ID SOL17516 Type f5 Reporter f5 Modified 2016-07-25T00:00:00
Description
Recommended Actions
If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.
To mitigate this vulnerability, ensure that established peer connections are trusted and avoid running instances of ntpq in interactive mode. In addition, running ntpq in interactive mode with raw mode enabled does not expose this issue. Raw mode can be enabled within ntpq interactive mode by using the raw keyword.
Supplemental Information
SOL9970: Subscribing to email notifications regarding F5 products
SOL9957: Creating a custom RSS feed to view new and updated documents
SOL4918: Overview of the F5 critical issue hotfix policy
SOL4602: Overview of the F5 security vulnerability response policy
Related Records

CVE-2015-7852 (NVD; published 2017-08-07, modified 2018-05-17)
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7852
ntpq in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash) via crafted mode 6 response packets.
CVSS v2 base score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)

F5:K17516 - NTP vulnerability CVE-2015-7852 (published 2015-11-02, modified 2017-09-21)
https://support.f5.com/csp/article/K17516
F5 Product Development has assigned ID 553902 (BIG-IP), ID 555233 (BIG-IQ), ID 555235 (Enterprise Manager), and ID 507785 (ARX) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, BIG-IP iHealth (https://www.f5.com/support/support-tools/big-ip-ihealth/) may list Heuristic H553914-4 on the Diagnostics > Identified > Medium screen.

To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:

Product | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature
---|---|---|---|---
BIG-IP LTM | 12.0.0, 11.6.0, 11.0.0 - 11.5.3, 10.1.0 - 10.2.4 | 12.1.0, 12.0.0 HF3, 11.6.1, 11.5.4, 11.4.1 HF10 | Low | ntpq
BIG-IP AAM | 12.0.0, 11.6.0, 11.4.0 - 11.5.3 | 12.1.0, 12.0.0 HF3, 11.6.1, 11.5.4, 11.4.1 HF10 | Low | ntpq
BIG-IP AFM | 12.0.0, 11.6.0, 11.3.0 - 11.5.3 | 12.1.0, 12.0.0 HF3, 11.6.1, 11.5.4, 11.4.1 HF10 | Low | ntpq
BIG-IP Analytics | 12.0.0, 11.6.0, 11.0.0 - 11.5.3 | 12.1.0, 12.0.0 HF3, 11.6.1, 11.5.4, 11.4.1 HF10 | Low | ntpq
BIG-IP APM | 12.0.0, 11.6.0, 11.0.0 - 11.5.3, 10.1.0 - 10.2.4 | 12.1.0, 12.0.0 HF3, 11.6.1, 11.5.4, 11.4.1 HF10 | Low | ntpq
BIG-IP ASM | 12.0.0, 11.6.0, 11.0.0 - 11.5.3, 10.1.0 - 10.2.4 | 12.1.0, 12.0.0 HF3, 11.6.1, 11.5.4, 11.4.1 HF10 | Low | ntpq
BIG-IP DNS | 12.0.0 | 12.1.0, 12.0.0 HF3 | Low | ntpq
BIG-IP Edge Gateway | 11.0.0 - 11.3.0, 10.1.0 - 10.2.4 | None | Low | ntpq
BIG-IP GTM | 11.6.0, 11.0.0 - 11.5.3, 10.1.0 - 10.2.4 | 11.6.1, 11.5.4, 11.4.1 HF10 | Low | ntpq
BIG-IP Link Controller | 12.0.0, 11.6.0, 11.0.0 - 11.5.3, 10.1.0 - 10.2.4 | 12.1.0, 12.0.0 HF3, 11.6.1, 11.5.4, 11.4.1 HF10 | Low | ntpq
BIG-IP PEM | 12.0.0, 11.6.0, 11.3.0 - 11.5.3 | 12.1.0, 12.0.0 HF3, 11.6.1, 11.5.4, 11.4.1 HF10 | Low | ntpq
BIG-IP PSM | 11.0.0 - 11.4.1, 10.1.0 - 10.2.4 | 11.4.1 HF10 | Low | ntpq
BIG-IP WebAccelerator | 11.0.0 - 11.3.0, 10.1.0 - 10.2.4 | None | Low | ntpq
BIG-IP WOM | 11.0.0 - 11.3.0, 10.1.0 - 10.2.4 | None | Low | ntpq
ARX | 6.0.0 - 6.4.0 | None | Low | ntpq
Enterprise Manager | 3.0.0 - 3.1.1 HF5 | 3.1.1 HF6 | Low | ntpq
FirePass | None | 7.0.0, 6.0.0 - 6.1.0 | Not vulnerable | None
BIG-IQ Cloud | 4.0.0 - 4.5.0 | None | Low | ntpq
BIG-IQ Device | 4.2.0 - 4.5.0 | None | Low | ntpq
BIG-IQ Security | 4.0.0 - 4.5.0 | None | Low | ntpq
BIG-IQ ADC | 4.5.0 | None | Low | ntpq
BIG-IQ Centralized Management | 4.6.0 | 5.0.0 | Low | ntpq
BIG-IQ Cloud and Orchestration | 1.0.0 | None | Low | ntpq
F5 iWorkflow | None | 2.0.0 | Not vulnerable | None
LineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None
F5 WebSafe | None | 1.0.0 | Not vulnerable | None
Traffix SDC | 4.0.0 - 4.4.0, 3.3.2 - 3.5.1 | None | Low | ntpq

If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.

Mitigation

To mitigate this vulnerability, ensure that established peer connections are trusted and avoid running instances of ntpq in interactive mode. In addition, running ntpq in interactive mode with raw mode enabled does not expose this issue. Raw mode can be enabled within ntpq interactive mode by using the raw keyword.

Related F5 articles:
K9970: Subscribing to email notifications regarding F5 products (https://support.f5.com/csp/article/K9970)
K9957: Creating a custom RSS feed to view new and updated documents (https://support.f5.com/csp/article/K9957)
K4918: Overview of the F5 critical issue hotfix policy (https://support.f5.com/csp/article/K4918)
K4602: Overview of the F5 security vulnerability response policy (https://support.f5.com/csp/article/K4602)
K167: Downloading software and firmware from F5 (https://support.f5.com/csp/article/K167)
K13123: Managing BIG-IP product hotfixes (11.x - 13.x) (https://support.f5.com/csp/article/K13123)

TALOS-2015-0063 - Network Time Protocol ntpq atoascii Memory Corruption Vulnerability (Cisco Talos, October 21, 2015)
http://www.talosintelligence.com/vulnerability_reports/TALOS-2015-0063

CVE Number: CVE-2015-7852

Description: A potential off-by-one vulnerability exists in the cookedprint functionality of ntpq. A specially crafted buffer could cause a buffer overflow, potentially resulting in a null byte being written out of bounds.

Tested Versions: ntp 4.2.8p2

Product URL: http://www.ntp.org

Details: At line 3330 in ntpq.c, the atoascii function is called to transform data into printable ASCII (i.e. characters below 127):

    atoascii(value, MAXVALLEN, bv, sizeof(bv));
    if (output_raw != '*') {
        len = strlen(bv);          /* sizeof(bv) - 1 when atoascii filled bv completely */
        bv[len] = output_raw;      /* overwrites the terminating NUL */
        bv[len+1] = '\0';          /* one byte past the end of bv when bv was full */
    }

The function atoascii won't write more than sizeof(bv) bytes into bv and will ensure NUL termination if it runs out of space in bv. Depending on the specific character in the value parameter, it will write between 1 and 2 characters to bv. If bv is filled in atoascii, it will be NUL terminated at its final byte. This means that len = strlen(bv) will return the size of the buffer minus 1. Accessing the buffer via len will overwrite the NUL byte with output_raw. However, if the buffer is full because atoascii ran out of space, then len+1 will equal 4096, resulting in an off-by-one write past the end of the buffer.

Credit: Yves Younan and Aleksander Nikolich of Cisco Talos

Nessus plugins referencing CVE-2015-7852

F5 Networks BIG-IP : NTP vulnerability (K17516) (plugin 88815; published 2016-02-18, modified 2019-01-04)
https://www.tenable.com/plugins/index.php?view=single&id=88815
ntpq in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash) via crafted mode 6 response packets. (CVE-2015-7852)

Impact: While the scope of the impact is limited, an attacker may be able to craft response packets that cause ntpq to exit. There is no data plane exposure for the BIG-IP system, and this issue can only be exposed when an instance of ntpq is running in interactive mode.

Solution: Upgrade to one of the non-vulnerable versions listed in the F5 Solution K17516. The plugin is a local check that compares the BIG-IP version and hotfix level of the AFM, AM, APM, ASM, AVR, GTM, LC, LTM, PEM and PSM modules against the table above, and only reports when paranoid reporting is enabled.
CVSS v2 base score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P); CVSS v3: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Fedora 23 : ntp-4.2.6p5-34.fc23 (2015-f5f5ec7b6b) (plugin 89461; published 2016-03-04, modified 2018-01-30)
https://www.tenable.com/plugins/index.php?view=single&id=89461
Security fix for CVE-2015-7704, CVE-2015-5300, CVE-2015-7692, CVE-2015-7871, CVE-2015-7702, CVE-2015-7691, CVE-2015-7852, CVE-2015-7701. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory and has attempted to automatically clean and format it as much as possible without introducing additional issues.
Solution: Update the affected ntp package (the plugin checks for ntp-4.2.6p5-34.fc23 on Fedora 23).
CVSS v2 base score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C); CVSS v3: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References: https://bugzilla.redhat.com/show_bug.cgi?id=1271070, https://bugzilla.redhat.com/show_bug.cgi?id=1271076, https://bugzilla.redhat.com/show_bug.cgi?id=1274254, https://bugzilla.redhat.com/show_bug.cgi?id=1274255, https://bugzilla.redhat.com/show_bug.cgi?id=1274261, https://bugzilla.redhat.com/show_bug.cgi?id=1274265, https://lists.fedoraproject.org/pipermail/package-announce/2015-November/170684.html, https://www.tenable.com/security/research/tra-2015-04

Amazon Linux AMI : ntp (ALAS-2015-607) (plugin 86638; published 2015-10-29, modified 2018-04-18)
https://www.tenable.com/plugins/index.php?view=single&id=86638
It was discovered that ntpd as a client did not correctly check timestamps in Kiss-of-Death packets. A remote attacker could use this flaw to send a crafted Kiss-of-Death packet to an ntpd client that would increase the client's polling interval value, and effectively disable synchronization with the server. (CVE-2015-7704)

It was found that ntpd did not correctly implement the threshold limitation for the '-g' option, which is used to set the time without any restrictions. A man-in-the-middle attacker able to intercept NTP traffic between a connecting client and an NTP server could use this flaw to force that client to make multiple steps larger than the panic threshold, effectively changing the time to an arbitrary value. (CVE-2015-5300)

It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. Receipt of these packets can cause ntpd to crash. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)

A potential off-by-one vulnerability exists in the cookedprint functionality of ntpq. A specially crafted buffer could cause a buffer overflow, potentially resulting in a null byte being written out of bounds. (CVE-2015-7852)

A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd is configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701)

Solution: Run 'yum update ntp' to update your system (the plugin checks for ntp, ntp-debuginfo, ntp-doc, ntp-perl and ntpdate at version 4.2.6p5-34.27.amzn1).
CVSS v2 base score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
References: https://alas.aws.amazon.com/ALAS-2015-607.html, https://www.tenable.com/security/research/tra-2015-04

CentOS 6 : ntp (CESA-2016:0780) (plugin 91169; published 2016-05-17, modified 2018-11-10)
https://www.tenable.com/plugins/index.php?view=single&id=91169
An update for ntp is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service.

Security Fix(es):

* It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)

* A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701)

* An off-by-one flaw, leading to a buffer overflow, was found in the cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852)

* A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large number of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977)

* A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large number of entries. A remote attacker could use this flaw to crash ntpd. (CVE-2015-7978)

* It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. (CVE-2015-5194)

* It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command. (CVE-2015-5195)

* It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219)

* It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). (CVE-2015-7703)

The CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichvar (Red Hat).

For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.8 Release Notes and Red Hat Enterprise Linux 6.8 Technical Notes linked from the References section.
(CVE-2015-7978)\n\n* It was found that ntpd could crash due to an uninitialized variable\nwhen processing malformed logconfig configuration commands.\n(CVE-2015-5194)\n\n* It was found that ntpd would exit with a segmentation fault when a\nstatistics type that was not enabled during compilation (e.g.\ntimingstats) was referenced by the statistics or filegen configuration\ncommand. (CVE-2015-5195)\n\n* It was discovered that the sntp utility could become unresponsive\ndue to being caught in an infinite loop when processing a crafted NTP\npacket. (CVE-2015-5219)\n\n* It was found that NTP's :config command could be used to set the\npidfile and driftfile paths without any restrictions. A remote\nattacker could use this flaw to overwrite a file on the file system\nwith a file containing the pid of the ntpd process (immediately) or\nthe current estimated drift of the system clock (in hourly intervals).\n(CVE-2015-7703)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav\nLichvar (Red Hat).\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 6.8 Release Notes and Red Hat Enterprise Linux 6.8\nTechnical Notes linked from the References section.\"\n );\n # https://lists.centos.org/pipermail/centos-cr-announce/2016-May/002927.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?39e3e41a\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2015-04\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected ntp packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:ntp-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:ntp-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:ntpdate\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/CentOS/release\")) audit(AUDIT_OS_NOT, \"CentOS\");\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-6\", reference:\"ntp-4.2.6p5-10.el6.centos\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"ntp-doc-4.2.6p5-10.el6.centos\")) flag++;\nif (rpm_check(release:\"CentOS-6\", reference:\"ntp-perl-4.2.6p5-10.el6.centos\")) flag++;\nif (rpm_check(release:\"CentOS-6\", 
reference:\"ntpdate-4.2.6p5-10.el6.centos\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:26:57", "bulletinFamily": "scanner", "description": "From Red Hat Security Advisory 2016:0780 :\n\nAn update for ntp is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service.\n\nSecurity Fix(es) :\n\n* It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd.\n(CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\n\n* A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701)\n\n* An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. 
(CVE-2015-7852)\n\n* A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977)\n\n* A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd. (CVE-2015-7978)\n\n* It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands.\n(CVE-2015-5194)\n\n* It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g.\ntimingstats) was referenced by the statistics or filegen configuration command. (CVE-2015-5195)\n\n* It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219)\n\n* It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. 
A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals).\n(CVE-2015-7703)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichvar (Red Hat).\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 6.8 Release Notes and Red Hat Enterprise Linux 6.8 Technical Notes linked from the References section.", "modified": "2018-07-24T00:00:00", "id": "ORACLELINUX_ELSA-2016-0780.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=91151", "published": "2016-05-16T00:00:00", "title": "Oracle Linux 6 : ntp (ELSA-2016-0780)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2016:0780 and \n# Oracle Linux Security Advisory ELSA-2016-0780 respectively.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91151);\n script_version(\"2.11\");\n script_cvs_date(\"Date: 2018/07/24 18:56:12\");\n\n script_cve_id(\"CVE-2015-5194\", \"CVE-2015-5195\", \"CVE-2015-5219\", \"CVE-2015-7691\", \"CVE-2015-7692\", \"CVE-2015-7701\", \"CVE-2015-7702\", \"CVE-2015-7703\", \"CVE-2015-7852\", \"CVE-2015-7977\", \"CVE-2015-7978\");\n script_xref(name:\"RHSA\", value:\"2016:0780\");\n script_xref(name:\"TRA\", value:\"TRA-2015-04\");\n\n script_name(english:\"Oracle Linux 6 : ntp (ELSA-2016-0780)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2016:0780 :\n\nAn update for ntp is now available for Red Hat Enterprise Linux 
6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe Network Time Protocol (NTP) is used to synchronize a computer's\ntime with another referenced time source. These packages include the\nntpd service which continuously adjusts system time and utilities used\nto query and configure the ntpd service.\n\nSecurity Fix(es) :\n\n* It was found that the fix for CVE-2014-9750 was incomplete: three\nissues were found in the value length checks in NTP's ntp_crypto.c,\nwhere a packet with particular autokey operations that contained\nmalicious data was not always being completely validated. A remote\nattacker could use a specially crafted NTP packet to crash ntpd.\n(CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\n\n* A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was\nconfigured to use autokey authentication, an attacker could send\npackets to ntpd that would, after several days of ongoing attack,\ncause it to run out of memory. (CVE-2015-7701)\n\n* An off-by-one flaw, leading to a buffer overflow, was found in\ncookedprint functionality of ntpq. A specially crafted NTP packet\ncould potentially cause ntpq to crash. (CVE-2015-7852)\n\n* A NULL pointer dereference flaw was found in the way ntpd processed\n'ntpdc reslist' commands that queried restriction lists with a large\namount of entries. A remote attacker could potentially use this flaw\nto crash ntpd. (CVE-2015-7977)\n\n* A stack-based buffer overflow flaw was found in the way ntpd\nprocessed 'ntpdc reslist' commands that queried restriction lists with\na large amount of entries. A remote attacker could use this flaw to\ncrash ntpd. 
(CVE-2015-7978)\n\n* It was found that ntpd could crash due to an uninitialized variable\nwhen processing malformed logconfig configuration commands.\n(CVE-2015-5194)\n\n* It was found that ntpd would exit with a segmentation fault when a\nstatistics type that was not enabled during compilation (e.g.\ntimingstats) was referenced by the statistics or filegen configuration\ncommand. (CVE-2015-5195)\n\n* It was discovered that the sntp utility could become unresponsive\ndue to being caught in an infinite loop when processing a crafted NTP\npacket. (CVE-2015-5219)\n\n* It was found that NTP's :config command could be used to set the\npidfile and driftfile paths without any restrictions. A remote\nattacker could use this flaw to overwrite a file on the file system\nwith a file containing the pid of the ntpd process (immediately) or\nthe current estimated drift of the system clock (in hourly intervals).\n(CVE-2015-7703)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav\nLichvar (Red Hat).\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 6.8 Release Notes and Red Hat Enterprise Linux 6.8\nTechnical Notes linked from the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-May/006059.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2015-04\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected ntp packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ntp-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ntp-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ntpdate\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"ntp-4.2.6p5-10.el6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"ntp-doc-4.2.6p5-10.el6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"ntp-perl-4.2.6p5-10.el6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"ntpdate-4.2.6p5-10.el6\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp / ntp-doc / ntp-perl / ntpdate\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:27:09", "bulletinFamily": "scanner", "description": "Security Fix(es) :\n\n - It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\n\n - A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701)\n\n - An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. 
A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852)\n\n - A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977)\n\n - A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd.\n (CVE-2015-7978)\n\n - It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. (CVE-2015-5194)\n\n - It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command.\n (CVE-2015-5195)\n\n - It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219)\n\n - It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). 
(CVE-2015-7703)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichvar (Red Hat).", "modified": "2018-12-28T00:00:00", "id": "SL_20160510_NTP_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=91539", "published": "2016-06-09T00:00:00", "title": "Scientific Linux Security Update : ntp on SL6.x i386/x86_64", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91539);\n script_version(\"2.4\");\n script_cvs_date(\"Date: 2018/12/28 10:10:36\");\n\n script_cve_id(\"CVE-2014-9750\", \"CVE-2015-5194\", \"CVE-2015-5195\", \"CVE-2015-5219\", \"CVE-2015-7691\", \"CVE-2015-7692\", \"CVE-2015-7701\", \"CVE-2015-7702\", \"CVE-2015-7703\", \"CVE-2015-7852\", \"CVE-2015-7977\", \"CVE-2015-7978\");\n script_xref(name:\"TRA\", value:\"TRA-2015-04\");\n\n script_name(english:\"Scientific Linux Security Update : ntp on SL6.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - It was found that the fix for CVE-2014-9750 was\n incomplete: three issues were found in the value length\n checks in NTP's ntp_crypto.c, where a packet with\n particular autokey operations that contained malicious\n data was not always being completely validated. A remote\n attacker could use a specially crafted NTP packet to\n crash ntpd. (CVE-2015-7691, CVE-2015-7692,\n CVE-2015-7702)\n\n - A memory leak flaw was found in ntpd's CRYPTO_ASSOC. 
If\n ntpd was configured to use autokey authentication, an\n attacker could send packets to ntpd that would, after\n several days of ongoing attack, cause it to run out of\n memory. (CVE-2015-7701)\n\n - An off-by-one flaw, leading to a buffer overflow, was\n found in cookedprint functionality of ntpq. A specially\n crafted NTP packet could potentially cause ntpq to\n crash. (CVE-2015-7852)\n\n - A NULL pointer dereference flaw was found in the way\n ntpd processed 'ntpdc reslist' commands that queried\n restriction lists with a large amount of entries. A\n remote attacker could potentially use this flaw to crash\n ntpd. (CVE-2015-7977)\n\n - A stack-based buffer overflow flaw was found in the way\n ntpd processed 'ntpdc reslist' commands that queried\n restriction lists with a large amount of entries. A\n remote attacker could use this flaw to crash ntpd.\n (CVE-2015-7978)\n\n - It was found that ntpd could crash due to an\n uninitialized variable when processing malformed\n logconfig configuration commands. (CVE-2015-5194)\n\n - It was found that ntpd would exit with a segmentation\n fault when a statistics type that was not enabled during\n compilation (e.g. timingstats) was referenced by the\n statistics or filegen configuration command.\n (CVE-2015-5195)\n\n - It was discovered that the sntp utility could become\n unresponsive due to being caught in an infinite loop\n when processing a crafted NTP packet. (CVE-2015-5219)\n\n - It was found that NTP's :config command could be used to\n set the pidfile and driftfile paths without any\n restrictions. A remote attacker could use this flaw to\n overwrite a file on the file system with a file\n containing the pid of the ntpd process (immediately) or\n the current estimated drift of the system clock (in\n hourly intervals). 
(CVE-2015-7703)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav\nLichvar (Red Hat).\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1606&L=scientific-linux-errata&F=&S=&P=1297\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ef45218d\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2015-04\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"ntp-4.2.6p5-10.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"ntp-debuginfo-4.2.6p5-10.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"ntp-doc-4.2.6p5-10.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"ntp-perl-4.2.6p5-10.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"ntpdate-4.2.6p5-10.el6\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:26:54", "bulletinFamily": "scanner", "description": "An update for ntp is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. 
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service.\n\nSecurity Fix(es) :\n\n* It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd.\n(CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\n\n* A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701)\n\n* An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852)\n\n* A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977)\n\n* A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd. 
(CVE-2015-7978)\n\n* It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands.\n(CVE-2015-5194)\n\n* It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g.\ntimingstats) was referenced by the statistics or filegen configuration command. (CVE-2015-5195)\n\n* It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219)\n\n* It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals).\n(CVE-2015-7703)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichvar (Red Hat).\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 6.8 Release Notes and Red Hat Enterprise Linux 6.8 Technical Notes linked from the References section.", "modified": "2018-11-10T00:00:00", "id": "REDHAT-RHSA-2016-0780.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=91076", "published": "2016-05-12T00:00:00", "title": "RHEL 6 : ntp (RHSA-2016:0780)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2016:0780. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91076);\n script_version(\"2.15\");\n script_cvs_date(\"Date: 2018/11/10 11:49:55\");\n\n script_cve_id(\"CVE-2015-5194\", \"CVE-2015-5195\", \"CVE-2015-5219\", \"CVE-2015-7691\", \"CVE-2015-7692\", \"CVE-2015-7701\", \"CVE-2015-7702\", \"CVE-2015-7703\", \"CVE-2015-7852\", \"CVE-2015-7977\", \"CVE-2015-7978\");\n script_xref(name:\"RHSA\", value:\"2016:0780\");\n script_xref(name:\"TRA\", value:\"TRA-2015-04\");\n\n script_name(english:\"RHEL 6 : ntp (RHSA-2016:0780)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for ntp is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe Network Time Protocol (NTP) is used to synchronize a computer's\ntime with another referenced time source. These packages include the\nntpd service which continuously adjusts system time and utilities used\nto query and configure the ntpd service.\n\nSecurity Fix(es) :\n\n* It was found that the fix for CVE-2014-9750 was incomplete: three\nissues were found in the value length checks in NTP's ntp_crypto.c,\nwhere a packet with particular autokey operations that contained\nmalicious data was not always being completely validated. A remote\nattacker could use a specially crafted NTP packet to crash ntpd.\n(CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\n\n* A memory leak flaw was found in ntpd's CRYPTO_ASSOC. 
If ntpd was\nconfigured to use autokey authentication, an attacker could send\npackets to ntpd that would, after several days of ongoing attack,\ncause it to run out of memory. (CVE-2015-7701)\n\n* An off-by-one flaw, leading to a buffer overflow, was found in\ncookedprint functionality of ntpq. A specially crafted NTP packet\ncould potentially cause ntpq to crash. (CVE-2015-7852)\n\n* A NULL pointer dereference flaw was found in the way ntpd processed\n'ntpdc reslist' commands that queried restriction lists with a large\namount of entries. A remote attacker could potentially use this flaw\nto crash ntpd. (CVE-2015-7977)\n\n* A stack-based buffer overflow flaw was found in the way ntpd\nprocessed 'ntpdc reslist' commands that queried restriction lists with\na large amount of entries. A remote attacker could use this flaw to\ncrash ntpd. (CVE-2015-7978)\n\n* It was found that ntpd could crash due to an uninitialized variable\nwhen processing malformed logconfig configuration commands.\n(CVE-2015-5194)\n\n* It was found that ntpd would exit with a segmentation fault when a\nstatistics type that was not enabled during compilation (e.g.\ntimingstats) was referenced by the statistics or filegen configuration\ncommand. (CVE-2015-5195)\n\n* It was discovered that the sntp utility could become unresponsive\ndue to being caught in an infinite loop when processing a crafted NTP\npacket. (CVE-2015-5219)\n\n* It was found that NTP's :config command could be used to set the\npidfile and driftfile paths without any restrictions. 
A remote\nattacker could use this flaw to overwrite a file on the file system\nwith a file containing the pid of the ntpd process (immediately) or\nthe current estimated drift of the system clock (in hourly intervals).\n(CVE-2015-7703)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav\nLichvar (Red Hat).\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 6.8 Release Notes and Red Hat Enterprise Linux 6.8\nTechnical Notes linked from the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2016:0780\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5194\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5195\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-5219\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-7691\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-7692\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-7701\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-7702\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-7703\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-7852\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-7977\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2015-7978\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2015-04\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ntp-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ntp-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ntp-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ntpdate\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/12\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = eregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2016:0780\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"ntp-4.2.6p5-10.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"ntp-4.2.6p5-10.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"ntp-4.2.6p5-10.el6\")) flag++;\n if 
(rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"ntp-debuginfo-4.2.6p5-10.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"ntp-debuginfo-4.2.6p5-10.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"ntp-debuginfo-4.2.6p5-10.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ntp-doc-4.2.6p5-10.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"ntp-perl-4.2.6p5-10.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"ntp-perl-4.2.6p5-10.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"ntp-perl-4.2.6p5-10.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"ntpdate-4.2.6p5-10.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"s390x\", reference:\"ntpdate-4.2.6p5-10.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"ntpdate-4.2.6p5-10.el6\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp / ntp-debuginfo / ntp-doc / ntp-perl / ntpdate\");\n }\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:25:20", "bulletinFamily": "scanner", "description": "New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.", "modified": "2018-01-26T00:00:00", "id": "SLACKWARE_SSA_2015-302-03.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=86664", "published": "2015-10-30T00:00:00", "title": "Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2015-302-03)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text 
and package checks in this plugin were \n# extracted from Slackware Security Advisory 2015-302-03. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(86664);\n script_version(\"$Revision: 2.9 $\");\n script_cvs_date(\"$Date: 2018/01/26 17:50:31 $\");\n\n script_cve_id(\"CVE-2014-9750\", \"CVE-2015-5196\", \"CVE-2015-7691\", \"CVE-2015-7692\", \"CVE-2015-7701\", \"CVE-2015-7702\", \"CVE-2015-7704\", \"CVE-2015-7705\", \"CVE-2015-7848\", \"CVE-2015-7849\", \"CVE-2015-7850\", \"CVE-2015-7851\", \"CVE-2015-7852\", \"CVE-2015-7853\", \"CVE-2015-7854\", \"CVE-2015-7855\", \"CVE-2015-7871\");\n script_xref(name:\"SSA\", value:\"2015-302-03\");\n script_xref(name:\"TRA\", value:\"TRA-2015-04\");\n\n script_name(english:\"Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2015-302-03)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0,\n14.1, and -current to fix security issues.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.581166\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?aacee7a6\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2015-04\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected ntp package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:slackware:slackware_linux:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.37\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/10/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/10/30\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"13.0\", pkgname:\"ntp\", pkgver:\"4.2.8p4\", pkgarch:\"i486\", pkgnum:\"1_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"ntp\", pkgver:\"4.2.8p4\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.0\")) 
flag++;\n\nif (slackware_check(osver:\"13.1\", pkgname:\"ntp\", pkgver:\"4.2.8p4\", pkgarch:\"i486\", pkgnum:\"1_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"ntp\", pkgver:\"4.2.8p4\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.1\")) flag++;\n\nif (slackware_check(osver:\"13.37\", pkgname:\"ntp\", pkgver:\"4.2.8p4\", pkgarch:\"i486\", pkgnum:\"1_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"ntp\", pkgver:\"4.2.8p4\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.37\")) flag++;\n\nif (slackware_check(osver:\"14.0\", pkgname:\"ntp\", pkgver:\"4.2.8p4\", pkgarch:\"i486\", pkgnum:\"1_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"ntp\", pkgver:\"4.2.8p4\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"ntp\", pkgver:\"4.2.8p4\", pkgarch:\"i486\", pkgnum:\"1_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"ntp\", pkgver:\"4.2.8p4\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"ntp\", pkgver:\"4.2.8p4\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"ntp\", pkgver:\"4.2.8p4\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:slackware_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:26:14", "bulletinFamily": "scanner", "description": "Security fix for CVE-2015-7704, CVE-2015-5300, CVE-2015-7692, CVE-2015-7871, CVE-2015-7702, CVE-2015-7691, CVE-2015-7852, CVE-2015-7701 ---- Security fix for CVE-2015-5146, CVE-2015-5194, CVE-2015-5219, CVE-2015-5195, CVE-2015-5196\n\nNote that Tenable Network Security has extracted the 
preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-01-30T00:00:00", "id": "FEDORA_2015-77BFBC1BCD.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=89288", "published": "2016-03-04T00:00:00", "title": "Fedora 21 : ntp-4.2.6p5-34.fc21 (2015-77bfbc1bcd)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-77bfbc1bcd.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(89288);\n script_version(\"$Revision: 2.7 $\");\n script_cvs_date(\"$Date: 2018/01/30 17:53:50 $\");\n\n script_cve_id(\"CVE-2015-5146\", \"CVE-2015-5194\", \"CVE-2015-5195\", \"CVE-2015-5196\", \"CVE-2015-5219\", \"CVE-2015-5300\", \"CVE-2015-7691\", \"CVE-2015-7692\", \"CVE-2015-7701\", \"CVE-2015-7702\", \"CVE-2015-7703\", \"CVE-2015-7704\", \"CVE-2015-7852\", \"CVE-2015-7871\");\n script_xref(name:\"FEDORA\", value:\"2015-77bfbc1bcd\");\n script_xref(name:\"TRA\", value:\"TRA-2015-04\");\n\n script_name(english:\"Fedora 21 : ntp-4.2.6p5-34.fc21 (2015-77bfbc1bcd)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2015-7704, CVE-2015-5300, CVE-2015-7692,\nCVE-2015-7871, CVE-2015-7702, CVE-2015-7691, CVE-2015-7852,\nCVE-2015-7701 ---- Security fix for CVE-2015-5146, CVE-2015-5194,\nCVE-2015-5219, CVE-2015-5195, CVE-2015-5196\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1238136\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1254542\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1254544\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1254547\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1255118\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1271070\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1271076\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1274254\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1274255\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1274261\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1274265\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-November/170926.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?1a1795ec\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2015-04\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected ntp package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:21\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^21([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 21.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC21\", reference:\"ntp-4.2.6p5-34.fc21\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-21T01:25:28", "bulletinFamily": "scanner", "description": "This ntp update provides the following security and non security fixes :\n\n - Update to 4.2.8p4 to fix several security issues (bsc#951608) :\n\n - CVE-2015-7871: NAK to the Future: Symmetric association authentication bypass via crypto-NAK\n\n - CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values\n\n - CVE-2015-7854: Password Length Memory Corruption Vulnerability\n\n - CVE-2015-7853: Invalid length data provided by a custom refclock driver could cause a buffer overflow\n\n - CVE-2015-7852 ntpq atoascii() Memory Corruption Vulnerability\n\n - CVE-2015-7851 saveconfig Directory Traversal Vulnerability\n\n - CVE-2015-7850 remote config logfile-keyfile\n\n - CVE-2015-7849 trusted key use-after-free\n\n - CVE-2015-7848 mode 7 loop counter underrun\n\n - CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC\n\n - CVE-2015-7703 configuration directives 'pidfile' and 'driftfile' should only be allowed locally\n\n - CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD should validate the origin timestamp field\n\n - 
CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete autokey data packet length checks\n\n - Use ntpq instead of deprecated ntpdc in start-ntpd (bnc#936327).\n\n - Add a controlkey to ntp.conf to make the above work.\n\n - Improve runtime configuration :\n\n - Read keytype from ntp.conf\n\n - Don't write ntp keys to syslog.\n\n - Don't let 'keysdir' lines in ntp.conf trigger the 'keys' parser.\n\n - Fix the comment regarding addserver in ntp.conf (bnc#910063).\n\n - Remove ntp.1.gz, it wasn't installed anymore.\n\n - Remove ntp-4.2.7-rh-manpages.tar.gz and only keep ntptime.8.gz. The rest is partially irrelevant, partially redundant and potentially outdated (bsc#942587).\n\n - Remove 'kod' from the restrict line in ntp.conf (bsc#944300).\n\n - Use SHA1 instead of MD5 for symmetric keys (bsc#905885).\n\n - Require perl-Socket6 (bsc#942441).\n\n - Fix incomplete backporting of 'rcntp ntptimemset'.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "modified": "2018-11-29T00:00:00", "id": "SUSE_SU-2015-2058-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=87010", "published": "2015-11-23T00:00:00", "title": "SUSE SLED11 / SLES11 Security Update : ntp (SUSE-SU-2015:2058-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2015:2058-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87010);\n script_version(\"2.16\");\n script_cvs_date(\"Date: 2018/11/29 12:03:38\");\n\n script_cve_id(\"CVE-2015-7691\", \"CVE-2015-7692\", \"CVE-2015-7701\", \"CVE-2015-7702\", \"CVE-2015-7703\", \"CVE-2015-7704\", \"CVE-2015-7705\", \"CVE-2015-7848\", \"CVE-2015-7849\", \"CVE-2015-7850\", \"CVE-2015-7851\", \"CVE-2015-7852\", \"CVE-2015-7853\", \"CVE-2015-7854\", \"CVE-2015-7855\", \"CVE-2015-7871\");\n script_xref(name:\"TRA\", value:\"TRA-2015-04\");\n\n script_name(english:\"SUSE SLED11 / SLES11 Security Update : ntp (SUSE-SU-2015:2058-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This ntp update provides the following security and non security \nfixes :\n\n - Update to 4.2.8p4 to fix several security issues\n (bsc#951608) :\n\n - CVE-2015-7871: NAK to the Future: Symmetric association\n authentication bypass via crypto-NAK\n\n - CVE-2015-7855: decodenetnum() will ASSERT botch instead\n of returning FAIL on some bogus values\n\n - CVE-2015-7854: Password Length Memory Corruption\n Vulnerability\n\n - CVE-2015-7853: Invalid length data provided by a custom\n 
refclock driver could cause a buffer overflow\n\n - CVE-2015-7852 ntpq atoascii() Memory Corruption\n Vulnerability\n\n - CVE-2015-7851 saveconfig Directory Traversal\n Vulnerability\n\n - CVE-2015-7850 remote config logfile-keyfile\n\n - CVE-2015-7849 trusted key use-after-free\n\n - CVE-2015-7848 mode 7 loop counter underrun\n\n - CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC\n\n - CVE-2015-7703 configuration directives 'pidfile' and\n 'driftfile' should only be allowed locally\n\n - CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD\n should validate the origin timestamp field\n\n - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete\n autokey data packet length checks\n\n - Use ntpq instead of deprecated ntpdc in start-ntpd\n (bnc#936327).\n\n - Add a controlkey to ntp.conf to make the above work.\n\n - Improve runtime configuration :\n\n - Read keytype from ntp.conf\n\n - Don't write ntp keys to syslog.\n\n - Don't let 'keysdir' lines in ntp.conf trigger the 'keys'\n parser.\n\n - Fix the comment regarding addserver in ntp.conf\n (bnc#910063).\n\n - Remove ntp.1.gz, it wasn't installed anymore.\n\n - Remove ntp-4.2.7-rh-manpages.tar.gz and only keep\n ntptime.8.gz. The rest is partially irrelevant,\n partially redundant and potentially outdated\n (bsc#942587).\n\n - Remove 'kod' from the restrict line in ntp.conf\n (bsc#944300).\n\n - Use SHA1 instead of MD5 for symmetric keys (bsc#905885).\n\n - Require perl-Socket6 (bsc#942441).\n\n - Fix incomplete backporting of 'rcntp ntptimemset'.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=905885\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=910063\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=936327\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=942441\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=942587\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=944300\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=951608\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7691/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7692/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7701/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7702/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7703/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7704/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7705/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7848/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7849/\"\n );\n 
script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7850/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7851/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7852/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7853/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7854/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7855/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7871/\"\n );\n # https://www.suse.com/support/update/announcement/2015/suse-su-20152058-1.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b9441511\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2015-04\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 11-SP4 :\n\nzypper in -t patch slessp4-ntp-12218=1\n\nSUSE Linux Enterprise Desktop 11-SP4 :\n\nzypper in -t patch sledsp4-ntp-12218=1\n\nSUSE Linux Enterprise Debuginfo 11-SP4 :\n\nzypper in -t patch dbgsp4-ntp-12218=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n 
script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/11/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLED11|SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED11 / SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! 
ereg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP4\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED11\" && (! ereg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED11 SP4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"ntp-4.2.8p4-5.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"ntp-doc-4.2.8p4-5.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"x86_64\", reference:\"ntp-4.2.8p4-5.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"x86_64\", reference:\"ntp-doc-4.2.8p4-5.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"i586\", reference:\"ntp-4.2.8p4-5.1\")) flag++;\nif (rpm_check(release:\"SLED11\", sp:\"4\", cpu:\"i586\", reference:\"ntp-doc-4.2.8p4-5.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2018-10-01T10:28:25", "bulletinFamily": "scanner", "description": "Mageia Linux Local Security Checks mgasa-2015-0413", "modified": "2018-09-28T00:00:00", "published": "2015-10-26T00:00:00", "id": "OPENVAS:1361412562310131100", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310131100", "title": "Mageia Linux Local Check: mgasa-2015-0413", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: mgasa-2015-0413.nasl 11692 2018-09-28 16:55:19Z cfischer $\n#\n# Mageia Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://www.solinor.com\n#\n# This program is free software; 
you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.131100\");\n script_version(\"$Revision: 11692 $\");\n script_tag(name:\"creation_date\", value:\"2015-10-26 09:35:58 +0200 (Mon, 26 Oct 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 18:55:19 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Mageia Linux Local Check: mgasa-2015-0413\");\n script_tag(name:\"insight\", value:\"It was found that ntpd did not correctly implement the threshold limitation for the '-g' option, which is used to set the time without any restrictions. A man-in-the-middle attacker able to intercept NTP traffic between a connecting client and an NTP server could use this flaw to force that client to make multiple steps larger than the panic threshold, effectively changing the time to an arbitrary value at any time (CVE-2015-5300). Slow memory leak in CRYPTO_ASSOC with autokey (CVE-2015-7701). Incomplete autokey data packet length checks could result in crash caused by a crafted packet (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702). Clients that receive a KoD should validate the origin timestamp field (CVE-2015-7704). ntpq atoascii() Memory Corruption Vulnerability could result in ntpd crash caused by a crafted packet (CVE-2015-7852). 
Symmetric association authentication bypass via crypto-NAK (CVE-2015-7871).\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://advisories.mageia.org/MGASA-2015-0413.html\");\n script_cve_id(\"CVE-2015-5300\", \"CVE-2015-7701\", \"CVE-2015-7691\", \"CVE-2015-7692\", \"CVE-2015-7702\", \"CVE-2015-7704\", \"CVE-2015-7852\", \"CVE-2015-7871\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mageia_linux\", \"ssh/login/release\", re:\"ssh/login/release=MAGEIA5\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Mageia Linux Local Security Checks mgasa-2015-0413\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Mageia Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MAGEIA5\")\n{\nif ((res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~24.2.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-10-02T14:31:29", "bulletinFamily": "scanner", "description": "Amazon Linux Local Security Checks", "modified": "2018-10-01T00:00:00", "published": "2015-11-08T00:00:00", "id": "OPENVAS:1361412562310120597", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120597", "title": "Amazon Linux Local Check: alas-2015-607", "type": "openvas", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: alas-2015-607.nasl 6959 2017-08-18 07:24:59Z asteins$\n#\n# Amazon Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@iki.fi>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://ping-viini.org\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120597\");\n script_version(\"$Revision: 11711 $\");\n script_tag(name:\"creation_date\", value:\"2015-11-08 13:10:59 +0200 (Sun, 08 Nov 2015)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-01 14:30:57 +0200 (Mon, 01 Oct 2018) $\");\n script_name(\"Amazon Linux Local Check: alas-2015-607\");\n script_tag(name:\"insight\", value:\"Multiple flaws were found in NTP. 
Please see the references for more information.\");\n script_tag(name:\"solution\", value:\"Run yum update ntp to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2015-607.html\");\n script_cve_id(\"CVE-2015-7692\", \"CVE-2015-7691\", \"CVE-2015-7852\", \"CVE-2015-7704\", \"CVE-2015-7701\", \"CVE-2015-7702\", \"CVE-2015-5300\", \"CVE-2015-7871\", \"CVE-2014-9750\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Amazon Linux Local Security Checks\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"AMAZON\")\n{\nif ((res = isrpmvuln(pkg:\"ntpdate\", rpm:\"ntpdate~4.2.6p5~34.27.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~34.27.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"ntp-debuginfo\", rpm:\"ntp-debuginfo~4.2.6p5~34.27.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"ntp-doc\", rpm:\"ntp-doc~4.2.6p5~34.27.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"ntp-perl\", rpm:\"ntp-perl~4.2.6p5~34.27.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.8, 
"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-11-23T15:10:59", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2016-05-11T00:00:00", "id": "OPENVAS:1361412562310871612", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871612", "title": "RedHat Update for ntp RHSA-2016:0780-01", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for ntp RHSA-2016:0780-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871612\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-05-11 05:23:05 +0200 (Wed, 11 May 2016)\");\n script_cve_id(\"CVE-2015-5194\", \"CVE-2015-5195\", \"CVE-2015-5219\", \"CVE-2015-7691\", \"CVE-2015-7692\", \"CVE-2015-7701\", \"CVE-2015-7702\", \"CVE-2015-7703\", \"CVE-2015-7852\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2014-9750\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for ntp RHSA-2016:0780-01\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ntp'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The Network Time Protocol (NTP) is used to synchronize a computer's time\nwith another referenced time source. These packages include the ntpd\nservice which continuously adjusts system time and utilities used to query\nand configure the ntpd service.\n\nSecurity Fix(es):\n\n * It was found that the fix for CVE-2014-9750 was incomplete: three issues\nwere found in the value length checks in NTP's ntp_crypto.c, where a packet\nwith particular autokey operations that contained malicious data was not\nalways being completely validated. 
A remote attacker could use a specially\ncrafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692,\nCVE-2015-7702)\n\n * A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was\nconfigured to use autokey authentication, an attacker could send packets to\nntpd that would, after several days of ongoing attack, cause it to run out\nof memory. (CVE-2015-7701)\n\n * An off-by-one flaw, leading to a buffer overflow, was found in\ncookedprint functionality of ntpq. A specially crafted NTP packet could\npotentially cause ntpq to crash. (CVE-2015-7852)\n\n * A NULL pointer dereference flaw was found in the way ntpd processed\n'ntpdc reslist' commands that queried restriction lists with a large amount\nof entries. A remote attacker could potentially use this flaw to crash\nntpd. (CVE-2015-7977)\n\n * A stack-based buffer overflow flaw was found in the way ntpd processed\n'ntpdc reslist' commands that queried restriction lists with a large amount\nof entries. A remote attacker could use this flaw to crash ntpd.\n(CVE-2015-7978)\n\n * It was found that ntpd could crash due to an uninitialized variable when\nprocessing malformed logconfig configuration commands. (CVE-2015-5194)\n\n * It was found that ntpd would exit with a segmentation fault when a\nstatistics type that was not enabled during compilation (e.g. timingstats)\nwas referenced by the statistics or filegen configuration command.\n(CVE-2015-5195)\n\n * It was discovered that the sntp utility could become unresponsive due to\nbeing caught in an infinite loop when processing a crafted NTP packet.\n(CVE-2015-5219)\n\n * It was found that NTP's :config command could be used to set the pidfile\nand driftfile paths without any restrictions. A remote attacker could use\nthis flaw to overwrite a file on the file system with a file containing the\npid of the ntpd process (immediately) or the current estimated drift of the\nsystem clock (in hourly intervals). 
(CVE-2015-7703)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav\nLichvar (R ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"ntp on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:0780-01\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-May/msg00022.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_6\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~10.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ntp-debuginfo\", rpm:\"ntp-debuginfo~4.2.6p5~10.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ntpdate\", rpm:\"ntpdate~4.2.6p5~10.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:45:58", "bulletinFamily": "scanner", "description": "Check the version of ntp", "modified": "2017-08-18T00:00:00", "published": "2016-02-21T00:00:00", "id": "OPENVAS:1361412562310807293", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310807293", "title": "Fedora Update for ntp FEDORA-2016-34", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for ntp FEDORA-2016-34\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807293\");\n script_version(\"$Revision: 6959 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-08-18 09:24:59 +0200 (Fri, 18 Aug 2017) $\");\n script_tag(name:\"creation_date\", value:\"2016-02-21 06:21:43 +0100 (Sun, 21 Feb 2016)\");\n script_cve_id(\"CVE-2015-7974\", \"CVE-2015-8138\", \"CVE-2015-7977\", \"CVE-2015-7978\",\n \"CVE-2015-7979\", \"CVE-2015-8158\", \"CVE-2015-7704\", \"CVE-2015-5300\",\n \"CVE-2015-7692\", \"CVE-2015-7871\", \"CVE-2015-7702\", \"CVE-2015-7691\",\n \"CVE-2015-7852\", \"CVE-2015-7701\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for 
ntp FEDORA-2016-34\");\n script_tag(name: \"summary\", value: \"Check the version of ntp\");\n\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help\n of detect NVT and check if the version is vulnerable or not.\");\n\n script_tag(name: \"insight\", value: \"The Network Time Protocol (NTP) is used\n to synchronize a computer's time with another reference time source. This\n package includes ntpd (a daemon which continuously adjusts system time) and\n utilities used to query and configure the ntpd daemon.\n\n Perl scripts ntp-wait and ntptrace are in the ntp-perl package, ntpdate is\n in the ntpdate package and sntp is in the sntp package. The documentation\n is in the ntp-doc package.\");\n\n script_tag(name: \"affected\", value: \"ntp on Fedora 22\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n\n script_xref(name: \"FEDORA\", value: \"2016-34\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2016-February/177507.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~36.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:51:29", "bulletinFamily": "scanner", "description": "Check the version 
of ntp", "modified": "2017-07-10T00:00:00", "published": "2015-11-05T00:00:00", "id": "OPENVAS:1361412562310806533", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806533", "title": "Fedora Update for ntp FEDORA-2015-77", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for ntp FEDORA-2015-77\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806533\");\n script_version(\"$Revision: 6630 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:34:32 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2015-11-05 06:14:19 +0100 (Thu, 05 Nov 2015)\");\n script_cve_id(\"CVE-2015-7704\", \"CVE-2015-5300\", \"CVE-2015-7692\", \"CVE-2015-7871\",\n \"CVE-2015-7702\", \"CVE-2015-7691\", \"CVE-2015-7852\", \"CVE-2015-7701\",\n \"CVE-2015-5146\", \"CVE-2015-5194\", \"CVE-2015-5219\", \"CVE-2015-5195\",\n \"CVE-2015-5196\", \"CVE-2015-7703\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", 
value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for ntp FEDORA-2015-77\");\n script_tag(name: \"summary\", value: \"Check the version of ntp\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help\nof detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"The Network Time Protocol (NTP) is used to\nsynchronize a computer's time with another reference time source. This package\nincludes ntpd (a daemon which continuously adjusts system time) and utilities\nused to query and configure the ntpd daemon.\n\nPerl scripts ntp-wait and ntptrace are in the ntp-perl package, ntpdate is in\nthe ntpdate package and sntp is in the sntp package. The documentation is in\nthe ntp-doc package.\n\");\n script_tag(name: \"affected\", value: \"ntp on Fedora 21\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n script_xref(name: \"FEDORA\", value: \"2015-77\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2015-November/170926.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC21\")\n{\n\n if ((res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~34.fc21\", rls:\"FC21\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-09-14T12:10:35", "bulletinFamily": "scanner", "description": "Several vulnerabilities were discovered\nin the Network Time Protocol daemon and utility programs:\n\nCVE-2015-5146 \nA flaw was found in the way ntpd processed certain remote\nconfiguration packets. An attacker could use a specially crafted\npackage to cause ntpd to crash if:\n\nntpd enabled remote configurationThe attacker had the knowledge of the configuration\npassword...The attacker had access to a computer entrusted to perform remote\nconfiguration \nNote that remote configuration is disabled by default in NTP.\n\nCVE-2015-5194 \nIt was found that ntpd could crash due to an uninitialized\nvariable when processing malformed logconfig configuration\ncommands.\n\nCVE-2015-5195 \nIt was found that ntpd exits with a segmentation fault when a\nstatistics type that was not enabled during compilation (e.g.\ntimingstats) is referenced by the statistics or filegen\nconfiguration command.\n\nCVE-2015-5219 \nIt was discovered that sntp program would hang in an infinite loop\nwhen a crafted NTP packet was received, related to the conversion\nof the precision value in the packet to double.\n\nCVE-2015-5300 \nIt was found that ntpd did not correctly implement the -g option:\n\nNormally, ntpd exits with a message to the system log if the offset\nexceeds the panic threshold, which is 1000 s by default. This\noption allows the time to be set to any value without restriction;\nhowever, this can happen only once. If the threshold is exceeded\nafter that, ntpd will exit with a message to the system log. 
This\noption can be used with the -q and -x options.\n\nntpd could actually step the clock multiple times by more than the\npanic threshold if its clock discipline doesn", "modified": "2017-09-12T00:00:00", "published": "2016-05-06T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=703388", "id": "OPENVAS:703388", "title": "Debian Security Advisory DSA 3388-1 (ntp - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3388.nasl 7101 2017-09-12 06:15:03Z asteins $\n# Auto-generated from advisory DSA 3388-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703388);\n script_version(\"$Revision: 7101 $\");\n script_cve_id(\"CVE-2014-9750\", \"CVE-2014-9751\", \"CVE-2015-3405\", \"CVE-2015-5146\",\n \"CVE-2015-5194\", \"CVE-2015-5195\", \"CVE-2015-5219\", \"CVE-2015-5300\",\n \"CVE-2015-7691\", \"CVE-2015-7692\", \"CVE-2015-7701\", \"CVE-2015-7702\",\n \"CVE-2015-7703\", \"CVE-2015-7704\", \"CVE-2015-7850\", \"CVE-2015-7852\",\n \"CVE-2015-7855\", \"CVE-2015-7871\");\n script_name(\"Debian Security Advisory DSA 3388-1 (ntp - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-09-12 08:15:03 +0200 (Tue, 12 Sep 2017) $\");\n script_tag(name:\"creation_date\", value:\"2016-05-06 15:29:25 +0530 (Fri, 06 May 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2015/dsa-3388.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"ntp on Debian Linux\");\n script_tag(name: \"insight\", value: \"NTP, the Network Time Protocol,\nis used to keep computer clocks accurate by synchronizing them over the Internet or\na local network, or by following an accurate hardware receiver that interprets GPS,\nDCF-77, NIST or similar time 
signals.\");\n script_tag(name: \"solution\", value: \"For the oldstable distribution (wheezy),\nthese problems have been fixed in version 1:4.2.6.p5+dfsg-2+deb7u6.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 1:4.2.6.p5+dfsg-7+deb8u1.\n\nFor the testing distribution (stretch), these problems have been fixed\nin version 1:4.2.8p4+dfsg-3.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1:4.2.8p4+dfsg-3.\n\nWe recommend that you upgrade your ntp packages.\");\n script_tag(name: \"summary\", value: \"Several vulnerabilities were discovered\nin the Network Time Protocol daemon and utility programs:\n\nCVE-2015-5146 \nA flaw was found in the way ntpd processed certain remote\nconfiguration packets. An attacker could use a specially crafted\npackage to cause ntpd to crash if:\n\nntpd enabled remote configurationThe attacker had the knowledge of the configuration\npassword...The attacker had access to a computer entrusted to perform remote\nconfiguration \nNote that remote configuration is disabled by default in NTP.\n\nCVE-2015-5194 \nIt was found that ntpd could crash due to an uninitialized\nvariable when processing malformed logconfig configuration\ncommands.\n\nCVE-2015-5195 \nIt was found that ntpd exits with a segmentation fault when a\nstatistics type that was not enabled during compilation (e.g.\ntimingstats) is referenced by the statistics or filegen\nconfiguration command.\n\nCVE-2015-5219 \nIt was discovered that sntp program would hang in an infinite loop\nwhen a crafted NTP packet was received, related to the conversion\nof the precision value in the packet to double.\n\nCVE-2015-5300 \nIt was found that ntpd did not correctly implement the -g option:\n\nNormally, ntpd exits with a message to the system log if the offset\nexceeds the panic threshold, which is 1000 s by default. This\noption allows the time to be set to any value without restriction;\nhowever, this can happen only once. 
If the threshold is exceeded\nafter that, ntpd will exit with a message to the system log. This\noption can be used with the -q and -x options.\n\nntpd could actually step the clock multiple times by more than the\npanic threshold if its clock discipline doesn't have enough time to\nreach the sync state and stay there for at least one update. If a\nman-in-the-middle attacker can control the NTP traffic since ntpd\nwas started (or maybe up to 15-30 minutes after that), they can\nprevent the client from reaching the sync state and force it to step\nits clock by any amount any number of times, which can be used by\nattackers to expire certificates, etc.\n\nThis is contrary to what the documentation says. Normally, the\nassumption is that an MITM attacker can step the clock more than the\npanic threshold only once when ntpd starts and to make a larger\nadjustment the attacker has to divide it into multiple smaller\nsteps, each taking 15 minutes, which is slow.\n\nCVE-2015-7691,\nCVE-2015-7692,\nCVE-2015-7702It was found that the fix for\nCVE-2014-9750 \n\nwas incomplete: three issues were found in the value length checks in\nntp_crypto.c, where a packet with particular autokey operations that\ncontained malicious data was not always being completely validated. Receipt\nof these packets can cause ntpd to crash.\n\nCVE-2015-7701 \nA memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd is\nconfigured to use autokey authentication, an attacker could send\npackets to ntpd that would, after several days of ongoing attack,\ncause it to run out of memory.\n\nCVE-2015-7703 \nMiroslav Lichvar of Red Hat found that the :config command can be\nused to set the pidfile and driftfile paths without any\nrestrictions. A remote attacker could use this flaw to overwrite a\nfile on the file system with a file containing the pid of the ntpd\nprocess (immediately) or the current estimated drift of the system\nclock (in hourly intervals). 
For example:\n\nntpq -c ':config pidfile /tmp/ntp.pid' ntpq -c ':config driftfile /tmp/ntp.drift' \nIn Debian ntpd is configured to drop root privileges, which limits\nthe impact of this issue.\n\nCVE-2015-7704 \nIf ntpd as an NTP client receives a Kiss-of-Death (KoD) packet\nfrom the server to reduce its polling rate, it doesn't check if the\noriginate timestamp in the reply matches the transmit timestamp from\nits request. An off-path attacker can send a crafted KoD packet to\nthe client, which will increase the client's polling interval to a\nlarge value and effectively disable synchronization with the server.\n\nCVE-2015-7850 \nAn exploitable denial of service vulnerability exists in the remote\nconfiguration functionality of the Network Time Protocol. A\nspecially crafted configuration file could cause an endless loop\nresulting in a denial of service. An attacker could provide a\nmalicious configuration file to trigger this vulnerability.\n\nCVE-2015-7852 \nA potential off by one vulnerability exists in the cookedprint\nfunctionality of ntpq. A specially crafted buffer could cause a\nbuffer overflow potentially resulting in null byte being written out\nof bounds.\n\nCVE-2015-7855 \nIt was found that NTP's decodenetnum() would abort with an assertion\nfailure when processing a mode 6 or mode 7 packet containing an\nunusually long data value where a network address was expected. This\ncould allow an authenticated attacker to crash ntpd.\n\nCVE-2015-7871 \nAn error handling logic error exists within ntpd that manifests due\nto improper error condition handling associated with certain\ncrypto-NAK packets. An unauthenticated, off-path attacker can force\nntpd processes on targeted servers to peer with time sources of the\nattacker's choosing by transmitting symmetric active crypto-NAK\npackets to ntpd. 
This attack bypasses the authentication typically\nrequired to establish a peer association and allows an attacker to\nmake arbitrary changes to system time.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed\nsoftware version using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.6.p5+dfsg-7+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntp-doc\", ver:\"1:4.2.6.p5+dfsg-7+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntpdate\", ver:\"1:4.2.6.p5+dfsg-7+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.8p4+dfsg-3\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntp-doc\", ver:\"1:4.2.8p4+dfsg-3\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntpdate\", ver:\"1:4.2.8p4+dfsg-3\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.6.p5+dfsg-2+deb7u6\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntp-doc\", ver:\"1:4.2.6.p5+dfsg-2+deb7u6\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntpdate\", ver:\"1:4.2.6.p5+dfsg-2+deb7u6\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-11-19T13:03:02", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2015-10-28T00:00:00", "id": 
"OPENVAS:1361412562310842504", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842504", "title": "Ubuntu Update for ntp USN-2783-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for ntp USN-2783-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842504\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2015-10-28 07:18:08 +0100 (Wed, 28 Oct 2015)\");\n script_cve_id(\"CVE-2015-5146\", \"CVE-2015-5194\", \"CVE-2015-5195\", \"CVE-2015-7703\", \"CVE-2015-5219\",\n \"CVE-2015-5300\", \"CVE-2015-7691\", \"CVE-2015-7692\", \"CVE-2015-7702\", \"CVE-2015-7701\",\n \"CVE-2015-7704\", \"CVE-2015-7705\", \"CVE-2015-7850\", \"CVE-2015-7852\", \"CVE-2015-7853\",\n \"CVE-2015-7855\", \"CVE-2015-7871\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", 
value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for ntp USN-2783-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ntp'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Aleksis Kauppinen discovered that NTP\nincorrectly handled certain remote config packets. In a non-default configuration,\na remote authenticated attacker could possibly use this issue to cause NTP to crash,\nresulting in a denial of service. (CVE-2015-5146)\n\nMiroslav Lichvar discovered that NTP incorrectly handled logconfig\ndirectives. In a non-default configuration, a remote authenticated attacker\ncould possibly use this issue to cause NTP to crash, resulting in a denial\nof service. (CVE-2015-5194)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain statistics\ntypes. In a non-default configuration, a remote authenticated attacker\ncould possibly use this issue to cause NTP to crash, resulting in a denial\nof service. (CVE-2015-5195)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain file\npaths. In a non-default configuration, a remote authenticated attacker\ncould possibly use this issue to cause NTP to crash, resulting in a denial\nof service, or overwrite certain files. (CVE-2015-7703)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain packets.\nA remote attacker could possibly use this issue to cause NTP to hang,\nresulting in a denial of service. (CVE-2015-5219)\n\nAanchal Malhotra, Isaac E. Cohen, and Sharon Goldberg discovered that NTP\nincorrectly handled restarting after hitting a panic threshold. A remote\nattacker could possibly use this issue to alter the system time on clients.\n(CVE-2015-5300)\n\nIt was discovered that NTP incorrectly handled autokey data packets. 
A\nremote attacker could possibly use this issue to cause NTP to crash,\nresulting in a denial of service, or possibly execute arbitrary code.\n(CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\n\nIt was discovered that NTP incorrectly handled memory when processing\ncertain autokey messages. A remote attacker could possibly use this issue\nto cause NTP to consume memory, resulting in a denial of service.\n(CVE-2015-7701)\n\nAanchal Malhotra, Isaac E. Cohen, and Sharon Goldberg discovered that NTP\nincorrectly handled rate limiting. A remote attacker could possibly use\nthis issue to cause clients to stop updating their clock. (CVE-2015-7704,\nCVE-2015-7705)\n\nYves Younan discovered that NTP incorrectly handled logfile and keyfile\ndirectives. In a non-default configuration, a remote authenticated attacker\ncould possibly use this issue to cause NTP to enter a loop, resulting in a\ndenial of service. (CVE-2015-7850)\n\nYves Younan and Aleksander Nikolich discovered that NTP incorrectly handled\nascii conversion. 
A remote attacker could possibly ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"ntp on Ubuntu 15.10, Ubuntu 15.04, Ubuntu 14.04 LTS, Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n script_xref(name:\"USN\", value:\"2783-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-2783-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(15\\.04|14\\.04 LTS|12\\.04 LTS|15\\.10)\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU15.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.6.p5+dfsg-3ubuntu6.2\", rls:\"UBUNTU15.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.6.p5+dfsg-3ubuntu2.14.04.5\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.6.p3+dfsg-1ubuntu3.6\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU15.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.6.p5+dfsg-3ubuntu8.1\", rls:\"UBUNTU15.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n 
exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:50:25", "bulletinFamily": "scanner", "description": "Several vulnerabilities were discovered\nin the Network Time Protocol daemon and utility programs:\n\nCVE-2015-5146 \nA flaw was found in the way ntpd processed certain remote\nconfiguration packets. An attacker could use a specially crafted\npackage to cause ntpd to crash if:\n\nntpd enabled remote configurationThe attacker had the knowledge of the configuration\npassword...The attacker had access to a computer entrusted to perform remote\nconfiguration \nNote that remote configuration is disabled by default in NTP.\n\nCVE-2015-5194 \nIt was found that ntpd could crash due to an uninitialized\nvariable when processing malformed logconfig configuration\ncommands.\n\nCVE-2015-5195 \nIt was found that ntpd exits with a segmentation fault when a\nstatistics type that was not enabled during compilation (e.g.\ntimingstats) is referenced by the statistics or filegen\nconfiguration command.\n\nCVE-2015-5219 \nIt was discovered that sntp program would hang in an infinite loop\nwhen a crafted NTP packet was received, related to the conversion\nof the precision value in the packet to double.\n\nCVE-2015-5300 \nIt was found that ntpd did not correctly implement the -g option:\n\nNormally, ntpd exits with a message to the system log if the offset\nexceeds the panic threshold, which is 1000 s by default. This\noption allows the time to be set to any value without restriction;\nhowever, this can happen only once. If the threshold is exceeded\nafter that, ntpd will exit with a message to the system log. 
This\noption can be used with the -q and -x options.\n\nntpd could actually step the clock multiple times by more than the\npanic threshold if its clock discipline doesn", "modified": "2018-03-19T00:00:00", "published": "2016-05-06T00:00:00", "id": "OPENVAS:1361412562310703388", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703388", "title": "Debian Security Advisory DSA 3388-1 (ntp - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3388.nasl 9134 2018-03-19 12:26:43Z cfischer $\n# Auto-generated from advisory DSA 3388-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703388\");\n script_version(\"$Revision: 9134 $\");\n script_cve_id(\"CVE-2014-9750\", \"CVE-2014-9751\", \"CVE-2015-3405\", \"CVE-2015-5146\",\n \"CVE-2015-5194\", \"CVE-2015-5195\", \"CVE-2015-5219\", \"CVE-2015-5300\",\n \"CVE-2015-7691\", \"CVE-2015-7692\", \"CVE-2015-7701\", \"CVE-2015-7702\",\n \"CVE-2015-7703\", \"CVE-2015-7704\", \"CVE-2015-7850\", \"CVE-2015-7852\",\n \"CVE-2015-7855\", \"CVE-2015-7871\");\n script_name(\"Debian Security Advisory DSA 3388-1 (ntp - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2018-03-19 13:26:43 +0100 (Mon, 19 Mar 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-05-06 15:29:25 +0530 (Fri, 06 May 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2015/dsa-3388.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"ntp on Debian Linux\");\n script_tag(name: \"insight\", value: \"NTP, the Network Time Protocol,\nis used to keep computer clocks accurate by synchronizing them over the Internet or\na local network, or by following an accurate hardware receiver that interprets 
GPS,\nDCF-77, NIST or similar time signals.\");\n script_tag(name: \"solution\", value: \"For the oldstable distribution (wheezy),\nthese problems have been fixed in version 1:4.2.6.p5+dfsg-2+deb7u6.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 1:4.2.6.p5+dfsg-7+deb8u1.\n\nFor the testing distribution (stretch), these problems have been fixed\nin version 1:4.2.8p4+dfsg-3.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1:4.2.8p4+dfsg-3.\n\nWe recommend that you upgrade your ntp packages.\");\n script_tag(name: \"summary\", value: \"Several vulnerabilities were discovered\nin the Network Time Protocol daemon and utility programs:\n\nCVE-2015-5146 \nA flaw was found in the way ntpd processed certain remote\nconfiguration packets. An attacker could use a specially crafted\npackage to cause ntpd to crash if:\n\nntpd enabled remote configurationThe attacker had the knowledge of the configuration\npassword...The attacker had access to a computer entrusted to perform remote\nconfiguration \nNote that remote configuration is disabled by default in NTP.\n\nCVE-2015-5194 \nIt was found that ntpd could crash due to an uninitialized\nvariable when processing malformed logconfig configuration\ncommands.\n\nCVE-2015-5195 \nIt was found that ntpd exits with a segmentation fault when a\nstatistics type that was not enabled during compilation (e.g.\ntimingstats) is referenced by the statistics or filegen\nconfiguration command.\n\nCVE-2015-5219 \nIt was discovered that sntp program would hang in an infinite loop\nwhen a crafted NTP packet was received, related to the conversion\nof the precision value in the packet to double.\n\nCVE-2015-5300 \nIt was found that ntpd did not correctly implement the -g option:\n\nNormally, ntpd exits with a message to the system log if the offset\nexceeds the panic threshold, which is 1000 s by default. 
This\noption allows the time to be set to any value without restriction;\nhowever, this can happen only once. If the threshold is exceeded\nafter that, ntpd will exit with a message to the system log. This\noption can be used with the -q and -x options.\n\nntpd could actually step the clock multiple times by more than the\npanic threshold if its clock discipline doesn't have enough time to\nreach the sync state and stay there for at least one update. If a\nman-in-the-middle attacker can control the NTP traffic since ntpd\nwas started (or maybe up to 15-30 minutes after that), they can\nprevent the client from reaching the sync state and force it to step\nits clock by any amount any number of times, which can be used by\nattackers to expire certificates, etc.\n\nThis is contrary to what the documentation says. Normally, the\nassumption is that an MITM attacker can step the clock more than the\npanic threshold only once when ntpd starts and to make a larger\nadjustment the attacker has to divide it into multiple smaller\nsteps, each taking 15 minutes, which is slow.\n\nCVE-2015-7691,\nCVE-2015-7692,\nCVE-2015-7702It was found that the fix for\nCVE-2014-9750 \n\nwas incomplete: three issues were found in the value length checks in\nntp_crypto.c, where a packet with particular autokey operations that\ncontained malicious data was not always being completely validated. Receipt\nof these packets can cause ntpd to crash.\n\nCVE-2015-7701 \nA memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd is\nconfigured to use autokey authentication, an attacker could send\npackets to ntpd that would, after several days of ongoing attack,\ncause it to run out of memory.\n\nCVE-2015-7703 \nMiroslav Lichvar of Red Hat found that the :config command can be\nused to set the pidfile and driftfile paths without any\nrestrictions. 
A remote attacker could use this flaw to overwrite a\nfile on the file system with a file containing the pid of the ntpd\nprocess (immediately) or the current estimated drift of the system\nclock (in hourly intervals). For example:\n\nntpq -c ':config pidfile /tmp/ntp.pid' ntpq -c ':config driftfile /tmp/ntp.drift' \nIn Debian ntpd is configured to drop root privileges, which limits\nthe impact of this issue.\n\nCVE-2015-7704 \nIf ntpd as an NTP client receives a Kiss-of-Death (KoD) packet\nfrom the server to reduce its polling rate, it doesn't check if the\noriginate timestamp in the reply matches the transmit timestamp from\nits request. An off-path attacker can send a crafted KoD packet to\nthe client, which will increase the client's polling interval to a\nlarge value and effectively disable synchronization with the server.\n\nCVE-2015-7850 \nAn exploitable denial of service vulnerability exists in the remote\nconfiguration functionality of the Network Time Protocol. A\nspecially crafted configuration file could cause an endless loop\nresulting in a denial of service. An attacker could provide a\nmalicious configuration file to trigger this vulnerability.\n\nCVE-2015-7852 \nA potential off by one vulnerability exists in the cookedprint\nfunctionality of ntpq. A specially crafted buffer could cause a\nbuffer overflow potentially resulting in null byte being written out\nof bounds.\n\nCVE-2015-7855 \nIt was found that NTP's decodenetnum() would abort with an assertion\nfailure when processing a mode 6 or mode 7 packet containing an\nunusually long data value where a network address was expected. This\ncould allow an authenticated attacker to crash ntpd.\n\nCVE-2015-7871 \nAn error handling logic error exists within ntpd that manifests due\nto improper error condition handling associated with certain\ncrypto-NAK packets. 
An unauthenticated, off-path attacker can force\nntpd processes on targeted servers to peer with time sources of the\nattacker's choosing by transmitting symmetric active crypto-NAK\npackets to ntpd. This attack bypasses the authentication typically\nrequired to establish a peer association and allows an attacker to\nmake arbitrary changes to system time.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed\nsoftware version using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.6.p5+dfsg-7+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntp-doc\", ver:\"1:4.2.6.p5+dfsg-7+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntpdate\", ver:\"1:4.2.6.p5+dfsg-7+deb8u1\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.8p4+dfsg-3\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntp-doc\", ver:\"1:4.2.8p4+dfsg-3\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntpdate\", ver:\"1:4.2.8p4+dfsg-3\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.6.p5+dfsg-2+deb7u6\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntp-doc\", ver:\"1:4.2.6.p5+dfsg-2+deb7u6\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntpdate\", ver:\"1:4.2.6.p5+dfsg-2+deb7u6\", rls_regex:\"DEB7.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": 
"2018-10-22T16:37:39", "bulletinFamily": "scanner", "description": "Multiple Cisco products incorporate a version of the ntpd package.\n Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated,\n remote attacker to create a denial of service (DoS) condition or modify the time being advertised by a\n device acting as a network time protocol (NTP) server.\n\n On October 21st, 2015, NTP.org released a security advisory detailing 13 issues regarding multiple DoS\n vulnerabilities, information disclosure vulnerabilities, and logic issues that may result in an attacker\n gaining the ability to modify an NTP server", "modified": "2018-10-18T00:00:00", "published": "2016-05-09T00:00:00", "id": "OPENVAS:1361412562310105668", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105668", "title": "Multiple Vulnerabilities in ntpd Affecting Cisco Products - October 2015", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_ios_xe_cisco-sa-20151021-ntp.nasl 11961 2018-10-18 10:49:40Z asteins $\n#\n# Multiple Vulnerabilities in ntpd Affecting Cisco Products - October 2015\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/o:cisco:ios_xe\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105668\");\n script_cve_id(\"CVE-2015-7848\", \"CVE-2015-7849\", \"CVE-2015-7850\", \"CVE-2015-7851\", \"CVE-2015-7852\",\n \"CVE-2015-7853\", \"CVE-2015-7854\", \"CVE-2015-7871\", \"CVE-2015-7704\", \"CVE-2015-7705\", \"CVE-2015-7703\",\n \"CVE-2015-7701\", \"CVE-2015-7855\", \"CVE-2015-7691\", \"CVE-2015-7692\", \"CVE-2015-7702\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:P\");\n script_version(\"$Revision: 11961 $\");\n\n script_name(\"Multiple Vulnerabilities in ntpd Affecting Cisco Products - October 2015\");\n\n script_xref(name:\"URL\", value:\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151021-ntp\");\n script_xref(name:\"URL\", value:\"http://tools.cisco.com/security/center/viewAlert.x?alertId=41653\");\n script_xref(name:\"URL\", value:\"http://tools.cisco.com/security/center/viewAlert.x?alertId=41658\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n script_tag(name:\"summary\", value:\"Multiple Cisco products incorporate a version of the ntpd package.\n Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated,\n remote attacker to create a denial of service (DoS) condition or modify the time being advertised by a\n device acting as a network time protocol (NTP) server.\n\n On October 21st, 2015, 
NTP.org released a security advisory detailing 13 issues regarding multiple DoS\n vulnerabilities, information disclosure vulnerabilities, and logic issues that may result in an attacker\n gaining the ability to modify an NTP server's advertised time. The vulnerabilities covered in this document are as follows:\n\n - CVE-2015-7691 - Denial of Service AutoKey Malicious Message\n\n - CVE-2015-7692 - Denial of Service AutoKey Malicious Message\n\n - CVE-2015-7701 - Denial of Service CRYPTO_ASSOC Memory Leak\n\n - CVE-2015-7702 - Denial of Service AutoKey Malicious Message\n\n - CVE-2015-7703 - Configuration Directive File Overwrite Vulnerability\n\n - CVE-2015-7704 - Denial of Service by Spoofed Kiss-o'-Death\n\n - CVE-2015-7705 - Denial of Service by Priming the Pump\n\n - CVE-2015-7848 - Network Time Protocol ntpd Multiple Integer Overflow Read Access Violations\n\n - CVE-2015-7849 - Network Time Protocol Trusted Keys Memory Corruption Vulnerability\n\n - CVE-2015-7850 - Network Time Protocol Remote Configuration Denial of Service Vulnerability\n\n - CVE-2015-7851 - Network Time Protocol ntpd saveconfig Directory Traversal Vulnerability\n\n - CVE-2015-7852 - Network Time Protocol ntpq atoascii Memory Corruption Vulnerability\n\n - CVE-2015-7853 - Network Time Protocol Reference Clock Memory Corruption Vulnerability\n\n - CVE-2015-7854 - Network Time Protocol Password Length Memory Corruption Vulnerability\n\n - CVE-2015-7855 - Denial of Service Long Control Packet Message\n\n - CVE-2015-7871 - NAK to the Future: NTP Symmetric Association Authentication Bypass Vulnerability\n\n Cisco will release software updates that address these vulnerabilities.\n\n Workarounds that mitigate one or more of the vulnerabilities may be available for certain products, please see the individual Cisco Bug IDs for details.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", 
value:\"$Date: 2018-10-18 12:49:40 +0200 (Thu, 18 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-05-09 18:22:34 +0200 (Mon, 09 May 2016)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_ios_xe_version.nasl\");\n script_mandatory_keys(\"cisco_ios_xe/version\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) ) exit( 0 );\n\naffected = make_list(\n\t\t'2.1.0',\n\t\t'2.1.1',\n\t\t'2.1.2',\n\t\t'2.2.1',\n\t\t'2.2.2',\n\t\t'2.2.3',\n\t\t'2.3.0',\n\t\t'2.3.0t',\n\t\t'2.3.1t',\n\t\t'2.3.2',\n\t\t'2.4.0',\n\t\t'2.4.1',\n\t\t'2.5.0',\n\t\t'2.5.1',\n\t\t'2.5.2',\n\t\t'2.6.0',\n\t\t'2.6.1',\n\t\t'2.6.2',\n\t\t'3.1.0S',\n\t\t'3.1.1S',\n\t\t'3.1.2S',\n\t\t'3.1.3S',\n\t\t'3.1.4S',\n\t\t'3.1.5S',\n\t\t'3.1.6S',\n\t\t'3.1.0SG',\n\t\t'3.1.1SG',\n\t\t'3.2.0S',\n\t\t'3.2.1S',\n\t\t'3.2.2S',\n\t\t'3.2.3S',\n\t\t'3.2.0SE',\n\t\t'3.2.1SE',\n\t\t'3.2.2SE',\n\t\t'3.2.3SE',\n\t\t'3.2.0SG',\n\t\t'3.2.1SG',\n\t\t'3.2.2SG',\n\t\t'3.2.3SG',\n\t\t'3.2.4SG',\n\t\t'3.2.5SG',\n\t\t'3.2.6SG',\n\t\t'3.2.7SG',\n\t\t'3.2.8SG',\n\t\t'3.2.9SG',\n\t\t'3.2.0XO',\n\t\t'3.2.1XO',\n\t\t'3.3.0S',\n\t\t'3.3.1S',\n\t\t'3.3.2S',\n\t\t'3.3.0SE',\n\t\t'3.3.1SE',\n\t\t'3.3.2SE',\n\t\t'3.3.3SE',\n\t\t'3.3.4SE',\n\t\t'3.3.5SE',\n\t\t'3.3.0SG',\n\t\t'3.3.1SG',\n\t\t'3.3.2SG',\n\t\t'3.3.0SQ',\n\t\t'3.3.1SQ',\n\t\t'3.3.0XO',\n\t\t'3.3.1XO',\n\t\t'3.3.2XO',\n\t\t'3.4.0S',\n\t\t'3.4.1S',\n\t\t'3.4.2S',\n\t\t'3.4.3S',\n\t\t'3.4.4S',\n\t\t'3.4.5S',\n\t\t'3.4.6S',\n\t\t'3.4.0SG',\n\t\t'3.4.1SG',\n\t\t'3.4.2SG',\n\t\t'3.4.3SG',\n\t\t'3.4.4SG',\n\t\t'3.4.5SG',\n\t\t'3.4.0SQ',\n\t\t'3.4.1SQ',\n\t\t'3.5.0E',\n\t\t'3.5.1E',\n\t\t'3.5.2E',\n\t\t'3.5.3E',\n\t\t'3.5.0S',\n\t\t'3.5.1S',\n\t\t'3.5.2S',\n\t\t'3.6.0E',\n\t\t'3.6.1E',\n\t\t'3.6.0S',\n\t\t'3.6.1S',\n\t\t'3.6.2S',\n\t\t'3.7.0E',\n\t\t'3.7.0S',\n\
t\t'3.7.1S',\n\t\t'3.7.2S',\n\t\t'3.7.3S',\n\t\t'3.7.4S',\n\t\t'3.7.5S',\n\t\t'3.7.6S',\n\t\t'3.7.7S',\n\t\t'3.8.0S',\n\t\t'3.8.1S',\n\t\t'3.8.2S',\n\t\t'3.9.0S',\n\t\t'3.9.1S',\n\t\t'3.9.2S',\n\t\t'3.10.0S',\n\t\t'3.10.0S',\n\t\t'3.10.1S',\n\t\t'3.10.2S',\n\t\t'3.10.3S',\n\t\t'3.10.4S',\n\t\t'3.10.5S',\n\t\t'3.10.6S',\n\t\t'3.11.0S',\n\t\t'3.11.1S',\n\t\t'3.11.2S',\n\t\t'3.11.3S',\n\t\t'3.11.4S',\n\t\t'3.12.0S',\n\t\t'3.12.1S',\n\t\t'3.12.2S',\n\t\t'3.12.3S',\n\t\t'3.13.0S',\n\t\t'3.13.1S',\n\t\t'3.13.2S',\n\t\t'3.14.0S',\n\t\t'3.14.1S',\n\t\t'3.14.2S',\n\t\t'3.14.3S',\n\t\t'3.14.4S',\n\t\t'3.15.0S' );\n\nforeach af ( affected )\n{\n if( version == af )\n {\n report = report_fixed_ver( installed_version:version, fixed_version: \"See advisory\" );\n security_message( port:0, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-11-23T15:11:07", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-23T00:00:00", "published": "2016-11-04T00:00:00", "id": "OPENVAS:1361412562310871685", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871685", "title": "RedHat Update for ntp RHSA-2016:2583-02", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for ntp RHSA-2016:2583-02\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871685\");\n script_version(\"$Revision: 12497 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-23 09:28:21 +0100 (Fri, 23 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-11-04 05:41:24 +0100 (Fri, 04 Nov 2016)\");\n script_cve_id(\"CVE-2015-5194\", \"CVE-2015-5195\", \"CVE-2015-5196\", \"CVE-2015-5219\",\n \"CVE-2015-7691\", \"CVE-2015-7692\", \"CVE-2015-7701\", \"CVE-2015-7702\",\n \"CVE-2015-7703\", \"CVE-2015-7852\", \"CVE-2015-7974\", \"CVE-2015-7977\",\n \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8158\", \"CVE-2014-9750\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for ntp RHSA-2016:2583-02\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ntp'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"The Network Time Protocol (NTP) is used to\nsynchronize a computer's time with another referenced time source. 
These packages\ninclude the ntpd service which continuously adjusts system time and utilities used\nto query and configure the ntpd service.\n\nSecurity Fix(es):\n\n * It was found that the fix for CVE-2014-9750 was incomplete: three issues\nwere found in the value length checks in NTP's ntp_crypto.c, where a packet\nwith particular autokey operations that contained malicious data was not\nalways being completely validated. A remote attacker could use a specially\ncrafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692,\nCVE-2015-7702)\n\n * A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was\nconfigured to use autokey authentication, an attacker could send packets to\nntpd that would, after several days of ongoing attack, cause it to run out\nof memory. (CVE-2015-7701)\n\n * An off-by-one flaw, leading to a buffer overflow, was found in\ncookedprint functionality of ntpq. A specially crafted NTP packet could\npotentially cause ntpq to crash. (CVE-2015-7852)\n\n * A NULL pointer dereference flaw was found in the way ntpd processed\n'ntpdc reslist' commands that queried restriction lists with a large amount\nof entries. A remote attacker could potentially use this flaw to crash\nntpd. (CVE-2015-7977)\n\n * A stack-based buffer overflow flaw was found in the way ntpd processed\n'ntpdc reslist' commands that queried restriction lists with a large amount\nof entries. A remote attacker could use this flaw to crash ntpd.\n(CVE-2015-7978)\n\n * It was found that when NTP was configured in broadcast mode, a remote\nattacker could broadcast packets with bad authentication to all clients.\nThe clients, upon receiving the malformed packets, would break the\nassociation with the broadcast server, causing them to become out of sync\nover a longer period of time. (CVE-2015-7979)\n\n * It was found that ntpd could crash due to an uninitialized variable when\nprocessing malformed logconfig configuration commands. 
(CVE-2015-5194)\n\n * It was found that ntpd would exit with a segmentation fault when a\nstatistics type that was not enabled during compilation (e.g. timingstats)\nwas referenced by the statistics or filegen configuration command.\n(CVE-2015-5195)\n\n * It was found that NTP's :config command could be used to set the pidfile\nand driftfile paths without any restrictions. A remote attacker could use\nthis flaw to overwrite a file on the file system with a file containing the\npid of the ntpd process (immediately) or the current estimated drift of the\nsystem clock (in hourly intervals). (CVE-2015-5196, CVE ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"ntp on Red Hat Enterprise Linux Server (v. 7)\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"RHSA\", value:\"2016:2583-02\");\n script_xref(name:\"URL\", value:\"https://www.redhat.com/archives/rhsa-announce/2016-November/msg00019.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\", re:\"ssh/login/release=RHENT_7\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"RHENT_7\")\n{\n\n if ((res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~25.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ntp-debuginfo\", rpm:\"ntp-debuginfo~4.2.6p5~25.el7\", rls:\"RHENT_7\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ntpdate\", rpm:\"ntpdate~4.2.6p5~25.el7\", rls:\"RHENT_7\")) 
!= NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "amazon": [{"lastseen": "2018-10-02T16:55:04", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nIt was discovered that ntpd as a client did not correctly check timestamps in Kiss-of-Death packets. A remote attacker could use this flaw to send a crafted Kiss-of-Death packet to an ntpd client that would increase the client's polling interval value, and effectively disable synchronization with the server. ([CVE-2015-7704 __](<https://access.redhat.com/security/cve/CVE-2015-7704>))\n\nIt was found that ntpd did not correctly implement the threshold limitation for the '-g' option, which is used to set the time without any restrictions. A man-in-the-middle attacker able to intercept NTP traffic between a connecting client and an NTP server could use this flaw to force that client to make multiple steps larger than the panic threshold, effectively changing the time to an arbitrary value. ([CVE-2015-5300 __](<https://access.redhat.com/security/cve/CVE-2015-5300>))\n\nIt was found that the fix for [CVE-2014-9750 __](<https://access.redhat.com/security/cve/CVE-2014-9750>) was incomplete: three issues were found in the value length checks in ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. Receipt of these packets can cause ntpd to crash. ([CVE-2015-7691 __](<https://access.redhat.com/security/cve/CVE-2015-7691>), [CVE-2015-7692 __](<https://access.redhat.com/security/cve/CVE-2015-7692>), [CVE-2015-7702 __](<https://access.redhat.com/security/cve/CVE-2015-7702>))\n\nA potential off by one vulnerability exists in the cookedprint functionality of ntpq. A specially crafted buffer could cause a buffer overflow potentially resulting in null byte being written out of bounds. 
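The Kiss-of-Death check the first paragraph of the Amazon advisory above describes (CVE-2015-7704), as an added example written for this page rather than taken from ntpd or from any advisory: the client remembers the transmit timestamp of its last request and honours a RATE kiss only when the reply's origin timestamp echoes it, which a blind, off-path sender cannot supply. The packet bytes are constructed inline; `check_kod`, `build_reply` and `next_poll` are names chosen here, and `next_poll` is a deliberately simple stand-in for ntpd's poll-interval bookkeeping.

```c
/* Added example: origin-timestamp validation of Kiss-of-Death replies.
 * Not ntpd code; every packet below is constructed in this file. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NTP_PKT_LEN 48                               /* header without MAC */

typedef struct { uint32_t sec, frac; } ntp_ts;       /* 64-bit NTP timestamp */

enum kod_verdict { KOD_NOT_KOD = 0, KOD_ACCEPT = 1, KOD_REJECT_ORIGIN = 2, KOD_REJECT_LEN = 3 };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Classify a server reply. A KoD is a stratum-0 packet whose reference ID
 * (bytes 12-15) carries the kiss code (RFC 5905). Before it is honoured, the
 * origin timestamp (bytes 24-31) must equal the transmit timestamp of the
 * request this client last sent: an off-path attacker never saw that value,
 * so a blind KoD is dropped here instead of raising the poll interval. */
int check_kod(const uint8_t *pkt, size_t len, ntp_ts last_xmt, char kiss_out[5])
{
    if (len < NTP_PKT_LEN) return KOD_REJECT_LEN;
    if (pkt[1] != 0) return KOD_NOT_KOD;             /* stratum != 0: ordinary reply */
    memcpy(kiss_out, pkt + 12, 4);
    kiss_out[4] = '\0';
    if (rd32(pkt + 24) != last_xmt.sec || rd32(pkt + 28) != last_xmt.frac)
        return KOD_REJECT_ORIGIN;
    return KOD_ACCEPT;
}

/* Build a 48-byte reply with the given leap indicator, stratum, reference ID
 * and origin timestamp; all other fields stay zero (constructed packet). */
void build_reply(uint8_t pkt[NTP_PKT_LEN], int li, int stratum, const char refid[4], ntp_ts org)
{
    memset(pkt, 0, NTP_PKT_LEN);
    pkt[0] = (uint8_t)((li << 6) | (4 << 3) | 4);    /* LI, VN=4, mode 4 (server) */
    pkt[1] = (uint8_t)stratum;
    memcpy(pkt + 12, refid, 4);
    wr32(pkt + 24, org.sec);
    wr32(pkt + 28, org.frac);
}

/* Simplified poll policy: only an accepted RATE kiss may slow the client
 * down, and the poll exponent never exceeds 17 (NTP's maximum). */
int next_poll(int cur_poll, int verdict, const char *kiss)
{
    if (verdict == KOD_ACCEPT && strcmp(kiss, "RATE") == 0 && cur_poll < 17)
        return cur_poll + 1;
    return cur_poll;
}

/* Constructed transmit timestamp of "our" last request. */
static const ntp_ts LAST_XMT = { 0xD0A1B2C3u, 0x40000000u };

int scenario_genuine_rate_kod(void)      /* server echoes our xmt: honoured */
{
    uint8_t pkt[NTP_PKT_LEN]; char kiss[5];
    build_reply(pkt, 3, 0, "RATE", LAST_XMT);
    return check_kod(pkt, sizeof pkt, LAST_XMT, kiss);
}
int scenario_spoofed_origin(void)        /* blind attacker guesses zero: dropped */
{
    uint8_t pkt[NTP_PKT_LEN]; char kiss[5];
    ntp_ts guess = { 0, 0 };
    build_reply(pkt, 3, 0, "RATE", guess);
    return check_kod(pkt, sizeof pkt, LAST_XMT, kiss);
}
int scenario_truncated(void)             /* too short to hold an origin field */
{
    uint8_t pkt[NTP_PKT_LEN]; char kiss[5];
    build_reply(pkt, 3, 0, "RATE", LAST_XMT);
    return check_kod(pkt, 20, LAST_XMT, kiss);
}
int scenario_normal_reply(void)          /* stratum-2 time reply, not a KoD */
{
    uint8_t pkt[NTP_PKT_LEN]; char kiss[5];
    static const char upstream[4] = { 10, 0, 0, 1 };   /* refid = upstream IPv4 */
    build_reply(pkt, 0, 2, upstream, LAST_XMT);
    return check_kod(pkt, sizeof pkt, LAST_XMT, kiss);
}

int main(void)
{
    printf("genuine RATE KoD : %d (1 = accept)\n", scenario_genuine_rate_kod());
    printf("spoofed origin   : %d (2 = reject, bad origin)\n", scenario_spoofed_origin());
    printf("truncated packet : %d (3 = reject, short)\n", scenario_truncated());
    printf("normal reply     : %d (0 = not a KoD)\n", scenario_normal_reply());
    return 0;
}
```

The same origin-timestamp comparison is what lets a client tell a reply to its own request from an unsolicited one; a spoofed KoD with a guessed or zero origin field fails the check and leaves the poll interval untouched.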
([CVE-2015-7852 __](<https://access.redhat.com/security/cve/CVE-2015-7852>))\n\nA memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd is configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. ([CVE-2015-7701 __](<https://access.redhat.com/security/cve/CVE-2015-7701>))\n\n \n**Affected Packages:** \n\n\nntp\n\n \n**Issue Correction:** \nRun _yum update ntp_ to update your system.\n\n \n\n\n**New Packages:**\n \n \n i686: \n ntpdate-4.2.6p5-34.27.amzn1.i686 \n ntp-4.2.6p5-34.27.amzn1.i686 \n ntp-debuginfo-4.2.6p5-34.27.amzn1.i686 \n \n noarch: \n ntp-doc-4.2.6p5-34.27.amzn1.noarch \n ntp-perl-4.2.6p5-34.27.amzn1.noarch \n \n src: \n ntp-4.2.6p5-34.27.amzn1.src \n \n x86_64: \n ntp-4.2.6p5-34.27.amzn1.x86_64 \n ntpdate-4.2.6p5-34.27.amzn1.x86_64 \n ntp-debuginfo-4.2.6p5-34.27.amzn1.x86_64 \n \n \n", "modified": "2015-10-27T16:53:00", "published": "2015-10-27T16:53:00", "id": "ALAS-2015-607", "href": "https://alas.aws.amazon.com/ALAS-2015-607.html", "title": "Important: ntp", "type": "amazon", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2018-12-11T19:43:28", "bulletinFamily": "unix", "description": "The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service.\n\nSecurity Fix(es):\n\n* It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. 
(CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\n\n* A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701)\n\n* An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852)\n\n* A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977)\n\n* A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd. (CVE-2015-7978)\n\n* It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. (CVE-2015-5194)\n\n* It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command. (CVE-2015-5195)\n\n* It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219)\n\n* It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). 
(CVE-2015-7703)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichv\u00e1r (Red Hat).\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 6.8 Release Notes and Red Hat Enterprise Linux 6.8 Technical Notes linked from the References section.", "modified": "2018-06-06T20:24:20", "published": "2016-05-10T10:42:20", "id": "RHSA-2016:0780", "href": "https://access.redhat.com/errata/RHSA-2016:0780", "type": "redhat", "title": "(RHSA-2016:0780) Moderate: ntp security and bug fix update", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-12-11T17:45:05", "bulletinFamily": "unix", "description": "The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service.\n\nSecurity Fix(es):\n\n* It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\n\n* A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701)\n\n* An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852)\n\n* A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. 
A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977)\n\n* A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd. (CVE-2015-7978)\n\n* It was found that when NTP was configured in broadcast mode, a remote attacker could broadcast packets with bad authentication to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server, causing them to become out of sync over a longer period of time. (CVE-2015-7979)\n\n* It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. (CVE-2015-5194)\n\n* It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command. (CVE-2015-5195)\n\n* It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). (CVE-2015-5196, CVE-2015-7703)\n\n* It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219)\n\n* A flaw was found in the way NTP verified trusted keys during symmetric key authentication. An authenticated client (A) could use this flaw to modify a packet sent between a server (B) and a client (C) using a key that is different from the one known to the client (A). (CVE-2015-7974)\n\n* A flaw was found in the way the ntpq client processed certain incoming packets in a loop in the getresponse() function. 
A remote attacker could potentially use this flaw to crash an ntpq client instance. (CVE-2015-8158)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichv\u00e1r (Red Hat).\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.", "modified": "2018-04-12T03:33:11", "published": "2016-11-03T10:07:15", "id": "RHSA-2016:2583", "href": "https://access.redhat.com/errata/RHSA-2016:2583", "type": "redhat", "title": "(RHSA-2016:2583) Moderate: ntp security and bug fix update", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "centos": [{"lastseen": "2017-10-03T18:26:08", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2016:0780\n\n\nThe Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service.\n\nSecurity Fix(es):\n\n* It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\n\n* A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701)\n\n* An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. 
(CVE-2015-7852)\n\n* A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977)\n\n* A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd. (CVE-2015-7978)\n\n* It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. (CVE-2015-5194)\n\n* It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command. (CVE-2015-5195)\n\n* It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219)\n\n* It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). 
(CVE-2015-7703)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichv\u00e1r (Red Hat).\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 6.8 Release Notes and Red Hat Enterprise Linux 6.8 Technical Notes linked from the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2016-May/002927.html\n\n**Affected packages:**\nntp\nntp-doc\nntp-perl\nntpdate\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-0780.html", "modified": "2016-05-16T10:19:19", "published": "2016-05-16T10:19:19", "href": "http://lists.centos.org/pipermail/centos-cr-announce/2016-May/002927.html", "id": "CESA-2016:0780", "title": "ntp, ntpdate security update", "type": "centos", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-10-03T18:27:01", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2016:2583\n\n\nThe Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service.\n\nSecurity Fix(es):\n\n* It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\n\n* A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. 
(CVE-2015-7701)\n\n* An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852)\n\n* A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977)\n\n* A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd. (CVE-2015-7978)\n\n* It was found that when NTP was configured in broadcast mode, a remote attacker could broadcast packets with bad authentication to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server, causing them to become out of sync over a longer period of time. (CVE-2015-7979)\n\n* It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. (CVE-2015-5194)\n\n* It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command. (CVE-2015-5195)\n\n* It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). (CVE-2015-5196, CVE-2015-7703)\n\n* It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. 
(CVE-2015-5219)\n\n* A flaw was found in the way NTP verified trusted keys during symmetric key authentication. An authenticated client (A) could use this flaw to modify a packet sent between a server (B) and a client (C) using a key that is different from the one known to the client (A). (CVE-2015-7974)\n\n* A flaw was found in the way the ntpq client processed certain incoming packets in a loop in the getresponse() function. A remote attacker could potentially use this flaw to crash an ntpq client instance. (CVE-2015-8158)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichv\u00e1r (Red Hat).\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2016-November/003635.html\n\n**Affected packages:**\nntp\nntp-doc\nntp-perl\nntpdate\nsntp\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-2583.html", "modified": "2016-11-25T16:00:55", "published": "2016-11-25T16:00:55", "href": "http://lists.centos.org/pipermail/centos-cr-announce/2016-November/003635.html", "id": "CESA-2016:2583", "title": "ntp, ntpdate, sntp security update", "type": "centos", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "archlinux": [{"lastseen": "2016-09-02T18:44:43", "bulletinFamily": "unix", "description": "- CVE-2015-7871 (authentication bypass) \nAn error handling logic error exists within ntpd that manifests due to improper\nerror condition handling associated with certain crypto-NAK packets. An\nunauthenticated, off­-path attacker can force ntpd processes on targeted servers\nto peer with time sources of the attacker's choosing by transmitting symmetric\nactive crypto­-NAK packets to ntpd. 
This attack bypasses the authentication\ntypically required to establish a peer association and allows an attacker to\nmake arbitrary changes to system time. Matthew Van Gundy of Cisco ASIG is\ncredited with discovering this vulnerability. [1] \n\n- CVE-2015-7855 (denial of service)\ndecodenetnum() will ASSERT botch instead of returning FAIL on some bogus values.\nThis can cause a denial of service.\n\n- CVE-2015-7854 (memory corruption)\nA potential buffer overflow vulnerability exists in the password management\nfunctionality of ntp. A specially crafted key file could cause a buffer overflow\npotentially resulting in memory being modified. An attacker could provide a\nmalicious password to trigger this vulnerability. [2]\n\n- CVE-2015-7849 (memory corruption)\nAn exploitable use-after-free vulnerability exists in the password management\nfunctionality of the Network Time Protocol. A specially crafted key file could\ncause a buffer overflow resulting in memory corruption. An attacker could\nprovide a malicious password file to trigger this vulnerability. [3]\n\n- CVE-2015-7852 (memory corruption)\nA potential off by one vulnerability exists in the cookedprint functionality of\nntpq. A specially crafted buffer could cause a buffer overflow potentially\nresulting in null byte being written out of bounds. [4]\n\n- CVE-2015-7853 (memory corruption)\nA potential buffer overflow vulnerability exists in the refclock of ntpd. An\ninvalid length provided by a hardware reference clock could cause a buffer\noverflow potentially resulting in memory being modified. A malicious refclock\ncould provide a negative length to trigger this vulnerability. [5]\n\n- CVE-2015-7848 (denial of service)\nWhen processing a specially crafted private mode packet, an integer overflow can\noccur leading to out of bounds memory copy operation. The crafted packet needs\nto have the correct message authentication code and a valid timestamp. 
When\nprocessed by the NTP daemon, it leads to an immediate crash. [6]\n\n- CVE-2015-7850 (denial of service)\nAn exploitable denial of service vulnerability exists in the remote\nconfiguration functionality of the Network Time Protocol. A specially crafted\nconfiguration file could cause an endless loop resulting in a denial of service.\nAn attacker could provide the malicious configuration file to trigger this\nvulnerability. [7]\n\n- CVE-2015-7851 (directory traversal)\nA potential path traversal vulnerability exists in the config file saving of\nntpd on VMS. A specially crafted path could cause a path traversal potentially\nresulting in files being overwritten. An attacker could provide a malicious path\nto trigger this vulnerability. [8] \n\n- CVE-2015-7701 (memory leak)\nSlow memory leak in CRYPTO_ASSOC.\n\n- CVE-2015-7702 (denial of service)\nIncomplete autokey data packet length checks.\n\n- CVE-2015-7703 (directory traversal)\nconfiguration directives \"pidfile\" and \"driftfile\" should only be allowed\nlocally. 
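The CVE-2015-7852 entry above describes an off-by-one in ntpq's cooked printing that writes a NUL byte one past the end of the output buffer. The following is an added illustration of that bug class, constructed for this page and not ntpq's own source: `cook_vuln` expands control bytes to ^X and high bytes to M-x the way a cooked printer does and reserves room for each expansion but not for the terminator, `cook_fixed` keeps one byte back, and `clobbers_canary` proves the difference with a byte planted just past an 8-byte buffer. All function names and the sample inputs are chosen here.

```c
/* Added illustration of the CVE-2015-7852 bug class: an ASCII-cooking copy
 * that forgets to reserve room for its terminating NUL. Reconstruction of the
 * pattern, not ntpq's code. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef size_t (*cook_fn)(const unsigned char *, size_t, char *, size_t);

/* Render one input byte into tmp (at most 4 bytes, e.g. "M-^X"); returns length. */
static size_t cook_byte(unsigned char c, char tmp[4])
{
    size_t n = 0;
    if (c & 0x80) {                     /* meta bit: prefix "M-" and strip it */
        tmp[n++] = 'M'; tmp[n++] = '-';
        c &= 0x7f;
    }
    if (c >= 0x20 && c < 0x7f) {        /* printable ASCII is copied verbatim */
        tmp[n++] = (char)c;
    } else {                            /* control char -> ^X (DEL -> ^?) */
        tmp[n++] = '^';
        tmp[n++] = (char)(c ^ 0x40);
    }
    return n;
}

/* Vulnerable shape: the bound check only reserves room for the expansion of
 * the current byte, so once the output is exactly full the trailing '\0'
 * lands at out[out_len], one byte past the caller's buffer. */
size_t cook_vuln(const unsigned char *in, size_t in_len, char *out, size_t out_len)
{
    size_t o = 0;
    for (size_t i = 0; i < in_len; i++) {
        char tmp[4];
        size_t n = cook_byte(in[i], tmp);
        if (o + n > out_len)            /* BUG: does not count the NUL */
            break;
        memcpy(out + o, tmp, n);
        o += n;
    }
    out[o] = '\0';                      /* o == out_len is reachable here */
    return o;
}

/* Hardened form: keep one byte back for the terminator, so o <= out_len - 1. */
size_t cook_fixed(const unsigned char *in, size_t in_len, char *out, size_t out_len)
{
    size_t o = 0;
    if (out_len == 0) return 0;
    for (size_t i = 0; i < in_len; i++) {
        char tmp[4];
        size_t n = cook_byte(in[i], tmp);
        if (o + n >= out_len)           /* expansion plus NUL must fit */
            break;
        memcpy(out + o, tmp, n);
        o += n;
    }
    out[o] = '\0';
    return o;
}

/* Probe: run fn against an 8-byte logical buffer backed by 9 real bytes, with
 * a canary in the ninth. The constructed input is 8 printable bytes, which
 * fills the logical buffer exactly. Returns 1 if the canary was overwritten. */
int clobbers_canary(cook_fn fn)
{
    static const unsigned char input[8] = { 'A','B','C','D','E','F','G','H' };
    char backing[9];
    memset(backing, 0, sizeof backing);
    backing[8] = (char)0xAA;
    fn(input, sizeof input, backing, 8);
    return backing[8] != (char)0xAA;
}

int vuln_writes_past_end(void)  { return clobbers_canary(cook_vuln); }
int fixed_writes_past_end(void) { return clobbers_canary(cook_fixed); }

/* Expansion check on a constructed sample: 'a', 0x01, 0x80 -> "a^AM-^@" (7 bytes). */
int fixed_cooks_sample(void)
{
    static const unsigned char sample[3] = { 'a', 0x01, 0x80 };
    char out[16];
    size_t n = cook_fixed(sample, sizeof sample, out, sizeof out);
    return n == 7 && strcmp(out, "a^AM-^@") == 0;
}

int main(void)
{
    printf("vulnerable copy clobbers byte past buffer: %d\n", vuln_writes_past_end());
    printf("hardened copy clobbers byte past buffer:   %d\n", fixed_writes_past_end());
    printf("hardened expansion correct:                %d\n", fixed_cooks_sample());
    return 0;
}
```

The canary probe is the same idea a fuzz harness with a sanitizer applies automatically; here it is done by hand so the single-byte overwrite is visible without tooling.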
\n\n- CVE-2015-7704 (denial of service)\nClients that receive a KoD should validate the origin timestamp field.\n\n- CVE-2015-7705 (denial of service)\nClients that receive a KoD should validate the origin timestamp field.\n\n- CVE-2015-7691 (denial of service)\nIncomplete autokey data packet length checks.\n\n- CVE-2015-7692 (denial of service)\nIncomplete autokey data packet length checks.", "modified": "2015-10-22T00:00:00", "published": "2015-10-22T00:00:00", "href": "https://lists.archlinux.org/pipermail/arch-security/2015-October/000416.html", "id": "ASA-201510-14", "title": "ntp: multiple issues", "type": "archlinux", "cvss": {"score": 0.0, "vector": "NONE"}}], "securityvulns": [{"lastseen": "2018-08-31T11:11:02", "bulletinFamily": "software", "description": "\r\n\r\n==========================================================================\r\nUbuntu Security Notice USN-2783-1\r\nOctober 27, 2015\r\n\r\nntp vulnerabilities\r\n==========================================================================\r\n\r\nA security issue affects these releases of Ubuntu and its derivatives:\r\n\r\n- Ubuntu 15.10\r\n- Ubuntu 15.04\r\n- Ubuntu 14.04 LTS\r\n- Ubuntu 12.04 LTS\r\n\r\nSummary:\r\n\r\nSeveral security issues were fixed in NTP.\r\n\r\nSoftware Description:\r\n- ntp: Network Time Protocol daemon and utility programs\r\n\r\nDetails:\r\n\r\nAleksis Kauppinen discovered that NTP incorrectly handled certain remote\r\nconfig packets. In a non-default configuration, a remote authenticated\r\nattacker could possibly use this issue to cause NTP to crash, resulting in\r\na denial of service. (CVE-2015-5146)\r\n\r\nMiroslav Lichvar discovered that NTP incorrectly handled logconfig\r\ndirectives. In a non-default configuration, a remote authenticated attacker\r\ncould possibly use this issue to cause NTP to crash, resulting in a denial\r\nof service. (CVE-2015-5194)\r\n\r\nMiroslav Lichvar discovered that NTP incorrectly handled certain statistics\r\ntypes. 
In a non-default configuration, a remote authenticated attacker\r\ncould possibly use this issue to cause NTP to crash, resulting in a denial\r\nof service. (CVE-2015-5195)\r\n\r\nMiroslav Lichvar discovered that NTP incorrectly handled certain file\r\npaths. In a non-default configuration, a remote authenticated attacker\r\ncould possibly use this issue to cause NTP to crash, resulting in a denial\r\nof service, or overwrite certain files. (CVE-2015-5196, CVE-2015-7703)\r\n\r\nMiroslav Lichvar discovered that NTP incorrectly handled certain packets.\r\nA remote attacker could possibly use this issue to cause NTP to hang,\r\nresulting in a denial of service. (CVE-2015-5219)\r\n\r\nAanchal Malhotra, Isaac E. Cohen, and Sharon Goldberg discovered that NTP\r\nincorrectly handled restarting after hitting a panic threshold. A remote\r\nattacker could possibly use this issue to alter the system time on clients.\r\n(CVE-2015-5300)\r\n\r\nIt was discovered that NTP incorrectly handled autokey data packets. A\r\nremote attacker could possibly use this issue to cause NTP to crash,\r\nresulting in a denial of service, or possibly execute arbitrary code.\r\n(CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\r\n\r\nIt was discovered that NTP incorrectly handled memory when processing\r\ncertain autokey messages. A remote attacker could possibly use this issue\r\nto cause NTP to consume memory, resulting in a denial of service.\r\n(CVE-2015-7701)\r\n\r\nAanchal Malhotra, Isaac E. Cohen, and Sharon Goldberg discovered that NTP\r\nincorrectly handled rate limiting. A remote attacker could possibly use\r\nthis issue to cause clients to stop updating their clock. (CVE-2015-7704,\r\nCVE-2015-7705)\r\n\r\nYves Younan discovered that NTP incorrectly handled logfile and keyfile\r\ndirectives. In a non-default configuration, a remote authenticated attacker\r\ncould possibly use this issue to cause NTP to enter a loop, resulting in a\r\ndenial of service. 
(CVE-2015-7850)\r\n\r\nYves Younan and Aleksander Nikolich discovered that NTP incorrectly handled\r\nascii conversion. A remote attacker could possibly use this issue to cause\r\nNTP to crash, resulting in a denial of service, or possibly execute\r\narbitrary code. (CVE-2015-7852)\r\n\r\nYves Younan discovered that NTP incorrectly handled reference clock memory.\r\nA malicious refclock could possibly use this issue to cause NTP to crash,\r\nresulting in a denial of service, or possibly execute arbitrary code.\r\n(CVE-2015-7853)\r\n\r\nJohn D \"Doug\" Birdwell discovered that NTP incorrectly handled decoding\r\ncertain bogus values. An attacker could possibly use this issue to cause\r\nNTP to crash, resulting in a denial of service. (CVE-2015-7855)\r\n\r\nStephen Gray discovered that NTP incorrectly handled symmetric association\r\nauthentication. A remote attacker could use this issue to possibly bypass\r\nauthentication and alter the system clock. (CVE-2015-7871)\r\n\r\nIn the default installation, attackers would be isolated by the NTP\r\nAppArmor profile.\r\n\r\nUpdate instructions:\r\n\r\nThe problem can be corrected by updating your system to the following\r\npackage versions:\r\n\r\nUbuntu 15.10:\r\n ntp 1:4.2.6.p5+dfsg-3ubuntu8.1\r\n\r\nUbuntu 15.04:\r\n ntp 1:4.2.6.p5+dfsg-3ubuntu6.2\r\n\r\nUbuntu 14.04 LTS:\r\n ntp 1:4.2.6.p5+dfsg-3ubuntu2.14.04.5\r\n\r\nUbuntu 12.04 LTS:\r\n ntp 1:4.2.6.p3+dfsg-1ubuntu3.6\r\n\r\nIn general, a standard system update will make all the necessary changes.\r\n\r\nReferences:\r\n http://www.ubuntu.com/usn/usn-2783-1\r\n CVE-2015-5146, CVE-2015-5194, CVE-2015-5195, CVE-2015-5196,\r\n CVE-2015-5219, CVE-2015-5300, CVE-2015-7691, CVE-2015-7692,\r\n CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704,\r\n CVE-2015-7705, CVE-2015-7850, CVE-2015-7852, CVE-2015-7853,\r\n CVE-2015-7855, CVE-2015-7871\r\n\r\nPackage Information:\r\n https://launchpad.net/ubuntu/+source/ntp/1:4.2.6.p5+dfsg-3ubuntu8.1\r\n 
https://launchpad.net/ubuntu/+source/ntp/1:4.2.6.p5+dfsg-3ubuntu6.2\r\n https://launchpad.net/ubuntu/+source/ntp/1:4.2.6.p5+dfsg-3ubuntu2.14.04.5\r\n https://launchpad.net/ubuntu/+source/ntp/1:4.2.6.p3+dfsg-1ubuntu3.6\r\n\r\n\r\n\r\n\r\n-- \r\nubuntu-security-announce mailing list\r\nubuntu-security-announce@lists.ubuntu.com\r\nModify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce\r\n\r\n", "modified": "2015-11-01T00:00:00", "published": "2015-11-01T00:00:00", "id": "SECURITYVULNS:DOC:32649", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:32649", "title": "[USN-2783-1] NTP vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:03", "bulletinFamily": "software", "description": "Multiple memory corruptions.", "modified": "2015-11-01T00:00:00", "published": "2015-11-01T00:00:00", "id": "SECURITYVULNS:VULN:14751", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14751", "title": "ntp multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "oraclelinux": [{"lastseen": "2018-08-31T01:48:38", "bulletinFamily": "unix", "description": "[4.2.6p5-10]\n- don't accept server/peer packets with zero origin timestamp (CVE-2015-8138)\n- fix crash with reslist command (CVE-2015-7977, CVE-2015-7978)\n[4.2.6p5-9]\n- fix crash with invalid logconfig command (CVE-2015-5194)\n- fix crash when referencing disabled statistic type (CVE-2015-5195)\n- don't hang in sntp with crafted reply (CVE-2015-5219)\n- don't crash with crafted autokey packet (CVE-2015-7691, CVE-2015-7692,\n CVE-2015-7702)\n- fix memory leak with autokey (CVE-2015-7701)\n- don't allow setting driftfile and pidfile remotely (CVE-2015-7703)\n- don't crash in ntpq with crafted packet (CVE-2015-7852)\n- add option to set Differentiated Services Code 
Point (DSCP) (#1228314)\n- extend rawstats log (#1242895)\n- fix resetting of leap status (#1243034)\n- report clock state changes related to leap seconds (#1242937)\n- allow -4/-6 on restrict lines with mask (#1232146)\n- retry joining multicast groups (#1288534)\n- explain synchronised state in ntpstat man page (#1286969)\n[4.2.6p5-7]\n- check origin timestamp before accepting KoD RATE packet (CVE-2015-7704)\n- allow only one step larger than panic threshold with -g (CVE-2015-5300)", "modified": "2016-05-12T00:00:00", "published": "2016-05-12T00:00:00", "id": "ELSA-2016-0780", "href": "http://linux.oracle.com/errata/ELSA-2016-0780.html", "title": "ntp security and bug fix update", "type": "oraclelinux", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T01:41:05", "bulletinFamily": "unix", "description": "[4.2.6p5-25.0.1]\n- add disable monitor to default ntp.conf [CVE-2013-5211]\n[4.2.6p5-25]\n- don't allow spoofed packet to enable symmetric interleaved mode\n (CVE-2016-1548)\n- check mode of new source in config command (CVE-2016-2518)\n- make MAC check resilient against timing attack (CVE-2016-1550)\n[4.2.6p5-24]\n- fix crash with invalid logconfig command (CVE-2015-5194)\n- fix crash when referencing disabled statistic type (CVE-2015-5195)\n- don't hang in sntp with crafted reply (CVE-2015-5219)\n- don't crash with crafted autokey packet (CVE-2015-7691, CVE-2015-7692,\n CVE-2015-7702)\n- fix memory leak with autokey (CVE-2015-7701)\n- don't allow setting driftfile and pidfile remotely (CVE-2015-7703)\n- don't crash in ntpq with crafted packet (CVE-2015-7852)\n- check key ID in packets authenticated with symmetric key (CVE-2015-7974)\n- fix crash with reslist command (CVE-2015-7977, CVE-2015-7978)\n- don't allow spoofed packets to demobilize associations (CVE-2015-7979,\n CVE-2016-1547)\n- don't accept server/peer packets with zero origin timestamp (CVE-2015-8138)\n- fix infinite loop in 
ntpq/ntpdc (CVE-2015-8158)\n- fix resetting of leap status (#1242553)\n- extend rawstats log (#1242877)\n- report clock state changes related to leap seconds (#1242935)\n- allow -4/-6 on restrict lines with mask (#1304492)\n- explain synchronised state in ntpstat man page (#1309594)", "modified": "2016-11-09T00:00:00", "published": "2016-11-09T00:00:00", "id": "ELSA-2016-2583", "href": "http://linux.oracle.com/errata/ELSA-2016-2583.html", "title": "ntp security and bug fix update", "type": "oraclelinux", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2018-08-31T00:09:36", "bulletinFamily": "unix", "description": "Aleksis Kauppinen discovered that NTP incorrectly handled certain remote config packets. In a non-default configuration, a remote authenticated attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-5146)\n\nMiroslav Lichvar discovered that NTP incorrectly handled logconfig directives. In a non-default configuration, a remote authenticated attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-5194)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain statistics types. In a non-default configuration, a remote authenticated attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-5195)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain file paths. In a non-default configuration, a remote authenticated attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service, or overwrite certain files. (CVE-2015-5196, CVE-2015-7703)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain packets. A remote attacker could possibly use this issue to cause NTP to hang, resulting in a denial of service. (CVE-2015-5219)\n\nAanchal Malhotra, Isaac E. 
Cohen, and Sharon Goldberg discovered that NTP incorrectly handled restarting after hitting a panic threshold. A remote attacker could possibly use this issue to alter the system time on clients. (CVE-2015-5300)\n\nIt was discovered that NTP incorrectly handled autokey data packets. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\n\nIt was discovered that NTP incorrectly handled memory when processing certain autokey messages. A remote attacker could possibly use this issue to cause NTP to consume memory, resulting in a denial of service. (CVE-2015-7701)\n\nAanchal Malhotra, Isaac E. Cohen, and Sharon Goldberg discovered that NTP incorrectly handled rate limiting. A remote attacker could possibly use this issue to cause clients to stop updating their clock. (CVE-2015-7704, CVE-2015-7705)\n\nYves Younan discovered that NTP incorrectly handled logfile and keyfile directives. In a non-default configuration, a remote authenticated attacker could possibly use this issue to cause NTP to enter a loop, resulting in a denial of service. (CVE-2015-7850)\n\nYves Younan and Aleksander Nikolich discovered that NTP incorrectly handled ascii conversion. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-7852)\n\nYves Younan discovered that NTP incorrectly handled reference clock memory. A malicious refclock could possibly use this issue to cause NTP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2015-7853)\n\nJohn D \u201cDoug\u201d Birdwell discovered that NTP incorrectly handled decoding certain bogus values. An attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. 
(CVE-2015-7855)\n\nStephen Gray discovered that NTP incorrectly handled symmetric association authentication. A remote attacker could use this issue to possibly bypass authentication and alter the system clock. (CVE-2015-7871)\n\nIn the default installation, attackers would be isolated by the NTP AppArmor profile.", "modified": "2015-10-27T00:00:00", "published": "2015-10-27T00:00:00", "id": "USN-2783-1", "href": "https://usn.ubuntu.com/2783-1/", "title": "NTP vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "debian": [{"lastseen": "2018-10-16T22:14:42", "bulletinFamily": "unix", "description": "Package : ntp\nVersion : 1:4.2.6.p2+dfsg-1+deb6u4\nCVE ID : CVE-2015-5146 CVE-2015-5194 CVE-2015-5195 CVE-2015-5219 \n CVE-2015-5300 CVE-2015-7691 CVE-2015-7692 CVE-2015-7701\n CVE-2015-7702 CVE-2015-7703 CVE-2015-7704 CVE-2015-7850\n CVE-2015-7851 CVE-2015-7852 CVE-2015-7855 CVE-2015-7871\n\nSeveral security issues were found in ntp:\n\nCVE-2015-5146\n\n A flaw was found in the way ntpd processed certain remote\n configuration packets. An attacker could use a specially crafted\n packet to cause ntpd to crash if:\n\n * ntpd enabled remote configuration\n * The attacker had knowledge of the configuration password\n * The attacker had access to a computer entrusted to perform remote\n configuration\n\n Note that remote configuration is disabled by default in NTP. 
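The remote-configuration packets described above, and the replies that ntpq renders on screen (the subject of CVE-2015-7852 and CVE-2015-7855 further down this advisory), are all NTP mode 6 control messages: a 12-byte header followed by a data field whose length is announced in a count field chosen by the sender. What follows is an added example, not code from ntp, Debian or any other advisory on this page, of the header checks a mode 6 client should apply before it interprets a reply. The header layout is the one given in RFC 1305 Appendix B; the 468-byte data window, the opcode value used for the demonstration, and the policy of matching sequence number and opcode against the outstanding request are this example's assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not ntp code: validate an NTP mode 6 (control message)
 * reply before any of its data is interpreted. Header layout per RFC 1305
 * Appendix B:
 *   byte 0: LI(2) VN(3) Mode(3)        byte 1: R E M OpCode(5)
 *   bytes 2-3: sequence                bytes 4-5: status
 *   bytes 6-7: association ID          bytes 8-9: offset
 *   bytes 10-11: count                 then `count` data bytes (+ padding)
 * The 468-byte data window and the request-matching policy are assumptions. */

#define CTL_HDR_LEN     12
#define MODE_CONTROL    6
#define CTL_MAX_DATA    468     /* 480-byte control message minus the header */
#define CTL_OP_READVAR  2       /* opcode assumed for an "rv" style query */

struct ctl_msg {
    uint8_t  version, opcode;
    int      is_response, is_error, more;
    uint16_t sequence, status, assoc_id, offset, count;
    const uint8_t *data;        /* points into the caller's datagram, never copied */
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Returns 0 and fills *out when the reply is acceptable, otherwise a negative
 * code naming the failed check. Nothing beyond the header is touched, so a
 * lying count field can never cause a read past the datagram. */
int ctl_parse_reply(const uint8_t *pkt, size_t len, uint16_t expect_seq,
                    uint8_t expect_opcode, struct ctl_msg *out)
{
    if (len < CTL_HDR_LEN)                      return -1;  /* truncated header */
    if ((pkt[0] & 0x07) != MODE_CONTROL)        return -2;  /* not a control message */
    memset(out, 0, sizeof *out);
    out->version     = (pkt[0] >> 3) & 0x07;
    out->is_response = (pkt[1] >> 7) & 1;
    out->is_error    = (pkt[1] >> 6) & 1;
    out->more        = (pkt[1] >> 5) & 1;
    out->opcode      =  pkt[1] & 0x1f;
    out->sequence    = be16(pkt + 2);
    out->status      = be16(pkt + 4);
    out->assoc_id    = be16(pkt + 6);
    out->offset      = be16(pkt + 8);
    out->count       = be16(pkt + 10);
    if (!out->is_response)                      return -3;  /* a request, not a reply */
    if (out->sequence != expect_seq)            return -4;  /* unsolicited or stale */
    if (out->opcode != expect_opcode)           return -5;
    /* count and offset are chosen by whoever sent the packet: count must fit
     * the bytes actually received, and offset+count must stay inside the
     * reassembly window used for multi-fragment replies */
    if (out->count > len - CTL_HDR_LEN)         return -6;
    if ((uint32_t)out->offset + out->count > CTL_MAX_DATA) return -7;
    out->data = pkt + CTL_HDR_LEN;
    return 0;
}

/* Builds a constructed reply datagram for the demonstration. `claimed` goes
 * into the count field while only `actual` payload bytes are appended, so the
 * two can be made to disagree on purpose. */
static size_t build_reply(uint8_t *buf, uint16_t seq, uint8_t opcode,
                          uint16_t offset, uint16_t claimed, size_t actual)
{
    static const char text[] = "version=\"ntpd 4.2.8p4\", processor=\"x86_64\"";
    if (actual > sizeof text - 1)
        actual = sizeof text - 1;
    buf[0]  = (uint8_t)((2 << 3) | MODE_CONTROL);  /* LI=0, VN=2, mode 6 */
    buf[1]  = (uint8_t)(0x80 | (opcode & 0x1f));   /* R=1: this is a response */
    buf[2]  = (uint8_t)(seq >> 8);     buf[3]  = (uint8_t)seq;
    buf[4]  = 0;                       buf[5]  = 0;        /* status */
    buf[6]  = 0;                       buf[7]  = 0;        /* assoc 0 = system */
    buf[8]  = (uint8_t)(offset >> 8);  buf[9]  = (uint8_t)offset;
    buf[10] = (uint8_t)(claimed >> 8); buf[11] = (uint8_t)claimed;
    memcpy(buf + CTL_HDR_LEN, text, actual);
    return CTL_HDR_LEN + actual;
}

/* Verdict of ctl_parse_reply for a constructed reply to a READVAR request
 * that was sent with sequence number 0x1234. */
int verdict_for(uint16_t seq_in_reply, uint16_t offset,
                uint16_t claimed, size_t actual)
{
    uint8_t pkt[512];
    struct ctl_msg m;
    size_t n = build_reply(pkt, seq_in_reply, CTL_OP_READVAR, offset, claimed, actual);
    return ctl_parse_reply(pkt, n, 0x1234, CTL_OP_READVAR, &m);
}

int main(void)
{
    printf("well-formed reply:           %d\n", verdict_for(0x1234, 0, 40, 40));
    printf("count larger than datagram:  %d\n", verdict_for(0x1234, 0, 468, 40));
    printf("offset+count past window:    %d\n", verdict_for(0x1234, 460, 40, 40));
    printf("unsolicited sequence number: %d\n", verdict_for(0x9999, 0, 40, 40));
    return 0;
}
```

Call ctl_parse_reply on every datagram with the sequence number and opcode of the request that is still outstanding; anything other than 0 means the packet is dropped unread, before its data can reach any text-rendering routine. The main() above prints the verdicts for a well-formed reply, one whose count exceeds the datagram, one whose offset pushes past the reassembly window, and one carrying a sequence number the client never sent.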
\n\nCVE-2015-5194\n\n It was found that ntpd could crash due to an uninitialized variable\n when processing malformed logconfig configuration commands.\n\nCVE-2015-5195\n\n It was found that ntpd exits with a segmentation fault when a\n statistics type that was not enabled during compilation (e.g.\n timingstats) is referenced by the statistics or filegen\n configuration command.\n\nCVE-2015-5219\n\n It was discovered that the sntp program would hang in an infinite loop when\n a crafted NTP packet was received, related to the conversion of the\n precision value in the packet to double.\n\nCVE-2015-5300\n\n It was found that ntpd did not correctly implement the -g option:\n \n Normally, ntpd exits with a message to the system log if the offset\n exceeds the panic threshold, which is 1000 s by default. This\n option allows the time to be set to any value without restriction;\n however, this can happen only once. If the threshold is exceeded\n after that, ntpd will exit with a message to the system log. This\n option can be used with the -q and -x options.\n \n ntpd could actually step the clock multiple times by more than the\n panic threshold if its clock discipline doesn't have enough time to\n reach the sync state and stay there for at least one update. If a\n man-in-the-middle attacker can control the NTP traffic since ntpd\n was started (or maybe up to 15-30 minutes after that), they can\n prevent the client from reaching the sync state and force it to step\n its clock by any amount any number of times, which can be used by\n attackers to expire certificates, etc.\n \n This is contrary to what the documentation says. 
Normally, the\n assumption is that an MITM attacker can step the clock more than the\n panic threshold only once when ntpd starts and to make a larger\n adjustment the attacker has to divide it into multiple smaller\n steps, each taking 15 minutes, which is slow.\n\nCVE-2015-7691, CVE-2015-7692, CVE-2015-7702\n\n It was found that the fix for CVE-2014-9750 was incomplete: three\n issues were found in the value length checks in ntp_crypto.c, where\n a packet with particular autokey operations that contained malicious\n data was not always being completely validated. Receipt of these\n packets can cause ntpd to crash.\n\nCVE-2015-7701\n\n A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd is\n configured to use autokey authentication, an attacker could send\n packets to ntpd that would, after several days of ongoing attack,\n cause it to run out of memory.\n\nCVE-2015-7703\n\n Miroslav Lichv\u00e1r of Red Hat found that the :config command can be\n used to set the pidfile and driftfile paths without any\n restrictions. A remote attacker could use this flaw to overwrite a\n file on the file system with a file containing the pid of the ntpd\n process (immediately) or the current estimated drift of the system\n clock (in hourly intervals). For example:\n \n ntpq -c ':config pidfile /tmp/ntp.pid'\n ntpq -c ':config driftfile /tmp/ntp.drift'\n \n In Debian ntpd is configured to drop root privileges, which limits\n the impact of this issue.\n\nCVE-2015-7704\n\n When ntpd as an NTP client receives a Kiss-of-Death (KoD) packet\n from the server to reduce its polling rate, it doesn't check if the\n originate timestamp in the reply matches the transmit timestamp from\n its request. 
An off-path attacker can send a crafted KoD packet to\n the client, which will increase the client's polling interval to a\n large value and effectively disable synchronization with the server.\n\nCVE-2015-7850\n\n An exploitable denial of service vulnerability exists in the remote\n configuration functionality of the Network Time Protocol. A\n specially crafted configuration file could cause an endless loop\n resulting in a denial of service. An attacker could provide the\n malicious configuration file to trigger this vulnerability.\n\nCVE-2015-7851\n\n A potential path traversal vulnerability exists in the config file\n saving of ntpd on VMS. A specially crafted path could cause a path\n traversal potentially resulting in files being overwritten. An\n attacker could provide a malicious path to trigger this\n vulnerability.\n\n This issue does not affect Debian.\n\nCVE-2015-7852\n\n A potential off-by-one vulnerability exists in the cookedprint\n functionality of ntpq. A specially crafted buffer could cause a\n buffer overflow potentially resulting in a null byte being written out\n of bounds.\n\nCVE-2015-7855\n\n It was found that NTP's decodenetnum() would abort with an assertion\n failure when processing a mode 6 or mode 7 packet containing an\n unusually long data value where a network address was expected. This\n could allow an authenticated attacker to crash ntpd.\n\nCVE-2015-7871\n\n An error handling logic error exists within ntpd that manifests due\n to improper error condition handling associated with certain\n crypto-NAK packets. An unauthenticated, off-path attacker can force\n ntpd processes on targeted servers to peer with time sources of the\n attacker's choosing by transmitting symmetric active crypto-NAK\n packets to ntpd. 
This attack bypasses the authentication typically\n required to establish a peer association and allows an attacker to\n make arbitrary changes to system time.\n\n", "modified": "2015-10-28T20:45:22", "published": "2015-10-28T20:45:22", "id": "DEBIAN:DLA-335-1:922EB", "href": "https://lists.debian.org/debian-lts-announce/2015/debian-lts-announce-201510/msg00015.html", "title": "[SECURITY] [DLA 335-1] ntp security update", "type": "debian", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2019-02-16T02:08:32", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3388-1 security@debian.org\nhttps://www.debian.org/security/ Kurt Roeckx\nNovember 01, 2015 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : ntp\nCVE ID : CVE-2014-9750 CVE-2014-9751 CVE-2015-3405 CVE-2015-5146 \n CVE-2015-5194 CVE-2015-5195 CVE-2015-5219 CVE-2015-5300\n CVE-2015-7691 CVE-2015-7692 CVE-2015-7701 CVE-2015-7702\n CVE-2015-7703 CVE-2015-7704 CVE-2015-7850 CVE-2015-7852\n CVE-2015-7855 CVE-2015-7871\n\nSeveral vulnerabilities were discovered in the Network Time Protocol\ndaemon and utility programs:\n\nCVE-2015-5146\n\n A flaw was found in the way ntpd processed certain remote\n configuration packets. 
An attacker could use a specially crafted\n packet to cause ntpd to crash if:\n\n * ntpd enabled remote configuration\n * The attacker had knowledge of the configuration password\n * The attacker had access to a computer entrusted to perform remote\n configuration\n\n Note that remote configuration is disabled by default in NTP.\n\nCVE-2015-5194\n\n It was found that ntpd could crash due to an uninitialized\n variable when processing malformed logconfig configuration\n commands.\n\nCVE-2015-5195\n\n It was found that ntpd exits with a segmentation fault when a\n statistics type that was not enabled during compilation (e.g.\n timingstats) is referenced by the statistics or filegen\n configuration command.\n\nCVE-2015-5219\n\n It was discovered that the sntp program would hang in an infinite loop\n when a crafted NTP packet was received, related to the conversion\n of the precision value in the packet to double.\n\nCVE-2015-5300\n\n It was found that ntpd did not correctly implement the -g option:\n\n Normally, ntpd exits with a message to the system log if the offset\n exceeds the panic threshold, which is 1000 s by default. This\n option allows the time to be set to any value without restriction;\n however, this can happen only once. If the threshold is exceeded\n after that, ntpd will exit with a message to the system log. This\n option can be used with the -q and -x options.\n\n ntpd could actually step the clock multiple times by more than the\n panic threshold if its clock discipline doesn't have enough time to\n reach the sync state and stay there for at least one update. If a\n man-in-the-middle attacker can control the NTP traffic since ntpd\n was started (or maybe up to 15-30 minutes after that), they can\n prevent the client from reaching the sync state and force it to step\n its clock by any amount any number of times, which can be used by\n attackers to expire certificates, etc.\n\n This is contrary to what the documentation says. 
Normally, the\n assumption is that an MITM attacker can step the clock more than the\n panic threshold only once when ntpd starts and to make a larger\n adjustment the attacker has to divide it into multiple smaller\n steps, each taking 15 minutes, which is slow.\n\nCVE-2015-7691, CVE-2015-7692, CVE-2015-7702\n\n It was found that the fix for CVE-2014-9750 was incomplete: three\n issues were found in the value length checks in ntp_crypto.c, where\n a packet with particular autokey operations that contained malicious\n data was not always being completely validated. Receipt of these\n packets can cause ntpd to crash.\n\nCVE-2015-7701\n\n A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd is\n configured to use autokey authentication, an attacker could send\n packets to ntpd that would, after several days of ongoing attack,\n cause it to run out of memory.\n\nCVE-2015-7703\n\n Miroslav Lichvar of Red Hat found that the :config command can be\n used to set the pidfile and driftfile paths without any\n restrictions. A remote attacker could use this flaw to overwrite a\n file on the file system with a file containing the pid of the ntpd\n process (immediately) or the current estimated drift of the system\n clock (in hourly intervals). For example:\n\n ntpq -c ':config pidfile /tmp/ntp.pid'\n ntpq -c ':config driftfile /tmp/ntp.drift'\n\n In Debian ntpd is configured to drop root privileges, which limits\n the impact of this issue.\n\nCVE-2015-7704\n\n If ntpd as an NTP client receives a Kiss-of-Death (KoD) packet\n from the server to reduce its polling rate, it doesn't check if the\n originate timestamp in the reply matches the transmit timestamp from\n its request. 
An off-path attacker can send a crafted KoD packet to\n the client, which will increase the client's polling interval to a\n large value and effectively disable synchronization with the server.\n\nCVE-2015-7850\n\n An exploitable denial of service vulnerability exists in the remote\n configuration functionality of the Network Time Protocol. A\n specially crafted configuration file could cause an endless loop\n resulting in a denial of service. An attacker could provide the\n malicious configuration file to trigger this vulnerability.\n\nCVE-2015-7852\n\n A potential off-by-one vulnerability exists in the cookedprint\n functionality of ntpq. A specially crafted buffer could cause a\n buffer overflow potentially resulting in a null byte being written out\n of bounds.\n\nCVE-2015-7855\n\n It was found that NTP's decodenetnum() would abort with an assertion\n failure when processing a mode 6 or mode 7 packet containing an\n unusually long data value where a network address was expected. This\n could allow an authenticated attacker to crash ntpd.\n\nCVE-2015-7871\n\n An error handling logic error exists within ntpd that manifests due\n to improper error condition handling associated with certain\n crypto-NAK packets. An unauthenticated, off-path attacker can force\n ntpd processes on targeted servers to peer with time sources of the\n attacker's choosing by transmitting symmetric active crypto-NAK\n packets to ntpd. 
This attack bypasses the authentication typically\n required to establish a peer association and allows an attacker to\n make arbitrary changes to system time.\n\nFor the oldstable distribution (wheezy), these problems have been fixed\nin version 1:4.2.6.p5+dfsg-2+deb7u6.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 1:4.2.6.p5+dfsg-7+deb8u1.\n\nFor the testing distribution (stretch), these problems have been fixed\nin version 1:4.2.8p4+dfsg-3.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1:4.2.8p4+dfsg-3.\n\nWe recommend that you upgrade your ntp packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2015-11-01T22:21:19", "published": "2015-11-01T22:21:19", "id": "DEBIAN:DSA-3388-1:B971A", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00288.html", "title": "[SECURITY] [DSA 3388-1] ntp security update", "type": "debian", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "cisco": [{"lastseen": "2019-02-01T01:15:55", "bulletinFamily": "software", "description": "A vulnerability in the Network Time Protocol (NTP) daemon could allow an unauthenticated, remote attacker to cause a denial of service condition.\n\nThe vulnerability is due to improper memory operations performed by the affected software when handling private mode packets. An attacker could exploit the vulnerability by submitting a crafted NTP request to a targeted system. 
A successful exploit could allow the attacker to abnormally terminate the NTP process, leading to a denial of service condition for legitimate users.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow a local attacker to cause memory corruption.\n\nThe vulnerability is due to improper memory operations performed by the affected software when handling crafted refclock drivers. An attacker could exploit the vulnerability by loading a crafted refclock driver. A successful exploit could allow the attacker to cause memory corruption on the targeted system.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an authenticated, remote attacker to bypass security restrictions.\n\nThe vulnerability is due to improper memory operations performed by the affected software when handling key files. An attacker could exploit the vulnerability by submitting a crafted Network Time Protocol (NTP) request to a targeted system. A successful exploit could allow the attacker to bypass security restrictions.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected system.\n\nThe vulnerability is due to improper processing of Network Time Protocol (NTP) packets when processing configuration files. An attacker could exploit this vulnerability by sending a malicious configuration file to a targeted system. If successful, the attacker could cause the service to fail, leading to a DoS condition for legitimate users.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.\n\nThe vulnerability is due to improper boundary checking when performing memory operations. 
An unauthenticated, remote attacker could exploit the vulnerability by sending malicious requests to a targeted system, triggering a memory operation that could result in an off-by-one error. If successful, the attacker could cause memory corruption that could result in a DoS condition.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an unauthenticated, remote attacker to cause memory corruption.\n\nThe vulnerability is due to improper memory operations performed by the affected software when handling crafted key files. An attacker could exploit the vulnerability by submitting a crafted password to the affected software. A successful exploit could allow the attacker to cause memory corruption on the targeted system.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an unauthenticated, remote attacker to conduct directory traversal attacks.\n\nThe vulnerability is due to improper handling of directory traversal character sequences. An unauthenticated, remote attacker could exploit the vulnerability by sending requests containing directory traversal character sequences to the targeted system. If successful, the attacker could write to arbitrary locations on the targeted system.\n\nA vulnerability in the Network Time Protocol daemon could allow an unauthenticated, remote attacker to bypass authentication restrictions and gain unauthorized access to the affected application.\n\nThe vulnerability is due to improper authentication checks when establishing symmetric peer relationships. An unauthenticated, remote attacker could exploit the vulnerability by sending malicious peer requests to the targeted system.\n\nA vulnerability in the Network Time Protocol daemon could allow an unauthenticated, remote attacker to bypass security protections.\n\nThe vulnerability is due to improper validation of user-supplied input. 
An unauthenticated, remote attacker could exploit the vulnerability by sending malicious requests to the targeted system.\n\nA vulnerability in the Network Time Protocol daemon could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.\n\nThe vulnerability is due to improper handling of user-supplied input. An unauthenticated, remote attacker could exploit the vulnerability by sending malicious requests to the targeted system.\n\nA vulnerability in the Network Time Protocol daemon could allow an unauthenticated, remote attacker to modify the application configuration.\n\nThe vulnerability is due to improper validation of user-supplied input. An unauthenticated, remote attacker could exploit the vulnerability by sending malicious requests to the targeted system.\n\nMultiple Cisco products incorporate a version of the ntpd package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition or modify the time being advertised by a device acting as a network time protocol (NTP) server.\n\nOn October 21st, 2015, NTP.org released a security advisory detailing 13 issues regarding multiple DoS vulnerabilities, information disclosure vulnerabilities, and logic issues that may result in an attacker gaining the ability to modify an NTP server's advertised time. 
The vulnerabilities covered in this document are as follows: \n\n CVE-2015-7691 - Denial of Service AutoKey Malicious Message\n CVE-2015-7692 - Denial of Service AutoKey Malicious Message\n CVE-2015-7701 - Denial of Service CRYPTO_ASSOC Memory Leak\n CVE-2015-7702 - Denial of Service AutoKey Malicious Message\n CVE-2015-7703 - Configuration Directive File Overwrite Vulnerability\n CVE-2015-7704 - Denial of Service by Spoofed Kiss-o'-Death\n CVE-2015-7705 - Denial of Service by Priming the Pump\n CVE-2015-7848 - Network Time Protocol ntpd Multiple Integer Overflow Read Access Violations\n CVE-2015-7849 - Network Time Protocol Trusted Keys Memory Corruption Vulnerability\n CVE-2015-7850 - Network Time Protocol Remote Configuration Denial of Service Vulnerability\n CVE-2015-7851 - Network Time Protocol ntpd saveconfig Directory Traversal Vulnerability\n CVE-2015-7852 - Network Time Protocol ntpq atoascii Memory Corruption Vulnerability\n CVE-2015-7853 - Network Time Protocol Reference Clock Memory Corruption Vulnerability\n CVE-2015-7854 - Network Time Protocol Password Length Memory Corruption Vulnerability\n CVE-2015-7855 - Denial of Service Long Control Packet Message\n CVE-2015-7871 - NAK to the Future: NTP Symmetric Association Authentication Bypass Vulnerability\n\nAdditional details on each of the vulnerabilities can be found at the following links:\n\nOfficial Security Advisory from ntp.org: Security Notice, http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities\n\nBoston University: Attacking the Network Time Protocol, http://www.cs.bu.edu/~goldbe/NTPattack.html\n\nCisco TALOS: TALOS Vulnerability Reports, http://talosintel.com/vulnerability-reports/\n\nCisco will release software updates that address these vulnerabilities.\n\nWorkarounds that mitigate one or more of the vulnerabilities may be available for certain products; see the individual Cisco Bug IDs for details. 
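CVE-2015-7852 in the list above is the ntpq issue that this page's F5 advisory tracks: ntpq turns the bytes of a mode 6 response into printable text, and the conversion could place the terminating NUL one byte past the output buffer. The following is an added example, not ntpq's cookedprint or atoascii code and not taken from Cisco or any other advisory on this page. It shows a constructed conversion routine with that class of off-by-one beside a hardened version that reserves the terminator up front and never emits a partial escape. The \xHH escape format, the helper names and the constructed payloads are this example's assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration of the CVE-2015-7852 bug class: an off-by-one NUL write
 * while rendering untrusted response bytes as printable text. Not ntpq's
 * cookedprint/atoascii code; the \xHH escape format is an assumption. */

static const char HEX[] = "0123456789abcdef";

/* Constructed vulnerable form. Every payload write is bounds-checked, but the
 * terminator written after the loop is not: once the loop has filled all
 * outlen bytes, the NUL lands at out[outlen], one byte past the buffer.
 * Returns the index at which the NUL was written. */
size_t atoascii_unsafe(const unsigned char *in, size_t inlen,
                       char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen && o < outlen; i++) {
        unsigned char c = in[i];
        if (c >= 0x20 && c < 0x7f) {
            out[o++] = (char)c;
        } else {
            out[o++] = '\\';
            if (o < outlen) out[o++] = 'x';
            if (o < outlen) out[o++] = HEX[c >> 4];
            if (o < outlen) out[o++] = HEX[c & 0x0f];
        }
    }
    out[o] = '\0';                  /* BUG: o == outlen is reachable here */
    return o;
}

/* Hardened form: reserve the terminator before the loop, refuse to emit a
 * partial escape, and return the produced length so callers can detect
 * truncation. */
size_t atoascii_safe(const unsigned char *in, size_t inlen,
                     char *out, size_t outlen)
{
    if (outlen == 0)
        return 0;
    const size_t limit = outlen - 1;        /* last slot belongs to the NUL */
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        unsigned char c = in[i];
        if (c >= 0x20 && c < 0x7f) {
            if (o + 1 > limit)
                break;
            out[o++] = (char)c;
        } else {
            if (o + 4 > limit)              /* \xHH needs four bytes */
                break;
            out[o++] = '\\';
            out[o++] = 'x';
            out[o++] = HEX[c >> 4];
            out[o++] = HEX[c & 0x0f];
        }
    }
    out[o] = '\0';                          /* o <= limit < outlen: in bounds */
    return o;
}

/* Demonstration: feed payload_len printable bytes to the unsafe routine with
 * a declared buffer of declared_len bytes. The backing array is one byte
 * larger than any declared length accepted here, so the demonstration stays
 * within defined behaviour while still showing where the NUL went.
 * Returns 1 when the NUL was written at out[declared_len], i.e. past the end. */
int unsafe_writes_past_end(size_t payload_len, size_t declared_len)
{
    unsigned char payload[64];
    char backing[65];
    if (payload_len > sizeof payload || declared_len > sizeof payload)
        return -1;
    memset(payload, 'A', sizeof payload);            /* constructed input */
    size_t nul_at = atoascii_unsafe(payload, payload_len, backing, declared_len);
    return nul_at == declared_len;
}

/* Demonstration: render a constructed payload mixing printable and
 * non-printable bytes into an outlen-byte buffer with the hardened routine,
 * and report whether the result equals `expected`. */
int safe_renders_as(size_t outlen, const char *expected)
{
    const unsigned char payload[] = { 'r', 'v', ' ', 0x01, 0xff };  /* constructed */
    char buf[64];
    if (outlen > sizeof buf)
        return 0;
    size_t n = atoascii_safe(payload, sizeof payload, buf, outlen);
    return n == strlen(expected) && strcmp(buf, expected) == 0;
}

int main(void)
{
    char buf[16];
    const unsigned char payload[] = { 'r', 'v', ' ', 0x01, 0xff };
    size_t n = atoascii_safe(payload, sizeof payload, buf, sizeof buf);
    printf("hardened: %zu bytes -> %s\n", n, buf);
    printf("unsafe NUL written past a 16-byte buffer: %s\n",
           unsafe_writes_past_end(16, 16) ? "yes" : "no");
    return 0;
}
```

The unsafe routine is only ever called through unsafe_writes_past_end, which hands it a backing array one byte larger than the length it declares; that is what lets the example report the out-of-bounds index instead of corrupting memory. The hardened routine's return value is the second half of the fix: a caller that compares it with the input length learns that output was truncated, rather than silently printing a shortened value for a variable received over the network.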
\n\nThis advisory is available at the following link:\n\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151021-ntp\n\nA vulnerability in the Network Time Protocol daemon could allow an\nunauthenticated, remote attacker to cause a denial of service (DoS)\ncondition.\n\nThe vulnerability is due to improper validation of\nuser-supplied input. An unauthenticated, remote attacker could exploit\nthe vulnerability by sending malicious requests to the targeted system.", "modified": "2016-01-27T19:20:38", "published": "2015-10-21T23:00:00", "id": "CISCO-SA-20151021-NTP", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151021-ntp", "type": "cisco", "title": "Multiple Vulnerabilities in ntpd Affecting Cisco Products - October 2015", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2018-08-31T01:14:31", "bulletinFamily": "unix", "description": "\nntp.org reports:\n\nNTF's NTP Project has been notified of the following 13 low-\n\t and medium-severity vulnerabilities that are fixed in\n\t ntp-4.2.8p4, released on Wednesday, 21 October 2015:\n\nBug 2941 CVE-2015-7871 NAK to the Future: Symmetric\n\t\tassociation authentication bypass via crypto-NAK\n\t\t(Cisco ASIG)\nBug 2922 CVE-2015-7855 decodenetnum() will ASSERT botch\n\t\tinstead of returning FAIL on some bogus values (IDA)\nBug 2921 CVE-2015-7854 Password Length Memory Corruption\n\t\tVulnerability. (Cisco TALOS)\nBug 2920 CVE-2015-7853 Invalid length data provided by a\n\t\tcustom refclock driver could cause a buffer overflow.\n\t\t(Cisco TALOS)\nBug 2919 CVE-2015-7852 ntpq atoascii() Memory Corruption\n\t\tVulnerability. (Cisco TALOS)\nBug 2918 CVE-2015-7851 saveconfig Directory Traversal\n\t\tVulnerability. 
(OpenVMS) (Cisco TALOS)\nBug 2917 CVE-2015-7850 remote config logfile-keyfile.\n\t\t(Cisco TALOS)\nBug 2916 CVE-2015-7849 trusted key use-after-free.\n\t\t(Cisco TALOS)\nBug 2913 CVE-2015-7848 mode 7 loop counter underrun.\n\t\t(Cisco TALOS)\nBug 2909 CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC.\n\t\t(Tenable)\nBug 2902 : CVE-2015-7703 configuration directives \"pidfile\"\n\t\tand \"driftfile\" should only be allowed locally. (RedHat)\nBug 2901 : CVE-2015-7704, CVE-2015-7705 Clients that\n\t\treceive a KoD should validate the origin timestamp field.\n\t\t(Boston University)\nBug 2899 : CVE-2015-7691, CVE-2015-7692, CVE-2015-7702\n\t\tIncomplete autokey data packet length checks. (Tenable)\n\nThe only generally-exploitable bug in the above list is the\n\t crypto-NAK bug, which has a CVSS2 score of 6.4.\nAdditionally, three bugs that have already been fixed in\n\t ntp-4.2.8 but were not fixed in ntp-4.2.6 as it was EOL'd\n\t have a security component, but are all below 1.8 CVSS score,\n\t so we're reporting them here:\n\nBug 2382 : Peer precision < -31 gives division by zero\nBug 1774 : Segfaults if cryptostats enabled when built\n\t\twithout OpenSSL\nBug 1593 : ntpd abort in free() with logconfig syntax error\n\n\n", "modified": "2016-08-09T00:00:00", "published": "2015-10-21T00:00:00", "id": "C4A18A12-77FC-11E5-A687-206A8A720317", "href": "https://vuxml.freebsd.org/freebsd/c4a18a12-77fc-11e5-a687-206a8a720317.html", "title": "ntp -- 13 low- and medium-severity vulnerabilities", "type": "freebsd", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "slackware": [{"lastseen": "2018-08-31T02:37:10", "bulletinFamily": "unix", "description": "New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\nand -current to fix security issues.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/ntp-4.2.8p4-i486-1_slack14.1.txz: Upgraded.\n In addition to bug fixes and enhancements, this 
release fixes\n several low and medium severity vulnerabilities.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9750\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5196\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! 
:-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/ntp-4.2.8p4-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/ntp-4.2.8p4-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/ntp-4.2.8p4-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/ntp-4.2.8p4-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/ntp-4.2.8p4-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/ntp-4.2.8p4-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/ntp-4.2.8p4-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/ntp-4.2.8p4-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/ntp-4.2.8p4-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/ntp-4.2.8p4-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/ntp-4.2.8p4-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/ntp-4.2.8p4-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 13.0 package:\n21dd14178fea17a88c9326c8672ecefd 
ntp-4.2.8p4-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\n8647479b2007b92ff8598184f2275263 ntp-4.2.8p4-x86_64-1_slack13.0.txz\n\nSlackware 13.1 package:\ne0f122e8e271dc84db06202c03cc0288 ntp-4.2.8p4-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 package:\ndb0aff04b72b3d8c96ca8c8e1ed36c05 ntp-4.2.8p4-x86_64-1_slack13.1.txz\n\nSlackware 13.37 package:\n5914e43e886e5ff88fefd30083493e30 ntp-4.2.8p4-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 package:\n4335c3bf2ae24afc5ad734e8d80b3e94 ntp-4.2.8p4-x86_64-1_slack13.37.txz\n\nSlackware 14.0 package:\n39b05698797b638b67130e0b170e0a4b ntp-4.2.8p4-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\ndcf4a56ba1d013ee1c9d0e624e158709 ntp-4.2.8p4-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\n1fd3a7beaf23303e2c211af377662614 ntp-4.2.8p4-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\n438c3185aa8ec20d1c2b5e51786e4d41 ntp-4.2.8p4-x86_64-1_slack14.1.txz\n\nSlackware -current package:\n81bfb2fed450cb26a51b5e1cee0d33ed n/ntp-4.2.8p4-i586-1.txz\n\nSlackware x86_64 -current package:\n8bae4ad633af40d4d54b7686e4b225f9 n/ntp-4.2.8p4-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg ntp-4.2.8p4-i486-1_slack14.1.txz\n\nThen, restart the NTP daemon:\n\n > sh /etc/rc.d/rc.ntpd restart", "modified": "2015-10-29T15:49:05", "published": "2015-10-29T15:49:05", "id": "SSA-2015-302-03", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.581166", "title": "ntp", "type": "slackware", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "suse": [{"lastseen": "2016-09-04T12:46:49", "bulletinFamily": "unix", "description": "This network time protocol server ntp was updated to 4.2.8p6 to fix the\n following issues:\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n Major functional changes:\n - The "sntp" commandline tool changed its option handling in a 
major way.\n - "controlkey 1" is added during update to ntp.conf to allow sntp to work.\n - The local clock is being disabled during update.\n - ntpd is no longer running chrooted.\n\n\n Other functional changes:\n - ntp-signd is installed.\n - "enable mode7" can be added to the configuration to allow ntpdc to work\n as compatibility mode option.\n - "kod" was removed from the default restrictions.\n - SHA1 keys are used by default instead of MD5 keys.\n\n These security issues were fixed:\n - CVE-2015-5219: An endless loop due to incorrect precision to double\n conversion (bsc#943216).\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n - CVE-2015-7871: NAK to the Future: Symmetric association authentication\n bypass via crypto-NAK (bsc#951608).\n - CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning\n FAIL on some bogus values (bsc#951608).\n - CVE-2015-7854: Password Length Memory Corruption Vulnerability\n (bsc#951608).\n - CVE-2015-7853: Invalid length data provided by a custom refclock 
driver\n could cause a buffer overflow (bsc#951608).\n - CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability\n (bsc#951608).\n - CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#951608).\n - CVE-2015-7850: remote config logfile-keyfile (bsc#951608).\n - CVE-2015-7849: trusted key use-after-free (bsc#951608).\n - CVE-2015-7848: mode 7 loop counter underrun (bsc#951608).\n - CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#951608).\n - CVE-2015-7703: configuration directives "pidfile" and "driftfile" should\n only be allowed locally (bsc#951608).\n - CVE-2015-7704, CVE-2015-7705: Clients that receive a KoD should validate\n the origin timestamp field (bsc#951608).\n - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702: Incomplete autokey data\n packet length checks (bsc#951608).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. 
When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n - Add a controlkey line to /etc/ntp.conf if one does not already exist to\n allow runtime configuration via ntpq.\n - bsc#946386: Temporarily disable memlock to avoid problems due to high\n memory usage during name resolution.\n - bsc#905885: Use SHA1 instead of MD5 for symmetric keys.\n - Improve runtime configuration:\n * Read keytype from ntp.conf\n * Don't write ntp keys to syslog.\n - Fix legacy action scripts to pass on command line arguments.\n - bsc#944300: Remove "kod" from the restrict line in ntp.conf.\n - bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.\n - Don't let "keysdir" lines in ntp.conf trigger the "keys" parser.\n - Disable mode 7 (ntpdc) again, now that we don't use it anymore.\n - Add "addserver" as a new legacy action.\n - bsc#910063: Fix the comment regarding addserver in ntp.conf.\n - bsc#926510: Disable chroot by default.\n - bsc#920238: Enable ntpdc for backwards compatibility.\n - bsc#784760: Remove local clock from default configuration.\n - bsc#942441/fate#319496: Require perl-Socket6.\n - Improve runtime configuration:\n * Read keytype from ntp.conf\n * Don't write ntp keys to syslog.\n - bsc#920183: Allow -4 and -6 address qualifiers in "server" directives.\n - Use upstream ntp-wait, because our version is incompatible with the new\n ntpq command line syntax.\n\n", "modified": "2016-05-17T15:09:17", "published": "2016-05-17T15:09:17", "id": "SUSE-SU-2016:1311-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00048.html", "type": "suse", 
"title": "Security update for ntp (important)", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T12:27:22", "bulletinFamily": "unix", "description": "ntp was updated to version 4.2.8p6 to fix 28 security issues.\n\n Major functional changes:\n - The "sntp" commandline tool changed its option handling in a major way,\n some options have been renamed or dropped.\n - "controlkey 1" is added during update to ntp.conf to allow sntp to work.\n - The local clock is being disabled during update.\n - ntpd is no longer running chrooted.\n\n Other functional changes:\n - ntp-signd is installed.\n - "enable mode7" can be added to the configuration to allow ntpdc to work\n as compatibility mode option.\n - "kod" was removed from the default restrictions.\n - SHA1 keys are used by default instead of MD5 keys.\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n These security issues were fixed:\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger 
than the panic threshold (bsc#951629).\n - CVE-2015-7871: NAK to the Future: Symmetric association authentication\n bypass via crypto-NAK (bsc#951608).\n - CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning\n FAIL on some bogus values (bsc#951608).\n - CVE-2015-7854: Password Length Memory Corruption Vulnerability\n (bsc#951608).\n - CVE-2015-7853: Invalid length data provided by a custom refclock driver\n could cause a buffer overflow (bsc#951608).\n - CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability\n (bsc#951608).\n - CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#951608).\n - CVE-2015-7850: remote config logfile-keyfile (bsc#951608).\n - CVE-2015-7849: trusted key use-after-free (bsc#951608).\n - CVE-2015-7848: mode 7 loop counter underrun (bsc#951608).\n - CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#951608).\n - CVE-2015-7703: configuration directives "pidfile" and "driftfile" should\n only be allowed locally (bsc#951608).\n - CVE-2015-7704, CVE-2015-7705: Clients that receive a KoD should validate\n the origin timestamp field (bsc#951608).\n - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702: Incomplete autokey data\n packet length checks (bsc#951608).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. 
When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n - Add a controlkey line to /etc/ntp.conf if one does not already exist to\n allow runtime configuration via ntpq.\n - bsc#946386: Temporarily disable memlock to avoid problems due to high\n memory usage during name resolution.\n - bsc#905885: Use SHA1 instead of MD5 for symmetric keys.\n - Improve runtime configuration:\n * Read keytype from ntp.conf\n * Don't write ntp keys to syslog.\n - Fix legacy action scripts to pass on command line arguments.\n - bsc#944300: Remove "kod" from the restrict line in ntp.conf.\n - bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.\n - Add a controlkey to ntp.conf to make the above work.\n - Don't let "keysdir" lines in ntp.conf trigger the "keys" parser.\n - Disable mode 7 (ntpdc) again, now that we don't use it anymore.\n - Add "addserver" as a new legacy action.\n - bsc#910063: Fix the comment regarding addserver in ntp.conf.\n - bsc#926510: Disable chroot by default.\n - bsc#920238: Enable ntpdc for backwards compatibility.\n\n", "modified": "2016-05-06T13:07:50", "published": "2016-05-06T13:07:50", "id": "SUSE-SU-2016:1247-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00020.html", "title": "Security update for ntp (important)", "type": "suse", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T11:46:06", "bulletinFamily": "unix", "description": "NTP was updated to version 4.2.8p8 to fix several security issues and to\n ensure the continued maintainability of 
the package.\n\n These security issues were fixed:\n\n * CVE-2016-4953: Bad authentication demobilized ephemeral associations\n (bsc#982065).\n * CVE-2016-4954: Processing spoofed server packets (bsc#982066).\n * CVE-2016-4955: Autokey association reset (bsc#982067).\n * CVE-2016-4956: Broadcast interleave (bsc#982068).\n * CVE-2016-4957: CRYPTO_NAK crash (bsc#982064).\n * CVE-2016-1547: Validate crypto-NAKs to prevent ACRYPTO-NAK DoS\n (bsc#977459).\n * CVE-2016-1548: Prevent the change of time of an ntpd client or\n denying service to an ntpd client by forcing it to change from basic\n client/server mode to interleaved symmetric mode (bsc#977461).\n * CVE-2016-1549: Sybil vulnerability: ephemeral association attack\n (bsc#977451).\n * CVE-2016-1550: Improve security against buffer comparison timing\n attacks (bsc#977464).\n * CVE-2016-1551: Refclock impersonation vulnerability (bsc#977450).\n * CVE-2016-2516: Duplicate IPs on unconfig directives could have\n caused an assertion botch in ntpd (bsc#977452).\n * CVE-2016-2517: Remote configuration trustedkey/\n requestkey/controlkey values are not properly validated (bsc#977455).\n * CVE-2016-2518: Crafted addpeer with hmode > 7 causes array\n wraparound with MATCH_ASSOC (bsc#977457).\n * CVE-2016-2519: ctl_getitem() return value not always checked\n (bsc#977458).\n * CVE-2015-8158: Potential Infinite Loop in ntpq (bsc#962966).\n * CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n * CVE-2015-7979: Off-path Denial of Service (DoS) attack on\n authenticated broadcast mode (bsc#962784).\n * CVE-2015-7978: Stack exhaustion in recursive traversal of\n restriction list (bsc#963000).\n * CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n * CVE-2015-7976: ntpq saveconfig command allowed dangerous characters\n in filenames (bsc#962802).\n * CVE-2015-7975: nextvar() missing length check (bsc#962988).\n * CVE-2015-7974: NTP did not verify peer associations of symmetric\n keys when authenticating packets, 
which might have allowed remote\n attackers to conduct impersonation attacks via an arbitrary trusted\n key, aka a "skeleton" key (bsc#962960).\n * CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n * CVE-2015-5300: MITM attacker can force ntpd to make a step larger\n than the panic threshold (bsc#951629).\n * CVE-2015-5194: Crash with crafted logconfig configuration command\n (bsc#943218).\n * CVE-2015-7871: NAK to the Future: Symmetric association\n authentication bypass via crypto-NAK (bsc#952611).\n * CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning\n FAIL on some bogus values (bsc#952611).\n * CVE-2015-7854: Password Length Memory Corruption Vulnerability\n (bsc#952611).\n * CVE-2015-7853: Invalid length data provided by a custom refclock\n driver could cause a buffer overflow (bsc#952611).\n * CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability\n (bsc#952611).\n * CVE-2015-7851: saveconfig Directory Traversal Vulnerability\n (bsc#952611).\n * CVE-2015-7850: Clients that receive a KoD now validate the origin\n timestamp field (bsc#952611).\n * CVE-2015-7849: Prevent use-after-free trusted key (bsc#952611).\n * CVE-2015-7848: Prevent mode 7 loop counter underrun (bsc#952611).\n * CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#952611).\n * CVE-2015-7703: Configuration directives "pidfile" and "driftfile"\n should only be allowed locally (bsc#943221).\n * CVE-2015-7704: Clients that receive a KoD should validate the origin\n timestamp field (bsc#952611).\n * CVE-2015-7705: Clients that receive a KoD should validate the origin\n timestamp field (bsc#952611).\n * CVE-2015-7691: Incomplete autokey data packet length checks\n (bsc#952611).\n * CVE-2015-7692: Incomplete autokey data packet length checks\n (bsc#952611).\n * CVE-2015-7702: Incomplete autokey data packet length checks\n (bsc#952611).\n * CVE-2015-1798: The symmetric-key feature in the receive function in\n ntp_proto.c in ntpd in NTP 
required a correct MAC only if the MAC\n field has a nonzero length, which made it easier for\n man-in-the-middle attackers to spoof packets by omitting the MAC\n (bsc#924202).\n * CVE-2015-1799: The symmetric-key feature in the receive function in\n ntp_proto.c in ntpd in NTP performed state-variable updates upon\n receiving certain invalid packets, which made it easier for\n man-in-the-middle attackers to cause a denial of service\n (synchronization loss) by spoofing the source IP address of a peer\n (bsc#924202).\n\n These non-security issues were fixed:\n\n * Keep the parent process alive until the daemon has finished\n initialisation, to make sure that the PID file exists when the\n parent returns.\n * bsc#979302: Change the process name of the forking DNS worker\n process to avoid the impression that ntpd is started twice.\n * bsc#981422: Don't ignore SIGCHILD because it breaks wait().\n * Separate the creation of ntp.keys and key #1 in it to avoid problems\n when upgrading installations that have the file, but no key #1,\n which is needed e.g. by "rcntp addserver".\n * bsc#957226: Restrict the parser in the startup script to the first\n occurrence of "keys" and "controlkey" in ntp.conf.\n * Enable compile-time support for MS-SNTP (--enable-ntp-signd)\n * bsc#975496: Fix ntp-sntp-dst.patch.\n * bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. 
When run as cron job, /usr/sbin/ is not in the path,\n which caused the synchronization to fail.\n * bsc#782060: Speedup ntpq.\n * bsc#951559: Fix the TZ offset output of sntp during DST.\n * bsc#916617: Add /var/db/ntp-kod.\n * bsc#951351: Add ntp-ENOBUFS.patch to limit a warning that might\n happen quite a lot on loaded systems.\n * Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n * bnc#784760: Remove local clock from default configuration.\n * Fix incomplete backporting of "rcntp ntptimemset".\n * bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.\n * Don't let "keysdir" lines in ntp.conf trigger the "keys" parser.\n * bsc#910063: Fix the comment regarding addserver in ntp.conf.\n * bsc#944300: Remove "kod" from the restrict line in ntp.conf.\n * bsc#905885: Use SHA1 instead of MD5 for symmetric keys.\n * bsc#926510: Re-add chroot support, but mark it as deprecated and\n disable it by default.\n * bsc#920895: Drop support for running chrooted, because it is an\n ongoing source of problems and not really needed anymore, given that\n ntp now drops privileges and runs under apparmor.\n * bsc#920183: Allow -4 and -6 address qualifiers in "server"\n directives.\n * Use upstream ntp-wait, because our version is incompatible with the\n new ntpq command line syntax.\n * bsc#920905: Adjust Util.pm to the Perl version on SLE11.\n * bsc#920238: Enable ntpdc for backwards compatibility.\n * bsc#920893: Don't use %exclude.\n * bsc#988417: Default to NTPD_FORCE_SYNC_ON_STARTUP="yes"\n * bsc#988565: Ignore errors when removing extra files during\n uninstallation\n * bsc#988558: Don't blindly guess the value to use for IP_TOS\n\n Security Issues:\n\n * CVE-2016-4953\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953</a>>\n * CVE-2016-4954\n <<a rel=\"nofollow\" 
href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954</a>>\n * CVE-2016-4955\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955</a>>\n * CVE-2016-4956\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956</a>>\n * CVE-2016-4957\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4957\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4957</a>>\n * CVE-2016-1547\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1547\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1547</a>>\n * CVE-2016-1548\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548</a>>\n * CVE-2016-1549\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549</a>>\n * CVE-2016-1550\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550</a>>\n * CVE-2016-1551\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1551\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1551</a>>\n * CVE-2016-2516\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516</a>>\n * CVE-2016-2517\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2517\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2517</a>>\n * CVE-2016-2518\n <<a rel=\"nofollow\" 
href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518</a>>\n * CVE-2016-2519\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2519\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2519</a>>\n * CVE-2015-8158\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158</a>>\n * CVE-2015-8138\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138</a>>\n * CVE-2015-7979\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979</a>>\n * CVE-2015-7978\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978</a>>\n * CVE-2015-7977\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977</a>>\n * CVE-2015-7976\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976</a>>\n * CVE-2015-7975\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975</a>>\n * CVE-2015-7974\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974</a>>\n * CVE-2015-7973\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973</a>>\n * CVE-2015-5300\n <<a rel=\"nofollow\" 
href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300</a>>\n * CVE-2015-5194\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5194\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5194</a>>\n * CVE-2015-7871\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871</a>>\n * CVE-2015-7855\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855</a>>\n * CVE-2015-7854\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854</a>>\n * CVE-2015-7853\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853</a>>\n * CVE-2015-7852\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852</a>>\n * CVE-2015-7851\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851</a>>\n * CVE-2015-7850\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850</a>>\n * CVE-2015-7849\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849</a>>\n * CVE-2015-7848\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848</a>>\n * CVE-2015-7701\n <<a rel=\"nofollow\" 
href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701</a>>\n * CVE-2015-7703\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703</a>>\n * CVE-2015-7704\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704</a>>\n * CVE-2015-7705\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705</a>>\n * CVE-2015-7691\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691</a>>\n * CVE-2015-7692\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692</a>>\n * CVE-2015-7702\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702</a>>\n * CVE-2015-1798\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798</a>>\n * CVE-2015-1799\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799</a>>\n\n\n", "modified": "2016-07-29T19:08:48", "published": "2016-07-29T19:08:48", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00026.html", "id": "SUSE-SU-2016:1912-1", "title": "Security update for ntp (important)", "type": "suse", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-09-04T12:46:49", "bulletinFamily": "unix", "description": "The YaST2 NTP Client was updated to 
handle the presence of both xntp and\n ntp packages.\n\n If none are installed, "ntp" will be installed.\n\n Security Issues:\n\n * CVE-2016-4953\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953</a>>\n * CVE-2016-4954\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954</a>>\n * CVE-2016-4955\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955</a>>\n * CVE-2016-4956\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956</a>>\n * CVE-2016-4957\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4957\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4957</a>>\n * CVE-2016-1547\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1547\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1547</a>>\n * CVE-2016-1548\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548</a>>\n * CVE-2016-1549\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549</a>>\n * CVE-2016-1550\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550</a>>\n * CVE-2016-1551\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1551\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1551</a>>\n * CVE-2016-2516\n <<a rel=\"nofollow\" 
href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516</a>>\n * CVE-2016-2517\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2517\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2517</a>>\n * CVE-2016-2518\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518</a>>\n * CVE-2016-2519\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2519\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2519</a>>\n * CVE-2015-8158\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158</a>>\n * CVE-2015-8138\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138</a>>\n * CVE-2015-7979\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979</a>>\n * CVE-2015-7978\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978</a>>\n * CVE-2015-7977\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977</a>>\n * CVE-2015-7976\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976</a>>\n * CVE-2015-7975\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975</a>>\n * CVE-2015-7974\n <<a rel=\"nofollow\" 
href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974</a>>\n * CVE-2015-7973\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973</a>>\n * CVE-2015-5300\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300</a>>\n * CVE-2015-5194\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5194\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5194</a>>\n * CVE-2015-7871\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871</a>>\n * CVE-2015-7855\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855</a>>\n * CVE-2015-7854\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854</a>>\n * CVE-2015-7853\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853</a>>\n * CVE-2015-7852\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852</a>>\n * CVE-2015-7851\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851</a>>\n * CVE-2015-7850\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850</a>>\n * CVE-2015-7849\n <<a rel=\"nofollow\" 
href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849</a>>\n * CVE-2015-7848\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848</a>>\n * CVE-2015-7701\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701</a>>\n * CVE-2015-7703\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703</a>>\n * CVE-2015-7704\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704</a>>\n * CVE-2015-7705\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705</a>>\n * CVE-2015-7691\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691</a>>\n * CVE-2015-7692\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692</a>>\n * CVE-2015-7702\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702</a>>\n * CVE-2015-1798\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798</a>>\n * CVE-2015-1799\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799</a>>\n\n\n", "modified": "2016-08-17T21:08:25", "published": "2016-08-17T21:08:25", "href": 
"http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00042.html", "id": "SUSE-SU-2016:2094-1", "type": "suse", "title": "Security update for yast2-ntp-client (important)", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "gentoo": [{"lastseen": "2016-09-06T19:47:00", "bulletinFamily": "unix", "description": "### Background\n\nNTP contains software for the Network Time Protocol.\n\n### Description\n\nMultiple vulnerabilities have been discovered in NTP. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly cause a Denial of Service condition.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll NTP users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/ntp-4.2.8_p8\"", "modified": "2016-07-20T00:00:00", "published": "2016-07-20T00:00:00", "id": "GLSA-201607-15", "href": "https://security.gentoo.org/glsa/201607-15", "type": "gentoo", "title": "NTP: Multiple vulnerabilities", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "ics": [{"lastseen": "2018-08-31T01:37:32", "bulletinFamily": "info", "description": "### **CVSS v3 10.0**\n\n**ATTENTION:** Remotely exploitable/low skill level to exploit.\n\n**Vendor:** Rockwell Automation\n\n**Equipment:** Stratix 5900\n\n**Vulnerabilities:** Improper Input Validation, Resource Management Errors, Improper Authentication, Path Traversal.\n\n## REPOSTED INFORMATION\n\nThis advisory was originally posted to the NCCIC Portal on April 4, 2017, and is being released to the NCCIC/ICS-CERT web site.\n\n## AFFECTED PRODUCTS\n\nRockwell Automation reports that these vulnerabilities affect the following Stratix 5900 Services Routers:\n\n * Stratix 5900, All Versions prior to 15.6.3.\n\n## IMPACT\n\nAn attacker who exploits these vulnerabilities may be able to perform man-in-the-middle 
attacks, create denial of service conditions, or remotely execute arbitrary code.\n\n## MITIGATION\n\nRockwell Automation has provided a new firmware version, Version 15.6.3, to mitigate these vulnerabilities.\n\nRockwell Automation encourages users of the affected versions to update to the latest available software versions addressing the associated risk, and including improvements to further harden the software and enhance its resilience against similar malicious attacks. Users can find the latest firmware version by searching for their device at the following web site:\n\n<http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?famID=15>\n\nAdditional precautions and risk mitigation strategies specific to these types of attacks are recommended in the Rockwell Automation security release. When possible, multiple strategies should be implemented simultaneously.\n\n<https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1041191>\n\nPlease also refer to Cisco\u2019s security advisories (linked below) for additional workarounds and details for these vulnerabilities.\n\nNCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. 
Also recognize that VPN is only as secure as the connected devices.\n\nICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nICS-CERT also provides a section for [control systems security recommended practices](<https://ics-cert.us-cert.gov/content/recommended-practices>) on the ICS-CERT web page. Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.](<https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>)\n\nAdditional mitigation guidance and recommended practices are publicly available in the ICS\u2011CERT Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B>), that is available for download from the [ICS-CERT web site](<https://ics-cert.us-cert.gov/>).\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.\n\nNo known public exploits specifically target these vulnerabilities.\n\n## VULNERABILITY OVERVIEW\n\n## [**IMPROPER INPUT VALIDATION CWE-20**](<https://cwe.mitre.org/data/definitions/20.html>)\n\n[Cisco IOS and IOS XE Software DNS Forwarder Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-dns>).\n\n[CVE-2016-6380](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6380>) has been assigned to this vulnerability. 
A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H>)).\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS and IOS XE Software AAA Login Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-aaados>).\n\n[CVE-2016-6393](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6393>) has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H>)).\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS and IOS XE Software H.323 Message Validation Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-h323>).\n\n[CVE-2016-6384](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6384>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS and IOS XE Software Internet Key Exchange Version 1 Fragmentation Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-ios-ikev1>).\n\n[CVE-2016-6381](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6381>) has been assigned to this vulnerability. 
A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS and IOS XE Software Multicast Routing Denial of Service Vulnerabilities](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-msdp>).\n\n[CVE-2016-6382](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6382>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**INFORMATION EXPOSURE CWE-200**](<https://cwe.mitre.org/data/definitions/200.html>)\n\n[IKEv1 Information Disclosure Vulnerability in Multiple Cisco Products](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1>).\n\n[CVE-2016-6415](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6415>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N>)).\n\n## [**INPUT VALIDATION CWE-20**](<https://cwe.mitre.org/data/definitions/20.html>)\n\n[Cisco Products IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160525-ipv6>).\n\n[CVE-2016-1409](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1409>) has been assigned to this vulnerability. 
A CVSS v3 base score of 5.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L>)).\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS and IOS XE and Cisco Unified Communications Manager Software Session Initiation Protocol Memory Leak Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160323-sip>).\n\n[CVE-2016-1350](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1350>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS and IOS XE Software Internet Key Exchange Version 2 Fragmentation Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160323-ios-ikev2>).\n\n[CVE-2016-1344](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1344>) has been assigned to this vulnerability. 
A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**INTEGER OVERFLOW OR WRAPAROUND CWE 190**](<https://cwe.mitre.org/data/definitions/190.html>)\n\n## [**IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119**](<https://cwe.mitre.org/data/definitions/119.html>)\n\n## [**IMPROPER INPUT VALIDATION CWE-20**](<https://cwe.mitre.org/data/definitions/20.html>)\n\n## [**PATH TRAVERSAL CWE-22**](<https://cwe.mitre.org/data/definitions/22.html>)\n\n## [**PERMISSIONS, PRIVILEGES, AND ACCESS CONTROLS CWE-264**](<https://cwe.mitre.org/data/definitions/264.html>)\n\n## [**IMPROPER AUTHENTICATION CWE-287**](<https://cwe.mitre.org/data/definitions/287.html>)\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Multiple Vulnerabilities in ntpd Affecting Cisco Products - October 2015](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151021-ntp>).\n\n[CVE-2015-7691](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7691>), [CVE-2015-7692](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7692>), [CVE-2015-7701](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7701>), [CVE-2015-7702](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7702>), [CVE-2015-7703](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7703>), [CVE-2015-7704](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7704>), [CVE-2015-7705](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7705>), [CVE-2015-7848](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7848>), [CVE-2015-7849](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7849>), [CVE-2015-7850](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7850>), 
[CVE-2015-7851](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7851>), [CVE-2015-7852](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7852>), [CVE-2015-7853](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7853>), [CVE-2015-7854](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7854>), [CVE-2015-7855](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7855>), and [CVE-2015-7871](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7871>) have been assigned to these vulnerabilities. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L>)).\n\n## [**IMPROPER AUTHENTICATION CWE-287**](<https://cwe.mitre.org/data/definitions/287.html>)\n\n[Multiple Vulnerabilities in ntpd (April 2015) Affecting Cisco Products](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-ntpd>).\n\n[CVE-2015-1798](<https://nvd.nist.gov/vuln/detail/CVE-2015-1798>) and [CVE-2015-1799](<https://nvd.nist.gov/vuln/detail/CVE-2015-1799>) have been assigned to this vulnerability. A CVSS v3 base score of 5.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N>)).\n\n## [**INPUT VALIDATION CWE 20**](<https://cwe.mitre.org/data/definitions/20.html>)\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS Software and IOS XE Software Internet Key Exchange Version 2 Denial of Service Vulnerabilities](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-ikev2>).\n\n[CVE-2015-0642](<https://nvd.nist.gov/vuln/detail/CVE-2015-0642>) and [CVE-2015-0643](<https://nvd.nist.gov/vuln/detail/CVE-2015-0643>) have been assigned to this vulnerability. 
A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS Software and IOS XE Software TCP Packet Memory Leak Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-tcpleak>).\n\n[CVE-2015-0646](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0646>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119**](<https://cwe.mitre.org/data/definitions/119.html>)\n\n## [**IMPROPER INPUT VALIDATION CWE-20**](<https://cwe.mitre.org/data/definitions/20.html>)\n\n## [**CRYPTOGRAPHIC ISSUES CWE 310**](<https://cwe.mitre.org/data/definitions/310.html>)\n\n[Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150320-openssl>).\n\n[CVE-2015-0207](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0207>), [CVE-2015-0209](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0209>), [CVE-2015-0285](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0285>), [CVE-2015-0287](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0287>), [CVE-2015-0288](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0288>), [CVE-2015-0289](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0289>), [CVE-2015-0290](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0290>), [CVE-2015-0291](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0291>), 
[CVE-2015-0292](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0292>), [CVE-2015-0293](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0293>), and [CVE-2015-1787](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1787>) have been assigned to these vulnerabilities. A CVSS v3 base score of 4.0 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N>)).\n\n## [**CRYPTOGRAPHIC ISSUES CWE 310**](<https://cwe.mitre.org/data/definitions/310.html>)\n\n[SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle>).\n\n[CVE-2014-3566](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566>) has been assigned to this vulnerability. A CVSS v3 base score of 4.0 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N>)).\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS Software DHCP Version 6 Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-dhcpv6>).\n\n[CVE-2014-3359](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3359>) has been assigned to this vulnerability. 
A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS Software Metadata Vulnerabilities](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-metadata>).\n\n[CVE-2014-3355](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3355>) and [CVE-2014-3356](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3356>) have been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**IMPROPER INPUT VALIDATION CWE-20**](<https://cwe.mitre.org/data/definitions/20.html>)\n\n[Cisco IOS Software Network Address Translation Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-nat>).\n\n[CVE-2014-3361](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3361>) has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS Software RSVP Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-rsvp>).\n\n[CVE-2014-3354](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3354>) has been assigned to this vulnerability. 
A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**NUMERIC ERRORS CWE 189**](<https://cwe.mitre.org/data/definitions/189.html>)\n\n[Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-sip>).\n\n[CVE-2014-3360](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3360>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS Software IPsec Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20140625-CVE-2014-3299>).\n\n[CVE-2014-3299](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3299>) has been assigned to this vulnerability. 
A CVSS v3 base score of 7.7 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**CRYPTOGRAPHIC ISSUES CWE-310**](<https://cwe.mitre.org/data/definitions/310.html>)\n\n## [**RACE CONDITION CWE-362**](<https://cwe.mitre.org/data/definitions/362.html>)\n\n## [**IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119**](<https://cwe.mitre.org/data/definitions/119.html>)\n\n## [**RESOURCE MANAGEMENT ERRORS CWE-399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n## [**NULL POINTER DEREFERENCE CWE-476**](<https://cwe.mitre.org/data/definitions/476.html>)\n\n[Multiple Vulnerabilities in OpenSSL Affecting Cisco Products](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl>).\n\n[CVE-2010-5298](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298>), [CVE-2014-0076](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0076>), [CVE-2014-0195](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0195>), [CVE-2014-0198](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0198>), [CVE-2014-0221](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0221>), [CVE-2014-0224](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224>), and [CVE-2014-3470](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3470>) have been assigned to these vulnerabilities. 
A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H>)).\n\n## [**IMPROPER INPUT VALIDATION CWE-20**](<https://cwe.mitre.org/data/definitions/20.html>)\n\n[Cisco IOS Software Crafted IPv6 Packet Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ipv6>).\n\n[CVE-2014-2113](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2113>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS Software Internet Key Exchange Version 2 Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ikev2>).\n\n[CVE-2014-2108](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2108>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**IMPROPER INPUT VALIDATION CWE-20**](<https://cwe.mitre.org/data/definitions/20.html>)\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS Software Network Address Translation Vulnerabilities](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-nat>).\n\n[CVE-2014-2109](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2109>) and [CVE-2014-2111](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2111>) have been assigned to these vulnerabilities. 
A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**IMPROPER INPUT VALIDATION CWE-20**](<https://cwe.mitre.org/data/definitions/20.html>)\n\n[Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-sip>).\n\n[CVE-2014-2106](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2106>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS Software SSL VPN Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ios-sslvpn>).\n\n[CVE-2014-2112](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2112>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## RESEARCHER\n\nCisco Systems, Inc. 
reported these vulnerabilities to Rockwell Automation.\n\n## BACKGROUND\n\n**Critical Infrastructure Sectors:** Critical Manufacturing, Energy, Water and Wastewater Systems\n\n**Area Deployed:** Worldwide\n\n**Company Headquarters Location:** United States\n", "modified": "2017-05-10T00:00:00", "published": "2017-05-09T00:00:00", "id": "ICSA-17-094-04", "href": "https://ics-cert.us-cert.gov//advisories/ICSA-17-094-04", "title": "Rockwell Automation Stratix 5900", "type": "ics", "cvss": {"score": 8.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:COMPLETE/"}}]}