVE-2015-8139](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-8139>), [CVE-2015-8140](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-8140>), [CVE-2015-8158](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-8158>), [CVE-2016-1547](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-1547>), [CVE-2016-1548](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-1548>), [CVE-2016-1549](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-1549>), [CVE-2016-1550](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-1550>), [CVE-2016-1551](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-1551>), [CVE-2016-2516](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-2516>), 
[CVE-2016-2517](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-2517>), [CVE-2016-2518](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-2518>), [CVE-2016-2519](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-2519>) \n---|--- \n**Date Public:** | 2016-04-26 \n**Date First Published:** | 2016-04-27 \n**Date Last Updated: ** | 2016-04-28 15:15 UTC \n**Document Revision: ** | 49 \n", "modified": "2016-04-28T15:15:00", "published": "2016-04-27T00:00:00", "id": "VU:718152", "href": "https://www.kb.cert.org/vuls/id/718152", "type": "cert", "title": "NTP.org ntpd contains multiple vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2016-09-06T19:47:00", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-7703", "CVE-2016-4956", "CVE-2015-8140", "CVE-2016-4955", "CVE-2015-8138", "CVE-2015-7855", "CVE-2016-4953", "CVE-2015-7973", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7704", "CVE-2016-1551", "CVE-2015-7979", "CVE-2016-4954", "CVE-2015-7701", "CVE-2015-7976", "CVE-2015-7848", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7692", "CVE-2016-1547", "CVE-2015-7851", "CVE-2015-7702", "CVE-2016-4957", "CVE-2015-7852", "CVE-2015-7871", "CVE-2015-7849", "CVE-2015-7691", "CVE-2016-2519", "CVE-2016-2517", "CVE-2015-7705", "CVE-2015-7974", "CVE-2015-7850", "CVE-2016-1549", "CVE-2015-7854", "CVE-2015-7978", "CVE-2015-7853"], "description": "### Background\n\nNTP contains software for the Network Time Protocol.\n\n### Description\n\nMultiple vulnerabilities have been discovered in NTP. Please review the CVE identifiers referenced below for details. 
\n\n### Impact\n\nA remote attacker could possibly cause a Denial of Service condition.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll NTP users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/ntp-4.2.8_p8\"", "edition": 1, "modified": "2016-07-20T00:00:00", "published": "2016-07-20T00:00:00", "id": "GLSA-201607-15", "href": "https://security.gentoo.org/glsa/201607-15", "type": "gentoo", "title": "NTP: Multiple vulnerabilities", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}]}