ID SOL71245322 Type f5 Reporter f5 Modified 2016-10-05T00:00:00
Description
Vulnerability
Recommended Actions
If you are running a version listed in the Versions known to be vulnerable column, you can eliminate this vulnerability by upgrading to a version listed in the Versions known to be not vulnerable column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.
Supplemental Information
SOL9970: Subscribing to email notifications regarding F5 products
SOL9957: Creating a custom RSS feed to view new and updated documents
SOL4602: Overview of the F5 security vulnerability response policy
SOL4918: Overview of the F5 critical issue hotfix policy
{"result": {"cve": [{"id": "CVE-2015-8138", "type": "cve", "title": "CVE-2015-8138", "description": "NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to bypass the origin timestamp validation via a packet with an origin timestamp set to zero.", "published": "2017-01-30T16:59:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8138", "cvelist": ["CVE-2015-8138"], "lastseen": "2017-11-25T11:37:06"}], "f5": [{"id": "F5:K71245322", "type": "f5", "title": "NTP vulnerability CVE-2015-8138", "description": "\nF5 Product Development has assigned ID 570697 (BIG-IP), ID 573411 (BIG-IQ), ID 507785 (ARX), LRS-60602 (LineRate), and INSTALLER-2199 (Traffix SDC) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| 12.0.0 - 12.1.0 \n11.6.0 - 11.6.1 \n11.5.3 - 11.5.4 \n11.5.0 HF7 \n11.4.1 HF9 - HF11 \n11.4.0 HF10| 12.1.1 - 12.1.2 \n11.5.1 - 11.5.2 \n11.5.0 - 11.5.0 HF6 \n11.4.1 - 11.4.1 HF8 \n11.4.0 - 11.4.0 HF9 \n11.2.1 \n10.1.0 - 10.2.4| Medium| ntpd \nBIG-IP AAM| 12.0.0 - 12.1.0 \n11.6.0 - 11.6.1 \n11.5.3 - 11.5.4 \n11.5.0 HF7 \n11.4.1 HF9 \n11.4.0 HF10| 12.1.1 - 12.1.2 \n11.5.1 - 11.5.2 \n11.5.0 - 11.5.0 HF6 \n11.4.1 - 11.4.1 HF8 \n11.4.0 - 11.4.0 HF9| Medium| ntpd \nBIG-IP AFM| 12.0.0 - 12.1.0 \n11.6.0 - 11.6.1 \n11.5.3 - 11.5.4 \n11.5.0 HF7 \n11.4.1 HF9 \n11.4.0 HF10| 12.1.1 - 12.1.2 \n11.5.1 - 11.5.2 \n11.5.0 - 11.5.0 HF6 \n11.4.1 - 11.4.1 HF8 \n11.4.0 - 11.4.0 HF9| Medium| ntpd \nBIG-IP Analytics| 12.0.0 - 12.1.0 
\n11.6.0 - 11.6.1 \n11.5.3 - 11.5.4 \n11.5.0 HF7 \n11.4.1 HF9 \n11.4.0 HF10| 12.1.1 - 12.1.2 \n11.5.1 - 11.5.2 \n11.5.0 - 11.5.0 HF6 \n11.4.1 - 11.4.1 HF8 \n11.4.0 - 11.4.0 HF9 \n11.2.1| Medium| ntpd \nBIG-IP APM| 12.0.0 - 12.1.0 \n11.6.0 - 11.6.1 \n11.5.3 - 11.5.4 \n11.5.0 HF7 \n11.4.1 HF9 \n11.4.0 HF10| 12.1.1 - 12.1.2 \n11.5.1 - 11.5.2 \n11.5.0 - 11.5.0 HF6 \n11.4.1 - 11.4.1 HF8 \n11.4.0 - 11.4.0 HF9 \n11.2.1 \n10.1.0 - 10.2.4| Medium| ntpd \nBIG-IP ASM| 12.0.0 - 12.1.0 \n11.6.0 - 11.6.1 \n11.5.3 - 11.5.4 \n11.5.0 HF7 \n11.4.1 HF9 \n11.4.0 HF10| 12.1.1 - 12.1.2 \n11.5.1 - 11.5.2 \n11.5.0 - 11.5.0 HF6 \n11.4.1 - 11.4.1 HF8 \n11.4.0 - 11.4.0 HF9 \n11.2.1 \n10.1.0 - 10.2.4| Medium| ntpd \nBIG-IP DNS| 12.0.0 - 12.1.0| 12.1.1 - 12.1.2| Medium| ntpd \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| 11.6.0 - 11.6.1 \n11.5.3 - 11.5.4 \n11.5.0 HF7 \n11.4.1 HF9 \n11.4.0 HF10| 11.5.1 - 11.5.2 \n11.5.0 - 11.5.0 HF6 \n11.4.1 - 11.4.1 HF8 \n11.4.0 - 11.4.0 HF9 \n11.2.1 \n10.1.0 - 10.2.4| Medium| ntpd \nBIG-IP Link Controller| 12.0.0 - 12.1.0 \n11.6.0 - 11.6.1 \n11.5.3 - 11.5.4 \n11.5.0 HF7 \n11.4.1 HF9 \n11.4.0 HF10| 12.1.1 - 12.1.2 \n11.5.1 - 11.5.2 \n11.5.0 - 11.5.0 HF6 \n11.4.1 - 11.4.1 HF8 \n11.4.0 - 11.4.0 HF9 \n11.2.1 \n10.1.0 - 10.2.4| Medium| ntpd \nBIG-IP PEM| 12.0.0 - 12.1.0 \n11.6.0 - 11.6.1 \n11.5.3 - 11.5.4 \n11.5.0 HF7 \n11.4.1 HF9 \n11.4.0 HF10| 12.1.1 - 12.1.2 \n11.5.1 - 11.5.2 \n11.5.0 - 11.5.0 HF6 \n11.4.1 - 11.4.1 HF8 \n11.4.0 - 11.4.0 HF9| Medium| ntpd \nBIG-IP PSM| 11.4.1 HF9 \n11.4.0 HF10| 11.4.1 - 11.4.1 HF8 \n11.4.0 - 11.4.0 HF9 \n11.2.1 \n10.1.0 - 10.2.4| Medium| ntpd \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nARX| 6.0.0 - 6.4.0| None| Low| ntpd \nEnterprise Manager| None| 3.0.0 - 3.1.1| Not vulnerable| None \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ 
Cloud| 4.0.0 - 4.5.0| None| Medium| ntpd \nBIG-IQ Device| 4.2.0 - 4.5.0| None| Medium| ntpd \nBIG-IQ Security| 4.0.0 - 4.5.0| None| Medium| ntpd \nBIG-IQ ADC| 4.5.0| None| Medium| ntpd \nBIG-IQ Centralized Management| 4.6.0| None| Medium| ntpd \nBIG-IQ Cloud and Orchestration| 1.0.0| None| Medium| ntpd \nLineRate| 2.5.0 - 2.6.1| None| Medium| ntpd \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| None| Low| ntpd\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "published": "2016-02-22T22:22:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://support.f5.com/csp/article/K71245322", "cvelist": ["CVE-2015-8138"], "lastseen": "2017-06-08T00:16:40"}, {"id": "F5:K80996302", "type": "f5", "title": "Multiple NTP vulnerabilities", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions 
known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebSafe| None| 12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.1.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.0.2| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nNone\n\n 
* [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "published": "2016-12-17T02:37:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://support.f5.com/csp/article/K80996302", "cvelist": ["CVE-2016-9312", "CVE-2015-8138", "CVE-2016-7433", "CVE-2016-7427", "CVE-2016-7429", "CVE-2016-7428", "CVE-2016-7431"], "lastseen": "2017-06-08T00:16:02"}], "openvas": [{"id": "OPENVAS:1361412562310871547", "type": "openvas", "title": "RedHat Update for ntp RHSA-2016:0063-01", "description": "Check the version of ntp", "published": "2016-01-26T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871547", "cvelist": ["CVE-2015-8138"], "lastseen": "2017-07-27T10:53:47"}, {"id": "OPENVAS:1361412562310882375", "type": "openvas", "title": "CentOS Update for ntp CESA-2016:0063 centos7 ", "description": "Check the version of ntp", "published": "2016-01-26T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882375", "cvelist": ["CVE-2015-8138"], "lastseen": "2017-07-25T10:54:46"}, {"id": "OPENVAS:1361412562310122859", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2016-0063", "description": "Oracle Linux Local Security Checks ELSA-2016-0063", "published": "2016-01-26T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310122859", "cvelist": ["CVE-2015-8138"], "lastseen": "2017-07-24T12:54:56"}, {"id": "OPENVAS:1361412562310882376", "type": "openvas", "title": "CentOS Update for ntp CESA-2016:0063 centos6 ", "description": "Check the version of ntp", "published": "2016-01-26T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882376", "cvelist": ["CVE-2015-8138"], "lastseen": "2017-07-25T10:54:52"}, {"id": "OPENVAS:1361412562310807227", "type": "openvas", "title": "Fedora Update for ntp FEDORA-2016-8", "description": "Check the version of ntp", "published": "2016-02-05T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807227", "cvelist": ["CVE-2015-8138", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-07-25T10:54:03"}, {"id": "OPENVAS:1361412562310120639", "type": "openvas", "title": "Amazon Linux Local Check: alas-2016-649", "description": "Amazon Linux Local Security Checks", "published": "2016-02-11T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120639", "cvelist": ["CVE-2015-8138", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-07-24T12:54:42"}, {"id": "OPENVAS:1361412562310105666", "type": "openvas", "title": "Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016", "description": "Multiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package. 
Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server.\n\nOn January 19, 2016, NTP Consortium at Network Time Foundation released a security advisory detailing 12 issues regarding multiple DoS vulnerabilities, information disclosure vulnerabilities, and logic issues that may allow an attacker to shift a client", "published": "2016-05-09T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105666", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-07-02T21:12:44"}, {"id": "OPENVAS:1361412562310105726", "type": "openvas", "title": "Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016", "description": "Multiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package.\nVersions of this package are affected by one or more vulnerabilities that could allow an\nunauthenticated, remote attacker to create a denial of service (DoS) condition or modify the time\nbeing advertised by a device acting as a Network Time Protocol (NTP) server.\n\nOn January 19, 2016, NTP Consortium at Network Time Foundation released a security advisory\ndetailing 12 issues regarding multiple DoS vulnerabilities, information disclosure vulnerabilities,\nand logic issues that may allow an attacker to shift a client", "published": "2016-05-18T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105726", "cvelist": ["CVE-2015-8140", 
"CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-07-02T21:13:20"}, {"id": "OPENVAS:1361412562310131203", "type": "openvas", "title": "Mageia Linux Local Check: mgasa-2016-0039", "description": "Mageia Linux Local Security Checks mgasa-2016-0039", "published": "2016-02-02T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310131203", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-07-24T12:54:56"}, {"id": "OPENVAS:1361412562310703629", "type": "openvas", "title": "Debian Security Advisory DSA 3629-1 (ntp - security update)", "description": "Several vulnerabilities were discovered\nin the Network Time Protocol daemon and utility programs:\n\nCVE-2015-7974 \nMatt Street discovered that insufficient key validation allows\nimpersonation attacks between authenticated peers.\n\nCVE-2015-7977CVE-2015-7978Stephen Gray discovered that a NULL pointer dereference\nand a buffer overflow in the handling of ntpdc reslist \ncommands may\nresult in denial of service.\n\nCVE-2015-7979 \nAanchal Malhotra discovered that if NTP is configured for broadcast\nmode, an attacker can send malformed authentication packets which\nbreak associations with the server for other broadcast clients.\n\nCVE-2015-8138 \nMatthew van Gundy and Jonathan Gardner discovered that missing\nvalidation of origin timestamps in ntpd clients may result in denial\nof service.\n\nCVE-2015-8158 \nJonathan Gardner discovered that missing input sanitising in ntpq\nmay result in denial of service.\n\nCVE-2016-1547 \nStephen Gray and Matthew van Gundy discovered that incorrect handling\nof crypto NAK packets may result in 
denial of service.\n\nCVE-2016-1548 \nJonathan Gardner and Miroslav Lichvar discovered that ntpd clients\ncould be forced to change from basic client/server mode to interleaved\nsymmetric mode, preventing time synchronisation.\n\nCVE-2016-1550 \nMatthew van Gundy, Stephen Gray and Loganaden Velvindron discovered\nthat timing leaks in the the packet authentication code could result\nin recovery of a message digest.\n\nCVE-2016-2516Yihan Lian discovered that duplicate IPs on unconfig \ndirectives will\ntrigger an assert.\n\nCVE-2016-2518 \nYihan Lian discovered that an OOB memory access could potentially\ncrash ntpd.", "published": "2016-08-02T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703629", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-8138", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7979", "CVE-2016-1547", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-12-18T11:06:24"}], "nessus": [{"id": "CENTOS_RHSA-2016-0063.NASL", "type": "nessus", "title": "CentOS 6 / 7 : ntp (CESA-2016:0063)", "description": "Updated ntp packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source.\n\nIt was discovered that ntpd as a client did not correctly check the originate timestamp in received packets. 
A remote attacker could use this flaw to send a crafted packet to an ntpd client that would effectively disable synchronization with the server, or push arbitrary offset/delay measurements to modify the time on the client.\n(CVE-2015-8138)\n\nAll ntp users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the update, the ntpd daemon will restart automatically.", "published": "2016-01-26T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=88147", "cvelist": ["CVE-2015-8138"], "lastseen": "2017-10-29T13:41:44"}, {"id": "SL_20160125_NTP_ON_SL6_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : ntp on SL6.x, SL7.x i386/x86_64", "description": "It was discovered that ntpd as a client did not correctly check the originate timestamp in received packets. A remote attacker could use this flaw to send a crafted packet to an ntpd client that would effectively disable synchronization with the server, or push arbitrary offset/delay measurements to modify the time on the client.\n(CVE-2015-8138)\n\nAfter installing the update, the ntpd daemon will restart automatically.", "published": "2016-01-26T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=88175", "cvelist": ["CVE-2015-8138"], "lastseen": "2017-10-29T13:38:29"}, {"id": "REDHAT-RHSA-2016-0063.NASL", "type": "nessus", "title": "RHEL 6 / 7 : ntp (RHSA-2016:0063)", "description": "Updated ntp packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important security impact. 
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source.\n\nIt was discovered that ntpd as a client did not correctly check the originate timestamp in received packets. A remote attacker could use this flaw to send a crafted packet to an ntpd client that would effectively disable synchronization with the server, or push arbitrary offset/delay measurements to modify the time on the client.\n(CVE-2015-8138)\n\nAll ntp users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. After installing the update, the ntpd daemon will restart automatically.", "published": "2016-01-26T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=88172", "cvelist": ["CVE-2015-8138"], "lastseen": "2017-10-29T13:42:04"}, {"id": "F5_BIGIP_SOL71245322.NASL", "type": "nessus", "title": "F5 Networks BIG-IP : NTP vulnerability (K71245322)", "description": "NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to bypass the origin timestamp validation via a packet with an origin timestamp set to zero. 
(CVE-2015-8138)", "published": "2016-02-23T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=88888", "cvelist": ["CVE-2015-8138"], "lastseen": "2017-10-29T13:35:20"}, {"id": "ORACLELINUX_ELSA-2016-0063.NASL", "type": "nessus", "title": "Oracle Linux 6 / 7 : ntp (ELSA-2016-0063)", "description": "From Red Hat Security Advisory 2016:0063 :\n\nUpdated ntp packages that fix one security issue are now available for Red Hat Enterprise Linux 6 and 7.\n\nRed Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nThe Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source.\n\nIt was discovered that ntpd as a client did not correctly check the originate timestamp in received packets. A remote attacker could use this flaw to send a crafted packet to an ntpd client that would effectively disable synchronization with the server, or push arbitrary offset/delay measurements to modify the time on the client.\n(CVE-2015-8138)\n\nAll ntp users are advised to upgrade to these updated packages, which contain a backported patch to resolve this issue. 
After installing the update, the ntpd daemon will restart automatically.", "published": "2016-01-26T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=88167", "cvelist": ["CVE-2015-8138"], "lastseen": "2017-10-29T13:39:50"}, {"id": "ORACLEVM_OVMSA-2016-0006.NASL", "type": "nessus", "title": "OracleVM 3.3 : ntp (OVMSA-2016-0006)", "description": "The remote OracleVM system is missing necessary patches to address critical security updates :\n\n - don't accept server/peer packets with zero origin timestamp (CVE-2015-8138)", "published": "2016-01-26T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=88169", "cvelist": ["CVE-2015-8138"], "lastseen": "2017-10-29T13:34:51"}, {"id": "ARISTA_EOS_SA0019.NASL", "type": "nessus", "title": "Arista Networks EOS Multiple Vulnerabilities (SA0019)", "description": "The version of Arista Networks EOS running on the remote device is affected by multiple vulnerabilities :\n\n - A flaw exists in NTP in the receive() function within file ntpd/ntp_proto.c that allows packets with an origin timestamp of zero to bypass security checks. An unauthenticated, remote attacker can exploit this to spoof arbitrary content. (CVE-2015-8138)\n\n - A flaw exists in NTP when handling crafted Crypto NAK Packets having spoofed source addresses that match an existing associated peer. A unauthenticated, remote attacker can exploit this to demobilize a client association, resulting in a denial of service condition.\n (CVE-2016-1547)\n\n - A flaw exists in NTP when handling packets that have been spoofed to appear to be coming from a valid ntpd server, which may cause a switch to interleaved symmetric mode. 
An unauthenticated, remote attacker can exploit this, via a packet having a spoofed timestamp, to cause the client to reject future legitimate server responses, resulting in a denial of service condition.\n (CVE-2016-1548)\n\n - A flaw exits in NTP when handling a saturation of ephemeral associations. An authenticated, remote attacker can exploit this to defeat the clock selection algorithm and thereby modify a victim's clock.\n (CVE-2016-1549)\n\n - A flaw exists in NTP in the message authentication functionality of libntp that is triggered when handling a series of specially crafted messages. An unauthenticated, remote attacker can exploit this to partially recover the message digest key.\n (CVE-2016-1550)", "published": "2018-02-28T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=107061", "cvelist": ["CVE-2016-1548", "CVE-2015-8138", "CVE-2016-1550", "CVE-2016-1547", "CVE-2016-1549"], "lastseen": "2018-03-01T06:04:04"}, {"id": "FEDORA_2016-8BB1932088.NASL", "type": "nessus", "title": "Fedora 23 : ntp-4.2.6p5-36.fc23 (2016-8bb1932088)", "description": "Security fix for CVE-2015-7974, CVE-2015-8138, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8158\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2016-03-04T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=89577", "cvelist": ["CVE-2015-8138", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-10-29T13:37:19"}, {"id": "ALA_ALAS-2016-649.NASL", "type": "nessus", "title": "Amazon Linux AMI : ntp (ALAS-2016-649)", "description": "It was discovered that ntpd as a client did not correctly check the originate timestamp in received packets. A remote attacker could use this flaw to send a crafted packet to an ntpd client that would effectively disable synchronization with the server, or push arbitrary offset/delay measurements to modify the time on the client.\n(CVE-2015-8138)\n\nA NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash the ntpd process. (CVE-2015-7977)\n\nIt was found that NTP does not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key.\n(CVE-2015-7974)\n\nA stack-based buffer overflow was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash the ntpd process. (CVE-2015-7978)\n\nIt was found that when NTP is configured in broadcast mode, an off-path attacker could broadcast packets with bad authentication (wrong key, mismatched key, incorrect MAC, etc) to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server. 
This could cause the time on affected clients to become out of sync over a longer period of time.\n(CVE-2015-7979)\n\nA flaw was found in the way the ntpq client certain processed incoming packets in a loop in the getresponse() function. A remote attacker could potentially use this flaw to crash an ntpq client instance.\n(CVE-2015-8158)\n\nA flaw was found in ntpd that allows remote attackers to cause a denial of service (ephemeral-association demobilization) by sending a spoofed crypto-NAK packet with incorrect authentication data at a certain time. (CVE-2016-4953)\n\n(Updated 2016-10-18: CVE-2016-4953 was fixed in this release but was not previously part of this errata.)", "published": "2016-02-10T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=88661", "cvelist": ["CVE-2015-8138", "CVE-2016-4953", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2018-04-19T08:12:28"}, {"id": "NTP_4_2_8P7.NASL", "type": "nessus", "title": "Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p7 Multiple Vulnerabilities", "description": "The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p7.\nIt is, therefore, affected by the following vulnerabilities :\n\n - A denial of service vulnerability exists due to improper validation of the origin timestamp field when handling a Kiss-of-Death (KoD) packet. An unauthenticated, remote attacker can exploit this to cause a client to stop querying its servers, preventing the client from updating its clock. (CVE-2015-7704)\n\n - A flaw exists in the receive() function in ntp_proto.c that allows packets with an origin timestamp of zero to bypass security checks. 
An unauthenticated, remote attacker can exploit this to spoof arbitrary content.\n (CVE-2015-8138)\n\n - A denial of service vulnerability exists due to improper handling of a crafted Crypto NAK Packet with a source address spoofed to match that of an existing associated peer. An unauthenticated, remote attacker can exploit this to demobilize a client association. (CVE-2016-1547)\n\n - A denial of service vulnerability exists due to improper handling of packets spoofed to appear to be from a valid ntpd server. An unauthenticated, remote attacker can exploit this to cause NTP to switch from basic client/server mode to interleaved symmetric mode, causing the client to reject future legitimate responses. (CVE-2016-1548)\n\n - A race condition exists that is triggered during the handling of a saturation of ephemeral associations. An authenticated, remote attacker can exploit this to defeat NTP's clock selection algorithm and modify a user's clock. (CVE-2016-1549)\n\n - An information disclosure vulnerability exists in the message authentication functionality in libntp that is triggered during the handling of a series of specially crafted messages. An adjacent attacker can exploit this to partially recover the message digest key.\n (CVE-2016-1550)\n\n - A flaw exists due to improper filtering of IPv4 'bogon' packets received from a network. 
An unauthenticated, remote attacker can exploit this to spoof packets to appear to come from a specific reference clock.\n (CVE-2016-1551)\n\n - A denial of service vulnerability exists that allows an authenticated, remote attacker that has knowledge of the controlkey for ntpq or the requestkey for ntpdc to create a session with the same IP twice on an unconfigured directive line, causing ntpd to abort.\n (CVE-2016-2516)\n\n - A denial of service vulnerability exists that allows an authenticated, remote attacker to manipulate the value of the trustedkey, controlkey, or requestkey via a crafted packet, preventing authentication with ntpd until the daemon has been restarted. (CVE-2016-2517)\n\n - An out-of-bounds read error exists in the MATCH_ASSOC() function that occurs during the creation of peer associations with hmode greater than 7. An authenticated, remote attacker can exploit this, via a specially crafted packet, to cause a denial of service.\n (CVE-2016-2518)\n\n - An overflow condition exists in the ctl_getitem() function in ntpd due to improper validation of user-supplied input when reporting return values. An authenticated, remote attacker can exploit this to cause ntpd to abort. 
(CVE-2016-2519)", "published": "2016-05-05T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=90923", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-8138", "CVE-2016-1550", "CVE-2016-2516", "CVE-2015-7704", "CVE-2016-1551", "CVE-2016-1547", "CVE-2016-2519", "CVE-2016-2517", "CVE-2016-1549"], "lastseen": "2017-10-29T13:32:54"}], "redhat": [{"id": "RHSA-2016:0063", "type": "redhat", "title": "(RHSA-2016:0063) Important: ntp security update", "description": "The Network Time Protocol (NTP) is used to synchronize a computer's time\nwith a referenced time source.\n\nIt was discovered that ntpd as a client did not correctly check the\noriginate timestamp in received packets. A remote attacker could use this\nflaw to send a crafted packet to an ntpd client that would effectively\ndisable synchronization with the server, or push arbitrary offset/delay\nmeasurements to modify the time on the client. (CVE-2015-8138)\n\nAll ntp users are advised to upgrade to these updated packages, which\ncontain a backported patch to resolve this issue. 
After installing the\nupdate, the ntpd daemon will restart automatically.\n", "published": "2016-01-25T05:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://access.redhat.com/errata/RHSA-2016:0063", "cvelist": ["CVE-2015-8138"], "lastseen": "2018-04-15T14:24:25"}], "oraclelinux": [{"id": "ELSA-2016-0063", "type": "oraclelinux", "title": "ntp security update", "description": "[4.2.6p5-5.el6_7.4]\n- don't accept server/peer packets with zero origin timestamp (CVE-2015-8138)", "published": "2016-01-25T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://linux.oracle.com/errata/ELSA-2016-0063.html", "cvelist": ["CVE-2015-8138"], "lastseen": "2017-04-18T17:19:15"}, {"id": "ELSA-2016-0780", "type": "oraclelinux", "title": "ntp security and bug fix update", "description": "[4.2.6p5-10]\n- don't accept server/peer packets with zero origin timestamp (CVE-2015-8138)\n- fix crash with reslist command (CVE-2015-7977, CVE-2015-7978)\n[4.2.6p5-9]\n- fix crash with invalid logconfig command (CVE-2015-5194)\n- fix crash when referencing disabled statistic type (CVE-2015-5195)\n- don't hang in sntp with crafted reply (CVE-2015-5219)\n- don't crash with crafted autokey packet (CVE-2015-7691, CVE-2015-7692,\n CVE-2015-7702)\n- fix memory leak with autokey (CVE-2015-7701)\n- don't allow setting driftfile and pidfile remotely (CVE-2015-7703)\n- don't crash in ntpq with crafted packet (CVE-2015-7852)\n- add option to set Differentiated Services Code Point (DSCP) (#1228314)\n- extend rawstats log (#1242895)\n- fix resetting of leap status (#1243034)\n- report clock state changes related to leap seconds (#1242937)\n- allow -4/-6 on restrict lines with mask (#1232146)\n- retry joining multicast groups (#1288534)\n- explain synchronised state in ntpstat man page (#1286969)\n[4.2.6p5-7]\n- check origin timestamp before accepting KoD RATE packet (CVE-2015-7704)\n- allow 
only one step larger than panic threshold with -g (CVE-2015-5300)", "published": "2016-05-12T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2016-0780.html", "cvelist": ["CVE-2015-7703", "CVE-2015-8138", "CVE-2015-7977", "CVE-2015-5219", "CVE-2015-7704", "CVE-2015-7701", "CVE-2015-7692", "CVE-2015-7702", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7691", "CVE-2015-5300", "CVE-2015-5195", "CVE-2015-7978"], "lastseen": "2017-08-16T11:10:48"}, {"id": "ELSA-2016-2583", "type": "oraclelinux", "title": "ntp security and bug fix update", "description": "[4.2.6p5-25.0.1]\n- add disable monitor to default ntp.conf [CVE-2013-5211]\n[4.2.6p5-25]\n- don't allow spoofed packet to enable symmetric interleaved mode\n (CVE-2016-1548)\n- check mode of new source in config command (CVE-2016-2518)\n- make MAC check resilient against timing attack (CVE-2016-1550)\n[4.2.6p5-24]\n- fix crash with invalid logconfig command (CVE-2015-5194)\n- fix crash when referencing disabled statistic type (CVE-2015-5195)\n- don't hang in sntp with crafted reply (CVE-2015-5219)\n- don't crash with crafted autokey packet (CVE-2015-7691, CVE-2015-7692,\n CVE-2015-7702)\n- fix memory leak with autokey (CVE-2015-7701)\n- don't allow setting driftfile and pidfile remotely (CVE-2015-7703)\n- don't crash in ntpq with crafted packet (CVE-2015-7852)\n- check key ID in packets authenticated with symmetric key (CVE-2015-7974)\n- fix crash with reslist command (CVE-2015-7977, CVE-2015-7978)\n- don't allow spoofed packets to demobilize associations (CVE-2015-7979,\n CVE-2016-1547)\n- don't accept server/peer packets with zero origin timestamp (CVE-2015-8138)\n- fix infinite loop in ntpq/ntpdc (CVE-2015-8158)\n- fix resetting of leap status (#1242553)\n- extend rawstats log (#1242877)\n- report clock state changes related to leap seconds (#1242935)\n- allow -4/-6 on restrict lines with mask (#1304492)\n- explain 
synchronised state in ntpstat man page (#1309594)", "published": "2016-11-09T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2016-2583.html", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-7703", "CVE-2015-8138", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2015-5219", "CVE-2013-5211", "CVE-2015-7979", "CVE-2015-7701", "CVE-2015-7692", "CVE-2016-1547", "CVE-2015-7702", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7691", "CVE-2015-5196", "CVE-2015-5195", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-08-16T11:11:48"}], "centos": [{"id": "CESA-2016:0063", "type": "centos", "title": "ntp, ntpdate, sntp security update", "description": "**CentOS Errata and Security Advisory** CESA-2016:0063\n\n\nThe Network Time Protocol (NTP) is used to synchronize a computer's time\nwith a referenced time source.\n\nIt was discovered that ntpd as a client did not correctly check the\noriginate timestamp in received packets. A remote attacker could use this\nflaw to send a crafted packet to an ntpd client that would effectively\ndisable synchronization with the server, or push arbitrary offset/delay\nmeasurements to modify the time on the client. (CVE-2015-8138)\n\nAll ntp users are advised to upgrade to these updated packages, which\ncontain a backported patch to resolve this issue. 
After installing the\nupdate, the ntpd daemon will restart automatically.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-January/021623.html\nhttp://lists.centos.org/pipermail/centos-announce/2016-January/021624.html\n\n**Affected packages:**\nntp\nntp-doc\nntp-perl\nntpdate\nsntp\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-0063.html", "published": "2016-01-25T14:27:37", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2016-January/021623.html", "cvelist": ["CVE-2015-8138"], "lastseen": "2017-10-03T18:25:18"}], "talos": [{"id": "TALOS-2016-0077", "type": "talos", "title": "Network Time Protocol Origin Timestamp Check Impersonation Vulnerability", "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0077\n\n## Network Time Protocol Origin Timestamp Check Impersonation Vulnerability\n\n##### January 19, 2016\n\n##### CVE Number\n\nCVE-2015-8138\n\nCERT VU#357792\n\n### Summary\n\nTo distinguish legitimate peer responses from forgeries, a client attempts to verify a response packet by ensuring that the origin timestamp in an incoming packet matches the transmit timestamp it transmitted in its last request. 
A logic error exists that allows packets with an origin timestamp of zero to bypass this check whenever there is not an outstanding request to the server.\n\nIt appears this defect applies to all modes except interleaved and broadcast modes and was introduced in version 4.2.5p179.\n\n### Tested Versions\n\nntp 4.2.8p3 \nNTPsec aa48d001683e5b791a743ec9c575aaf7d867a2b0c\n\n### Product URLs\n\n<http://www.ntp.org> \n<http://www.ntpsec.org/>\n\n### CVSS Score\n\nCVSSv2: 5.0 - AV:N/AC:L/Au:N/C:N/I:P/A:N \nCVSSv3: 5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\n\n### Details\n\nreceive() in ntp_proto.c contains the following sanity check for the origin timestamp when running in basic mode:\n \n \n if (!L_ISEQU(&p_org, &peer->aorg)) {\n peer->bogusorg++;\n peer->flash |= TEST2; /* bogus */\n if (!L_ISZERO(&peer->dst) && L_ISEQU(&p_org,\n &peer->dst)) {\n peer->flip = 1;\n report_event(PEVNT_XLEAVE, peer, NULL);\n }\n } else {\n L_CLR(&peer->aorg);\n }\n \n\nIf the incoming origin timestamp is not equal to the stored origin timestamp in the peer structure, the packet is marked as bogus and will be ignored. If the origin timestamp matches the saved origin timestamp in the peer structure, the origin timestamp in the peer structure is zeroed out.\n\nThis means an attacker can spoof the peer server and send a time update with a zero origin timestamp. The client will check that incoming timestamp against the one stored in the peer, which is zero. The timestamps will match and the client will process the incoming packet for time. The client is not in a state in which it is expecting a reply from the server, but it processes it anyway.\n\nWe have successfully used this vulnerability to force a client to move its time. 
Our proof-of-concept requires no authentication or special access and works for any client configured in basic mode.\n\nWe can maintain the client at our spoofed time by sending regular updates, every 5 seconds for example, enough to overcome the real server time updates in the clock selection process. The client will oscillate between the peered and rejected state with the peer since it is receiving drastically different times between the spoofed and real packets.\n\nIn order to be considered for clock selection, we have to ensure that the measured dispersion and delay for our packets are low. We achieve this by setting the receive timestamp to the offset value by which we want to move the clock for the initial time change. For example, to move the clock 20 years forward we set the transmit timestamp to (current time + 630720000) and the receive timestamp to 630720000. We also must set the precision to -128 to minimize the dispersion. Once the time has changed, we can maintain that spoofed time by changing receive to zero and keeping transmit the same. 
This keeps the delay low enough to be considered in clock selection.\n\nAdditionally, even when the update has too large of an offset or too big of a delay to win the clock selection, we can at least use the zero origin timestamp to make a client ignore real time updates in some instances by forcing the client to think a real server update is a popcorn spike.\n\n### Recommended Fix\n\nIdeally, the client would not process any packet from a peer if it did not have an active request out.\n\n### Timeline\n\n2015-10-16 - Vendor Disclosure \n2016-01-19 - Public Release\n\n##### Credit\n\nMatthew Van Gundy and Jonathan Gardner\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0078\n\nPrevious Report\n\nTALOS-2016-0076\n", "published": "2016-01-19T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0077", "cvelist": ["CVE-2015-8138"], "lastseen": "2017-07-26T06:23:54"}, {"id": "TALOS-2016-0078", "type": "talos", "title": "Network Time Protocol ntpq and ntpdc Origin Timestamp Disclosure Vulnerability", "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0078\n\n## Network Time Protocol ntpq and ntpdc Origin Timestamp Disclosure Vulnerability\n\n##### January 19, 2016\n\n##### CVE Number\n\nCVE-2015-8139\n\nCERT VU#357792\n\n### Summary\n\nTo prevent off-path attackers from impersonating legitimate peers, clients require that the origin timestamp in a received response packet match the transmit timestamp from its last request to a given peer. 
Under the assumption that only the recipient of the request packet will know the value of the transmit timestamp, this prevents an attacker from forging replies.\n\nUnfortunately, ntpq and ntpdc will disclose the value of the origin timestamp expected in the next peer response to any clients that are authorized to make ntpq (respectively ntpdc) queries.\n\nThis vulnerability appears to have been present in ntpd since, at least, 4.0.94 of May 1999. It appears in the earliest commit in the NTP project git repository.\n\n### Tested Versions\n\nntp 4.2.8p3 \nNTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92\n\n### Product URLs\n\n<http://www.ntp.org> \n<http://www.ntpsec.org/>\n\n### CVSS Score\n\nCVSSv2: 5.0 - AV:N/AC:L/Au:N/C:P/I:N/A:N \nCVSSv3: 5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n\n### Details\n\nHere is an example from ntpq:\n \n \n ntpq> peer\n remote refid st t when poll reach delay offset jitter\n ==============================================================================\n *server .LOCL. 1 u 69 64 76 0.525 35.063 23.483\n ntpq> as\n \n ind assid status conf reach auth condition last_event cnt\n ===========================================================\n 1 43286 965a yes yes none sys.peer sys_peer 5\n ntpq> rv 43286 org\n org=d9c79a63.b05e631b Tue, Oct 13 2015 14:57:39.688\n \n\nHere is an example from ntpdc:\n \n \n ntpdc> showpeer 192.168.33.10\n remote 192.168.33.10, local 192.168.33.11\n ...\n reference time: d9c79a0e.1ef70a98 Tue, Oct 13 2015 14:56:14.120\n originate timestamp: d9c79a63.b05e631b Tue, Oct 13 2015 14:57:39.688\n receive timestamp: d9c79a20.b9d5ee3d Tue, Oct 13 2015 14:56:32.725\n transmit timestamp: d9c79a20.b9d5ee3d Tue, Oct 13 2015 14:56:32.725\n \n\nFor associations that do not employ authentication, response packets are only authenticated using the packet source address and the expected origin timestamp. The necessary ntpq and ntpdc commands do not require authentication. 
As a result, an unauthenticated off-path attacker that can spoof the source address of a remote peer can forge responses from that peer using this vulnerability.\n\nThere is an interplay between this vulnerability and the 0rigin (zero origin) vulnerability (CVE-2015-8138). Because the 0rigin vulnerability resets the expected origin timestamp from live servers to zero when a response with the correct origin timestamp is received, forging responses from live servers is trivial. This vulnerability gives attackers the additional power to forge responses from unreachable peers and symmetric peers.\n\n### Mitigation\n\nThe peer origin variable is read via ntpq (mode 6) packets with a non-zero association id, opcode equal to READVAR (2), and the variable name \"org\".\n\nIt can also be read with ntpdc (mode 7) packets with a request code of PEER_INFO (2).\n\nThis vulnerability can be mitigated by adding the `noquery` option to all restrict entries as in:\n \n \n restrict -4 default noquery ...\n restrict -6 default noquery ...\n restrict 127.0.0.1 noquery ...\n restrict ::1 noquery ...\n \n\nWARNING: Common configurations allow local users to send ntpq and ntpdc requests to the local ntpd using permissive restrict entries. This will allow malicious, unprivileged, local users to discover the value of the origin timestamp necessary to spoof responses from ntpd peers. 
Therefore, we DO NOT recommend the common practice of allowing queries from localhost.\n\nUnfortunately, despite the impression given by NTP's documentation, the `notrust` restrict option CANNOT be used to mitigate this vulnerability because it DOES NOT have any effect on ntpq and ntpdc requests.\n\n### Timeline\n\n2015-10-16 - Vendor Disclosure \n2016-01-19 - Public Release\n\n##### Credit\n\nMatthew Van Gundy\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0079\n\nPrevious Report\n\nTALOS-2016-0077\n", "published": "2016-01-19T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0078", "cvelist": ["CVE-2015-8138", "CVE-2015-8139"], "lastseen": "2017-07-26T06:23:59"}, {"id": "TALOS-2016-0260", "type": "talos", "title": "Network Time Protocol Origin Timestamp Check Denial of Service Vulnerability", "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0260\n\n## Network Time Protocol Origin Timestamp Check Denial of Service Vulnerability\n\n##### March 29, 2017\n\n##### CVE Number\n\nCVE-2016-9042\n\n### Summary\n\nAn exploitable denial of service vulnerability exists in the origin timestamp check functionality of ntpd 4.2.8p9. A specially crafted unauthenticated network packet can be used to reset the expected origin timestamp for target peers. 
Legitimate replies from targeted peers will fail the origin timestamp check (TEST2) causing the reply to be dropped and creating a denial of service condition.\n\n### Tested Versions\n\nNTP 4.2.8p9\n\n### Product URLs\n\nhttp://www.ntp.org\n\n### CVSSv3 Score\n\nCVSSv2: 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv3: 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L\n\n### Details\n\nIn most modes, NTP prevents spoofing by off-path attackers by verifying that the origin timestamp of an incoming NTP packet matches the transmit timestamp on the daemon's last outgoing packet --- using the transmit and origin timestamps as a per-request nonce. This test is described in RFC 5905 and dubbed `TEST2` in ntpd's source code. To prevent an NTP daemon from accepting responses to duplicated request packets, RFC 5095 also specifies that the expected origin timestamp should be set to zero after successfully validating the origin timestamp of an incoming packet. Unfortunately, ntpd releases before 4.2.8p9 did not correctly reject incoming packets bearing a zero origin timestamp. This allowed a trivial bypass of TEST2, the origin timestamp check, by setting the origin timestamp on spoofed packets equal to zero (CVE-2015-8138, CVE-2016-7431).\n\nntp-4.2.8p9 fixes CVE-2015-8138 by rejecting packets with zero origin timestamps in all modes where that is not expected legitimate behavior. However, for reasons unknown, before rejecting a packet bearing a zero origin timestamp, ntp-4.2.8p9 clears the expected origin timestamp (peer->aorg) as can be seen in the following abstracted code:\n \n \n if (0) {\n } else if (L_ISZERO(&p_org)) {\n char *action;\n \n L_CLR(&peer->aorg);\n ...\n peer->bogusorg++;\n peer->flash |= TEST2; /* bogus */\n ... /* packet will be dropped */\n } else if (!L_ISEQU(&p_org, &peer->aorg)) {\n peer->bogusorg++;\n peer->flash |= TEST2; /* bogus */\n ... /* packet will be dropped */\n } else {\n L_CLR(&peer->aorg);\n }\n \n\nThis leads to a trivial denial of service. 
An unauthenticated network attacker who knows the address of one of the peers of a victim ntpd process can send the victim ntpd spoofed packets with the source address of the peer and a zero origin timestamp in order to reset peer->aorg for that peer. This will cause the next packet sent from the peer to fail the origin timestamp check (TEST2) and be dropped. The attacker can repeat this each poll period for all known peers in order to prevent their packets from being accepted by the victim ntpd.\n\nThis attack is very effective against symmetric associations where the duration between an outgoing packet from the victim ntpd and its \"response\" will be on the order of seconds to minutes. The attack is more difficult for client-server associations where the request-response window is likely to be on the order of milliseconds. However, if the attacker can observe the victim ntpd's request packet, it can attempt to race the remote peer's legitimate response.\n\nAn attacker can learn the currently selected peer of a victim ntpd process by sending the victim a client mode request and reading the peer's address from the refid field of the victim's response. This allows the attacker to target the currently selected peer one at a time until it has learned and targeted all peers of the victim ntpd process. If the victim allows NTP control queries or the attacker can observe the victim's NTP traffic, the attacker can easily learn all the victim's peers.\n\nThe call to L_CLR(&peer->aorg) when a zero-origin timestamp packet is received appears unnecessary and should be removed. To see that clearing peer->aorg is unnecessary, let's consider the operation of each NTP mode in turn after omitting the L_CLR(&peer->aorg):\n\n * Client-Server: Servers are stateless, so the change has no effect on them. Clients should not be sending requests with zero transmit timestamps and, therefore, should not be receiving responses with zero origin timestamps. 
Thus, removing the L_CLR(&peer->aorg) should have no effect on legitimate client-server behavior.\n\n * Broadcast: Broadcast packets are handled separately and thus are not influenced by the behavior of this code.\n\n * Symmetric (Active and Passive): When two symmetric peers are synchronized to a legitimate time source (0 < stratum < 16) and the association between them is fully operational, the origin timestamp on incoming packets will be non-zero and equal to peer->aorg, thus avoiding the L_CLR(&peer->aorg). The interesting cases occur when there is packet loss or one peer resets their association (e.g. ntpd is restarted).\n\nWithout loss of generality, let A be the sender and B the recipient of the first packet with pkt->org != peer->aorg. If A reset its association with B, pkt->org == 0. Otherwise, pkt->org != 0 && pkt->org != peer->aorg. In either case, B will mark the packet as having failed TEST2. However, if the packet is authenticated correctly for the association, B will update peer->xmt = pkt->xmt before rejecting the packet due to failing TEST2. In B's next packet to A, it will set pkt->org = peer->xmt and peer->aorg = pkt->xmt, ensuring that the packet will pass TEST2 at A, causing it to be accepted by A, and overwriting any previous value of peer->aorg at B. A will update its peer variables for B as well, ensuring that A's next packet will be accepted by B. From this point on, the symmetric association between A and B has successfully resynchronized.\n\nThus, we see that recovery from packet loss or peer restart is not hampered by allowing peer->aorg to maintain its previous value when a packet with a zero origin timestamp is received. 
Further to the point, ntpd versions prior to ntp-4.2.8p6 did not clear peer->aorg upon receipt of a packet bearing a zero origin timestamp.\n\n### Mitigation\n\nThe only ntpd-based mitigations for this vulnerability are to try to make it harder for an attacker to guess the peers of ntpd instances and to monitor ntpd logs for messages such as the following:\n \n \n ntpd[16767]: receive: Drop 0 origin timestamp from sym_active@192.168.33.12 xmt 0xdbe84918.63324800\n \n ntpd[16767]: receive: Unexpected origin timestamp 0xdbe849a1.279a6fea does not match aorg 0000000000.00000000 from sym_active@192.168.33.12 xmt 0xdbe849a4.52a12e3a\n \n\nAll ntpd instances should be configured to block control queries from untrusted servers. This is best practice.\n\nAll ntpd clients should block all incoming traffic that does not originate from a known peer address. This can be accomplished with a stateful firewall.\n\nBecause peer->aorg is cleared before authentication is enforced, enabling NTP authentication does not prevent exploitation of this vulnerability.\n\n### Timeline\n\n2017-01-04 - Vendor Disclosure \n2017-03-29 - Public Release \n\n\n##### Credit\n\nDiscovered by Matthew Van Gundy of Cisco ASIG.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0230\n\nPrevious Report\n\nTALOS-2017-0296\n", "published": "2017-03-29T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0260", "cvelist": ["CVE-2015-8138", "CVE-2016-9042", "CVE-2016-7431"], "lastseen": "2018-03-07T23:38:31"}, {"id": "TALOS-2016-0203", "type": "talos", "title": "Network Time Protocol Control Mode Unauthenticated Trap Information Disclosure and DDoS Amplification Vulnerability", "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0203\n\n## Network Time Protocol Control Mode Unauthenticated Trap Information Disclosure and DDoS Amplification Vulnerability\n\n##### November 
21, 2016\n\n##### CVE Number\n\nCVE-2016-9310\n\n### Summary\n\nAn exploitable configuration modification vulnerability exists in the control mode (mode 6) functionality of ntpd. A specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, preventing legitimate monitoring. A remote, unauthenticated, network attacker can trigger this vulnerability.\n\n### Tested Versions\n\nNTP 4.2.8p3 \nNTP 4.2.8p8 \nNTPsec 0.9.1 \nNTPsec 0.9.3\n\n### Product URLs\n\nhttp://www.ntp.org \nhttp://www.ntpsec.org/\n\n### CVSS Scores\n\nCVSSv2: 6.4 - (AV:N/AC:L/Au:N/C:P/I:P/A:N) \nCVSSv3: 6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\n\n### Details\n\nntpd provides a `trap` functionality that sends asynchronous notifications to a number of `trap receivers` whenever an event of interest occurs. Example events of interest include: association mobilization and demobilization, authentication failures, reachability changes, etc.\n\nSince at least ntp-4.0.94 (July 21, 1999), ntpd has allowed traps to be configured via control (mode 6) and private (mode 7) NTP modes. Though private mode requires messages modifying trap settings to be authenticated, control mode allows unauthenticated packets to modify trap settings using the `SETTRAP` and `UNSETTRAP` control messages.\n\nThis vulnerability can be used to achieve several goals:\n\n * Time Shifting: If an attacker controls a host that is allowed to receive traps (i.e. not restricted by `restrict noquery` or `restrict notrap`), the attacker can instruct a victim ntpd instance to send traps to the attacker's host. Whenever a reportable event occurs for some peer, the victim ntpd will send a trap to the attacker leaking all the peer variables associated with that peer. 
The information leaked includes the peer's org and rec variables allowing the attacker to bypass TEST2 and impersonate said peer in a manner similar to CVE-2015-8139 and CVE-2016-1548.\n\nThe attacker can force the victim ntpd to leak the information for any peer at any time by triggering a reportable event for said peer. There are multiple methods to trigger a reportable event for a peer, among them spoofing an invalid crypto-NAK or incorrectly authenticated packet from the peer.\n\nNOTE: With ntp-4.2.8p8 and earlier the 0rigin attack (CVE-2015-8138) [1] already allows impersonation of reachable peers. In those ntpd versions, this vulnerability provides another method for impersonating unreachable peers.\n\n * DDoS Amplification: An attacker can use an ntpd instance as a DDoS amplifier to DDoS hosts that are allowed to receive traps from the ntpd instance using the following technique. The amplification factor is 12-13x.\n\nThe attacker forges a `SETTRAP` packet from the `victim` to the `amplifier`, causing the `amplifier` to set a trap for the `victim`. The attacker then repeatedly triggers reportable events causing trap messages to be sent to the victim. E.g. the attacker rapidly forges invalid crypto-NAKs and/or bad_auth packets from the `victim`'s `sys_peer`.\n\nntpd attempts to limit the number of consecutive traps sent for events of a single type. To maximize effect, the attacker can alternate between events of different types.\n\nntpd will periodically time out old traps when a new one is set. 
Therefore, for a long-term attack, the attacker may need to periodically refresh the trap on the `amplifier`.\n\n * Evading Monitoring: In an environment where dynamically configured traps are used to modify an ntpd instance, an unauthenticated attacker can remove traps set by legitimate monitoring systems by spoofing the source address of the `trap receiver` in an `UNSETTRAP` message.\n\nAuthentication should be required in order to modify trap configuration.\n\n### Mitigation\n\nSeveral mitigations can lessen the impact of this vulnerability.\n\n 1. Unauthorized hosts can be prevented from receiving traps using the `restrict default notrap` restriction. This setting is the default on many modern Linux systems.\n\nThis mitigation has no effect on the \"Evading Monitoring\" impact described above because the alleged sender of the packet is an authorized trap receiver.\n\n 2. Block NTP control mode trap configuration commands using a firewall or IPS. It does not appear that support for configuring control mode traps was ever implemented in ntpq, the reference NTP control mode client. As such, on most networks blocking control mode trap configuration commands should have no effect on legitimate traffic. 
Specifically, firewalls should block packets with the following characteristics:\n\n * UDP Destination Port: 123\n * NTP Mode: 6\n * NTP Control Operation Code: 6 (SETTRAP) or 31 (UNSETTRAP)\n\nTraps specified in ntp.conf cannot be modified using this vulnerability.\n\n[1] http://www.talosintelligence.com/reports/TALOS-2016-0077/\n\n### Timeline\n\n2016-09-20 - Vendor Disclosure \n2016-11-21 - Public Release\n\n##### Credit\n\nDiscovered by Matthew Van Gundy of Cisco ASIG.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0131\n\nPrevious Report\n\nTALOS-2016-0204\n", "published": "2016-11-21T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0203", "cvelist": ["CVE-2016-1548", "CVE-2015-8138", "CVE-2015-8139", "CVE-2016-9310"], "lastseen": "2017-07-26T06:23:56"}], "seebug": [{"id": "SSV:96543", "type": "seebug", "title": "Network Time Protocol Origin Timestamp Check Denial of Service Vulnerability(CVE-2016-9042)", "description": "### Summary\r\nAn exploitable denial of service vulnerability exists in the origin timestamp check functionality of ntpd 4.2.8p9. A specially crafted unauthenticated network packet can be used to reset the expected origin timestamp for target peers. Legitimate replies from targeted peers will fail the origin timestamp check (TEST2) causing the reply to be dropped and creating a denial of service condition.\r\n\r\n### Tested Versions\r\nNTP 4.2.8p9\r\n\r\n### Product URLs\r\nhttp://www.ntp.org\r\n\r\n### CVSSv3 Score\r\nCVSSv2: 4.3 - (AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv3: 3.7 - CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L\r\n\r\n### Details\r\nIn most modes, NTP prevents spoofing by off-path attackers by verifying that the origin timestamp of an incoming NTP packet matches the transmit timestamp on the daemon's last outgoing packet --- using the transmit and origin timestamps as a per-request nonce. 
This test is described in RFC 5905 and dubbed TEST2 in ntpd's source code. To prevent an NTP daemon from accepting responses to duplicated request packets, RFC 5095 also specifies that the expected origin timestamp should be set to zero after successfully validating the origin timestamp of an incoming packet. Unfortunately, ntpd releases before 4.2.8p9 did not correctly reject incoming packets bearing a zero origin timestamp. This allowed a trivial bypass of TEST2, the origin timestamp check, by setting the origin timestamp on spoofed packets equal to zero (CVE-2015-8138, CVE-2016-7431).\r\n\r\nntp-4.2.8p9 fixes CVE-2015-8138 by rejecting packets with zero origin timestamps in all modes where that is not expected legitimate behavior. However, for reasons unknown, before rejecting a packet bearing a zero origin timestamp, ntp-4.2.8p9 clears the expected origin timestamp (peer->aorg) as can be seen in the following abstracted code:\r\n```\r\nif (0) {\r\n} else if (L_ISZERO(&p_org)) {\r\n char *action;\r\n\r\n L_CLR(&peer->aorg);\r\n ...\r\n peer->bogusorg++;\r\n peer->flash |= TEST2; /* bogus */\r\n ... /* packet will be dropped */\r\n} else if (!L_ISEQU(&p_org, &peer->aorg)) {\r\n peer->bogusorg++;\r\n peer->flash |= TEST2; /* bogus */\r\n ... /* packet will be dropped */\r\n} else {\r\n L_CLR(&peer->aorg);\r\n}\r\n```\r\n\r\nThis leads to a trivial denial of service. An unauthenticated network attacker who knows the address of one of the peers of a victim ntpd process can send the victim ntpd spoofed packets with the source address of the peer and a zero origin timestamp in order to reset peer->aorg for that peer. This will cause the next packet sent from the peer to fail the origin timestamp check (TEST2) and be dropped. 
The attacker can repeat this each poll period for all known peers in order to prevent their packets from being accepted by the victim ntpd.\r\n\r\nThis attack is very effective against symmetric associations where the duration between an outgoing packet from the victim ntpd and its \"response\" will be on the order of seconds to minutes. The attack is more difficult for client-server associations where the request-response window is likely to be on the order of milliseconds. However, if the attacker can observe the victim ntpd's request packet, it can attempt to race the remote peer's legitimate response.\r\n\r\nAn attacker can learn the currently selected peer of a victim ntpd process by sending the victim a client mode request and reading the peer's address from the refid field of the victim's response. This allows the attacker to target the currently selected peer one at a time until it has learned and targeted all peers of the victim ntpd process. If the victim allows NTP control queries or the attacker can observe the victim's NTP traffic, the attacker can easily learn all the victim's peers.\r\n\r\nThe call to L_CLR(&peer->aorg) when a zero-origin timestamp packet is received appears unnecessary and should be removed. To see that clearing peer->aorg is unnecessary, let's consider the operation of each NTP mode in turn after omitting the L_CLR(&peer->aorg):\r\n\r\n* Client-Server: Servers are stateless, so the change has no effect on them. Clients should not be sending requests with zero transmit timestamps and, therefore, should not be receiving responses with zero origin timestamps. 
Thus, removing the L_CLR(&peer->aorg) should have no effect on legitimate client-server behavior.\r\n* Broadcast: Broadcast packets are handled separately and thus are not influenced by the behavior of this code.\r\n* Symmetric (Active and Passive): When two symmetric peers are synchronized to a legitimate time source (0 < stratum < 16) and the association between them is fully operational, the origin timestamp on incoming packets will be non-zero and equal to peer->aorg, thus avoiding the L_CLR(&peer->aorg). The interesting cases occur when there is packet loss or one peer resets their association (e.g. ntpd is restarted).\r\n\r\n\r\nWithout loss of generality, let A be the sender and B the recipient of the first packet with pkt->org != peer->aorg. If A reset its association with B, pkt->org == 0. Otherwise, pkt->org != 0 && pkt->org != peer->aorg. In either case, B will mark the packet as having failed TEST2. However, if the packet is authenticated correctly for the association, B will update peer->xmt = pkt->xmt before rejecting the packet due to failing TEST2. In B's next packet to A, it will set pkt->org = peer->xmt and peer->aorg = pkt->xmt, ensuring that the packet will pass TEST2 at A, causing it to be accepted by A, and overwriting any previous value of peer->aorg at B. A will update its peer variables for B as well, ensuring that A's next packet will be accepted by B. From this point on, the symmetric association between A and B has successfully resynchronized.\r\n\r\nThus, we see that recovery from packet loss or peer restart is not hampered by allowing peer->aorg to maintain its previous value when a packet with a zero origin timestamp is received. 
Further to the point, ntpd versions prior to ntp-4.2.8p6 did not clear peer->aorg upon receipt of a packet bearing a zero origin timestamp.\r\n\r\n### Mitigation\r\nThe only ntpd-based mitigations for this vulnerability are to try to make it harder for an attacker to guess the peers of ntpd instances and to monitor ntpd logs for messages such as the following:\r\n```\r\nntpd[16767]: receive: Drop 0 origin timestamp from sym_active@192.168.33.12 xmt 0xdbe84918.63324800\r\n\r\nntpd[16767]: receive: Unexpected origin timestamp 0xdbe849a1.279a6fea does not match aorg 0000000000.00000000 from sym_active@192.168.33.12 xmt 0xdbe849a4.52a12e3a\r\n```\r\nAll ntpd instances should be configured to block control queries from untrusted servers. This is best practice.\r\n\r\nAll ntpd clients should block all incoming traffic that does not originate from a known peer address. This can be accomplished with a stateful firewall.\r\n\r\nBecause peer->aorg is cleared before authentication is enforced, enabling NTP authentication does not prevent exploitation of this vulnerability.\r\n### Timeline\r\n* 2017-01-04 - Vendor Disclosure\r\n* 2017-03-29 - Public Release\r\n\r\n### CREDIT\r\n* Discovered by Matthew Van Gundy of Cisco ASIG.", "published": "2017-09-20T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.seebug.org/vuldb/ssvid-96543", "cvelist": ["CVE-2015-8138", "CVE-2016-7431", "CVE-2016-9042"], "lastseen": "2017-11-19T12:01:00"}, {"id": "SSV:96647", "type": "seebug", "title": "Network Time Protocol Control Mode Unauthenticated Trap Information Disclosure and DDoS Amplification Vulnerability(CVE-2016-9310)", "description": "### Summary\r\nAn exploitable configuration modification vulnerability exists in the control mode (mode 6) functionality of ntpd. 
A specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, preventing legitimate monitoring. A remote, unauthenticated, network attacker can trigger this vulnerability.\r\n\r\n### Tested Versions\r\n* NTP 4.2.8p3\r\n* NTP 4.2.8p8\r\n* NTPsec 0.9.1\r\n* NTPsec 0.9.3\r\n\r\n### Product URLs\r\n* http://www.ntp.org\r\n* http://www.ntpsec.org/\r\n\r\n### CVSS Scores\r\n* CVSSv2: 6.4 - (AV:N/AC:L/Au:N/C:P/I:P/A:N)\r\n* CVSSv3: 6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\r\n\r\n### Details\r\nntpd provides a `trap` functionality that sends asynchronous notifications to a number of `trap receivers` whenever an event of interest occurs. Example events of interest include: association mobilization and demobilization, authentication failures, reachability changes, etc.\r\n\r\nSince at least ntp-4.0.94 (July 21, 1999), ntpd has allowed traps to be configured via control (mode 6) and private (mode 7) NTP modes. Though private mode requires messages modifying trap settings to be authenticated, control mode allows unauthenticated packets to modify trap settings using the `SETTRAP` and `UNSETTRAP` control messages.\r\n\r\nThis vulnerability can be used to achieve several goals:\r\n\r\n* Time Shifting: If an attacker controls a host that is allowed to receive traps (i.e. not restricted by `restrict noquery` or `restrict notrap`), the attacker can instruct a victim ntpd instance to send traps to the attacker's host. Whenever a reportable event occurs for some peer, the victim ntpd will send a trap to the attacker leaking all the peer variables associated with that peer. The information leaked includes the peer's org and rec variables allowing the attacker to bypass TEST2 and impersonate said peer in a manner similar to CVE-2015-8139 and CVE-2016-1548.\r\nThe attacker can force the victim ntpd to leak the information for any peer at any time by triggering a reportable event for said peer. 
There are multiple methods to trigger a reportable event for a peer, among them spoofing an invalid crypto-NAK or incorrectly authenticated packet from the peer.\r\nNOTE: With ntp-4.2.8p8 and earlier the 0rigin attack (CVE-2015-8138) [1] already allows impersonation of reachable peers. In those ntpd versions, this vulnerability provides another method for impersonating unreachable peers.\r\n\r\n* DDoS Amplification: An attacker can use an ntpd instance as a DDoS amplifier to DDoS hosts that are allowed to receive traps from the ntpd instance using the following technique. The amplification factor is 12-13x.\r\n\r\nThe attacker forges a `SETTRAP` packet from the `victim` to the `amplifier`, causing the `amplifier` to set a trap for the `victim`. The attacker then repeatedly triggers reportable events causing trap messages to be sent to the victim. E.g. the attacker rapidly forges invalid crypto-NAKs and/or bad_auth packets from the `victim`'s `sys_peer`.\r\nntpd attempts to limit the number of consecutive traps sent for events of a single type. To maximize effect, the attacker can alternate between events of different types.\r\nntpd will periodically time out old traps when a new one is set. Therefore, for a long-term attack, the attacker may need to periodically refresh the trap on the `amplifier`.\r\n\r\n* Evading Monitoring: In an environment where dynamically configured traps are used to modify an ntpd instance, an unauthenticated attacker can remove traps set by legitimate monitoring systems by spoofing the source address of the `trap receiver` in an `UNSETTRAP` message.\r\n\r\nAuthentication should be required in order to modify trap configuration.\r\n\r\n### Mitigation\r\nSeveral mitigations can lessen the impact of this vulnerability.\r\n\r\n1. Unauthorized hosts can be prevented from receiving traps using the `restrict default notrap` restriction. 
This setting is the default on many modern Linux systems.\r\nThis mitigation has no effect on the \"Evading Monitoring\" impact described above because the alleged sender of the packet is an authorized trap receiver.\r\n2. Block NTP control mode trap configuration commands using a firewall or IPS. It does not appear that support for configuring control mode traps was ever implemented in ntpq, the reference NTP control mode client. As such, on most networks blocking control mode trap configuration commands should have no effect on legitimate traffic. Specifically, firewalls should block packets with the following characteristics:\r\n\t* UDP Destination Port: 123\r\n\t* NTP Mode: 6\r\n\t* NTP Control Operation Code: 6 (SETTRAP) or 31 (UNSETTRAP)\r\n\r\nTraps specified in ntp.conf cannot be modified using this vulnerability.\r\n[1] http://www.talosintelligence.com/reports/TALOS-2016-0077/\r\n\r\n### Timeline\r\n* 2016-09-20 - Vendor Disclosure\r\n* 2016-11-21 - Public Release", "published": "2017-10-11T00:00:00", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-96647", "cvelist": ["CVE-2015-8138", "CVE-2015-8139", "CVE-2016-1548", "CVE-2016-9310"], "lastseen": "2017-11-19T12:15:06"}], "amazon": [{"id": "ALAS-2016-649", "type": "amazon", "title": "Important: ntp", "description": "**Issue Overview:**\n\nIt was discovered that ntpd as a client did not correctly check the originate timestamp in received packets. A remote attacker could use this flaw to send a crafted packet to an ntpd client that would effectively disable synchronization with the server, or push arbitrary offset/delay measurements to modify the time on the client. ([CVE-2015-8138 __](<https://access.redhat.com/security/cve/CVE-2015-8138>))\n\nA NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. 
A remote attacker could use this flaw to crash the ntpd process. ([CVE-2015-7977 __](<https://access.redhat.com/security/cve/CVE-2015-7977>))\n\nIt was found that NTP does not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key. ([CVE-2015-7974 __](<https://access.redhat.com/security/cve/CVE-2015-7974>))\n\nA stack-based buffer overflow was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash the ntpd process. ([CVE-2015-7978 __](<https://access.redhat.com/security/cve/CVE-2015-7978>))\n\nIt was found that when NTP is configured in broadcast mode, an off-path attacker could broadcast packets with bad authentication (wrong key, mismatched key, incorrect MAC, etc) to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server. This could cause the time on affected clients to become out of sync over a longer period of time. ([CVE-2015-7979 __](<https://access.redhat.com/security/cve/CVE-2015-7979>))\n\nA flaw was found in the way the ntpq client processed certain incoming packets in a loop in the getresponse() function. A remote attacker could potentially use this flaw to crash an ntpq client instance. ([CVE-2015-8158 __](<https://access.redhat.com/security/cve/CVE-2015-8158>))\n\n \n**Affected Packages:** \n\n\nntp\n\n \n**Issue Correction:** \nRun _yum update ntp_ to update your system. 
\n\n\n \n**New Packages:**\n \n \n i686: \n ntp-4.2.6p5-36.29.amzn1.i686 \n ntpdate-4.2.6p5-36.29.amzn1.i686 \n ntp-debuginfo-4.2.6p5-36.29.amzn1.i686 \n \n noarch: \n ntp-doc-4.2.6p5-36.29.amzn1.noarch \n ntp-perl-4.2.6p5-36.29.amzn1.noarch \n \n src: \n ntp-4.2.6p5-36.29.amzn1.src \n \n x86_64: \n ntpdate-4.2.6p5-36.29.amzn1.x86_64 \n ntp-4.2.6p5-36.29.amzn1.x86_64 \n ntp-debuginfo-4.2.6p5-36.29.amzn1.x86_64 \n \n \n", "published": "2016-02-09T13:30:00", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://alas.aws.amazon.com/ALAS-2016-649.html", "cvelist": ["CVE-2015-8138", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2016-09-28T21:04:12"}], "paloalto": [{"id": "PAN-SA-2016-0019", "type": "paloalto", "title": "NTP Vulnerabilities", "description": "The open source ntp project has been found to contain several vulnerabilities (CVE-2015-8158, CVE-2015-8138, CVE-2015-7979, CVE-2015-7978, CVE-2015-7977, CVE-2015-7976, CVE-2015-7975, CVE-2015-7974, CVE-2015-7973, all released in January 2016). 
Palo Alto...\n", "published": "2016-08-15T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://securityadvisories.paloaltonetworks.com/Home/Detail/52", "cvelist": ["CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-04-26T19:18:52"}], "suse": [{"id": "SUSE-SU-2016:1177-1", "type": "suse", "title": "Security update for ntp (important)", "description": "ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n These security issues were fixed:\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). 
This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n\n", "published": "2016-04-28T19:13:09", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00060.html", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2016-09-04T12:46:49"}, {"id": "OPENSUSE-SU-2016:1292-1", "type": "suse", "title": "Security update for ntp (important)", "description": "ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n These security issues were fixed:\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: 
Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n\n This update was imported from the SUSE:SLE-12-SP1:Update update project.\n\n", "published": "2016-05-12T21:07:47", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00038.html", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2016-09-04T12:22:35"}, {"id": "SUSE-SU-2016:1175-1", "type": "suse", "title": "Security update for ntp (important)", "description": "ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\n These security issues were fixed:\n - CVE-2015-8158: Fixed potential infinite loop in ntpq 
(bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. 
When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n - bsc#784760: Remove local clock from default configuration\n\n", "published": "2016-04-28T19:09:34", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00059.html", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2016-09-04T11:47:01"}, {"id": "SUSE-SU-2016:1247-1", "type": "suse", "title": "Security update for ntp (important)", "description": "ntp was updated to version 4.2.8p6 to fix 28 security issues.\n\n Major functional changes:\n - The "sntp" commandline tool changed its option handling in a major way,\n some options have been renamed or dropped.\n - "controlkey 1" is added during update to ntp.conf to allow sntp to work.\n - The local clock is being disabled during update.\n - ntpd is no longer running chrooted.\n\n Other functional changes:\n - ntp-signd is installed.\n - "enable mode7" can be added to the configuration to allow ntpdc to work\n as compatibility mode option.\n - "kod" was removed from the default restrictions.\n - SHA1 keys are used by default instead of MD5 keys.\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n These security issues were fixed:\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin 
Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n - CVE-2015-7871: NAK to the Future: Symmetric association authentication\n bypass via crypto-NAK (bsc#951608).\n - CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning\n FAIL on some bogus values (bsc#951608).\n - CVE-2015-7854: Password Length Memory Corruption Vulnerability\n (bsc#951608).\n - CVE-2015-7853: Invalid length data provided by a custom refclock driver\n could cause a buffer overflow (bsc#951608).\n - CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability\n (bsc#951608).\n - CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#951608).\n - CVE-2015-7850: remote config logfile-keyfile (bsc#951608).\n - CVE-2015-7849: trusted key use-after-free (bsc#951608).\n - CVE-2015-7848: mode 7 loop counter underrun (bsc#951608).\n - CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#951608).\n - CVE-2015-7703: configuration directives "pidfile" and "driftfile" should\n only be allowed locally (bsc#951608).\n - CVE-2015-7704, CVE-2015-7705: Clients that receive a KoD should validate\n the origin timestamp field 
(bsc#951608).\n - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702: Incomplete autokey data\n packet length checks (bsc#951608).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n - Add a controlkey line to /etc/ntp.conf if one does not already exist to\n allow runtime configuration via ntpq.\n - bsc#946386: Temporarily disable memlock to avoid problems due to high\n memory usage during name resolution.\n - bsc#905885: Use SHA1 instead of MD5 for symmetric keys.\n - Improve runtime configuration:\n * Read keytype from ntp.conf\n * Don't write ntp keys to syslog.\n - Fix legacy action scripts to pass on command line arguments.\n - bsc#944300: Remove "kod" from the restrict line in ntp.conf.\n - bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.\n - Add a controlkey to ntp.conf to make the above work.\n - Don't let "keysdir" lines in ntp.conf trigger the "keys" parser.\n - Disable mode 7 (ntpdc) again, now that we don't use it anymore.\n - Add "addserver" as a new legacy action.\n - bsc#910063: Fix the comment regarding addserver in ntp.conf.\n - bsc#926510: Disable chroot by default.\n - bsc#920238: Enable ntpdc for backwards compatibility.\n\n", "published": "2016-05-06T13:07:50", "cvss": {"score": 2.1, "vector": 
"AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00020.html", "cvelist": ["CVE-2015-7703", "CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7855", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7704", "CVE-2015-7979", "CVE-2015-7701", "CVE-2015-7976", "CVE-2015-7848", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7692", "CVE-2015-7851", "CVE-2015-7702", "CVE-2015-7852", "CVE-2015-7871", "CVE-2015-7849", "CVE-2015-7691", "CVE-2015-7705", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7850", "CVE-2015-7854", "CVE-2015-7978", "CVE-2015-7853"], "lastseen": "2016-09-04T12:27:22"}, {"id": "SUSE-SU-2016:1311-1", "type": "suse", "title": "Security update for ntp (important)", "description": "This network time protocol server ntp was updated to 4.2.8p6 to fix the\n following issues:\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n Major functional changes:\n - The "sntp" commandline tool changed its option handling in a major way.\n - "controlkey 1" is added during update to ntp.conf to allow sntp to work.\n - The local clock is being disabled during update.\n - ntpd is no longer running chrooted.\n\n\n Other functional changes:\n - ntp-signd is installed.\n - "enable mode7" can be added to the configuration to allow ntpdc to work\n as compatibility mode option.\n - "kod" was removed from the default restrictions.\n - SHA1 keys are used by default instead of MD5 keys.\n\n These security issues were fixed:\n - CVE-2015-5219: An endless loop due to incorrect precision to double\n conversion (bsc#943216).\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - 
CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n - CVE-2015-7871: NAK to the Future: Symmetric association authentication\n bypass via crypto-NAK (bsc#951608).\n - CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning\n FAIL on some bogus values (bsc#951608).\n - CVE-2015-7854: Password Length Memory Corruption Vulnerability\n (bsc#951608).\n - CVE-2015-7853: Invalid length data provided by a custom refclock driver\n could cause a buffer overflow (bsc#951608).\n - CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability\n (bsc#951608).\n - CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#951608).\n - CVE-2015-7850: remote config logfile-keyfile (bsc#951608).\n - CVE-2015-7849: trusted key use-after-free (bsc#951608).\n - CVE-2015-7848: mode 7 loop counter underrun (bsc#951608).\n - CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#951608).\n - CVE-2015-7703: configuration directives "pidfile" and "driftfile" should\n only be allowed locally (bsc#951608).\n - CVE-2015-7704, CVE-2015-7705: Clients that receive a KoD should validate\n the origin timestamp field (bsc#951608).\n - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702: Incomplete autokey data\n packet length checks (bsc#951608).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n 
(--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n - Add a controlkey line to /etc/ntp.conf if one does not already exist to\n allow runtime configuration via ntpq.\n - bsc#946386: Temporarily disable memlock to avoid problems due to high\n memory usage during name resolution.\n - bsc#905885: Use SHA1 instead of MD5 for symmetric keys.\n - Improve runtime configuration:\n * Read keytype from ntp.conf\n * Don't write ntp keys to syslog.\n - Fix legacy action scripts to pass on command line arguments.\n - bsc#944300: Remove "kod" from the restrict line in ntp.conf.\n - bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.\n - Don't let "keysdir" lines in ntp.conf trigger the "keys" parser.\n - Disable mode 7 (ntpdc) again, now that we don't use it anymore.\n - Add "addserver" as a new legacy action.\n - bsc#910063: Fix the comment regarding addserver in ntp.conf.\n - bsc#926510: Disable chroot by default.\n - bsc#920238: Enable ntpdc for backwards compatibility.\n - bsc#784760: Remove local clock from default configuration.\n - bsc#942441/fate#319496: Require perl-Socket6.\n - Improve runtime configuration:\n * Read keytype from ntp.conf\n * Don't write ntp keys to syslog.\n - bsc#920183: Allow -4 and -6 address qualifiers in "server" directives.\n - Use upstream ntp-wait, because our version is incompatible with the new\n ntpq command line syntax.\n\n", "published": 
"2016-05-17T15:09:17", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00048.html", "cvelist": ["CVE-2015-7703", "CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7855", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-5219", "CVE-2015-7704", "CVE-2015-7979", "CVE-2015-7701", "CVE-2015-7976", "CVE-2015-7848", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7692", "CVE-2015-7851", "CVE-2015-7702", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7871", "CVE-2015-7849", "CVE-2015-7691", "CVE-2015-7705", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7850", "CVE-2015-7854", "CVE-2015-7978", "CVE-2015-7853"], "lastseen": "2016-09-04T12:46:49"}, {"id": "SUSE-SU-2016:2094-1", "type": "suse", "title": "Security update for yast2-ntp-client (important)", "description": "The YaST2 NTP Client was updated to handle the presence of both xntp and\n ntp packages.\n\n If none are installed, "ntp" will be installed.\n\n Security Issues:\n\n * CVE-2016-4953\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953>\n * CVE-2016-4954\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954>\n * CVE-2016-4955\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955>\n * CVE-2016-4956\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956>\n * CVE-2016-4957\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4957>\n * CVE-2016-1547\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1547>\n * CVE-2016-1548\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548>\n * CVE-2016-1549\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549>\n * CVE-2016-1550\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550>\n * CVE-2016-1551\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1551>\n * CVE-2016-2516\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516>\n * CVE-2016-2517\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2517>\n * CVE-2016-2518\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518>\n * CVE-2016-2519\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2519>\n * CVE-2015-8158\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158>\n * CVE-2015-8138\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138>\n * CVE-2015-7979\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979>\n * CVE-2015-7978\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978>\n * CVE-2015-7977\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977>\n * CVE-2015-7976\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976>\n * CVE-2015-7975\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975>\n * CVE-2015-7974\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974>\n * CVE-2015-7973\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973>\n * CVE-2015-5300\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300>\n * CVE-2015-5194\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5194>\n * CVE-2015-7871\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871>\n * CVE-2015-7855\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855>\n * CVE-2015-7854\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854>\n * CVE-2015-7853\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853>\n * CVE-2015-7852\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852>\n * CVE-2015-7851\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851>\n * CVE-2015-7850\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850>\n * CVE-2015-7849\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849>\n * CVE-2015-7848\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848>\n * CVE-2015-7701\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701>\n * CVE-2015-7703\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703>\n * CVE-2015-7704\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704>\n * CVE-2015-7705\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705>\n * CVE-2015-7691\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691>\n * CVE-2015-7692\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692>\n * CVE-2015-7702\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702>\n * CVE-2015-1798\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798>\n * CVE-2015-1799\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799>\n\n\n", "published": "2016-08-17T21:08:25", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00042.html", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-7703", "CVE-2016-4956", "CVE-2016-4955", "CVE-2015-8138", "CVE-2015-7855", "CVE-2016-4953", "CVE-2015-7973", "CVE-2015-1799", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7704", "CVE-2016-1551", "CVE-2015-7979", "CVE-2016-4954", "CVE-2015-7701", "CVE-2015-7976", "CVE-2015-7848", "CVE-2015-7975", "CVE-2015-7692", "CVE-2016-1547", "CVE-2015-7851", "CVE-2015-7702", "CVE-2016-4957", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7871", "CVE-2015-7849", "CVE-2015-7691", "CVE-2016-2519", "CVE-2016-2517", "CVE-2015-7705", "CVE-2015-1798", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7850", "CVE-2016-1549", "CVE-2015-7854", "CVE-2015-7978", "CVE-2015-7853"], "lastseen": "2016-09-04T12:46:49"}, {"id": "SUSE-SU-2016:1912-1", "type": "suse", "title": "Security update for ntp (important)", "description": "NTP was updated to version 4.2.8p8 to fix several 
security issues and to\n ensure the continued maintainability of the package.\n\n These security issues were fixed:\n\n * CVE-2016-4953: Bad authentication demobilized ephemeral associations\n (bsc#982065).\n * CVE-2016-4954: Processing spoofed server packets (bsc#982066).\n * CVE-2016-4955: Autokey association reset (bsc#982067).\n * CVE-2016-4956: Broadcast interleave (bsc#982068).\n * CVE-2016-4957: CRYPTO_NAK crash (bsc#982064).\n * CVE-2016-1547: Validate crypto-NAKs to prevent ACRYPTO-NAK DoS\n (bsc#977459).\n * CVE-2016-1548: Prevent the change of time of an ntpd client or\n denying service to an ntpd client by forcing it to change from basic\n client/server mode to interleaved symmetric mode (bsc#977461).\n * CVE-2016-1549: Sybil vulnerability: ephemeral association attack\n (bsc#977451).\n * CVE-2016-1550: Improve security against buffer comparison timing\n attacks (bsc#977464).\n * CVE-2016-1551: Refclock impersonation vulnerability (bsc#977450).\n * CVE-2016-2516: Duplicate IPs on unconfig directives could have\n caused an assertion botch in ntpd (bsc#977452).\n * CVE-2016-2517: Remote configuration trustedkey/\n requestkey/controlkey values are not properly validated (bsc#977455).\n * CVE-2016-2518: Crafted addpeer with hmode > 7 causes array\n wraparound with MATCH_ASSOC (bsc#977457).\n * CVE-2016-2519: ctl_getitem() return value not always checked\n (bsc#977458).\n * CVE-2015-8158: Potential Infinite Loop in ntpq (bsc#962966).\n * CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n * CVE-2015-7979: Off-path Denial of Service (DoS) attack on\n authenticated broadcast mode (bsc#962784).\n * CVE-2015-7978: Stack exhaustion in recursive traversal of\n restriction list (bsc#963000).\n * CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n * CVE-2015-7976: ntpq saveconfig command allowed dangerous characters\n in filenames (bsc#962802).\n * CVE-2015-7975: nextvar() missing length check (bsc#962988).\n * CVE-2015-7974: NTP did not verify 
peer associations of symmetric\n keys when authenticating packets, which might have allowed remote\n attackers to conduct impersonation attacks via an arbitrary trusted\n key, aka a "skeleton" key (bsc#962960).\n * CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n * CVE-2015-5300: MITM attacker can force ntpd to make a step larger\n than the panic threshold (bsc#951629).\n * CVE-2015-5194: Crash with crafted logconfig configuration command\n (bsc#943218).\n * CVE-2015-7871: NAK to the Future: Symmetric association\n authentication bypass via crypto-NAK (bsc#952611).\n * CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning\n FAIL on some bogus values (bsc#952611).\n * CVE-2015-7854: Password Length Memory Corruption Vulnerability\n (bsc#952611).\n * CVE-2015-7853: Invalid length data provided by a custom refclock\n driver could cause a buffer overflow (bsc#952611).\n * CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability\n (bsc#952611).\n * CVE-2015-7851: saveconfig Directory Traversal Vulnerability\n (bsc#952611).\n * CVE-2015-7850: Clients that receive a KoD now validate the origin\n timestamp field (bsc#952611).\n * CVE-2015-7849: Prevent use-after-free trusted key (bsc#952611).\n * CVE-2015-7848: Prevent mode 7 loop counter underrun (bsc#952611).\n * CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#952611).\n * CVE-2015-7703: Configuration directives "pidfile" and "driftfile"\n should only be allowed locally (bsc#943221).\n * CVE-2015-7704: Clients that receive a KoD should validate the origin\n timestamp field (bsc#952611).\n * CVE-2015-7705: Clients that receive a KoD should validate the origin\n timestamp field (bsc#952611).\n * CVE-2015-7691: Incomplete autokey data packet length checks\n (bsc#952611).\n * CVE-2015-7692: Incomplete autokey data packet length checks\n (bsc#952611).\n * CVE-2015-7702: Incomplete autokey data packet length checks\n (bsc#952611).\n * CVE-2015-1798: The symmetric-key 
feature in the receive function in\n ntp_proto.c in ntpd in NTP required a correct MAC only if the MAC\n field has a nonzero length, which made it easier for\n man-in-the-middle attackers to spoof packets by omitting the MAC\n (bsc#924202).\n * CVE-2015-1799: The symmetric-key feature in the receive function in\n ntp_proto.c in ntpd in NTP performed state-variable updates upon\n receiving certain invalid packets, which made it easier for\n man-in-the-middle attackers to cause a denial of service\n (synchronization loss) by spoofing the source IP address of a peer\n (bsc#924202).\n\n These non-security issues were fixed:\n\n * Keep the parent process alive until the daemon has finished\n initialisation, to make sure that the PID file exists when the\n parent returns.\n * bsc#979302: Change the process name of the forking DNS worker\n process to avoid the impression that ntpd is started twice.\n * bsc#981422: Don't ignore SIGCHILD because it breaks wait().\n * Separate the creation of ntp.keys and key #1 in it to avoid problems\n when upgrading installations that have the file, but no key #1,\n which is needed e.g. by "rcntp addserver".\n * bsc#957226: Restrict the parser in the startup script to the first\n occurrence of "keys" and "controlkey" in ntp.conf.\n * Enable compile-time support for MS-SNTP (--enable-ntp-signd)\n * bsc#975496: Fix ntp-sntp-dst.patch.\n * bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. 
When run as cron job, /usr/sbin/ is not in the path,\n which caused the synchronization to fail.\n * bsc#782060: Speedup ntpq.\n * bsc#951559: Fix the TZ offset output of sntp during DST.\n * bsc#916617: Add /var/db/ntp-kod.\n * bsc#951351: Add ntp-ENOBUFS.patch to limit a warning that might\n happen quite a lot on loaded systems.\n * Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n * bnc#784760: Remove local clock from default configuration.\n * Fix incomplete backporting of "rcntp ntptimemset".\n * bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.\n * Don't let "keysdir" lines in ntp.conf trigger the "keys" parser.\n * bsc#910063: Fix the comment regarding addserver in ntp.conf.\n * bsc#944300: Remove "kod" from the restrict line in ntp.conf.\n * bsc#905885: Use SHA1 instead of MD5 for symmetric keys.\n * bsc#926510: Re-add chroot support, but mark it as deprecated and\n disable it by default.\n * bsc#920895: Drop support for running chrooted, because it is an\n ongoing source of problems and not really needed anymore, given that\n ntp now drops privileges and runs under apparmor.\n * bsc#920183: Allow -4 and -6 address qualifiers in "server"\n directives.\n * Use upstream ntp-wait, because our version is incompatible with the\n new ntpq command line syntax.\n * bsc#920905: Adjust Util.pm to the Perl version on SLE11.\n * bsc#920238: Enable ntpdc for backwards compatibility.\n * bsc#920893: Don't use %exclude.\n * bsc#988417: Default to NTPD_FORCE_SYNC_ON_STARTUP="yes"\n * bsc#988565: Ignore errors when removing extra files during\n uninstallation\n * bsc#988558: Don't blindly guess the value to use for IP_TOS\n\n Security Issues:\n\n * CVE-2016-4953\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953>\n * CVE-2016-4954\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954>\n * CVE-2016-4955\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955>\n * CVE-2016-4956\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956>\n * CVE-2016-4957\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4957>\n * CVE-2016-1547\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1547>\n * CVE-2016-1548\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548>\n * CVE-2016-1549\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549>\n * CVE-2016-1550\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550>\n * CVE-2016-1551\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1551>\n * CVE-2016-2516\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516>\n * CVE-2016-2517\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2517>\n * CVE-2016-2518\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518>\n * CVE-2016-2519\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2519>\n * CVE-2015-8158\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158>\n * CVE-2015-8138\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138>\n * CVE-2015-7979\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979>\n * CVE-2015-7978\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978>\n * CVE-2015-7977\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977>\n * CVE-2015-7976\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976>\n * CVE-2015-7975\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975>\n * CVE-2015-7974\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974>\n * CVE-2015-7973\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973>\n * CVE-2015-5300\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300>\n * CVE-2015-5194\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5194>\n * CVE-2015-7871\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871>\n * CVE-2015-7855\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855>\n * CVE-2015-7854\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854>\n * CVE-2015-7853\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853>\n * CVE-2015-7852\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852>\n * CVE-2015-7851\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851>\n * CVE-2015-7850\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850>\n * CVE-2015-7849\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849>\n * CVE-2015-7848\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848>\n * CVE-2015-7701\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701>\n * CVE-2015-7703\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703>\n * CVE-2015-7704\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704>\n * CVE-2015-7705\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705>\n * CVE-2015-7691\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691>\n * CVE-2015-7692\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692>\n * CVE-2015-7702\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702>\n * CVE-2015-1798\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798>\n * CVE-2015-1799\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799>\n\n\n", "published": "2016-07-29T19:08:48", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00026.html", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-7703", "CVE-2016-4956", "CVE-2016-4955", "CVE-2015-8138", "CVE-2015-7855", "CVE-2016-4953", "CVE-2015-7973", "CVE-2015-1799", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", 
"CVE-2016-2516", "CVE-2015-7704", "CVE-2016-1551", "CVE-2015-7979", "CVE-2016-4954", "CVE-2015-7701", "CVE-2015-7976", "CVE-2015-7848", "CVE-2015-7975", "CVE-2015-7692", "CVE-2016-1547", "CVE-2015-7851", "CVE-2015-7702", "CVE-2016-4957", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7871", "CVE-2015-7849", "CVE-2015-7691", "CVE-2016-2519", "CVE-2016-2517", "CVE-2015-7705", "CVE-2015-1798", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7850", "CVE-2016-1549", "CVE-2015-7854", "CVE-2015-7978", "CVE-2015-7853"], "lastseen": "2016-09-04T11:46:06"}], "freebsd": [{"id": "5237F5D7-C020-11E5-B397-D050996490D0", "type": "freebsd", "title": "ntp -- multiple vulnerabilities", "description": "\nNetwork Time Foundation reports:\n\nNTF's NTP Project has been notified of the following low-\n\t and medium-severity vulnerabilities that are fixed in\n\t ntp-4.2.8p6, released on Tuesday, 19 January 2016:\n\nBug 2948 / CVE-2015-8158: Potential Infinite Loop\n\t in ntpq. Reported by Cisco ASIG.\nBug 2945 / CVE-2015-8138: origin: Zero Origin\n\t Timestamp Bypass. Reported by Cisco ASIG.\nBug 2942 / CVE-2015-7979: Off-path Denial of\n\t Service (DoS) attack on authenticated broadcast\n\t mode. Reported by Cisco ASIG.\nBug 2940 / CVE-2015-7978: Stack exhaustion in\n\t recursive traversal of restriction list.\n\t Reported by Cisco ASIG.\nBug 2939 / CVE-2015-7977: reslist NULL pointer\n\t dereference. Reported by Cisco ASIG.\nBug 2938 / CVE-2015-7976: ntpq saveconfig command\n\t allows dangerous characters in filenames.\n\t Reported by Cisco ASIG.\nBug 2937 / CVE-2015-7975: nextvar() missing length\n\t check. Reported by Cisco ASIG.\nBug 2936 / CVE-2015-7974: Skeleton Key: Missing\n\t key check allows impersonation between authenticated\n\t peers. Reported by Cisco ASIG.\nBug 2935 / CVE-2015-7973: Deja Vu: Replay attack on\n\t authenticated broadcast mode. 
Reported by Cisco ASIG.\n\nAdditionally, mitigations are published for the following\n\t two issues:\n\nBug 2947 / CVE-2015-8140: ntpq vulnerable to replay\n\t attacks. Reported by Cisco ASIG.\nBug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc,\n\t disclose origin. Reported by Cisco ASIG.\n\n\n", "published": "2016-01-20T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://vuxml.freebsd.org/freebsd/5237f5d7-c020-11e5-b397-d050996490d0.html", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-04-18T17:18:10"}, {"id": "B2487D9A-0C30-11E6-ACD0-D050996490D0", "type": "freebsd", "title": "ntp -- multiple vulnerabilities", "description": "\nNetwork Time Foundation reports:\n\nNTF's NTP Project has been notified of the following low-\n\t and medium-severity vulnerabilities that are fixed in\n\t ntp-4.2.8p7, released on Tuesday, 26 April 2016:\n\nBug 3020 / CVE-2016-1551: Refclock impersonation\n\t vulnerability, AKA: refclock-peering. Reported by\n\t Matt Street and others of Cisco ASIG\nBug 3012 / CVE-2016-1549: Sybil vulnerability:\n\t ephemeral association attack, AKA: ntp-sybil -\n\t MITIGATION ONLY. Reported by Matthew Van Gundy\n\t of Cisco ASIG\nBug 3011 / CVE-2016-2516: Duplicate IPs on\n\t unconfig directives will cause an assertion botch.\n\t Reported by Yihan Lian of the Cloud Security Team,\n\t Qihoo 360\nBug 3010 / CVE-2016-2517: Remote configuration\n\t trustedkey/requestkey values are not properly\n\t validated. Reported by Yihan Lian of the Cloud\n\t Security Team, Qihoo 360\nBug 3009 / CVE-2016-2518: Crafted addpeer with\n\t hmode > 7 causes array wraparound with MATCH_ASSOC.\n\t Reported by Yihan Lian of the Cloud Security Team,\n\t Qihoo 360\nBug 3008 / CVE-2016-2519: ctl_getitem() return\n\t value not always checked. 
Reported by Yihan Lian\n\t of the Cloud Security Team, Qihoo 360\nBug 3007 / CVE-2016-1547: Validate crypto-NAKs,\n\t AKA: nak-dos. Reported by Stephen Gray and\n\t Matthew Van Gundy of Cisco ASIG\nBug 2978 / CVE-2016-1548: Interleave-pivot -\n\t MITIGATION ONLY. Reported by Miroslav Lichvar of\n\t RedHat and separately by Jonathan Gardner of\n\t Cisco ASIG.\nBug 2952 / CVE-2015-7704: KoD fix: peer\n\t associations were broken by the fix for\n\t NtpBug2901, AKA: Symmetric active/passive mode\n\t is broken. Reported by Michael Tatarinov,\n\t NTP Project Developer Volunteer\nBug 2945 / Bug 2901 / CVE-2015-8138: Zero\n\t Origin Timestamp Bypass, AKA: Additional KoD Checks.\n\t Reported by Jonathan Gardner of Cisco ASIG\nBug 2879 / CVE-2016-1550: Improve NTP security\n\t against buffer comparison timing attacks,\n\t authdecrypt-timing, AKA: authdecrypt-timing.\n\t Reported independently by Loganaden Velvindron,\n\t and Matthew Van Gundy and Stephen Gray of\n\t Cisco ASIG.\n\n\n", "published": "2016-04-26T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://vuxml.freebsd.org/freebsd/b2487d9a-0c30-11e6-acd0-d050996490d0.html", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-8138", "CVE-2016-1550", "CVE-2016-2516", "CVE-2015-7704", "CVE-2016-1551", "CVE-2016-1547", "CVE-2016-2519", "CVE-2016-2517", "CVE-2016-1549"], "lastseen": "2017-04-18T17:18:09"}], "cisco": [{"id": "CISCO-SA-20161123-NTPD", "type": "cisco", "title": "Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: November 2016", "description": "A vulnerability in Network Time Protocol (NTP) could allow an unauthenticated, remote attacker to modify the system clock on a targeted system.\n\nThe vulnerability is due to insufficient checks of user-supplied data by the affected software. An attacker could exploit this vulnerability by sending a crafted packet to a targeted NTP client. 
A successful exploit could disable server synchronization, resulting in the ability to modify the system clock on the targeted client system.\n\nA vulnerability in the Network Time Protocol (NTP) service could allow a local attacker to cause a denial of service (DoS) condition.\n\nThe vulnerability is due to improper initial sync calculations that are performed by the affected software. The vulnerability was introduced as the result of an attempt to fix NTP Bug 2085, involving a condition where the root delay was included twice, causing a higher than expected jitter value. Because of a misinterpretation of a small-print variable, a root distance would not include the peer dispersion. An attacker could exploit this vulnerability to cause a partial DoS condition on an affected system.\n\nA vulnerability in the Network Time Protocol (NTP) service could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.\n\nThe vulnerability is due to improper handling of crafted packets by the affected software when the trap service is enabled. An attacker could exploit this vulnerability by sending crafted packets to a targeted system. An exploit could cause a NULL pointer dereference that could cause the ntpd service to crash, resulting in a DoS condition.\n\nA vulnerability in the Network Time Protocol (NTP) service could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.\n\nThe vulnerability is due to insufficient resource pooling when rate limiting for all associations is configured within the affected software. An attacker could exploit this vulnerability by sending crafted packets with a spoofed source address to the targeted system. 
An exploit could prevent the affected software from accepting valid responses from its configured sources, resulting in a DoS condition.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow a local attacker to cause a denial of service (DoS) condition on a targeted system.\n\nThe vulnerability is due to improper validation of user-supplied data by the affected software. An attacker could exploit the vulnerability by sending a malicious packet to a targeted system. A successful exploit could cause the ntpd to stop functioning, resulting in a DoS condition.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.\n\nThe vulnerability is due to improper validation of user-supplied data by the affected software. An unauthenticated, remote attacker could exploit the vulnerability by sending a malicious packet to a targeted system. A successful exploit could cause the ntpd to stop functioning, resulting in a DoS condition.\n\nA vulnerability in the broadcast-mode, poll-interval enforcement functionality of the Network Time Protocol (NTP) service could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.\n\nThe vulnerability is due to improper resource management by the affected software. An attacker who has access to the broadcast domain of a targeted system could exploit this vulnerability by injecting crafted, broadcast-mode NTP packets into the broadcast domain in which the targeted system resides. 
A successful exploit could cause the NTP daemon to reject broadcast-mode packets from legitimate broadcast servers, resulting in a DoS condition.\n\nA vulnerability in the broadcast-mode, replay prevention functionality of the Network Time Protocol (NTP) service could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.\n\nThe vulnerability is due to improper resource management by the affected software. An attacker who has access to the broadcast domain of a targeted system could exploit this vulnerability by injecting crafted, broadcast-mode NTP packets into the broadcast domain in which the targeted system resides. A successful exploit could cause the NTP daemon to reject broadcast-mode packets from legitimate broadcast servers, resulting in a DoS condition.\n\nA vulnerability in the control mode (mode 6) functionality of the Network Time Protocol (NTP) service could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.\n\nThe vulnerability is due to improper security restrictions that could lead to configuration modification. If the restrict default noquery best current practices recommendation for NTP is not specified, an attacker could exploit this vulnerability by sending a crafted control mode packet to an affected system. An exploit could allow the attacker to modify the affected software. The attacker could set ntpd traps, which could be leveraged to disclose sensitive information or aid in DDoS amplification. In addition, an attacker could unset ntpd traps, which could disable monitoring, resulting in a DoS condition.\n\nMultiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package. 
Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server.\n\nOn November 21, 2016, the NTP Consortium of the Network Time Foundation released a security notice that details ten issues regarding DoS vulnerabilities and logic issues that may allow an attacker to shift a system's time.\n\nThe new vulnerabilities disclosed in this document are as follows:\n\nNetwork Time Protocol Trap Service Denial of Service Vulnerability\nNetwork Time Protocol Broadcast Mode Denial of Service Vulnerability\nNetwork Time Protocol Broadcast Mode Denial of Service Vulnerability\nNetwork Time Protocol Insufficient Resource Pool Denial of Service Vulnerability\nNetwork Time Protocol Configuration Modification Denial of Service Vulnerability\nNetwork Time Protocol mrulist Query Requests Denial of Service Vulnerability\nNetwork Time Protocol Multiple Binds to the Same Port Vulnerability\nNetwork Time Protocol Rate Limiting Denial of Service Vulnerability\n\nAs well as:\n\nRegression of CVE-2015-8138\nNetwork Time Protocol Reboot sync calculation problem\n Additional details about each vulnerability are in the NTP Consortium Security Notice [\"http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se\"].\n\nWorkarounds that address one or more of these vulnerabilities may be available and are documented in the Cisco bug for each affected product.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161123-ntpd [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161123-ntpd\"]", "published": "2016-11-23T16:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": 
"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161123-ntpd", "cvelist": ["CVE-2015-8138", "CVE-2016-7426", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-7429", "CVE-2016-7431", "CVE-2016-7433", "CVE-2016-7434", "CVE-2016-9310", "CVE-2016-9311", "CVE-2016-9312"], "lastseen": "2018-04-07T14:09:29"}, {"id": "CISCO-SA-20160428-NTPD", "type": "cisco", "title": "Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: April 2016", "description": "A vulnerability in Network Time Protocol (NTP) could allow an authenticated, remote attacker to cause a reload of the affected system.\n\nThe vulnerability is due to insufficient checking of the duplicate peers requested to be removed by the NTP Mode 7 'unconfig' command. A successful exploit could allow an authenticated, remote attacker to cause a reload of the affected system.\n\nA vulnerability in Network Time Protocol (NTP) could allow an authenticated, remote attacker to cause a reload of the affected system.\n\nThe vulnerability is due to insufficient validation of the user supplied data. A successful exploit could allow an authenticated, remote attacker to cause a reload of the affected system.\n\nA vulnerability in Network Time Protocol (NTP) could allow an authenticated, remote attacker to cause out-of-bounds references on the affected device.\n\nThe vulnerability is due to insufficient validation of the crafted packets carrying an illegal hmode value. 
A successful exploit could allow an authenticated, remote attacker to cause out-of-bounds references on the affected device.\n\nA vulnerability in Network Time Protocol (NTP) could allow an authenticated, remote attacker to change the values of trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted.\n\nThe vulnerability is due to insufficient validation of remote configuration trustedkey/requestkey values when the system is expressly configured to allow for remote configuration. A successful exploit could allow an authenticated, remote attacker to change the values of trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted.\n\nA vulnerability in Network Time Protocol (NTP) could allow an authenticated, remote attacker to modify the system clock on a targeted system.\n\nThe vulnerability is due to not enforcing the limit on the number of active ephemeral associations that may be created under a single key. A successful exploit could allow a malicious authenticated peer to create arbitrarily-many ephemeral associations in order to win ntpd's clock selection algorithm and modify a victim's clock.\n\nA vulnerability in Network Time Protocol (NTP) could allow an unauthenticated, remote attacker to brute force the message digest by guessing values and determining when the comparison function runs for a longer amount of time.\n\nThe vulnerability is due to susceptibility of the authentication process to brute force by a timing attack. 
A successful exploit could allow an unauthenticated, remote attacker to brute force the message digest by guessing values and determining when the comparison function runs for a longer amount of time.\n\nA vulnerability in Network Time Protocol (NTP) could allow an unauthenticated, remote attacker to cause a preemptable client association to be removed.\n\nThe vulnerability is due to insufficient validation of the pre-emptable client associations' authentication. A successful exploit could allow an unauthenticated, remote attacker to cause a preemptable client association to be removed.\n\nA vulnerability in Network Time Protocol (NTP) could allow an unauthenticated, remote attacker to change an existing client/server association to an interleaved symmetric mode, after which a malicious actor can control the time or deny access to the legitimate server.\n\nThe vulnerability is due to insufficient validation of the user supplied data. A successful exploit could allow an unauthenticated, remote attacker to change an existing client/server association to an interleaved symmetric mode, after which a malicious actor can control the time or deny access to the legitimate server.\n\nA vulnerability in Network Time Protocol (NTP) could allow an unauthenticated, remote attacker to inject the refclock source IP to the NTPd process and thus take over the system clock on a targeted system.\n\nThe vulnerability is due to insufficient checks of the source IP address of the incoming NTP packet by the affected software. An attacker could exploit this vulnerability by sending a crafted packet to a targeted system. 
A successful exploit could allow a remote attacker to inject the refclock source IP to the NTPd process and thus take over the system clock on a targeted system.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an unauthenticated, remote attacker to modify time settings on a targeted system.\n\nThe vulnerability is due to incorrect processing of NTP update packets. An attacker could exploit this vulnerability by sending crafted updates that contain a zero-origin timestamp to the clients' peer server. An exploit could allow the attacker to modify the time values received by the client, preventing client systems from receiving further updates from its legitimately configured time server.\n\nA vulnerability in the Network Time Protocol daemon could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.\n\nThe vulnerability is due to improper validation of user-supplied input. An unauthenticated, remote attacker could exploit the vulnerability by sending malicious requests to the targeted system.\n\nMultiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server.\n\nOn April 26, 2016, the NTP Consortium of the Network Time Foundation released a security notice that details 11 issues regarding DoS vulnerabilities, information disclosure vulnerabilities, and logic issues that may allow an attacker to shift a system's time. 
Two of the vulnerabilities disclosed in the NTP security notice address issues that were previously disclosed without a complete fix.\n\nThe new vulnerabilities disclosed in this document are as follows:\n\n CVE-2016-1547: Network Time Protocol CRYPTO-NAK Denial of Service Vulnerability\n CVE-2016-1548: Network Time Protocol Interleave-Pivot Denial of Service Vulnerability\n CVE-2016-1549: Network Time Protocol Sybil Ephemeral Association Attack Vulnerability\n CVE-2016-1550: Network Time Protocol Improve NTP Security Against Buffer Comparison Timing Attacks\n CVE-2016-1551: Network Time Protocol Refclock Impersonation Vulnerability\n CVE-2016-2516: Network Time Protocol Duplicate IPs on Unconfig Directives Will Cause an Assertion Botch in ntpd\n CVE-2016-2517: Network Time Protocol Remote Configuration Trustedkey/Requestkey/Controlkey Values Are Not Properly Validated\n CVE-2016-2518: Network Time Protocol Crafted addpeer Causes Array Wraparound with MATCH_ASSOC\n CVE-2016-2519: Network Time Protocol Remote ctl_getitem() Return Value Not Always Checked\n\nThe two vulnerabilities that were previously disclosed without a complete fix are as follows:\n\n CVE-2015-8138: Network Time Protocol Zero Origin Timestamp Bypass\n CVE-2015-7704: Network Time Protocol Packet Processing Denial of Service Vulnerability\n\nThose vulnerabilities were disclosed by Cisco in the following Cisco Security Advisories:\n\n \n Multiple Vulnerabilities in ntpd Affecting Cisco Products - October 2015[\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151021-ntp\"]\n \n Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016[\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd\"]\n\nAdditional details about each vulnerability are in the NTP Consortium Security Notice[\"http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security\"].\n\nCisco will release 
software updates that address these vulnerabilities.\n\nWorkarounds that address one or more of these vulnerabilities may be available and will be documented in the Cisco bug for each affected product.\n\nThis advisory is available at the following link: \n\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160428-ntpd[\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160428-ntpd\"]", "published": "2016-04-28T09:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160428-ntpd", "cvelist": ["CVE-2015-7704", "CVE-2015-8138", "CVE-2016-1547", "CVE-2016-1548", "CVE-2016-1549", "CVE-2016-1550", "CVE-2016-1551", "CVE-2016-2516", "CVE-2016-2517", "CVE-2016-2518", "CVE-2016-2519"], "lastseen": "2018-02-03T06:00:24"}, {"id": "CISCO-SA-20160127-NTPD", "type": "cisco", "title": "Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016", "description": "A vulnerability in the Network Time Protocol daemon (ntpd) could allow an authenticated, remote attacker to leverage any trusted key, not just the trusted key for its address.\n\nThe vulnerability exists because ntpd does not properly verify that the key being used matches the proper servers' key. An attacker could exploit this vulnerability by sending packets with any trusted key, as long as the keyid references another key the systems share and that key is used to compute the message authentication code (MAC). An exploit could allow the attacker to masquerade as another configured trusted association.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an unauthenticated, adjacent attacker to replay broadcast server packets.\n\nThe vulnerability is due to no replay protection on NTP broadcast packets. 
An attacker could exploit this vulnerability by capturing and retransmitting NTP broadcast packets to a targeted system. An exploit could allow the attacker to cause time settings on a targeted system to stop updating and maintain a particular time value.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an unauthenticated, remote attacker to modify time settings on a targeted system.\n\nThe vulnerability is due to incorrect processing of NTP update packets. An attacker could exploit this vulnerability by sending crafted updates that contain a zero-origin timestamp to the clients' peer server. An exploit could allow the attacker to modify the time values received by the client, preventing client systems from receiving further updates from its legitimately configured time server.\n\nA vulnerability in the Standard Network Time Protocol query program (ntpq) could allow an unauthenticated, remote attacker to replay a previously captured ntpq command.\n\nThe vulnerability is due to an invalid checking of the sequence number. An attacker could exploit this vulnerability by capturing an authenticated ntpq command that was executed and then replaying back the command at a later stage. An exploit could allow the attacker to replay previously captured ntpq commands.\n\nA vulnerability in the list_restrict4() and list_restrict6() routines of the Network Time Protocol daemon (ntpd) could allow an authenticated, remote attacker to cause the ntpd to crash.\n\nThe vulnerability is due to a null pointer dereference in the list_restrict4() and list_restrict6() routines. An attacker could exploit this vulnerability by performing an ntpdc reslist command against a device that has a large number of NTP restrictions in place. 
An exploit could allow the attacker to cause the ntpd to crash.\n\nA vulnerability in the standard Network Time Protocol query program (ntpq) could allow an unauthenticated, local attacker to execute a buffer overflow attack.\n\nThe vulnerability is due to the function nextvar() executing a memcpy() into the name buffer without a proper length check. An attacker could exploit this vulnerability by calling ntpq to read variable names from an untrusted source, such as a user or environment variable. An exploit could allow the attacker to trigger a buffer overflow.\n\nA vulnerability in the standard and special Network Time Protocol query program (ntpq and ntpdc) could allow an unauthenticated, remote attacker to cause the ntpq or ntpdc program to remain in a processing loop.\n\nThe vulnerability is due to a loop that is not exited under certain conditions in the ntpq and ntpdc processes. An attacker could exploit this vulnerability by sending malicious packets to an ntpq or ntpdc client from a malicious NTP server or from a privileged network position by conducting a man-in-the-middle attack between a targeted client and the NTP server. An exploit could allow the attacker to cause the ntpq or ntpdc process to enter an infinite loop, resulting in a denial of service (DoS) condition.\n\nA vulnerability in the standard and the special Network Time Protocol query program (ntpq and ntpdc) could allow an unauthenticated, remote attacker to obtain the value of the origin timestamp expected in the next peer response.\n\nThe vulnerability is due to ntpq and ntpdc providing this information without requiring authentication. An attacker could exploit this issue by querying the client with the appropriate ntpq or ntpdc commands. 
An exploit could allow the attacker to obtain the next peer response origin timestamp, which could be leveraged in further attacks.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an authenticated, remote attacker to cause the ntpd to crash by exhausting the call stack.\n\nThe vulnerability exists because function calls to list_restrict4() or list_restrict6() can be made to exhaust space on the call stack. An attacker could exploit this vulnerability by performing an ntpdc reslist command against a device that has a large number of NTP restrictions in place. An exploit could allow the attacker to cause the ntpd to crash.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an unauthenticated, remote attacker to prevent clients from synchronizing to a time server.\n\nThe vulnerability is due to the improper handling of malicious packets by the broadcast server. An attacker could exploit this vulnerability by sending malicious, authenticated packets to the broadcast network. An exploit could allow the attacker to prevent the broadcast clients from synchronizing with configured time servers.\n\nAn issue in the standard Network Time Protocol query program (ntpq) could allow an authenticated, remote attacker to create files on the system with dangerous characters in the filename.\n\nThe issue is due to improper validation of characters within filenames. An attacker could exploit this issue by saving a filename with the saveconfig command. An exploit could allow the attacker to write filenames to the system that may contain potentially dangerous character sequences.\n\nMultiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package. 
Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server.\n\nOn January 19, 2016, the NTP Consortium at Network Time Foundation released a security advisory detailing 12 issues regarding multiple DoS vulnerabilities, information disclosure vulnerabilities, and logic issues that may allow an attacker to shift a client's time. The vulnerabilities covered in this document are as follows:\n\n CVE-2015-7973: Network Time Protocol Replay Attack on Authenticated Broadcast Mode Vulnerability \n CVE-2015-7974: Network Time Protocol Missing Trusted Key Check\n CVE-2015-7975: Standard Network Time Protocol Query Program nextvar() Missing Length Check\n CVE-2015-7976: Standard Network Time Protocol Query Program saveconfig Command Allows Dangerous Characters in Filenames\n CVE-2015-7978: Network Time Protocol Daemon reslist NULL Pointer Dereference Denial of Service Vulnerability\n CVE-2015-7977: Network Time Protocol Stack Exhaustion Denial of Service\n CVE-2015-7979: Network Time Protocol Off-Path Broadcast Mode Denial of Service \n CVE-2015-8138: Network Time Protocol Zero Origin Timestamp Bypass\n CVE-2015-8139: Network Time Protocol Information Disclosure of Origin Timestamp\n CVE-2015-8140: Standard Network Time Protocol Query Program Replay Attack\n CVE-2015-8158: Standard and Special Network Time Protocol Query Program Infinite Loop\n\nAdditional details on each of the vulnerabilities are in the official security advisory from the NTP Consortium at Network Time Foundation at the following link: Security Notice[\"http://nwtime.org/security-policy/\"]\n\nCisco has released software updates that address these vulnerabilities.\n\nWorkarounds that address some of these vulnerabilities may be available. 
Available workarounds will be documented in the corresponding Cisco bug for each affected product. \n\nThis advisory is available at the following link:\n\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd", "published": "2016-01-27T20:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd", "cvelist": ["CVE-2015-7973", "CVE-2015-7974", "CVE-2015-7975", "CVE-2015-7976", "CVE-2015-7977", "CVE-2015-7978", "CVE-2015-7979", "CVE-2015-8138", "CVE-2015-8139", "CVE-2015-8140", "CVE-2015-8158"], "lastseen": "2018-04-07T14:09:58"}], "debian": [{"id": "DSA-3629", "type": "debian", "title": "ntp -- security update", "description": "Several vulnerabilities were discovered in the Network Time Protocol daemon and utility programs:\n\n * [CVE-2015-7974](<https://security-tracker.debian.org/tracker/CVE-2015-7974>)\n\nMatt Street discovered that insufficient key validation allows impersonation attacks between authenticated peers.\n\n * [CVE-2015-7977](<https://security-tracker.debian.org/tracker/CVE-2015-7977>) [CVE-2015-7978](<https://security-tracker.debian.org/tracker/CVE-2015-7978>)\n\nStephen Gray discovered that a NULL pointer dereference and a buffer overflow in the handling of ntpdc reslist commands may result in denial of service.\n\n * [CVE-2015-7979](<https://security-tracker.debian.org/tracker/CVE-2015-7979>)\n\nAanchal Malhotra discovered that if NTP is configured for broadcast mode, an attacker can send malformed authentication packets which break associations with the server for other broadcast clients.\n\n * [CVE-2015-8138](<https://security-tracker.debian.org/tracker/CVE-2015-8138>)\n\nMatthew van Gundy and Jonathan Gardner discovered that missing validation of origin timestamps in ntpd clients may result in denial of service.\n\n * 
[CVE-2015-8158](<https://security-tracker.debian.org/tracker/CVE-2015-8158>)\n\nJonathan Gardner discovered that missing input sanitising in ntpq may result in denial of service.\n\n * [CVE-2016-1547](<https://security-tracker.debian.org/tracker/CVE-2016-1547>)\n\nStephen Gray and Matthew van Gundy discovered that incorrect handling of crypto NAK packets may result in denial of service.\n\n * [CVE-2016-1548](<https://security-tracker.debian.org/tracker/CVE-2016-1548>)\n\nJonathan Gardner and Miroslav Lichvar discovered that ntpd clients could be forced to change from basic client/server mode to interleaved symmetric mode, preventing time synchronisation.\n\n * [CVE-2016-1550](<https://security-tracker.debian.org/tracker/CVE-2016-1550>)\n\nMatthew van Gundy, Stephen Gray and Loganaden Velvindron discovered that timing leaks in the packet authentication code could result in recovery of a message digest.\n\n * [CVE-2016-2516](<https://security-tracker.debian.org/tracker/CVE-2016-2516>)\n\nYihan Lian discovered that duplicate IPs on unconfig directives will trigger an assert.\n\n * [CVE-2016-2518](<https://security-tracker.debian.org/tracker/CVE-2016-2518>)\n\nYihan Lian discovered that an OOB memory access could potentially crash ntpd.\n\nFor the stable distribution (jessie), these problems have been fixed in version 1:4.2.6.p5+dfsg-7+deb8u2.\n\nFor the testing distribution (stretch), these problems have been fixed in version 1:4.2.8p7+dfsg-1.\n\nFor the unstable distribution (sid), these problems have been fixed in version 1:4.2.8p7+dfsg-1.\n\nWe recommend that you upgrade your ntp packages.", "published": "2016-07-25T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-3629", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-8138", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7979", "CVE-2016-1547", "CVE-2015-7974", "CVE-2015-7978"], 
"lastseen": "2017-10-05T13:14:19"}], "slackware": [{"id": "SSA-2016-120-01", "type": "slackware", "title": "ntp", "description": "New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\nand -current to fix security issues.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/ntp-4.2.8p7-i486-1_slack14.1.txz: Upgraded.\n This release patches several low and medium severity security issues:\n CVE-2016-1551: Refclock impersonation vulnerability, AKA: refclock-peering\n CVE-2016-1549: Sybil vulnerability: ephemeral association attack,\n AKA: ntp-sybil - MITIGATION ONLY\n CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion\n botch\n CVE-2016-2517: Remote configuration trustedkey/requestkey values are not\n properly validated\n CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with\n MATCH_ASSOC\n CVE-2016-2519: ctl_getitem() return value not always checked\n CVE-2016-1547: Validate crypto-NAKs, AKA: nak-dos\n CVE-2016-1548: Interleave-pivot - MITIGATION ONLY\n CVE-2015-7704: KoD fix: peer associations were broken by the fix for\n NtpBug2901, AKA: Symmetric active/passive mode is broken\n CVE-2015-8138: Zero Origin Timestamp Bypass, AKA: Additional KoD Checks\n CVE-2016-1550: Improve NTP security against buffer comparison timing attacks,\n authdecrypt-timing, AKA: authdecrypt-timing\n For more information, see:\n http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1547\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1551\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516\n 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2517\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2519\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/ntp-4.2.8p7-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/ntp-4.2.8p7-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/ntp-4.2.8p7-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/ntp-4.2.8p7-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/ntp-4.2.8p7-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/ntp-4.2.8p7-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/ntp-4.2.8p7-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/ntp-4.2.8p7-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/ntp-4.2.8p7-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/ntp-4.2.8p7-x86_64-1_slack14.1.txz\n\nUpdated package for 
Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/ntp-4.2.8p7-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/ntp-4.2.8p7-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 13.0 package:\n785dc2ef5f80edb28dc781e261c3fe3f ntp-4.2.8p7-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\n899421096b7b63e6cb269f8b01dfd875 ntp-4.2.8p7-x86_64-1_slack13.0.txz\n\nSlackware 13.1 package:\ndfd34cbd31be3572a2bcae7f59cdfd91 ntp-4.2.8p7-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 package:\n63c4b31736040e7950361cd0d7081c8b ntp-4.2.8p7-x86_64-1_slack13.1.txz\n\nSlackware 13.37 package:\ne760ae0c6cc3fa933e4d65d6995b0c84 ntp-4.2.8p7-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 package:\naa448523b27bb4fcccc2f46cf4d72bc5 ntp-4.2.8p7-x86_64-1_slack13.37.txz\n\nSlackware 14.0 package:\n3bc7e54a4164a4f91be996b5cf2e643e ntp-4.2.8p7-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n0f6ea4dae476709f26f5d0e33378576c ntp-4.2.8p7-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\ndbe827ee7ece6ce5ca083cdd5960162c ntp-4.2.8p7-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\n89f3edf183a6a9847d69b8349f98c901 ntp-4.2.8p7-x86_64-1_slack14.1.txz\n\nSlackware -current package:\n4018b86edd15e40e8c5e9f50d907dcff n/ntp-4.2.8p7-i586-1.txz\n\nSlackware x86_64 -current package:\n7dd6b64ba8c9fdaebb7becc1f5c3963d n/ntp-4.2.8p7-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg ntp-4.2.8p7-i486-1_slack14.1.txz\n\nThen, restart the NTP daemon:\n\n > sh /etc/rc.d/rc.ntpd restart", "published": "2016-04-29T14:57:25", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.630758", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-8138", "CVE-2016-1550", "CVE-2016-2516", "CVE-2015-7704", 
"CVE-2016-1551", "CVE-2016-1547", "CVE-2016-2519", "CVE-2016-2517", "CVE-2016-1549"], "lastseen": "2018-02-02T18:11:37"}, {"id": "SSA-2016-054-04", "type": "slackware", "title": "ntp", "description": "New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\nand -current to fix security issues.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/ntp-4.2.8p6-i486-1_slack14.1.txz: Upgraded.\n In addition to bug fixes and enhancements, this release fixes\n several low and medium severity vulnerabilities.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! 
:-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/ntp-4.2.8p6-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/ntp-4.2.8p6-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/ntp-4.2.8p6-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/ntp-4.2.8p6-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/ntp-4.2.8p6-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/ntp-4.2.8p6-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/ntp-4.2.8p6-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/ntp-4.2.8p6-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/ntp-4.2.8p6-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/ntp-4.2.8p6-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/ntp-4.2.8p6-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/ntp-4.2.8p6-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 13.0 package:\n31365ae4f12849e65d4ad1c8c7d5f89a 
ntp-4.2.8p6-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\n5a2d24bdacd8dd05ab9e0613c829212b ntp-4.2.8p6-x86_64-1_slack13.0.txz\n\nSlackware 13.1 package:\ne70f7422bc81c144e6fac1df2c202634 ntp-4.2.8p6-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 package:\nf6637f6d24b94a6b17c68467956a6283 ntp-4.2.8p6-x86_64-1_slack13.1.txz\n\nSlackware 13.37 package:\n82601e105f95e324dfd1e2f0df513673 ntp-4.2.8p6-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 package:\nd3ba32d46f7eef8f75a3444bbee4c677 ntp-4.2.8p6-x86_64-1_slack13.37.txz\n\nSlackware 14.0 package:\nc5ff13e58fbbea0b7a677e947449e7b1 ntp-4.2.8p6-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n9e2abfaf0b0b7bf84a8a4db89f60eff6 ntp-4.2.8p6-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\ne1e6b84808b7562314e0e29479153553 ntp-4.2.8p6-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\n8db0a4ca68805c7f5e487d5bcd69d098 ntp-4.2.8p6-x86_64-1_slack14.1.txz\n\nSlackware -current package:\nf96f443f54a74c20b5eb67467f5958ea n/ntp-4.2.8p6-i586-1.txz\n\nSlackware x86_64 -current package:\n5e256f2e1906b4c75047a966996a7a41 n/ntp-4.2.8p6-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg ntp-4.2.8p6-i486-1_slack14.1.txz\n\nThen, restart the NTP daemon:\n\n > sh /etc/rc.d/rc.ntpd restart", "published": "2016-02-23T11:51:20", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.546478", "cvelist": ["CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-7975", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2018-02-02T18:11:31"}], "ubuntu": [{"id": "USN-3096-1", "type": "ubuntu", "title": "NTP vulnerabilities", "description": "Aanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. 
A remote attacker could use this issue to perform a replay attack. (CVE-2015-7973)\n\nMatt Street discovered that NTP incorrectly verified peer associations of symmetric keys. A remote attacker could use this issue to perform an impersonation attack. (CVE-2015-7974)\n\nJonathan Gardner discovered that the NTP ntpq utility incorrectly handled memory. An attacker could possibly use this issue to cause ntpq to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2015-7975)\n\nJonathan Gardner discovered that the NTP ntpq utility incorrectly handled dangerous characters in filenames. An attacker could possibly use this issue to overwrite arbitrary files. (CVE-2015-7976)\n\nStephen Gray discovered that NTP incorrectly handled large restrict lists. An attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7977, CVE-2015-7978)\n\nAanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7979)\n\nJonathan Gardner discovered that NTP incorrectly handled origin timestamp checks. A remote attacker could use this issue to spoof peer servers. (CVE-2015-8138)\n\nJonathan Gardner discovered that the NTP ntpq utility did not properly handle certain incorrect values. An attacker could possibly use this issue to cause ntpq to hang, resulting in a denial of service. (CVE-2015-8158)\n\nIt was discovered that the NTP cronjob incorrectly cleaned up the statistics directory. A local attacker could possibly use this to escalate privileges. (CVE-2016-0727)\n\nStephen Gray and Matthew Van Gundy discovered that NTP incorrectly validated crypto-NAKs. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1547)\n\nMiroslav Lichvar and Jonathan Gardner discovered that NTP incorrectly handled switching to interleaved symmetric mode. 
A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1548)\n\nMatthew Van Gundy, Stephen Gray and Loganaden Velvindron discovered that NTP incorrectly handled message authentication. A remote attacker could possibly use this issue to recover the message digest key. (CVE-2016-1550)\n\nYihan Lian discovered that NTP incorrectly handled duplicate IPs on unconfig directives. An authenticated remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2516)\n\nYihan Lian discovered that NTP incorrectly handled certain peer associations. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2518)\n\nJakub Prokes discovered that NTP incorrectly handled certain spoofed packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4954)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain packets when autokey is enabled. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4955)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain spoofed broadcast packets. A remote attacker could possibly use this issue to cause a denial of service. 
(CVE-2016-4956)\n\nIn the default installation, attackers would be isolated by the NTP AppArmor profile.", "published": "2016-10-05T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/3096-1/", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2016-4956", "CVE-2016-4955", "CVE-2015-8138", "CVE-2016-0727", "CVE-2015-7973", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7979", "CVE-2016-4954", "CVE-2015-7976", "CVE-2015-7975", "CVE-2016-1547", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2018-03-29T18:17:58"}], "cloudfoundry": [{"id": "CFOUNDRY:0B67E4FF46553AC705FD601C96C1A6B6", "type": "cloudfoundry", "title": "USN-3096-1: NTP vulnerabilities - Cloud Foundry", "description": "USN-3096-1 NTP vulnerabilities\n\n# \n\nMedium\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\nCanonical Ubuntu 14.04 LTS\n\n# Description\n\nAanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to perform a replay attack. (CVE-2015-7973)\n\nMatt Street discovered that NTP incorrectly verified peer associations of symmetric keys. A remote attacker could use this issue to perform an impersonation attack. (CVE-2015-7974)\n\nJonathan Gardner discovered that the NTP ntpq utility incorrectly handled dangerous characters in filenames. An attacker could possibly use this issue to overwrite arbitrary files. (CVE-2015-7976)\n\nStephen Gray discovered that NTP incorrectly handled large restrict lists. An attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7977, CVE-2015-7978)\n\nAanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7979)\n\nJonathan Gardner discovered that NTP incorrectly handled origin timestamp checks. 
A remote attacker could use this issue to spoof peer servers. (CVE-2015-8138)\n\nJonathan Gardner discovered that the NTP ntpq utility did not properly handle certain incorrect values. An attacker could possibly use this issue to cause ntpq to hang, resulting in a denial of service. (CVE-2015-8158)\n\nIt was discovered that the NTP cronjob incorrectly cleaned up the statistics directory. A local attacker could possibly use this to escalate privileges. (CVE-2016-0727)\n\nStephen Gray and Matthew Van Gundy discovered that NTP incorrectly validated crypto-NAKs. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1547)\n\nMiroslav Lichvar and Jonathan Gardner discovered that NTP incorrectly handled switching to interleaved symmetric mode. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1548)\n\nMatthew Van Gundy, Stephen Gray and Loganaden Velvindron discovered that NTP incorrectly handled message authentication. A remote attacker could possibly use this issue to recover the message digest key. (CVE-2016-1550)\n\nYihan Lian discovered that NTP incorrectly handled duplicate IPs on unconfig directives. An authenticated remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2516)\n\nYihan Lian discovered that NTP incorrectly handled certain peer associations. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2518)\n\nJakub Prokes discovered that NTP incorrectly handled certain spoofed packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4954)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain packets when autokey is enabled. A remote attacker could possibly use this issue to cause a denial of service. 
(CVE-2016-4955)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain spoofed broadcast packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4956)\n\nIn the default installation, attackers would be isolated by the NTP AppArmor profile.\n\n# Affected Cloud Foundry Products and Versions\n\nSeverity is medium unless otherwise noted.\n\nCloud Foundry BOSH stemcells are vulnerable, including:\n\n * All versions prior to 3146.24\n * 3151.x versions prior to 3151.2\n * 3232.x versions prior to 3232.22\n * 3233.x versions prior to 3233.2\n * 3262.x versions prior to 3262.21\n * Other versions prior to 3263.7\n\n# Mitigation\n\nThe Cloud Foundry team recommends upgrading to the following BOSH stemcells:\n\n * Upgrade all versions prior to 3146.x to 3146.24\n * Upgrade 3151.x versions to 3151.2\n * Upgrade 3232.x versions to 3232.22\n * Upgrade 3233.x versions to 3233.2\n * Upgrade 3262.x versions to 3262.21\n * Upgrade other versions to 3263.7\n\n# Credit\n\nMatt Street, Aanchal Malhotra, Jonathan Gardner, Matthew Van Gundy, Stephen Gray, Loganaden Velvindron, Yihan Lian, Jakub Prokes, Miroslav Lichvar\n\n# References\n\n * <https://www.ubuntu.com/usn/usn-3096-1/>\n", "published": "2016-12-21T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.cloudfoundry.org/blog/usn-3096-1/", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2016-4956", "CVE-2016-4955", "CVE-2015-8138", "CVE-2016-0727", "CVE-2015-7973", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7979", "CVE-2016-4954", "CVE-2015-7976", "CVE-2016-1547", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2018-01-12T14:52:51"}], "cert": [{"id": "VU:718152", "type": "cert", "title": "NTP.org ntpd contains multiple vulnerabilities", "description": "### Overview\n\nThe NTP.org reference implementation of `ntpd` contains multiple vulnerabilities.\n\n### 
Description\n\nNTP.org's reference implementation of NTP server, `ntpd`, contains multiple vulnerabilities. \n\n[**CWE-294**](<http://cwe.mitre.org/data/definitions/294.html>)**: Authentication Bypass by Capture-replay - **CVE-2015-7973 \n \nAn attacker on the network can record and replay authenticated broadcast mode packets. Also known as the \"Deja Vu\" attack. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-7974 \n \nA missing key check allows impersonation between authenticated peers. Also known as the \"Skeleton Key\" attack. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-7975 \n \nThe `nextvar()` function does not properly validate length. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-7976 \n \n`ntpq saveconfig` command allows dangerous characters in filenames \n \n[**CWE-476**](<http://cwe.mitre.org/data/definitions/476.html>)**: NULL Pointer Dereference - **CVE-2015-7977 \n \n`reslist` NULL pointer dereference \n \n[**CWE-400**](<http://cwe.mitre.org/data/definitions/400.html>)**: Uncontrolled Resource Consumption ('Resource Exhaustion') - **CVE-2015-7978 \n \nStack exhaustion in recursive traversal of restriction list \n \n[**CWE-821**](<http://cwe.mitre.org/data/definitions/821.html>)**: Incorrect Synchronization - **CVE-2015-7979 \n \nOff-path Denial of Service (DoS) attack on authenticated broadcast and other pre-emptable modes \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-8138 \n \nZero Origin Timestamp Bypass \n \n[**CWE-200**](<http://cwe.mitre.org/data/definitions/200.html>)**: Information Exposure - **CVE-2015-8139 \n \nNetwork Time Protocol ntpq and ntpdc Origin Timestamp Disclosure Vulnerability \n<http://support.ntp.org/bin/view/Main/NtpBug2946> \n 
\n[**CWE-294**](<http://cwe.mitre.org/data/definitions/294.html>)**: Authentication Bypass by Capture-replay - **CVE-2015-8140 \n \nNetwork Time Protocol ntpq Control Protocol Replay Vulnerability \n<http://support.ntp.org/bin/view/Main/NtpBug2947> \n \n[**CWE-400**](<http://cwe.mitre.org/data/definitions/400.html>)**: Uncontrolled Resource Consumption ('Resource Exhaustion') - **CVE-2015-8158 \n \nPotential Infinite Loop in ntpq \n<http://support.ntp.org/bin/view/Main/NtpBug2948> \n \n[**CWE-821**](<http://cwe.mitre.org/data/definitions/821.html>)**: Incorrect Synchronization - **CVE-2016-1547 \n \nAn off-path attacker can deny service to `ntpd` clients by demobilizing preemptable associations using spoofed crypto-NAK packets. This vulnerability involves different code paths than those used by CVE-2015-7979. \n \n[**CWE-290**](<http://cwe.mitre.org/data/definitions/290.html>)**: Authentication Bypass by Spoofing - **CVE-2016-1548 \n \nBy spoofing packets from a legitimate server, an attacker can change the time of an `ntpd` client or deny service to an `ntpd` client by forcing it to change from basic client/server mode to interleaved symmetric mode. \n \n[**CWE-362**](<http://cwe.mitre.org/data/definitions/362.html>)**: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') - **CVE-2016-1549 \n \nntpd does not prevent Sybil attacks from authenticated peers. A malicious authenticated peer can create any number of ephemeral associations in order to win ntpd's clock selection algorithm and modify a victim's clock. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2016-1550 \n \nntpd does not use a constant-time memory comparison function when validating the authentication digest on incoming packets. In some situations this may allow an attacker to conduct a timing attack to compute the value of the valid authentication digest causing forged packets to be accepted by `ntpd`. 
\n \n[**CWE-290**](<http://cwe.mitre.org/data/definitions/290.html>)**: Authentication Bypass by Spoofing - **CVE-2016-1551 \n \nntpd does not filter IPv4 bogon packets received from the network. This allows unauthenticated network attackers to spoof refclock packets to ntpd processes on systems that do not implement bogon filtering. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2016-2516, CVE-2016-2517 \n \nDuplicate IPs on `unconfig` directives will cause an assertion botch in `ntpd`. A regression caused by the patch for CVE-2016-2516 was fixed and identified as CVE-2016-2517. \n \n[**CWE-125**](<http://cwe.mitre.org/data/definitions/125.html>)**: Out-of-bounds Read - **CVE-2016-2518 \n \nUsing a crafted packet to create a peer association with hmode > 7 causes the MATCH_ASSOC() lookup to make an out-of-bounds reference. \n \n[**CWE-119**](<http://cwe.mitre.org/data/definitions/119.html>)**: Improper Restriction of Operations within the Bounds of a Memory Buffer - **CVE-2016-2519 \n \n`ntpq` and `ntpdc` can be used to store and retrieve information in `ntpd`. It is possible to store a data value that is larger than the size of the buffer that the `ctl_getitem()` function of `ntpd` uses to report the return value. If the length of the requested data value returned by `ctl_getitem()` is too large, the value NULL is returned instead. There are 2 cases where the return value from `ctl_getitem()` was not directly checked to make sure it's not NULL, but there are subsequent INSIST() checks that make sure the return value is not NULL. There are no data values ordinarily stored in `ntpd` that would exceed this buffer length. But if one has permission to store values and one stores a value that is \"too large\", then `ntpd` will abort if an attempt is made to read that oversized value. 
\n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-7704, CVE-2015-7705 \n \nAn ntpd client that honors Kiss-of-Death (KoD) responses will honor KoD messages that have been forged by an attacker, causing it to delay or stop querying its servers for time updates. Also, an attacker can forge packets that claim to be from the target and send them to servers often enough that a server that implements KoD rate limiting will send the target machine a KoD response to attempt to reduce the rate of incoming packets, or it may also trigger a firewall block at the server for packets from the target machine. For either of these attacks to succeed, the attacker must know what servers the target is communicating with. An attacker can be anywhere on the Internet and can frequently learn the identity of the target's time source by sending the target a time query. \n \nFor more information on these vulnerabilities, please see NTP.org's [April 2016 security advisory](<http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security>) as well as the [January 2016 security advisory](<http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit>). \n \n--- \n \n### Impact\n\nUnauthenticated remote attackers may be able to spoof packets to cause denial of service, authentication bypass on commands, or certain configuration changes. For more information on these vulnerabilities, please see NTP.org's [April 2016 security advisory](<http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security>) as well as the [January 2016 security advisory](<http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit>). \n \n--- \n \n### Solution\n\n**Apply an update** \n \nPartial patches for some of these issues were initially released in January 2016 as version 4.2.8p6. 
Complete patches for all of these issues are now available in version [4.2.8p7](<http://www.ntp.org/downloads.html>), released 2016-04-26. Affected users are encouraged to update as soon as possible. \n \n--- \n \n### Vendor Information \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nNTP Project| | 19 Jan 2016| 22 Apr 2016 \nACCESS| | 25 Apr 2016| 25 Apr 2016 \nAlcatel-Lucent| | 25 Apr 2016| 25 Apr 2016 \nApple| | 25 Apr 2016| 25 Apr 2016 \nArista Networks, Inc.| | 25 Apr 2016| 25 Apr 2016 \nAruba Networks| | 25 Apr 2016| 25 Apr 2016 \nAT&T| | 25 Apr 2016| 25 Apr 2016 \nAvaya, Inc.| | 25 Apr 2016| 25 Apr 2016 \nBelkin, Inc.| | 25 Apr 2016| 25 Apr 2016 \nBlue Coat Systems| | 25 Apr 2016| 25 Apr 2016 \nCA Technologies| | 25 Apr 2016| 25 Apr 2016 \nCentOS| | 25 Apr 2016| 25 Apr 2016 \nCheck Point Software Technologies| | 25 Apr 2016| 25 Apr 2016 \nCisco| | 08 Jan 2016| 08 Jan 2016 \nCoreOS| | 25 Apr 2016| 25 Apr 2016 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23718152 Vendor Status Inquiry>). \n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 6.8 | AV:N/AC:M/Au:N/C:P/I:P/A:P \nTemporal | 5.3 | E:POC/RL:OF/RC:C \nEnvironmental | 5.3 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n### References\n\n * <http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security>\n * <http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit>\n\n### Credit\n\nThanks to Cisco TALOS for reporting many of these issues to us. 
The Network Time Foundation credits many researchers for these vulnerabilities; see NTP.org's [January 2016](<http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit>) and [April 2016](<http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security>) security advisories for the complete list.\n\nThis document was written by Garret Wassermann.\n\n### Other Information\n\n * CVE IDs: [CVE-2015-7704](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7704>) [CVE-2015-7705](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7705>) [CVE-2015-7973](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7973>) [CVE-2015-7974](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7974>) [CVE-2015-7975](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7975>) [CVE-2015-7976](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7976>) [CVE-2015-7977](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7977>) [CVE-2015-7978](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7978>) [CVE-2015-7979](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7979>) [CVE-2015-8138](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8138>) [CVE-2015-8139](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8139>) [CVE-2015-8140](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8140>) [CVE-2015-8158](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8158>) [CVE-2016-1547](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1547>) [CVE-2016-1548](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1548>) [CVE-2016-1549](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1549>) [CVE-2016-1550](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1550>) [CVE-2016-1551](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1551>) [CVE-2016-2516](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2516>) 
[CVE-2016-2517](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2517>) [CVE-2016-2518](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2518>) [CVE-2016-2519](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2519>)\n * Date Public: 26 Apr 2016\n * Date First Published: 27 Apr 2016\n * Date Last Updated: 28 Apr 2016\n * Document Revision: 48\n\n", "published": "2016-04-27T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.kb.cert.org/vuls/id/718152", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7704", "CVE-2016-1551", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2016-1547", "CVE-2016-2519", "CVE-2016-2517", "CVE-2015-7705", "CVE-2015-7974", "CVE-2016-1549", "CVE-2015-7978"], "lastseen": "2017-08-16T11:10:15"}], "gentoo": [{"id": "GLSA-201607-15", "type": "gentoo", "title": "NTP: Multiple vulnerabilities", "description": "### Background\n\nNTP contains software for the Network Time Protocol.\n\n### Description\n\nMultiple 
vulnerabilities have been discovered in NTP. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly cause a Denial of Service condition.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll NTP users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/ntp-4.2.8_p8\"", "published": "2016-07-20T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://security.gentoo.org/glsa/201607-15", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-7703", "CVE-2016-4956", "CVE-2015-8140", "CVE-2016-4955", "CVE-2015-8138", "CVE-2015-7855", "CVE-2016-4953", "CVE-2015-7973", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7704", "CVE-2016-1551", "CVE-2015-7979", "CVE-2016-4954", "CVE-2015-7701", "CVE-2015-7976", "CVE-2015-7848", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7692", "CVE-2016-1547", "CVE-2015-7851", "CVE-2015-7702", "CVE-2016-4957", "CVE-2015-7852", "CVE-2015-7871", "CVE-2015-7849", "CVE-2015-7691", "CVE-2016-2519", "CVE-2016-2517", "CVE-2015-7705", "CVE-2015-7974", "CVE-2015-7850", "CVE-2016-1549", "CVE-2015-7854", "CVE-2015-7978", "CVE-2015-7853"], "lastseen": "2016-09-06T19:47:00"}], "oracle": [{"id": "ORACLE:CPUJUL2016-2881720", "type": "oracle", "title": "Oracle Critical Patch Update - July 2016", "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. 
Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Oracle continues to periodically receive reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\nThis Critical Patch Update contains 276 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\nPlease note that the vulnerabilities in this Critical Patch Update are scored using versions 3.0 of Common Vulnerability Scoring Standard (CVSS).\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. 
More information about Oracle's use of CVRF is available [here](<http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>).\n", "published": "2016-07-19T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "cvelist": ["CVE-2015-5600", "CVE-2016-5465", "CVE-2015-4000", "CVE-2016-3446", "CVE-2016-3508", "CVE-2016-3547", "CVE-2016-3529", "CVE-2016-5452", "CVE-2016-5445", "CVE-2016-1548", "CVE-2016-2518", "CVE-2016-3485", "CVE-2016-3444", "CVE-2015-1792", "CVE-2014-3566", "CVE-2016-3552", "CVE-2015-0235", "CVE-2016-3615", "CVE-2015-1793", "CVE-2016-3491", "CVE-2016-3553", "CVE-2016-3477", "CVE-2016-3613", "CVE-2016-5477", "CVE-2016-3488", "CVE-2015-3197", "CVE-2016-3592", "CVE-2016-3573", "CVE-2016-3494", "CVE-2016-5466", "CVE-2016-5019", "CVE-2015-3236", "CVE-2016-3544", "CVE-2014-3572", "CVE-2016-0705", "CVE-2016-3545", "CVE-2016-3611", "CVE-2015-7181", "CVE-2015-0206", "CVE-2015-1789", "CVE-2016-3597", "CVE-2016-3598", "CVE-2016-5455", "CVE-2016-3574", "CVE-2015-8138", "CVE-2016-3500", "CVE-2016-5472", "CVE-2016-4051", "CVE-2016-3445", "CVE-2016-5454", "CVE-2016-3554", "CVE-2016-5458", "CVE-2015-3195", "CVE-2016-0798", "CVE-2016-3570", "CVE-2016-3432", "CVE-2016-3515", "CVE-2016-2108", "CVE-2016-5447", "CVE-2016-3474", "CVE-2016-3528", "CVE-2016-5440", "CVE-2016-3580", "CVE-2014-3571", "CVE-2016-5450", "CVE-2016-3496", "CVE-2016-3555", "CVE-2016-3596", "CVE-2016-1938", "CVE-2016-5468", "CVE-2016-3481", "CVE-2016-3563", "CVE-2016-0799", "CVE-2016-3539", "CVE-2016-3507", "CVE-2016-3584", "CVE-2016-3519", "CVE-2016-5460", "CVE-2016-3472", "CVE-2016-3583", "CVE-2016-5471", "CVE-2016-3511", "CVE-2016-3479", "CVE-2016-3499", "CVE-2013-2064", "CVE-2014-0224", "CVE-2016-5467", "CVE-2016-0635", "CVE-2016-3498", "CVE-2016-2105", "CVE-2016-3560", "CVE-2016-3514", "CVE-2016-5453", "CVE-2016-3440", "CVE-2016-4052", "CVE-2015-3194", "CVE-2016-2107", "CVE-2016-3607", "CVE-2016-3556", 
"CVE-2016-3512", "CVE-2016-3532", "CVE-2015-7501", "CVE-2016-1550", "CVE-2016-3475", "CVE-2015-3253", "CVE-2016-0701", "CVE-2016-3476", "CVE-2016-3588", "CVE-2016-3424", "CVE-2016-3471", "CVE-2016-1182", "CVE-2015-7704", "CVE-2016-3585", "CVE-2016-5444", "CVE-2016-3538", "CVE-2014-8275", "CVE-2016-3452", "CVE-2015-7979", "CVE-2016-3549", "CVE-2016-0797", "CVE-2015-7182", "CVE-2016-0702", "CVE-2015-2808", "CVE-2014-3570", "CVE-2016-5451", "CVE-2015-7575", "CVE-2016-3577", "CVE-2016-3591", "CVE-2016-3567", "CVE-2016-3467", "CVE-2016-3537", "CVE-2016-3593", "CVE-2016-3606", "CVE-2016-5456", "CVE-2016-3468", "CVE-2016-3540", "CVE-2016-2109", "CVE-2016-3559", "CVE-2016-5476", "CVE-2015-2721", "CVE-2016-3530", "CVE-2015-3193", "CVE-2014-9708", "CVE-2016-5473", "CVE-2016-3568", "CVE-2016-3453", "CVE-2016-5464", "CVE-2016-5462", "CVE-2016-3490", "CVE-2016-3572", "CVE-2016-3513", "CVE-2012-3137", "CVE-2015-0228", "CVE-2016-3509", "CVE-2015-3237", "CVE-2016-3565", "CVE-2016-5437", "CVE-2016-3534", "CVE-2016-3503", "CVE-2015-7183", "CVE-2016-3550", "CVE-2015-1788", "CVE-2016-3525", "CVE-2016-3587", "CVE-2016-3561", "CVE-2016-3504", "CVE-2016-3581", "CVE-2016-3501", "CVE-2016-5457", "CVE-2016-1547", "CVE-2015-3183", "CVE-2016-3614", "CVE-2012-3410", "CVE-2016-5461", "CVE-2016-5439", "CVE-2015-0204", "CVE-2016-5449", "CVE-2016-3578", "CVE-2016-3527", "CVE-2016-0800", "CVE-2016-3489", "CVE-2016-3483", "CVE-2016-3433", "CVE-2016-5459", "CVE-2016-1181", "CVE-2016-3450", "CVE-2016-3524", "CVE-2016-5442", "CVE-2016-3564", "CVE-2016-5470", "CVE-2013-2566", "CVE-2016-2176", "CVE-2015-1790", "CVE-2016-3542", "CVE-2016-1978", "CVE-2016-3575", "CVE-2016-3531", "CVE-2016-3502", "CVE-2016-3459", "CVE-2016-5446", "CVE-2016-3480", "CVE-2016-3533", "CVE-2016-5469", "CVE-2016-3526", "CVE-2016-5448", "CVE-2016-3486", "CVE-2016-3448", "CVE-2016-5474", "CVE-2016-5436", "CVE-2016-3523", "CVE-2016-5441", "CVE-2016-5475", "CVE-2016-3576", "CVE-2016-3595", "CVE-2016-3610", "CVE-2016-3458", 
"CVE-2016-3484", "CVE-2016-3586", "CVE-2016-3520", "CVE-2016-3451", "CVE-2016-3582", "CVE-2015-5300", "CVE-2016-3497", "CVE-2016-3589", "CVE-2016-3517", "CVE-2016-3608", "CVE-2016-3510", "CVE-2016-3493", "CVE-2016-3536", "CVE-2016-3548", "CVE-2016-3506", "CVE-2016-3571", "CVE-2016-3487", "CVE-2016-3546", "CVE-2016-5463", "CVE-2016-3541", "CVE-2016-3081", "CVE-2016-3521", "CVE-2015-0205", "CVE-2016-4053", "CVE-2016-3579", "CVE-2016-5443", "CVE-2016-3557", "CVE-2016-3558", "CVE-2016-2106", "CVE-2016-3594", "CVE-2016-3478", "CVE-2016-3522", "CVE-2016-3535", "CVE-2016-3543", "CVE-2016-3612", "CVE-2014-3569", "CVE-2016-3470", "CVE-2016-3518", "CVE-2016-3516", "CVE-2015-1791", "CVE-2016-3569", "CVE-2016-3482", "CVE-2016-3590", "CVE-2015-8104", "CVE-2016-3609", "CVE-2016-3566", "CVE-2016-3469"], "lastseen": "2018-04-18T20:23:41"}]}}
