ID FEDORA_2015-5761.NASL Type nessus Reporter Tenable Modified 2015-10-19T00:00:00
Description
Security fix for CVE-2015-1799, CVE-2015-1798, #1210324
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2015-5761.
#
include("compat.inc");
if (description)
{
script_id(83008);
script_version("$Revision: 1.3 $");
script_cvs_date("$Date: 2015/10/19 23:14:51 $");
script_cve_id("CVE-2015-1798", "CVE-2015-1799");
script_bugtraq_id(73950, 73951);
script_xref(name:"FEDORA", value:"2015-5761");
script_name(english:"Fedora 22 : ntp-4.2.6p5-30.fc22 (2015-5761)");
script_summary(english:"Checks rpm output for the updated package.");
script_set_attribute(
attribute:"synopsis",
value:"The remote Fedora host is missing a security update."
);
script_set_attribute(
attribute:"description",
value:
"Security fix for CVE-2015-1799, CVE-2015-1798, #1210324
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.redhat.com/show_bug.cgi?id=1199430"
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.redhat.com/show_bug.cgi?id=1199435"
);
script_set_attribute(
attribute:"see_also",
value:"https://bugzilla.redhat.com/show_bug.cgi?id=1210324"
);
# https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155864.html
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?7e8c1ee7"
);
script_set_attribute(attribute:"solution", value:"Update the affected ntp package.");
script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:N/C:N/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:ntp");
script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:22");
script_set_attribute(attribute:"patch_publication_date", value:"2015/04/08");
script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/23");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2015 Tenable Network Security, Inc.");
script_family(english:"Fedora Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^22([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 22.x", "Fedora " + os_ver);
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
flag = 0;
if (rpm_check(release:"FC22", reference:"ntp-4.2.6p5-30.fc22")) flag++;
if (flag)
{
if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
else security_warning(0);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ntp");
}
{"hash": "ce72ebbde5bd79ab19bc8c2f1d34efc07ba212db68a681e4fb6f07c437a2814f", "naslFamily": "Fedora Local Security Checks", "id": "FEDORA_2015-5761.NASL", "lastseen": "2017-10-29T13:44:47", "viewCount": 0, "hashmap": [{"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "b2d32a37ecce68acf73991034a83fd44", "key": "cpe"}, {"hash": "9e8aa618908042d890401183847de928", "key": "cvelist"}, {"hash": "292538aeb1ca5698ccfa8c77fabc8e70", "key": "cvss"}, {"hash": "48815e4d0dd314cc5cffe85b0475d869", "key": "description"}, {"hash": "3a945e05d8c6638d212d07571cbc15dc", "key": "href"}, {"hash": "9a00910eeedb8c835c4637a953896665", "key": "modified"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "2ef7154e284db47f0a5f353e9a2976cc", "key": "pluginID"}, {"hash": "3110310d810944dbf1b77d4fbc340e18", "key": "published"}, {"hash": "ea55a5f018861b6cea7d2f3ecca9616d", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "d8336b51d9dce929d20291982dee58d5", "key": "sourceData"}, {"hash": "793802c5efe69be647e5ad328d6182b7", "key": "title"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}], "bulletinFamily": "scanner", "cpe": ["p-cpe:/a:fedoraproject:fedora:ntp", "cpe:/o:fedoraproject:fedora:22"], "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "edition": 2, "enchantments": {"vulnersScore": 2.1}, "type": "nessus", "description": "Security fix for CVE-2015-1799, CVE-2015-1798, #1210324\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "title": "Fedora 22 : ntp-4.2.6p5-30.fc22 (2015-5761)", "history": [{"bulletin": {"hash": "2cc939edba1c5134e3c779df1e520030a5caa30fe6b4aada0edbb9b926000500", "naslFamily": "Fedora Local Security Checks", "edition": 1, "lastseen": "2016-09-26T17:26:26", "enchantments": {}, "hashmap": [{"hash": "ea55a5f018861b6cea7d2f3ecca9616d", "key": "references"}, {"hash": "2ef7154e284db47f0a5f353e9a2976cc", "key": "pluginID"}, {"hash": "292538aeb1ca5698ccfa8c77fabc8e70", "key": "cvss"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "d8336b51d9dce929d20291982dee58d5", "key": "sourceData"}, {"hash": "793802c5efe69be647e5ad328d6182b7", "key": "title"}, {"hash": "9a00910eeedb8c835c4637a953896665", "key": "modified"}, {"hash": "3110310d810944dbf1b77d4fbc340e18", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "be931514784f88df80712740ad2723e7", "key": "naslFamily"}, {"hash": "9e8aa618908042d890401183847de928", "key": "cvelist"}, {"hash": "48815e4d0dd314cc5cffe85b0475d869", "key": "description"}, {"hash": "3a945e05d8c6638d212d07571cbc15dc", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}], "bulletinFamily": "scanner", "cpe": [], "history": [], "id": "FEDORA_2015-5761.NASL", "type": "nessus", "description": "Security fix for CVE-2015-1799, CVE-2015-1798, #1210324\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "viewCount": 0, "title": "Fedora 22 : ntp-4.2.6p5-30.fc22 (2015-5761)", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "objectVersion": "1.2", "cvelist": ["CVE-2015-1799", "CVE-2015-1798"], "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-5761.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(83008);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/10/19 23:14:51 $\");\n\n script_cve_id(\"CVE-2015-1798\", \"CVE-2015-1799\");\n script_bugtraq_id(73950, 73951);\n script_xref(name:\"FEDORA\", value:\"2015-5761\");\n\n script_name(english:\"Fedora 22 : ntp-4.2.6p5-30.fc22 (2015-5761)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2015-1799, CVE-2015-1798, #1210324\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1199430\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1199435\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1210324\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155864.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7e8c1ee7\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected ntp package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/04/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/04/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"ntp-4.2.6p5-30.fc22\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp\");\n}\n", "published": "2015-04-23T00:00:00", "pluginID": "83008", "references": ["http://www.nessus.org/u?7e8c1ee7", "https://bugzilla.redhat.com/show_bug.cgi?id=1199435", "https://bugzilla.redhat.com/show_bug.cgi?id=1210324", "https://bugzilla.redhat.com/show_bug.cgi?id=1199430"], "reporter": "Tenable", "modified": "2015-10-19T00:00:00", "href": "https://www.tenable.com/plugins/index.php?view=single&id=83008"}, "lastseen": "2016-09-26T17:26:26", "edition": 1, "differentElements": ["cpe"]}], "objectVersion": "1.3", "cvelist": ["CVE-2015-1799", "CVE-2015-1798"], "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-5761.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(83008);\n script_version(\"$Revision: 1.3 $\");\n script_cvs_date(\"$Date: 2015/10/19 23:14:51 $\");\n\n script_cve_id(\"CVE-2015-1798\", \"CVE-2015-1799\");\n script_bugtraq_id(73950, 73951);\n script_xref(name:\"FEDORA\", value:\"2015-5761\");\n\n script_name(english:\"Fedora 22 : ntp-4.2.6p5-30.fc22 (2015-5761)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2015-1799, CVE-2015-1798, #1210324\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1199430\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1199435\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1210324\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155864.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7e8c1ee7\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected ntp package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:ND/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/04/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/04/23\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"ntp-4.2.6p5-30.fc22\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp\");\n}\n", "published": "2015-04-23T00:00:00", "pluginID": "83008", "references": ["http://www.nessus.org/u?7e8c1ee7", "https://bugzilla.redhat.com/show_bug.cgi?id=1199435", "https://bugzilla.redhat.com/show_bug.cgi?id=1210324", "https://bugzilla.redhat.com/show_bug.cgi?id=1199430"], "reporter": "Tenable", "modified": "2015-10-19T00:00:00", "href": "https://www.tenable.com/plugins/index.php?view=single&id=83008"}
{"result": {"cve": [{"id": "CVE-2015-1799", "type": "cve", "title": "CVE-2015-1799", "description": "The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 3.x and 4.x before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer.", "published": "2015-04-08T06:59:05", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1799", "cvelist": ["CVE-2015-1799"], "lastseen": "2018-01-05T11:51:35"}, {"id": "CVE-2015-1798", "type": "cve", "title": "CVE-2015-1798", "description": "The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle attackers to spoof packets by omitting the MAC.", "published": "2015-04-08T06:59:04", "cvss": {"score": 1.8, "vector": "AV:ADJACENT_NETWORK/AC:HIGH/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1798", "cvelist": ["CVE-2015-1798"], "lastseen": "2018-01-05T11:51:35"}], "f5": [{"id": "F5:K16506", "type": "f5", "title": "NTP vulnerability CVE-2015-1799", "description": "\nF5 Product Development has assigned ID 515347 (BIG-IP), ID 517524 (BIG-IQ), and ID 517526 (Enterprise Manager) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H519461-1 on the **Diagnostics **> **Identified **> **Low** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| 12.0.0| Low| NTP daemon \nBIG-IP AAM| 11.4.0 - 11.6.0| 12.0.0| Low| NTP daemon \nBIG-IP AFM| 11.3.0 - 11.6.0| 12.0.0| Low| NTP daemon \nBIG-IP Analytics| 11.0.0 - 11.6.0| 12.0.0| Low| NTP daemon \nBIG-IP APM| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| 12.0.0| Low| NTP daemon \nBIG-IP ASM| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| 12.0.0| Low| NTP daemon \nBIG-IP DNS| None| 12.0.0| Not vulnerable| None \nBIG-IP Edge Gateway| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| NTP daemon \nBIG-IP GTM| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| None| Low| NTP daemon \nBIG-IP Link Controller| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| 12.0.0| Low| NTP daemon \nBIG-IP PEM| 11.3.0 - 11.6.0| 12.0.0| Low| NTP daemon \nBIG-IP PSM| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| None| Low| NTP daemon \nBIG-IP WebAccelerator| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| NTP daemon \nBIG-IP WOM| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| NTP daemon \nARX| None| 6.0.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| 3.0.0 - 3.1.1 HF5| 3.1.1 HF6| Low| NTP daemon \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| 4.0.0 - 4.5.0| None| Low| NTP daemon \nBIG-IQ Device| 4.2.0 - 4.5.0| None| Low| NTP daemon \nBIG-IQ Security| 4.0.0 - 4.5.0| None| Low| NTP daemon \nBIG-IQ ADC| 4.5.0| None| Low| NTP daemon \nBIG-IQ Centralized Management| 4.6.0| 5.0.0| Low| NTP daemon \nBIG-IQ Cloud and Orchestration| 1.0.0| None| Low| NTP daemon \nF5 iWorkflow| None| 2.0.0| Not vulnerable| None \nLineRate| None| 2.2.0 - 2.5.1 \n1.6.0 - 1.6.4| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 4.0.0 - 4.1.0 \n3.3.2 - 3.5.1| Not vulnerable| None \n \n**Note**: As of February 17, 2015, AskF5 Security Advisory articles include the **Severity** value. Security Advisory articles published before this date do not list a **Severity** value.\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability, you can revert any NTP symmetric authentication configuration customizations that exposed the vulnerability.\n\n**Impact of action:** The impact of the suggested workaround will depend on the specific environment. F5 recommends that you test any such changes during a maintenance window, and consider the possible impact on your specific environment.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n", "published": "2015-04-24T21:07:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://support.f5.com/csp/article/K16506", "cvelist": ["CVE-2015-1799"], "lastseen": "2017-06-08T00:16:20"}, {"id": "SOL16506", "type": "f5", "title": "SOL16506 - NTP vulnerability CVE-2015-1799", "description": "Vulnerability Recommended Actions\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability, you can revert any NTP symmetric authentication configuration customizations that exposed the vulnerability.\n\n**Impact of action:** The impact of the suggested workaround will depend on the specific environment. F5 recommends that you test any such changes during a maintenance window, and consider the possible impact on your specific environment.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n", "published": "2015-04-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/16000/500/sol16506.html", "cvelist": ["CVE-2015-1799"], "lastseen": "2016-09-26T17:23:11"}, {"id": "F5:K16505", "type": "f5", "title": "NTP vulnerability CVE-2015-1798", "description": "\nF5 Product Development has assigned ID 515345 (BIG-IP) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H519461 on the **Diagnostics **> **Identified **> **Low** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| 11.6.0 HF4, 11.6.0 HF5 \n11.5.3| 12.0.0 \n11.0.0 - 11.5.2, 11.5.4, 11.6.0 HF3, 11.6.0 HF6 and later hotfixes \n10.1.0 - 10.2.4| Low| NTP daemon \nBIG-IP AAM| 11.6.0 HF4, 11.6.0 HF5 \n11.5.3| 12.0.0 \n11.0.0 - 11.5.2, 11.5.4, 11.6.0 HF3, 11.6.0 HF6 and later hotfixes| Low| NTP daemon \nBIG-IP AFM| 11.6.0 HF4, 11.6.0 HF5 \n11.5.3| 12.0.0 \n11.0.0 - 11.5.2, 11.5.4, 11.6.0 HF3, 11.6.0 HF6 and later hotfixes| Low| NTP daemon \nBIG-IP Analytics| 11.6.0 HF4, 11.6.0 HF5 \n11.5.3| 12.0.0 \n11.0.0 - 11.5.2, 11.5.4, 11.6.0 HF3, 11.6.0 HF6 and later hotfixes| Low| NTP daemon \nBIG-IP APM| 11.6.0 HF4, 11.6.0 HF5 \n11.5.3| 12.0.0 \n11.0.0 - 11.5.2, 11.5.4, 11.6.0 HF3, 11.6.0 HF6 and later hotfixes \n10.1.0 - 10.2.4| Low| NTP daemon \nBIG-IP ASM| 11.6.0 HF4, 11.6.0 HF5 \n11.5.3| 12.0.0 \n11.0.0 - 11.5.2, 11.5.4, 11.6.0 HF3, 11.6.0 HF6 and later hotfixes \n10.1.0 - 10.2.4| Low| NTP daemon \nBIG-IP DNS| None| 12.0.0| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| 11.6.0 HF4, 11.6.0 HF5 \n11.5.3| 11.0.0 - 11.5.2, 11.5.4, 11.6.0 HF3, 11.6.0 HF6 and later hotfixes \n10.1.0 - 10.2.4| Low| NTP daemon \nBIG-IP Link Controller| 11.6.0 HF4, 11.6.0 HF5 \n11.5.3| 12.0.0 \n11.0.0 - 11.5.2, 11.5.4, 11.6.0 HF3, 11.6.0 HF6 and later hotfixes \n10.1.0 - 10.2.4| Low| NTP daemon \nBIG-IP PEM| 11.6.0 HF4, 11.6.0 HF5 \n11.5.3| 12.0.0 \n11.0.0 - 11.5.2, 11.5.4, 11.6.0 HF3, 11.6.0 HF6 and later hotfixes| Low| NTP daemon \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| Not vulnerable| NTP daemon \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nARX| None| 6.0.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.0.0 - 3.1.1| Not vulnerable| None \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nLineRate| None| 2.2.0 - 2.5.1| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 4.0.0 - 4.1.0 \n3.3.2 - 3.5.1| Not vulnerable| None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists. \n \nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. The **Severity** values and other security vulnerability parameters are defined in [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>).\n\nTo mitigate this vulnerability, you can revert any NTP configuration customizations that exposed the vulnerability.\n\n**Impact of action:** The impact of the suggested workaround will depend on the specific environment. F5 recommends testing any such changes during a maintenance window with consideration to the possible impact on your specific environment.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 12.x)](<https://support.f5.com/csp/article/K13123>)\n * [K3122: Using the BIG-IP Configuration utility to add an NTP server](<https://support.f5.com/csp/article/K3122>)\n * [K14120: Defining advanced NTP configurations on the BIG-IP system (11.x - 12.x)](<https://support.f5.com/csp/article/K14120>)\n * [K11237: Defining advanced NTP configurations on the BIG-IP system (9.x - 10.x)](<https://support.f5.com/csp/article/K11237>)\n", "published": "2015-04-24T01:54:00", "cvss": {"score": 1.8, "vector": "AV:ADJACENT_NETWORK/AC:HIGH/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://support.f5.com/csp/article/K16505", "cvelist": ["CVE-2015-1798"], "lastseen": "2017-06-08T00:16:20"}, {"id": "SOL16505", "type": "f5", "title": "SOL16505 - NTP vulnerability CVE-2015-1798", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists. \n \nF5 responds to vulnerabilities in accordance with the **Severity** values published in the previous table. The **Severity** values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nTo mitigate this vulnerability, you can revert any NTP configuration customizations that exposed the vulnerability.\n\n**Impact of action:** The impact of the suggested workaround will depend on the specific environment. F5 recommends testing any such changes during a maintenance window with consideration to the possible impact on your specific environment.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)\n * SOL3122: Using the BIG-IP Configuration utility to add an NTP server\n * SOL14120: Defining advanced NTP configurations on the BIG-IP system (11.x - 12.x)\n * SOL11237: Defining advanced NTP configurations on the BIG-IP system (9.x - 10.x)\n", "published": "2015-04-23T00:00:00", "cvss": {"score": 1.8, "vector": "AV:ADJACENT_NETWORK/AC:HIGH/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/16000/500/sol16505.html", "cvelist": ["CVE-2015-1798"], "lastseen": "2016-03-29T21:02:20"}], "nessus": [{"id": "AIX_IV74263.NASL", "type": "nessus", "title": "AIX 6.1 TL 8 : ntp (IV74263)", "description": "Network Time Protocol (NTP) Project NTP daemon (ntpd) is vulnerable to a denial of service, caused by an error when using symmetric key authentication. By sending specially-crafted packets to both peering hosts, an attacker could exploit this vulnerability to prevent synchronization.", "published": "2015-08-25T00:00:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=85606", "cvelist": ["CVE-2015-1799"], "lastseen": "2017-10-29T13:39:22"}, {"id": "AIX_IV73783.NASL", "type": "nessus", "title": "AIX 6.1 TL 9 : ntp (IV73783)", "description": "Network Time Protocol (NTP) Project NTP daemon (ntpd) is vulnerable to a denial of service, caused by an error when using symmetric key authentication. By sending specially-crafted packets to both peering hosts, an attacker could exploit this vulnerability to prevent synchronization.", "published": "2015-08-25T00:00:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=85603", "cvelist": ["CVE-2015-1799"], "lastseen": "2017-10-29T13:46:14"}, {"id": "F5_BIGIP_SOL16506.NASL", "type": "nessus", "title": "F5 Networks BIG-IP : NTP vulnerability (K16506)", "description": "The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 3.x and 4.x before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer.\n(CVE-2015-1799)", "published": "2015-09-21T00:00:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=86026", "cvelist": ["CVE-2015-1799"], "lastseen": "2018-07-12T17:52:26"}, {"id": "AIX_IV74261.NASL", "type": "nessus", "title": "AIX 7.1 TL 3 : ntp (IV74261)", "description": "The remote AIX host has a version of Network Time Protocol (NTP) installed that is affected by a denial of service vulnerability due to a flaw in the symmetric-key feature in the receive() function in file ntp_proto.c when receiving certain invalid packets, which causes state-variable updates to be performed. A man-in-the-middle attacker can exploit this, by spoofing the source IP of a peer, to cause a synchronization loss.", "published": "2015-08-25T00:00:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=85604", "cvelist": ["CVE-2015-1799"], "lastseen": "2018-06-12T18:12:40"}, {"id": "AIX_IV74262.NASL", "type": "nessus", "title": "AIX 7.1 TL 2 : ntp (IV74262)", "description": "Network Time Protocol (NTP) Project NTP daemon (ntpd) is vulnerable to a denial of service, caused by an error when using symmetric key authentication. By sending specially-crafted packets to both peering hosts, an attacker could exploit this vulnerability to prevent synchronization.", "published": "2015-08-25T00:00:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=85605", "cvelist": ["CVE-2015-1799"], "lastseen": "2017-10-29T13:39:30"}, {"id": "FREEBSD_PKG_EBD84C96DD7E11E4854E3C970E169BC2.NASL", "type": "nessus", "title": "FreeBSD : ntp -- multiple vulnerabilities (ebd84c96-dd7e-11e4-854e-3c970e169bc2)", "description": "ntp.org reports :\n\n- [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto.\n\n- [Sec 2781] Authentication doesn't protect symmetric associations against DoS attacks.", "published": "2015-04-08T00:00:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=82631", "cvelist": ["CVE-2015-1799", "CVE-2015-1798"], "lastseen": "2017-10-29T13:38:14"}, {"id": "SLACKWARE_SSA_2015-111-08.NASL", "type": "nessus", "title": "Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2015-111-08)", "description": "New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.", "published": "2015-04-22T00:00:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=82921", "cvelist": ["CVE-2015-1799", "CVE-2015-1798"], "lastseen": "2017-10-29T13:44:28"}, {"id": "UBUNTU_USN-2567-1.NASL", "type": "nessus", "title": "Ubuntu 12.04 LTS / 14.04 LTS / 14.10 : ntp vulnerabilities (USN-2567-1)", "description": "Miroslav Lichvar discovered that NTP incorrectly validated MAC fields.\nA remote attacker could possibly use this issue to bypass authentication and spoof packets. (CVE-2015-1798)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain invalid packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2015-1799)\n\nJuergen Perlinger discovered that NTP incorrectly generated MD5 keys on big-endian platforms. This issue could either cause ntp-keygen to hang, or could result in non-random keys. (CVE number pending).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-04-14T00:00:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=82765", "cvelist": ["CVE-2015-1799", "CVE-2015-1798"], "lastseen": "2017-10-29T13:43:23"}, {"id": "ALA_ALAS-2015-520.NASL", "type": "nessus", "title": "Amazon Linux AMI : ntp (ALAS-2015-520)", "description": "The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle attackers to spoof packets by omitting the MAC.\n(CVE-2015-1798)\n\nThe symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 3.x and 4.x before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer.\n(CVE-2015-1799)\n\nThis update also addresses leap-second handling. With older ntp versions, the -x option was sometimes used as a workaround to avoid kernel inserting/deleting leap seconds by stepping the clock and possibly upsetting running applications. That no longer works with 4.2.6 as ntpd steps the clock itself when a leap second occurs. The fix is to treat the one second offset gained during leap second as a normal offset and check the stepping threshold (set by -x or tinker step) to decide if a step should be applied. See this forum post for more information on the Amazon Linux AMI's leap-second handling.", "published": "2015-05-07T00:00:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=83271", "cvelist": ["CVE-2015-1799", "CVE-2015-1798"], "lastseen": "2018-04-19T07:59:55"}, {"id": "CISCO-SA-20150408-NTPD-IOSXE.NASL", "type": "nessus", "title": "Cisco IOS XE Software Multiple Vulnerabilities in ntpd (cisco-sa-20150408-ntpd)", "description": "According to its self-reported version, the IOS XE is affected by one or more vulnerabilities. Please see the included Cisco BIDs and the Cisco Security Advisory for more information.", "published": "2018-04-10T00:00:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=108955", "cvelist": ["CVE-2015-1799", "CVE-2015-1798"], "lastseen": "2018-05-22T03:01:44"}], "aix": [{"id": "NTP_ADVISORY3.ASC", "type": "aix", "title": "Vulnerability in NTPv3 affects AIX", "description": "IBM SECURITY ADVISORY\n\nFirst Issued: Fri Aug 21 09:06:03 CDT 2015 \n|Updated: Mon Feb 15 13:19:18 CST 2016\n|Update: Changed AIX 6.1.8 and 7.1.2 impacted levels. \n\n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/ntp_advisory3.asc\nhttps://aix.software.ibm.com/aix/efixes/security/ntp_advisory3.asc\nftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory3.asc\n\n\nSecurity Bulletin: Vulnerability in NTPv3 affects AIX (CVE-2015-1799)\n\n\n===============================================================================\n\nSUMMARY:\n\n A vulnerability in NTPv3 affects AIX. \n\n\n===============================================================================\n\nVULNERABILITY DETAILS:\n\n CVEID: CVE-2015-1799\n DESCRIPTION: Network Time Protocol (NTP) Project NTP daemon (ntpd) is\n vulnerable to a denial of service, caused by an error when using\n symmetric key authentication. By sending specially-crafted packets to\n both peering hosts, an attacker could exploit this vulnerability to\n prevent synchronization. \n CVSS Base Score: 5.4 \n CVSS Temporal Score: See\n http://xforce.iss.net/xforce/xfdb/102052 for the current score.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:A/AC:M/Au:N/C:P/I:P/A:P)\n\n\n AFFECTED PRODUCTS AND VERSIONS:\n \n AIX 6.1, 7.1\n VIOS 2.2.x\n\n The following AIX fileset levels are vulnerable:\n\n AIX Fileset Lower Level Upper Level KEY\n --------------------------------------------------------\n| bos.net.tcp.client 6.1.0.0 6.1.8.20 key_w_fs\n bos.net.tcp.client 6.1.0.0 6.1.9.45 key_w_fs\n| bos.net.tcp.client 7.1.0.0 7.1.2.20 key_w_fs\n bos.net.tcp.client 7.1.0.0 7.1.3.45 key_w_fs\n\n\n AIX Fileset (VIOS) Lower Level Upper Level\n ------------------------------------------------------------\n| bos.net.tcp.client 6.1.0.0(2.2.0.0) 6.1.8.19(2.2.2.70)\n bos.net.tcp.client 6.1.0.0(2.2.0.0) 6.1.9.45(2.2.3.50)\n\n\n Note: to find out whether the affected filesets are installed \n on your systems, refer to the lslpp command found in AIX user's guide.\n\n Example: lslpp -L | grep -i bos.net.tcp.client\n\n REMEDIATION:\n\n A. APARS\n \n IBM has assigned the following APARs to this problem:\n\n AIX Level APAR Availability SP KEY\n ---------------------------------------------------\n 6.1.9 IV73783 12/04/15 SP6 key_w_apar\n 7.1.3 IV74261 2/26/16 SP6 key_w_apar\n\n Subscribe to the APARs here:\n\n http://www.ibm.com/support/docview.wss?uid=isg1IV73783\n http://www.ibm.com/support/docview.wss?uid=isg1IV74261\n\n By subscribing, you will receive periodic email alerting you\n to the status of the APAR, and a link to download the fix once\n it becomes available.\n\n B. FIXES\n\n Fixes are available.\n\n The fixes can be downloaded via ftp or http from:\n\n ftp://aix.software.ibm.com/aix/efixes/security/ntp_fix3.tar\n http://aix.software.ibm.com/aix/efixes/security/ntp_fix3.tar\n https://aix.software.ibm.com/aix/efixes/security/ntp_fix3.tar \n\n The link above is to a tar file containing this signed\n advisory, fix packages, and OpenSSL signatures for each package.\n The fixes below include prerequisite checking. This will\n enforce the correct mapping between the fixes and AIX\n Technology Levels.\n\n AIX Level Interim Fix (*.Z) KEY\n ------------------------------------------------\n 6.1.8.6 IV74263s6a.150714.epkg.Z key_w_fix\n 6.1.9.5 IV73783s5a.150714.epkg.Z key_w_fix\n 7.1.2.6 IV74262s6a.150714.epkg.Z key_w_fix\n 7.1.3.5 IV74261s5a.150714.epkg.Z key_w_fix\n\n\n To extract the fixes from the tar file:\n\n tar xvf ntp_fix3.tar\n cd ntp_fix3\n\n Verify you have retrieved the fixes intact:\n\n The checksums below were generated using the\n \"openssl dgst -sha256 file\" command as the followng:\n\n openssl dgst -sha256 filename KEY\n -----------------------------------------------------------------------------------------------------\n 1b47c44eae7b3dd5d219586a5dafa806cd54c18872dbeee13774ae0f18242786 IV74263s6a.150714.epkg.Z key_w_csum\n ad3c3496796c9837ab7247a639e8d61e354d29c45daf940a39518f0ede5fe5ca IV73783s5a.150714.epkg.Z key_w_csum\n 785292432666ac70d019b31018965a03f3fcf8f870ec2a9473ec2e127a4a2f5f IV74262s6a.150714.epkg.Z key_w_csum\n 3ff500cc1235275a9ce1b66c9c0f41b94ccd500930dbc9d90a9e0dfe93364c14 IV74261s5a.150714.epkg.Z key_w_csum\n\n These sums should match exactly. The OpenSSL signatures in the tar\n file and on this advisory can also be used to verify the\n integrity of the fixes. If the sums or signatures cannot be\n confirmed, contact IBM AIX Security at\n security-alert@austin.ibm.com and describe the discrepancy.\n \n openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>\n\n openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>\n\n Published advisory OpenSSL signature file location:\n \n http://aix.software.ibm.com/aix/efixes/security/ntp_advisory3.asc.sig\n https://aix.software.ibm.com/aix/efixes/security/ntp_advisory3.asc.sig\n ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory3.asc.sig \n\n C. FIX AND INTERIM FIX INSTALLATION\n\n IMPORTANT: If possible, it is recommended that a mksysb backup\n of the system be created. Verify it is both bootable and\n readable before proceeding.\n\n To preview a fix installation:\n\n installp -a -d fix_name -p all # where fix_name is the name of the\n # fix package being previewed.\n To install a fix package:\n\n installp -a -d fix_name -X all # where fix_name is the name of the\n # fix package being installed.\n\n Interim fixes have had limited functional and regression\n testing but not the full regression testing that takes place\n for Service Packs; however, IBM does fully support them.\n\n Interim fix management documentation can be found at:\n\n http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html\n\n To preview an interim fix installation:\n\n emgr -e ipkg_name -p # where ipkg_name is the name of the\n # interim fix package being previewed.\n\n To install an interim fix package:\n\n emgr -e ipkg_name -X # where ipkg_name is the name of the\n # interim fix package being installed.\n\n You should verify applying this configuration change does not cause\n any compatibility issues. If you change the default setting after\n applying the fix, you will expose yourself to the attack described\n above. IBM recommends that you review your entire environment to\n identify other areas where you have enabled the Diffie-Hellman\n key-exchange protocol used in TLS and take appropriate mitigation and\n remediation actions.\n\n WORKAROUNDS AND MITIGATIONS:\n\n None.\n\n\n===============================================================================\n\nCONTACT US:\n\n If you would like to receive AIX Security Advisories via email,\n please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n\n To view previously issued advisories, please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n \n Comments regarding the content of this announcement can be\n directed to:\n\n security-alert@austin.ibm.com\n\n To obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n\n To obtain the PGP public key that can be used to communicate\n securely with the AIX Security Team via security-alert@austin.ibm.com you\n can either:\n\n A. Download the key from our web page:\n\nhttp://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt\n\n B. Download the key from a PGP Public Key Server. The key ID is:\n\n 0x28BFAA12\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n\nREFERENCES:\n \n Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html\n On-line Calculator V2:\n http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\n\n\nACKNOWLEDGEMENTS:\n\n None.\n\n\nCHANGE HISTORY:\n\n First Issued: Fri Aug 21 09:06:03 CDT 2015 \n| Updated: Mon Feb 15 13:19:18 CST 2016\n| Update: Changed AIX 6.1.8 and 7.1.2 impacted levels.\n\n===============================================================================\n\n*The CVSS Environment Score is customer environment specific and will \nultimately impact the Overall CVSS Score. Customers can evaluate the impact \nof this vulnerability in their environments by accessing the links in the \nReference section of this Security Bulletin. \n\nDisclaimer\nAccording to the Forum of Incident Response and Security Teams (FIRST), the \nCommon Vulnerability Scoring System (CVSS) is an \"industry open standard \ndesigned to convey vulnerability severity and help to determine urgency and \npriority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY \nOF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS \nFOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT \nOF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n", "published": "2015-08-21T09:06:03", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://aix.software.ibm.com/aix/efixes/security/ntp_advisory3.asc", "cvelist": ["CVE-2015-1799"], "lastseen": "2016-10-24T17:48:11"}, {"id": "NTP4_ADVISORY.ASC", "type": "aix", "title": "Vulnerabilities in NTPv4 affect AIX", "description": "IBM SECURITY ADVISORY\n\nFirst Issued: Mon Jun 29 10:00:16 CDT 2015\n\n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/ntp4_advisory.asc\nhttps://aix.software.ibm.com/aix/efixes/security/ntp4_advisory.asc\nftp://aix.software.ibm.com/aix/efixes/security/ntp4_advisory.asc\n\n \nSecurity Bulletin: Vulnerabilities in NTPv4 affect AIX \n\n\n===============================================================================\n\nSUMMARY:\n\n There are two vulnerabilities in NTPv4 that affect AIX.\n\n\n===============================================================================\n\nVULNERABILITY DETAILS:\n\n CVEID: CVE-2014-9297\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9297\n DESCRIPTION:\n Network Time Protocol (NTP) Project NTP daemon (ntpd) could allow a\n remote attacker to conduct spoofing attacks, caused by insufficient\n entropy in PRNG. An attacker could exploit this vulnerability to spoof\n the IPv6 address ::1 to bypass ACLs and launch further attacks on the\n system.\n CVSS:\n CVSS Base Score: 5.00\n CVSS Temporal Score: See \n http://xforce.iss.net/xforce/xfdb/100004 for the current score. \n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n CVEID: CVE-2015-1799\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799\n DESCRIPTION:\n Network Time Protocol (NTP) Project NTP daemon (ntpd) is vulnerable\n to a denial of service, caused by an error when using symmetric key\n authentication. By sending specially-crafted packets to both peering\n hosts, an attacker could exploit this vulnerability to prevent\n synchronization.\n CVSS:\n CVSS Base Score: 5.40\n CVSS Temporal Score: See\n http://xforce.iss.net/xforce/xfdb/102052 for the current score.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:A/AC:M/Au:N/C:P/I:P/A:P)\n\n\n AFFECTED PRODUCTS AND VERSIONS:\n \n AIX 6.1, 7.1\n VIOS 2.2.x\n\n The following fileset levels are vulnerable:\n \n AIX Fileset Lower Level Upper Level KEY\n --------------------------------------------------------\n ntp.rte 6.1.0.0 6.1.6.4 key_w_fs\n ntp.rte 7.1.0.0 7.1.0.4 key_w_fs\n\n AIX Fileset (VIOS) Lower Level Upper Level\n ------------------------------------------------------------\n ntp.rte 6.1.0.0(2.2.0.0) 6.1.6.4(2.2.2.6)\n ntp.rte 6.1.0.0(2.2.0.0) 6.1.6.4(2.2.3.4)\n\n\n Note: to find out whether the affected filesets are installed \n on your systems, refer to the lslpp command found in AIX user's guide.\n\n Example: lslpp -L | grep -i ntp.rte \n\n\n REMEDIATION:\n \n A. APARS\n \n IBM has assigned the following APARs to this problem:\n\n AIX Level APAR Availability SP KEY\n ---------------------------------------------------\n 6.1.9 IV71094 12/4/15 SP6 key_w_apar\n 7.1.3 IV71096 2/26/16 SP6 key_w_apar\n\n Subscribe to the APARs here:\n\n http://www.ibm.com/support/docview.wss?uid=isg1IV71094\n http://www.ibm.com/support/docview.wss?uid=isg1IV71096\n\n By subscribing, you will receive periodic email alerting you\n to the status of the APAR, and a link to download the fix once\n it becomes available.\n\n B. FIXES\n\n Fixes are available. The fixes can be downloaded via ftp or\n http from:\n\n ftp://aix.software.ibm.com/aix/efixes/security/ntp4_fix.tar\n http://aix.software.ibm.com/aix/efixes/security/ntp4_fix.tar\n https://aix.software.ibm.com/aix/efixes/security/ntp4_fix.tar \n\n The link above is to a tar file containing this signed\n advisory, fix packages, and OpenSSL signatures for each package.\n The fixes below include prerequisite checking. This will\n enforce the correct mapping between the fixes and AIX\n Technology Levels.\n\n AIX Level Interim Fix (*.Z) KEY\n ------------------------------------------------\n 6.1 IV71094s0a.150618.epkg.Z key_w_fix\n 7.1 IV71096s0a.150618.epkg.Z key_w_fix\n\n To extract the fixes from the tar file:\n\n tar xvf ntp4_fix.tar\n cd ntp4_fix\n\n Verify you have retrieved the fixes intact:\n\n The checksums below were generated using the\n \"openssl dgst -sha256 file\" command as the followng:\n\n openssl dgst -sha256 filename KEY\n -----------------------------------------------------------------------------------------------------\n daa13bf1d503c5e955b86ebd997895bf0bb47d9394f7d858a2628f762a062344 IV71094s0a.150618.epkg.Z key_w_csum\n 811e3169a1c244a48d6380f8eb1462b47e2c2c8c7db8a20e3165de7fd0bba822 IV71096s0a.150618.epkg.Z key_w_csum\n\n\n These sums should match exactly. The OpenSSL signatures in the tar\n file and on this advisory can also be used to verify the\n integrity of the fixes. If the sums or signatures cannot be\n confirmed, contact IBM AIX Security at\n security-alert@austin.ibm.com and describe the discrepancy.\n \n openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>\n\n openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>\n\n Published advisory OpenSSL signature file location:\n \n http://aix.software.ibm.com/aix/efixes/security/ntp4_advisory.asc.sig\n https://aix.software.ibm.com/aix/efixes/security/ntp4_advisory.asc.sig\n ftp://aix.software.ibm.com/aix/efixes/security/ntp4_advisory.asc.sig \n\n C. FIX AND INTERIM FIX INSTALLATION\n\n IMPORTANT: If possible, it is recommended that a mksysb backup\n of the system be created. Verify it is both bootable and\n readable before proceeding.\n\n To preview a fix installation:\n\n installp -a -d fix_name -p all # where fix_name is the name of the\n # fix package being previewed.\n To install a fix package:\n\n installp -a -d fix_name -X all # where fix_name is the name of the\n # fix package being installed.\n\n Interim fixes have had limited functional and regression\n testing but not the full regression testing that takes place\n for Service Packs; however, IBM does fully support them.\n\n Interim fix management documentation can be found at:\n\n http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html\n\n To preview an interim fix installation:\n\n emgr -e ipkg_name -p # where ipkg_name is the name of the\n # interim fix package being previewed.\n\n To install an interim fix package:\n\n emgr -e ipkg_name -X # where ipkg_name is the name of the\n # interim fix package being installed.\n\n\n WORKAROUNDS AND MITIGATIONS:\n\n None.\n\n\n===============================================================================\n\nCONTACT US:\n\n If you would like to receive AIX Security Advisories via email,\n please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n\n To view previously issued advisories, please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n \n Comments regarding the content of this announcement can be\n directed to:\n\n security-alert@austin.ibm.com\n\n To obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n\n To obtain the PGP public key that can be used to communicate\n securely with the AIX Security Team via security-alert@austin.ibm.com you\n can either:\n\n A. Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt\n\n B. Download the key from a PGP Public Key Server. The key ID is:\n\n 0x28BFAA12\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n\nREFERENCES:\n \n Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html\n On-line Calculator V2: \n http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\n\n\nACKNOWLEDGEMENTS:\n\n None.\n\n\nCHANGE HISTORY:\n\n First Issued: Mon Jun 29 10:00:16 CDT 2015\n\n===============================================================================\n\n*The CVSS Environment Score is customer environment specific and will \nultimately impact the Overall CVSS Score. Customers can evaluate the impact \nof this vulnerability in their environments by accessing the links in the \nReference section of this Security Bulletin. \n\nDisclaimer\nAccording to the Forum of Incident Response and Security Teams (FIRST), the \nCommon Vulnerability Scoring System (CVSS) is an \"industry open standard \ndesigned to convey vulnerability severity and help to determine urgency and \npriority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY \nOF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS \nFOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT \nOF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n", "published": "2015-06-29T10:00:16", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://aix.software.ibm.com/aix/efixes/security/ntp4_advisory.asc", "cvelist": ["CVE-2015-1799", "CVE-2014-9297"], "lastseen": "2016-10-24T17:48:11"}], "cisco": [{"id": "CISCO-SA-20150408-CVE-2015-1799", "type": "cisco", "title": "Network Time Protocol Daemon Symmetric Mode Packet Processing Denial of Service Vulnerability", "description": "A vulnerability in authentication code of ntpd could allow an unauthenticated, remote attacker to inject NTP state variables without knowledge of the NTP keys.\n\nThe vulnerability is due to invalid processing of the NTP packets when authentication fails. An attacker could exploit this vulnerability by periodically sending NTP packets with set NTP state variables. A successful exploit could allow the attacker to disrupt communication between NTP hosts, preventing synchronization.\n\nA vulnerability in ntpd could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) condition on an affected system.\n\nThe vulnerability is due to improper processing of Network Time Protocol (NTP) packets when handling symmetric key authentication failures. An attacker could exploit this vulnerability by conducting a man-in-the-middle attack to periodically transmit crafted NTP packets with set NTP state variables. An exploit could allow the attacker to disrupt communication between NTP hosts, preventing synchronization and leading to a DoS condition for legitimate users.\n\nNTP.org has confirmed this vulnerability in a security advisory and released software updates.\n\nTo exploit this vulnerability, an attacker may require access to trusted, internal networks to send crafted requests to the affected software. This access requirement could limit the likelihood of a successful exploit.\n\nAn attacker may attempt to perform a man-in-the-middle attack to send crafted packets to the targeted device in an attempt to exploit this vulnerability.\n\nReports indicate that systems that are configured to use the symmetric key authentication mechanism are affected.", "published": "2015-04-08T16:41:16", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20150408-CVE-2015-1799", "cvelist": ["CVE-2015-1799"], "lastseen": "2017-09-26T15:33:47"}, {"id": "CISCO-SA-20150408-NTPD", "type": "cisco", "title": "Multiple Vulnerabilities in ntpd (April 2015) Affecting Cisco Products", "description": "A vulnerability in the authentication code of ntpd could allow an unauthenticated, remote attacker to inject NTP state variables without knowledge of the NTP keys.\n\nThe vulnerability is due to invalid processing of the NTP packets when authentication fails. An attacker could exploit this vulnerability by periodically sending NTP packets with set NTP state variables. A successful exploit could allow the attacker to disrupt communication between NTP hosts, preventing synchronization.\n\nA vulnerability in the message authentication code (MAC) validation routine of ntpd could allow an unauthenticated, remote attacker to bypass the NTP authentication feature.\n\nThe vulnerability is due to incorrect validation of the MAC field. An attacker could exploit this vulnerability by sending unauthenticated NTP packets to an NTP host that is configured with symmetric key authentication. An exploit could allow the attacker to inject NTP packets to the NTP host without knowledge of the NTP symmetric key.\n\nMultiple Cisco products incorporate a version of the ntpd package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to bypass authentication controls or to create a denial of service (DoS) condition.\n\nOn April 7, 2015, NTP.org and US-CERT released a security advisory dealing with two issues regarding bypass of authentication controls. These vulnerabilities are referenced in this document as follows:\n\n CVE-2015-1798: NTP Authentication bypass vulnerability\n CVE-2015-1799: NTP Authentication doesn't protect symmetric associations against DoS attacks\n\nCisco has released software updates that address these vulnerabilities. \n\nWorkarounds that mitigate these vulnerabilities are available.\n\nThis advisory is available at the following link:\n\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-ntpd[\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-ntpd\"]", "published": "2015-04-08T16:00:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-ntpd", "cvelist": ["CVE-2015-1798", "CVE-2015-1799"], "lastseen": "2018-07-14T12:39:04"}, {"id": "CISCO-SA-20150408-CVE-2015-1798", "type": "cisco", "title": "Network Time Protocol Daemon MAC Checking Failure Authentication Bypass Vulnerability", "description": "A vulnerability in the Network Time Protocol (NTP) daemon could allow an unauthenticated, adjacent attacker to bypass authentication mechanisms and access an affected system.\n\nThe vulnerability is due to incorrect validation of the message authentication code (MAC) field. An attacker could exploit this vulnerability by sending unauthenticated NTP packets to an NTP host that is configured with symmetric key authentication. An exploit could allow the attacker to inject NTP packets to the NTP host without knowing the NTP symmetric key.\n\nNTP.org has released a security notice and software updates to address the vulnerability.\n\nTo exploit the vulnerability, the attacker may need access to trusted or internal networks to transmit crafted packets to the affected system. This access requirement limits the likelihood of a successful exploit.\n\nThe vulnerability is exploitable only on an application that is configured with the symmetric key authentication mechanism. Authentication using autokey is not affected.\n\nA vulnerability in the message authentication code (MAC) validation routine of ntpd could allow an unauthenticated, remote attacker to bypass the NTP authentication feature.\n\nThe vulnerability is due to incorrect validation of the MAC field. An attacker could exploit this vulnerability by sending unauthenticated NTP packets to an NTP host that is configured with symmetric key authentication. An exploit could allow the attacker to inject NTP packets to the NTP host without the knowledge of the NTP symmetric key.", "published": "2015-04-08T17:05:12", "cvss": {"score": 1.8, "vector": "AV:ADJACENT_NETWORK/AC:HIGH/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20150408-CVE-2015-1798", "cvelist": ["CVE-2015-1798"], "lastseen": "2017-09-26T15:33:47"}], "cert": [{"id": "VU:374268", "type": "cert", "title": "NTP Project ntpd reference implementation contains multiple vulnerabilities", "description": "### Overview\n\nNTP Project ntpd reference implementation accepts unauthenticated packets with symmetric key cryptography and does not protect symmetric associations against denial of service attacks.\n\n### Description\n\nCVE-2015-1798, [bug 2779](<http://bugs.ntp.org/show_bug.cgi?id=2779>): \n\nIn NTP4 installations utilizing symmetric key authentication, versions ntp-4.2.5p99 to ntp-4.2.8p1, packets with no message authentication code (MAC) are accepted as though they have a valid MAC. An attacker may be able to leverage this validation error to send packets that will be accepted by the client. The CVSS score reflects this issue. \n \nCVE-2015-1799, [bug 2781](<http://bugs.ntp.org/show_bug.cgi?id=2781>): \n \nIn NTP installations utilizing symmetric key authentication, including xntp3.3wy to version ntp-4.2.8p1, a denial of service condition is created when two peering hosts receive packets in which the originate and transmit timestamps do not match. An attacker who periodically sends such packets to both hosts can prevent synchronization. \n \nFor more information about these issues, visit [NTP's security notice](<http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities>). \n \n--- \n \n### Impact\n\nAn unauthenticated attacker with network access may be able to inject packets or prevent peer synchronization among symmetrically authenticated hosts. \n \n--- \n \n### Solution\n\n**Apply an update** \n \nThe NTP Project has released [version ntp-4.2.8p2](<http://www.ntp.org/downloads.html>) to address these issues. \n \n--- \n \n### Vendor Information \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nArista Networks, Inc.| | -| 10 Apr 2015 \nFreeBSD Project| | 24 Mar 2015| 10 Apr 2015 \nNTP Project| | 23 Mar 2015| 07 Apr 2015 \nEfficientIP| | -| 10 Apr 2015 \nACCESS| | 24 Mar 2015| 24 Mar 2015 \nAlcatel-Lucent| | 24 Mar 2015| 24 Mar 2015 \nApple| | 24 Mar 2015| 24 Mar 2015 \nArch Linux| | 30 Mar 2015| 30 Mar 2015 \nAT&T;| | 24 Mar 2015| 24 Mar 2015 \nAvaya, Inc.| | 24 Mar 2015| 24 Mar 2015 \nBarracuda Networks| | 24 Mar 2015| 24 Mar 2015 \nBelkin, Inc.| | 24 Mar 2015| 24 Mar 2015 \nBlue Coat Systems| | 24 Mar 2015| 24 Mar 2015 \nBrocade| | 30 Mar 2015| 30 Mar 2015 \nCA Technologies| | 24 Mar 2015| 24 Mar 2015 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23374268 Vendor Status Inquiry>). \n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 5.4 | AV:A/AC:M/Au:N/C:P/I:P/A:P \nTemporal | 4.2 | E:POC/RL:OF/RC:C \nEnvironmental | 4.2 | CDP:N/TD:H/CR:ND/IR:ND/AR:ND \n \n### References\n\n * <http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities>\n * <http://bugs.ntp.org/show_bug.cgi?id=2781>\n * <http://bugs.ntp.org/show_bug.cgi?id=2779>\n * <http://www.ntp.org/downloads.html>\n\n### Credit\n\nThe NTP Project credits Miroslav Lichvar of Red Hat for reporting these issues.\n\nThis document was written by Joel Land.\n\n### Other Information\n\n * CVE IDs: [CVE-2015-1798](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1798>) [CVE-2015-1799](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1799>)\n * Date Public: 07 Apr 2015\n * Date First Published: 07 Apr 2015\n * Date Last Updated: 10 Apr 2015\n * Document Revision: 18\n\n", "published": "2015-04-07T00:00:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.kb.cert.org/vuls/id/374268", "cvelist": ["CVE-2015-1799", "CVE-2015-1799", "CVE-2015-1799", "CVE-2015-1798", "CVE-2015-1798", "CVE-2015-1798"], "lastseen": "2016-02-03T09:13:12"}], "freebsd": [{"id": "EBD84C96-DD7E-11E4-854E-3C970E169BC2", "type": "freebsd", "title": "ntp -- multiple vulnerabilities", "description": "\nntp.org reports:\n\n\n[Sec 2779] ntpd accepts unauthenticated packets\n\t with symmetric key crypto.\n[Sec 2781] Authentication doesn't protect symmetric\n\t associations against DoS attacks.\n\n\n", "published": "2015-04-07T00:00:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://vuxml.freebsd.org/freebsd/ebd84c96-dd7e-11e4-854e-3c970e169bc2.html", "cvelist": ["CVE-2015-1799", "CVE-2015-1798"], "lastseen": "2016-09-26T17:24:20"}], "suse": [{"id": "SUSE-SU-2015:1173-1", "type": "suse", "title": "Security update for ntp (important)", "description": "ntp was updated to fix two security issues:\n\n * CVE-2015-1799: ntpd authentication did not protect symmetric\n associations against DoS attacks (bsc#924202)\n * CVE-2015-3405: ntp-keygen may generate non-random symmetric keys on\n big-endian systems (bsc#928321)\n\n Security Issues:\n\n * CVE-2015-1799\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799</a>>\n * CVE-2015-3405\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3405\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3405</a>>\n\n", "published": "2015-07-02T17:05:24", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00000.html", "cvelist": ["CVE-2015-3405", "CVE-2015-1799"], "lastseen": "2016-09-04T11:56:37"}, {"id": "SUSE-SU-2016:1912-1", "type": "suse", "title": "Security update for ntp (important)", "description": "NTP was updated to version 4.2.8p8 to fix several security issues and to\n ensure the continued maintainability of the package.\n\n These security issues were fixed:\n\n * CVE-2016-4953: Bad authentication demobilized ephemeral associations\n (bsc#982065).\n * CVE-2016-4954: Processing spoofed server packets (bsc#982066).\n * CVE-2016-4955: Autokey association reset (bsc#982067).\n * CVE-2016-4956: Broadcast interleave (bsc#982068).\n * CVE-2016-4957: CRYPTO_NAK crash (bsc#982064).\n * CVE-2016-1547: Validate crypto-NAKs to prevent ACRYPTO-NAK DoS\n (bsc#977459).\n * CVE-2016-1548: Prevent the change of time of an ntpd client or\n denying service to an ntpd client by forcing it to change from basic\n client/server mode to interleaved symmetric mode (bsc#977461).\n * CVE-2016-1549: Sybil vulnerability: ephemeral association attack\n (bsc#977451).\n * CVE-2016-1550: Improve security against buffer comparison timing\n attacks (bsc#977464).\n * CVE-2016-1551: Refclock impersonation vulnerability (bsc#977450)y\n * CVE-2016-2516: Duplicate IPs on unconfig directives could have\n caused an assertion botch in ntpd (bsc#977452).\n * CVE-2016-2517: Remote configuration trustedkey/\n requestkey/controlkey values are not properly validated (bsc#977455).\n * CVE-2016-2518: Crafted addpeer with hmode > 7 causes array\n wraparound with MATCH_ASSOC (bsc#977457).\n * CVE-2016-2519: ctl_getitem() return value not always checked\n (bsc#977458).\n * CVE-2015-8158: Potential Infinite Loop in ntpq (bsc#962966).\n * CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n * CVE-2015-7979: Off-path Denial of Service (DoS) attack on\n authenticated broadcast mode (bsc#962784).\n * CVE-2015-7978: Stack exhaustion in recursive traversal of\n restriction list (bsc#963000).\n * CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n * CVE-2015-7976: ntpq saveconfig command allowed dangerous characters\n in filenames (bsc#962802).\n * CVE-2015-7975: nextvar() missing length check (bsc#962988).\n * CVE-2015-7974: NTP did not verify peer associations of symmetric\n keys when authenticating packets, which might have allowed remote\n attackers to conduct impersonation attacks via an arbitrary trusted\n key, aka a "skeleton" key (bsc#962960).\n * CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n * CVE-2015-5300: MITM attacker can force ntpd to make a step larger\n than the panic threshold (bsc#951629).\n * CVE-2015-5194: Crash with crafted logconfig configuration command\n (bsc#943218).\n * CVE-2015-7871: NAK to the Future: Symmetric association\n authentication bypass via crypto-NAK (bsc#952611).\n * CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning\n FAIL on some bogus values (bsc#952611).\n * CVE-2015-7854: Password Length Memory Corruption Vulnerability\n (bsc#952611).\n * CVE-2015-7853: Invalid length data provided by a custom refclock\n driver could cause a buffer overflow (bsc#952611).\n * CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability\n (bsc#952611).\n * CVE-2015-7851: saveconfig Directory Traversal Vulnerability\n (bsc#952611).\n * CVE-2015-7850: Clients that receive a KoD now validate the origin\n timestamp field (bsc#952611).\n * CVE-2015-7849: Prevent use-after-free trusted key (bsc#952611).\n * CVE-2015-7848: Prevent mode 7 loop counter underrun (bsc#952611).\n * CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#952611).\n * CVE-2015-7703: Configuration directives "pidfile" and "driftfile"\n should only be allowed locally (bsc#943221).\n * CVE-2015-7704: Clients that receive a KoD should validate the origin\n timestamp field (bsc#952611).\n * CVE-2015-7705: Clients that receive a KoD should validate the origin\n timestamp field (bsc#952611).\n * CVE-2015-7691: Incomplete autokey data packet length checks\n (bsc#952611).\n * CVE-2015-7692: Incomplete autokey data packet length checks\n (bsc#952611).\n * CVE-2015-7702: Incomplete autokey data packet length checks\n (bsc#952611).\n * CVE-2015-1798: The symmetric-key feature in the receive function in\n ntp_proto.c in ntpd in NTP required a correct MAC only if the MAC\n field has a nonzero length, which made it easier for\n man-in-the-middle attackers to spoof packets by omitting the MAC\n (bsc#924202).\n * CVE-2015-1799: The symmetric-key feature in the receive function in\n ntp_proto.c in ntpd in NTP performed state-variable updates upon\n receiving certain invalid packets, which made it easier for\n man-in-the-middle attackers to cause a denial of service\n (synchronization loss) by spoofing the source IP address of a peer\n (bsc#924202).\n\n These non-security issues were fixed:\n\n * Keep the parent process alive until the daemon has finished\n initialisation, to make sure that the PID file exists when the\n parent returns.\n * bsc#979302: Change the process name of the forking DNS worker\n process to avoid the impression that ntpd is started twice.\n * bsc#981422: Don't ignore SIGCHILD because it breaks wait().\n * Separate the creation of ntp.keys and key #1 in it to avoid problems\n when upgrading installations that have the file, but no key #1,\n which is needed e.g. by "rcntp addserver".\n * bsc#957226: Restrict the parser in the startup script to the first\n occurrance of "keys" and "controlkey" in ntp.conf.\n * Enable compile-time support for MS-SNTP (--enable-ntp-signd)\n * bsc#975496: Fix ntp-sntp-dst.patch.\n * bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path,\n which caused the synchronization to fail.\n * bsc#782060: Speedup ntpq.\n * bsc#951559: Fix the TZ offset output of sntp during DST.\n * bsc#916617: Add /var/db/ntp-kod.\n * bsc#951351: Add ntp-ENOBUFS.patch to limit a warning that might\n happen quite a lot on loaded systems.\n * Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n * bnc#784760: Remove local clock from default configuration.\n * Fix incomplete backporting of "rcntp ntptimemset".\n * bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.\n * Don't let "keysdir" lines in ntp.conf trigger the "keys" parser.\n * bsc#910063: Fix the comment regarding addserver in ntp.conf.\n * bsc#944300: Remove "kod" from the restrict line in ntp.conf.\n * bsc#905885: Use SHA1 instead of MD5 for symmetric keys.\n * bsc#926510: Re-add chroot support, but mark it as deprecated and\n disable it by default.\n * bsc#920895: Drop support for running chrooted, because it is an\n ongoing source of problems and not really needed anymore, given that\n ntp now drops privileges and runs under apparmor.\n * bsc#920183: Allow -4 and -6 address qualifiers in "server"\n directives.\n * Use upstream ntp-wait, because our version is incompatible with the\n new ntpq command line syntax.\n * bsc#920905: Adjust Util.pm to the Perl version on SLE11.\n * bsc#920238: Enable ntpdc for backwards compatibility.\n * bsc#920893: Don't use %exclude.\n * bsc#988417: Default to NTPD_FORCE_SYNC_ON_STARTUP="yes"\n * bsc#988565: Ignore errors when removing extra files during\n uninstallation\n * bsc#988558: Don't blindly guess the value to use for IP_TOS\n\n Security Issues:\n\n * CVE-2016-4953\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953</a>>\n * CVE-2016-4954\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954</a>>\n * CVE-2016-4955\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955</a>>\n * CVE-2016-4956\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956</a>>\n * CVE-2016-4957\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4957\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4957</a>>\n * CVE-2016-1547\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1547\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1547</a>>\n * CVE-2016-1548\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548</a>>\n * CVE-2016-1549\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549</a>>\n * CVE-2016-1550\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550</a>>\n * CVE-2016-1551\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1551\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1551</a>>\n * CVE-2016-2516\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516</a>>\n * CVE-2016-2517\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2517\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2517</a>>\n * CVE-2016-2518\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518</a>>\n * CVE-2016-2519\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2519\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2519</a>>\n * CVE-2015-8158\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158</a>>\n * CVE-2015-8138\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138</a>>\n * CVE-2015-7979\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979</a>>\n * CVE-2015-7978\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978</a>>\n * CVE-2015-7977\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977</a>>\n * CVE-2015-7976\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976</a>>\n * CVE-2015-7975\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975</a>>\n * CVE-2015-7974\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974</a>>\n * CVE-2015-7973\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973</a>>\n * CVE-2015-5300\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300</a>>\n * CVE-2015-5194\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5194\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5194</a>>\n * CVE-2015-7871\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871</a>>\n * CVE-2015-7855\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855</a>>\n * CVE-2015-7854\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854</a>>\n * CVE-2015-7853\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853</a>>\n * CVE-2015-7852\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852</a>>\n * CVE-2015-7851\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851</a>>\n * CVE-2015-7850\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850</a>>\n * CVE-2015-7849\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849</a>>\n * CVE-2015-7848\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848</a>>\n * CVE-2015-7701\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701</a>>\n * CVE-2015-7703\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703</a>>\n * CVE-2015-7704\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704</a>>\n * CVE-2015-7705\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705</a>>\n * CVE-2015-7691\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691</a>>\n * CVE-2015-7692\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692</a>>\n * CVE-2015-7702\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702</a>>\n * CVE-2015-1798\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798</a>>\n * CVE-2015-1799\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799</a>>\n\n\n", "published": "2016-07-29T19:08:48", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00026.html", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-7703", "CVE-2016-4956", "CVE-2016-4955", "CVE-2015-8138", "CVE-2015-7855", "CVE-2016-4953", "CVE-2015-7973", "CVE-2015-1799", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7704", "CVE-2016-1551", "CVE-2015-7979", "CVE-2016-4954", "CVE-2015-7701", "CVE-2015-7976", "CVE-2015-7848", "CVE-2015-7975", "CVE-2015-7692", "CVE-2016-1547", "CVE-2015-7851", "CVE-2015-7702", "CVE-2016-4957", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7871", "CVE-2015-7849", "CVE-2015-7691", "CVE-2016-2519", "CVE-2016-2517", "CVE-2015-7705", "CVE-2015-1798", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7850", "CVE-2016-1549", "CVE-2015-7854", "CVE-2015-7978", "CVE-2015-7853"], "lastseen": "2016-09-04T11:46:06"}, {"id": "SUSE-SU-2016:2094-1", "type": "suse", "title": "Security update for yast2-ntp-client (important)", "description": "The YaST2 NTP Client was updated to handle the presence of both xntp and\n ntp packages.\n\n If none are installed, "ntp" will be installed.\n\n Security Issues:\n\n * CVE-2016-4953\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953</a>>\n * CVE-2016-4954\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954</a>>\n * CVE-2016-4955\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955</a>>\n * CVE-2016-4956\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956</a>>\n * CVE-2016-4957\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4957\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4957</a>>\n * CVE-2016-1547\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1547\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1547</a>>\n * CVE-2016-1548\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548</a>>\n * CVE-2016-1549\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549</a>>\n * CVE-2016-1550\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550</a>>\n * CVE-2016-1551\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1551\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1551</a>>\n * CVE-2016-2516\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516</a>>\n * CVE-2016-2517\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2517\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2517</a>>\n * CVE-2016-2518\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518</a>>\n * CVE-2016-2519\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2519\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2519</a>>\n * CVE-2015-8158\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158</a>>\n * CVE-2015-8138\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138</a>>\n * CVE-2015-7979\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979</a>>\n * CVE-2015-7978\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978</a>>\n * CVE-2015-7977\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977</a>>\n * CVE-2015-7976\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976</a>>\n * CVE-2015-7975\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975</a>>\n * CVE-2015-7974\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974</a>>\n * CVE-2015-7973\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973</a>>\n * CVE-2015-5300\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300</a>>\n * CVE-2015-5194\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5194\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5194</a>>\n * CVE-2015-7871\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871</a>>\n * CVE-2015-7855\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855</a>>\n * CVE-2015-7854\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854</a>>\n * CVE-2015-7853\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853</a>>\n * CVE-2015-7852\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852</a>>\n * CVE-2015-7851\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851</a>>\n * CVE-2015-7850\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850</a>>\n * CVE-2015-7849\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849</a>>\n * CVE-2015-7848\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848</a>>\n * CVE-2015-7701\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701</a>>\n * CVE-2015-7703\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703</a>>\n * CVE-2015-7704\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704</a>>\n * CVE-2015-7705\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705</a>>\n * CVE-2015-7691\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691</a>>\n * CVE-2015-7692\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692</a>>\n * CVE-2015-7702\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702</a>>\n * CVE-2015-1798\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798</a>>\n * CVE-2015-1799\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799</a>>\n\n\n", "published": "2016-08-17T21:08:25", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00042.html", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-7703", "CVE-2016-4956", "CVE-2016-4955", "CVE-2015-8138", "CVE-2015-7855", "CVE-2016-4953", "CVE-2015-7973", "CVE-2015-1799", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7704", "CVE-2016-1551", "CVE-2015-7979", "CVE-2016-4954", "CVE-2015-7701", "CVE-2015-7976", "CVE-2015-7848", "CVE-2015-7975", "CVE-2015-7692", "CVE-2016-1547", "CVE-2015-7851", "CVE-2015-7702", "CVE-2016-4957", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7871", "CVE-2015-7849", "CVE-2015-7691", "CVE-2016-2519", "CVE-2016-2517", "CVE-2015-7705", "CVE-2015-1798", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7850", "CVE-2016-1549", "CVE-2015-7854", "CVE-2015-7978", "CVE-2015-7853"], "lastseen": "2016-09-04T12:46:49"}], "openvas": [{"id": "OPENVAS:1361412562310842167", "type": "openvas", "title": "Ubuntu Update for ntp USN-2567-1", "description": "Check the version of ntp", "published": "2015-04-14T00:00:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842167", "cvelist": ["CVE-2015-1799", "CVE-2015-1798"], "lastseen": "2018-04-30T14:02:53"}, {"id": "OPENVAS:703223", "type": "openvas", "title": "Debian Security Advisory DSA 3223-1 (ntp - security update)", "description": "Multiple vulnerabilities were\ndiscovered in ntp, an implementation of the Network Time Protocol:\n\nCVE-2015-1798 \nWhen configured to use a symmetric key with an NTP peer, ntpd would\naccept packets without MAC as if they had a valid MAC. This could\nallow a remote attacker to bypass the packet authentication and send\nmalicious packets without having to know the symmetric key.\n\nCVE-2015-1799 \nWhen peering with other NTP hosts using authenticated symmetric\nassociation, ntpd would update its internal state variables before\nthe MAC of the NTP messages was validated. This could allow a remote\nattacker to cause a denial of service by impeding synchronization\nbetween NTP peers.\n\nAdditionally, it was discovered that generating MD5 keys using ntp-keygen\non big endian machines would either trigger an endless loop, or generate\nnon-random keys.", "published": "2015-04-12T00:00:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=703223", "cvelist": ["CVE-2015-1799", "CVE-2015-1798"], "lastseen": "2017-07-24T12:53:48"}, {"id": "OPENVAS:1361412562310703223", "type": "openvas", "title": "Debian Security Advisory DSA 3223-1 (ntp - security update)", "description": "Multiple vulnerabilities were\ndiscovered in ntp, an implementation of the Network Time Protocol:\n\nCVE-2015-1798 \nWhen configured to use a symmetric key with an NTP peer, ntpd would\naccept packets without MAC as if they had a valid MAC. This could\nallow a remote attacker to bypass the packet authentication and send\nmalicious packets without having to know the symmetric key.\n\nCVE-2015-1799 \nWhen peering with other NTP hosts using authenticated symmetric\nassociation, ntpd would update its internal state variables before\nthe MAC of the NTP messages was validated. This could allow a remote\nattacker to cause a denial of service by impeding synchronization\nbetween NTP peers.\n\nAdditionally, it was discovered that generating MD5 keys using ntp-keygen\non big endian machines would either trigger an endless loop, or generate\nnon-random keys.", "published": "2015-04-12T00:00:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703223", "cvelist": ["CVE-2015-1799", "CVE-2015-1798"], "lastseen": "2018-04-06T11:29:26"}, {"id": "OPENVAS:1361412562310105677", "type": "openvas", "title": "Multiple Vulnerabilities in ntpd (April 2015) Affecting Cisco Products", "description": "Multiple Cisco products incorporate a version of the ntpd package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to bypass authentication controls or to create a denial of service (DoS) condition.\n\nOn April 7, 2015, NTP.org and US-CERT released a security advisory dealing with two issues regarding bypass of authentication controls. These vulnerabilities are referenced in this document as follows:\n CVE-2015-1798: NTP Authentication bypass vulnerability\n CVE-2015-1799: NTP Authentication doesn", "published": "2016-05-10T00:00:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105677", "cvelist": ["CVE-2015-1799", "CVE-2015-1798"], "lastseen": "2017-07-02T21:12:55"}, {"id": "OPENVAS:1361412562310850815", "type": "openvas", "title": "SuSE Update for ntp SUSE-SU-2015:1173-1 (ntp)", "description": "Check the version of ntp", "published": "2015-10-13T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850815", "cvelist": ["CVE-2015-3405", "CVE-2015-1799"], "lastseen": "2017-12-12T11:16:39"}, {"id": "OPENVAS:1361412562310869656", "type": "openvas", "title": "Fedora Update for ntp FEDORA-2015-5761", "description": "Check the version of ntp", "published": "2015-07-07T00:00:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869656", "cvelist": ["CVE-2015-1799", "CVE-2015-1798"], "lastseen": "2017-07-25T10:52:55"}, {"id": "OPENVAS:1361412562310120060", "type": "openvas", "title": "Amazon Linux Local Check: ALAS-2015-520", "description": "Amazon Linux Local Security Checks", "published": "2015-09-08T00:00:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120060", "cvelist": ["CVE-2015-1799", "CVE-2015-1798"], "lastseen": "2017-07-24T12:53:22"}, {"id": "OPENVAS:1361412562310121407", "type": "openvas", "title": "Gentoo Linux Local Check: https://security.gentoo.org/glsa/201509-01", "description": "Gentoo Linux Local Security Checks https://security.gentoo.org/glsa/201509-01", "published": "2015-09-29T00:00:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310121407", "cvelist": ["CVE-2015-5146", "CVE-2015-1799", "CVE-2015-1798"], "lastseen": "2018-04-09T11:25:59"}, {"id": "OPENVAS:1361412562310871405", "type": "openvas", "title": "RedHat Update for ntp RHSA-2015:1459-01", "description": "Check the version of ntp", "published": "2015-07-23T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871405", "cvelist": ["CVE-2015-3405", "CVE-2015-1799", "CVE-2014-9298", "CVE-2014-9297", "CVE-2015-1798"], "lastseen": "2017-08-26T11:22:18"}, {"id": "OPENVAS:1361412562310123068", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2015-1459", "description": "Oracle Linux Local Security Checks ELSA-2015-1459", "published": "2015-10-06T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123068", "cvelist": ["CVE-2015-3405", "CVE-2015-1799", "CVE-2014-9298", "CVE-2014-9297", "CVE-2015-1798"], "lastseen": "2017-08-26T11:22:58"}], "archlinux": [{"id": "ASA-201504-8", "type": "archlinux", "title": "ntp: multiple issues", "description": "CVE-2015-1798 (accept unauthenticated packets):\n\nWhen ntpd is configured to use a symmetric key to authenticate a remote NTP\nserver/peer, it checks if the NTP message authentication code (MAC) in received\npackets is valid, but not if there actually is any MAC included. Packets without\na MAC are accepted as if they had a valid MAC. This allows a MITM attacker to\nsend false packets that are accepted by the client/peer without having to know\nthe symmetric key. The attacker needs to know the transmit timestamp of the\nclient to match it in the forged reply and the false reply needs to reach the\nclient before the genuine reply from the server. The attacker doesn't\nnecessarily need to be relaying the packets between the client and the server. \n\nCVE-2015-1799 (denial of service):\n\nAn attacker knowing that NTP hosts A and B are peering with each other\n(symmetric association) can send a packet to host A with source address of B\nwhich will set the NTP state variables on A to the values sent by the attacker.\nHost A will then send on its next poll to B a packet with originate timestamp\nthat doesn't match the transmit timestamp of B and the packet will be dropped.\nIf the attacker does this periodically for both hosts, they won't be able to\nsynchronize to each other. This is a known denial-of-service attack", "published": "2015-04-08T00:00:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2015-April/000275.html", "cvelist": ["CVE-2015-1799", "CVE-2015-1798"], "lastseen": "2016-09-02T18:44:47"}, {"id": "ASA-201504-9", "type": "archlinux", "title": "chrony: denial of service", "description": "CVE-2015-1853 (denial of service):\nThis issue is similiar to the "ntp CVE-2015-1799"-issue.\nAn attacker knowing that NTP hosts A and B are peering with each other\n(symmetric association) can send a packet to host A with source address of B\nwhich will set the NTP state variables on A to the values sent by the attacker.\nHost A will then send on its next poll to B a packet with originate timestamp\nthat doesn't match the transmit timestamp of B and the packet will be dropped.\nIf the attacker does this periodically for both hosts, they won't be able to\nsynchronize to each other. This is a known denial-of-service attack", "published": "2015-04-08T00:00:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2015-April/000278.html", "cvelist": ["CVE-2015-1799", "CVE-2015-1853"], "lastseen": "2016-09-02T18:44:44"}], "debian": [{"id": "DLA-192", "type": "debian", "title": "ntp -- LTS security update", "description": "* [CVE-2015-1798](<https://security-tracker.debian.org/tracker/CVE-2015-1798>)\n\nWhen ntpd is configured to use a symmetric key to authenticate a remote NTP server/peer, it checks if the NTP message authentication code (MAC) in received packets is valid, but not if there actually is any MAC included. Packets without a MAC are accepted as if they had a valid MAC. This allows a MITM attacker to send false packets that are accepted by the client/peer without having to know the symmetric key. The attacker needs to know the transmit timestamp of the client to match it in the forged reply and the false reply needs to reach the client before the genuine reply from the server. The attacker doesn't necessarily need to be relaying the packets between the client and the server.\n\nAuthentication using autokey doesn't have this problem as there is a check that requires the key ID to be larger than NTP_MAXKEY, which fails for packets without a MAC.\n\n * [CVE-2015-1799](<https://security-tracker.debian.org/tracker/CVE-2015-1799>)\n\nAn attacker knowing that NTP hosts A and B are peering with each other (symmetric association) can send a packet to host A with source address of B which will set the NTP state variables on A to the values sent by the attacker. Host A will then send on its next poll to B a packet with originate timestamp that doesn't match the transmit timestamp of B and the packet will be dropped. If the attacker does this periodically for both hosts, they won't be able to synchronize to each other. This is a known denial-of-service attack, described at <https://www.eecis.udel.edu/~mills/onwire.html> .\n\nAccording to the document the NTP authentication is supposed to protect symmetric associations against this attack, but that doesn't seem to be the case. The state variables are updated even when authentication fails and the peers are sending packets with originate timestamps that don't match the transmit timestamps on the receiving side.\n\nntp-keygen on big endian hosts\n\nUsing ntp-keygen to generate an MD5 key on big endian hosts resulted in either an infite loop or an key of only 93 possible keys.", "published": "2015-04-10T00:00:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/2015/dla-192", "cvelist": ["CVE-2015-1799", "CVE-2015-1798"], "lastseen": "2016-09-02T12:56:34"}, {"id": "DSA-3223", "type": "debian", "title": "ntp -- security update", "description": "Multiple vulnerabilities were discovered in ntp, an implementation of the Network Time Protocol:\n\n * [CVE-2015-1798](<https://security-tracker.debian.org/tracker/CVE-2015-1798>)\n\nWhen configured to use a symmetric key with an NTP peer, ntpd would accept packets without MAC as if they had a valid MAC. This could allow a remote attacker to bypass the packet authentication and send malicious packets without having to know the symmetric key.\n\n * [CVE-2015-1799](<https://security-tracker.debian.org/tracker/CVE-2015-1799>)\n\nWhen peering with other NTP hosts using authenticated symmetric association, ntpd would update its internal state variables before the MAC of the NTP messages was validated. This could allow a remote attacker to cause a denial of service by impeding synchronization between NTP peers.\n\nAdditionally, it was discovered that generating MD5 keys using ntp-keygen on big endian machines would either trigger an endless loop, or generate non-random keys.\n\nFor the stable distribution (wheezy), these problems have been fixed in version 1:4.2.6.p5+dfsg-2+deb7u4.\n\nFor the unstable distribution (sid), these problems have been fixed in version 1:4.2.6.p5+dfsg-7.\n\nWe recommend that you upgrade your ntp packages.", "published": "2015-04-12T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://www.debian.org/security/dsa-3223", "cvelist": ["CVE-2015-3405", "CVE-2015-1799", "CVE-2015-1798"], "lastseen": "2018-06-25T13:30:51"}, {"id": "DSA-3222", "type": "debian", "title": "chrony -- security update", "description": "Miroslav Lichvar of Red Hat discovered multiple vulnerabilities in chrony, an alternative NTP client and server:\n\n * [CVE-2015-1821](<https://security-tracker.debian.org/tracker/CVE-2015-1821>)\n\nUsing particular address/subnet pairs when configuring access control would cause an invalid memory write. This could allow attackers to cause a denial of service (crash) or execute arbitrary code.\n\n * [CVE-2015-1822](<https://security-tracker.debian.org/tracker/CVE-2015-1822>)\n\nWhen allocating memory to save unacknowledged replies to authenticated command requests, a pointer would be left uninitialized, which could trigger an invalid memory write. This could allow attackers to cause a denial of service (crash) or execute arbitrary code.\n\n * [CVE-2015-1853](<https://security-tracker.debian.org/tracker/CVE-2015-1853>)\n\nWhen peering with other NTP hosts using authenticated symmetric association, the internal state variables would be updated before the MAC of the NTP messages was validated. This could allow a remote attacker to cause a denial of service by impeding synchronization between NTP peers.\n\nFor the stable distribution (wheezy), these problems have been fixed in version 1.24-3.1+deb7u3.\n\nFor the unstable distribution (sid), these problems have been fixed in version 1.30-2.\n\nWe recommend that you upgrade your chrony packages.", "published": "2015-04-12T00:00:00", "cvss": {"score": 6.5, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.debian.org/security/dsa-3222", "cvelist": ["CVE-2015-1821", "CVE-2015-1799", "CVE-2015-1822", "CVE-2015-1853"], "lastseen": "2018-07-04T01:12:50"}], "amazon": [{"id": "ALAS-2015-520", "type": "amazon", "title": "Important: ntp", "description": "**Issue Overview:**\n\nThe symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle attackers to spoof packets by omitting the MAC. ([CVE-2015-1798 __](<https://access.redhat.com/security/cve/CVE-2015-1798>))\n\nThe symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 3.x and 4.x before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer. ([CVE-2015-1799 __](<https://access.redhat.com/security/cve/CVE-2015-1799>))\n\nThis update also addresses [leap-second handling](<https://bugzilla.redhat.com/show_bug.cgi?id=1196635>). With older ntp versions, the -x option was sometimes used as a workaround to avoid kernel inserting/deleting leap seconds by stepping the clock and possibly upsetting running applications. That no longer works with 4.2.6 as ntpd steps the clock itself when a leap second occurs. The fix is to treat the one second offset gained during leap second as a normal offset and check the stepping threshold (set by -x or tinker step) to decide if a step should be applied. See [this forum post](<https://forums.aws.amazon.com/ann.jspa?annID=3064>) for more information on the Amazon Linux AMI's leap-second handling. \n\n\n \n**Affected Packages:** \n\n\nntp\n\n \n**Issue Correction:** \nRun _yum update ntp_ to update your system. \n\n \n**New Packages:**\n \n \n i686: \n ntp-debuginfo-4.2.6p5-30.24.amzn1.i686 \n ntp-4.2.6p5-30.24.amzn1.i686 \n ntpdate-4.2.6p5-30.24.amzn1.i686 \n \n noarch: \n ntp-doc-4.2.6p5-30.24.amzn1.noarch \n ntp-perl-4.2.6p5-30.24.amzn1.noarch \n \n src: \n ntp-4.2.6p5-30.24.amzn1.src \n \n x86_64: \n ntp-4.2.6p5-30.24.amzn1.x86_64 \n ntpdate-4.2.6p5-30.24.amzn1.x86_64 \n ntp-debuginfo-4.2.6p5-30.24.amzn1.x86_64 \n \n \n", "published": "2015-05-05T15:56:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://alas.aws.amazon.com/ALAS-2015-520.html", "cvelist": ["CVE-2015-1799", "CVE-2015-1798"], "lastseen": "2016-09-28T21:04:10"}], "slackware": [{"id": "SSA-2015-111-08", "type": "slackware", "title": "ntp", "description": "New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\nand -current to fix security issues.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/ntp-4.2.8p2-i486-1_slack14.1.txz: Upgraded.\n In addition to bug fixes and enhancements, this release fixes the\n following medium-severity vulnerabilities involving private key\n authentication:\n * ntpd accepts unauthenticated packets with symmetric key crypto.\n * Authentication doesn't protect symmetric associations against DoS attacks.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/ntp-4.2.8p2-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/ntp-4.2.8p2-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/ntp-4.2.8p2-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/ntp-4.2.8p2-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/ntp-4.2.8p2-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/ntp-4.2.8p2-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/ntp-4.2.8p2-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/ntp-4.2.8p2-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/ntp-4.2.8p2-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/ntp-4.2.8p2-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/ntp-4.2.8p2-i486-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/ntp-4.2.8p2-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 13.0 package:\n570bb3e4bb7b065101fa4963e757d7e7 ntp-4.2.8p2-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\ne6add42a70a66496be2d4978370c2799 ntp-4.2.8p2-x86_64-1_slack13.0.txz\n\nSlackware 13.1 package:\n99f1cfa5e23a256d840ed0a56b7f9400 ntp-4.2.8p2-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 package:\n0a6622196521e084d36cda13fc6da824 ntp-4.2.8p2-x86_64-1_slack13.1.txz\n\nSlackware 13.37 package:\n28cfe042c585cf036582ce5f0c2daadf ntp-4.2.8p2-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 package:\nc436da55cd2d113142410a9d982c5ac5 ntp-4.2.8p2-x86_64-1_slack13.37.txz\n\nSlackware 14.0 package:\ncf69f8ecb5e4c1902dfb22d0f9685278 ntp-4.2.8p2-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n9c8344ec56d5d2335fd7370e2f9cf639 ntp-4.2.8p2-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\n9dcf0eafa851ad018f8341c2fb9307b5 ntp-4.2.8p2-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\ne0c063f4e46a72ec86012a46299a46df ntp-4.2.8p2-x86_64-1_slack14.1.txz\n\nSlackware -current package:\n5f72de16e3bb6cd216e7694a49671cee n/ntp-4.2.8p2-i486-1.txz\n\nSlackware x86_64 -current package:\n1ba531770e4a2ae6e8e7116aaa26523e n/ntp-4.2.8p2-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg ntp-4.2.8p2-i486-1_slack14.1.txz\n\nThen, restart the NTP daemon:\n\n > sh /etc/rc.d/rc.ntpd restart", "published": "2015-04-21T18:21:55", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2015&m=slackware-security.522767", "cvelist": ["CVE-2015-1799", "CVE-2015-1798"], "lastseen": "2018-02-02T18:11:35"}], "ubuntu": [{"id": "USN-2567-1", "type": "ubuntu", "title": "NTP vulnerabilities", "description": "Miroslav Lichvar discovered that NTP incorrectly validated MAC fields. A remote attacker could possibly use this issue to bypass authentication and spoof packets. (CVE-2015-1798)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain invalid packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2015-1799)\n\nJuergen Perlinger discovered that NTP incorrectly generated MD5 keys on big-endian platforms. This issue could either cause ntp-keygen to hang, or could result in non-random keys. (CVE number pending)", "published": "2015-04-13T00:00:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://usn.ubuntu.com/2567-1/", "cvelist": ["CVE-2015-1799", "CVE-2015-1798"], "lastseen": "2018-03-29T18:18:57"}], "gentoo": [{"id": "GLSA-201509-01", "type": "gentoo", "title": "NTP: Multiple vulnerablities", "description": "### Background\n\nNTP contains software for the Network Time Protocol.\n\n### Description\n\nMultiple vulnerabilities have been discovered in NTP. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll NTP users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/ntp-4.2.8_p3\"", "published": "2015-09-24T00:00:00", "cvss": {"score": 4.3, "vector": "AV:ADJACENT_NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://security.gentoo.org/glsa/201509-01", "cvelist": ["CVE-2015-5146", "CVE-2015-1799", "CVE-2015-1798"], "lastseen": "2016-09-06T19:46:45"}], "oraclelinux": [{"id": "ELSA-2015-1459", "type": "oraclelinux", "title": "ntp security, bug fix, and enhancement update", "description": "[4.2.6p5-5]\n- reject packets without MAC when authentication is enabled (CVE-2015-1798)\n- protect symmetric associations with symmetric key against DoS attack\n (CVE-2015-1799)\n- fix generation of MD5 keys with ntp-keygen on big-endian systems\n (CVE-2015-3405)\n- log when stepping clock for leap second or ignoring it with -x (#1204625)\n[4.2.6p5-4]\n- fix typos in ntpd man page (#1194463)", "published": "2015-07-28T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "http://linux.oracle.com/errata/ELSA-2015-1459.html", "cvelist": ["CVE-2015-3405", "CVE-2015-1799", "CVE-2014-9298", "CVE-2014-9297", "CVE-2015-1798"], "lastseen": "2017-08-26T12:02:03"}, {"id": "ELSA-2015-2231", "type": "oraclelinux", "title": "ntp security, bug fix, and enhancement update", "description": "[4.2.6p5-22]\n- check origin timestamp before accepting KoD RATE packet (CVE-2015-7704)\n- allow only one step larger than panic threshold with -g (CVE-2015-5300)\n[4.2.6p5-20]\n- validate lengths of values in extension fields (CVE-2014-9297)\n- drop packets with spoofed source address ::1 (CVE-2014-9298)\n- reject packets without MAC when authentication is enabled (CVE-2015-1798)\n- protect symmetric associations with symmetric key against DoS attack (CVE-2015-1799)\n- fix generation of MD5 keys with ntp-keygen on big-endian systems (CVE-2015-3405)\n- add option to set Differentiated Services Code Point (DSCP) (#1202828)\n- add nanosecond support to SHM refclock (#1117702)\n- allow creating all SHM segments with owner-only access (#1122012)\n- allow different thresholds for forward and backward step (#1193154)\n- allow symmetric keys up to 32 bytes again (#1191111)\n- don't step clock for leap second with -x option (#1191122)\n- don't drop packets with source port below 123 (#1171640)\n- retry joining multicast groups (#1207014)\n- increase memlock limit again (#1053569)\n- warn when monitor can't be disabled due to limited restrict (#1191108)\n- use larger RSA exponent in ntp-keygen (#1191116)\n- fix crash in ntpq mreadvar command (#1180721)\n- move sntp kod database to allow SELinux labeling (#1082934)\n- fix typos in ntpd man page (#1195211)\n- improve documentation of restrict command (#1213953)", "published": "2015-11-23T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://linux.oracle.com/errata/ELSA-2015-2231.html", "cvelist": ["CVE-2014-9751", "CVE-2015-3405", "CVE-2015-1799", "CVE-2014-9298", "CVE-2015-7704", "CVE-2014-9297", "CVE-2014-9750", "CVE-2015-1798", "CVE-2015-5300"], "lastseen": "2016-09-04T11:16:10"}], "redhat": [{"id": "RHSA-2015:2231", "type": "redhat", "title": "(RHSA-2015:2231) Moderate: ntp security, bug fix, and enhancement update", "description": "The Network Time Protocol (NTP) is used to synchronize a computer's time\nwith another referenced time source. These packages include the ntpd\nservice which continuously adjusts system time and utilities used to query\nand configure the ntpd service.\n\nIt was found that because NTP's access control was based on a source IP\naddress, an attacker could bypass source IP restrictions and send\nmalicious control and configuration packets by spoofing ::1 addresses.\n(CVE-2014-9298, CVE-2014-9751)\n\nA denial of service flaw was found in the way NTP hosts that were peering\nwith each other authenticated themselves before updating their internal\nstate variables. An attacker could send packets to one peer host, which\ncould cascade to other peers, and stop the synchronization process among\nthe reached peers. (CVE-2015-1799)\n\nA flaw was found in the way the ntp-keygen utility generated MD5 symmetric\nkeys on big-endian systems. An attacker could possibly use this flaw to\nguess generated MD5 keys, which could then be used to spoof an NTP client\nor server. (CVE-2015-3405)\n\nA stack-based buffer overflow was found in the way the NTP autokey protocol\nwas implemented. When an NTP client decrypted a secret received from an NTP\nserver, it could cause that client to crash. (CVE-2014-9297, CVE-2014-9750)\n\nIt was found that ntpd did not check whether a Message Authentication Code\n(MAC) was present in a received packet when ntpd was configured to use\nsymmetric cryptographic keys. A man-in-the-middle attacker could use this\nflaw to send crafted packets that would be accepted by a client or a peer\nwithout the attacker knowing the symmetric key. (CVE-2015-1798)\n\nThe CVE-2015-1798 and CVE-2015-1799 issues were discovered by Miroslav\nLichv\u00e1r of Red Hat.\n\nBug fixes:\n\n* The ntpd service truncated symmetric keys specified in the key file to 20\nbytes. As a consequence, it was impossible to configure NTP authentication\nto work with peers that use longer keys. With this update, the maximum key\nlength has been changed to 32 bytes. (BZ#1191111)\n\n* The ntpd service could previously join multicast groups only when\nstarting, which caused problems if ntpd was started during system boot\nbefore network was configured. With this update, ntpd attempts to join\nmulticast groups every time network configuration is changed. (BZ#1207014)\n\n* Previously, the ntp-keygen utility used the exponent of 3 when generating\nRSA keys. Consequently, generating RSA keys failed when FIPS mode was\nenabled. With this update, ntp-keygen has been modified to use the exponent\nof 65537, and generating keys in FIPS mode now works as expected.\n(BZ#1191116)\n\n* The ntpd service dropped incoming NTP packets if their source port was\nlower than 123 (the NTP port). With this update, ntpd no longer checks the\nsource port number, and clients behind NAT are now able to correctly\nsynchronize with the server. (BZ#1171640)\n\nEnhancements:\n\n* This update adds support for configurable Differentiated Services Code\nPoints (DSCP) in NTP packets, simplifying configuration in large networks\nwhere different NTP implementations or versions are using different DSCP\nvalues. (BZ#1202828)\n\n* This update adds the ability to configure separate clock stepping\nthresholds for each direction (backward and forward). Use the \"stepback\"\nand \"stepfwd\" options to configure each threshold. (BZ#1193154)\n\n* Support for nanosecond resolution has been added to the Structural\nHealth Monitoring (SHM) reference clock. Prior to this update, when a\nPrecision Time Protocol (PTP) hardware clock was used as a time source to\nsynchronize the system clock, the accuracy of the synchronization was\nlimited due to the microsecond resolution of the SHM protocol. The\nnanosecond extension in the SHM protocol now allows sub-microsecond\nsynchronization of the system clock. (BZ#1117702)\n\nAll ntp users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues and add these\nenhancements.", "published": "2015-11-19T19:42:12", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2015:2231", "cvelist": ["CVE-2014-9297", "CVE-2014-9298", "CVE-2014-9750", "CVE-2014-9751", "CVE-2015-1798", "CVE-2015-1799", "CVE-2015-3405"], "lastseen": "2018-04-15T14:24:55"}, {"id": "RHSA-2015:1459", "type": "redhat", "title": "(RHSA-2015:1459) Moderate: ntp security, bug fix, and enhancement update", "description": "The Network Time Protocol (NTP) is used to synchronize a computer's time\nwith another referenced time source.\n\nIt was found that because NTP's access control was based on a source IP\naddress, an attacker could bypass source IP restrictions and send malicious\ncontrol and configuration packets by spoofing ::1 addresses.\n(CVE-2014-9298)\n\nA denial of service flaw was found in the way NTP hosts that were peering\nwith each other authenticated themselves before updating their internal\nstate variables. An attacker could send packets to one peer host, which\ncould cascade to other peers, and stop the synchronization process among\nthe reached peers. (CVE-2015-1799)\n\nA flaw was found in the way the ntp-keygen utility generated MD5 symmetric\nkeys on big-endian systems. An attacker could possibly use this flaw to\nguess generated MD5 keys, which could then be used to spoof an NTP client\nor server. (CVE-2015-3405)\n\nA stack-based buffer overflow was found in the way the NTP autokey protocol\nwas implemented. When an NTP client decrypted a secret received from an NTP\nserver, it could cause that client to crash. (CVE-2014-9297)\n\nIt was found that ntpd did not check whether a Message Authentication Code\n(MAC) was present in a received packet when ntpd was configured to use\nsymmetric cryptographic keys. A man-in-the-middle attacker could use this\nflaw to send crafted packets that would be accepted by a client or a peer\nwithout the attacker knowing the symmetric key. (CVE-2015-1798)\n\nThe CVE-2015-1798 and CVE-2015-1799 issues were discovered by Miroslav\nLichv\u00e1r of Red Hat.\n\nBug fixes:\n\n* The ntpd daemon truncated symmetric keys specified in the key file to 20\nbytes. As a consequence, it was impossible to configure NTP authentication\nto work with peers that use longer keys. The maximum length of keys has now\nbeen changed to 32 bytes. (BZ#1053551)\n\n* The ntp-keygen utility used the exponent of 3 when generating RSA keys,\nand generating RSA keys failed when FIPS mode was enabled. ntp-keygen has\nbeen modified to use the exponent of 65537, and generating keys in FIPS\nmode now works as expected. (BZ#1184421)\n\n* The ntpd daemon included a root delay when calculating its root\ndispersion. Consequently, the NTP server reported larger root dispersion\nthan it should have and clients could reject the source when its distance\nreached the maximum synchronization distance (1.5 seconds by default).\nCalculation of root dispersion has been fixed, the root dispersion is now\nreported correctly, and clients no longer reject the server due to a large\nsynchronization distance. (BZ#1045376)\n\n* The ntpd daemon dropped incoming NTP packets if their source port was\nlower than 123 (the NTP port). Clients behind Network Address Translation\n(NAT) were unable to synchronize with the server if their source port was\ntranslated to ports below 123. With this update, ntpd no longer checks the\nsource port number. (BZ#1171630)\n\nEnhancements:\n\n* This update introduces configurable access of memory segments used for\nShared Memory Driver (SHM) reference clocks. Previously, only the first two\nmemory segments were created with owner-only access, allowing just two SHM\nreference clocks to be used securely on a system. Now, the owner-only\naccess to SHM is configurable with the \"mode\" option, and it is therefore\npossible to use more SHM reference clocks securely. (BZ#1122015)\n\n* Support for nanosecond resolution has been added to the SHM reference\nclock. Prior to this update, when a Precision Time Protocol (PTP) hardware\nclock was used as a time source to synchronize the system clock (for\nexample, with the timemaster service from the linuxptp package), the\naccuracy of the synchronization was limited due to the microsecond\nresolution of the SHM protocol. The nanosecond extension in the SHM\nprotocol now enables sub-microsecond synchronization of the system clock.\n(BZ#1117704)", "published": "2015-07-22T04:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2015:1459", "cvelist": ["CVE-2014-9297", "CVE-2014-9298", "CVE-2014-9750", "CVE-2014-9751", "CVE-2015-1798", "CVE-2015-1799", "CVE-2015-3405"], "lastseen": "2018-06-12T21:09:41"}], "centos": [{"id": "CESA-2015:1459", "type": "centos", "title": "ntp, ntpdate security update", "description": "**CentOS Errata and Security Advisory** CESA-2015:1459\n\n\nThe Network Time Protocol (NTP) is used to synchronize a computer's time\nwith another referenced time source.\n\nIt was found that because NTP's access control was based on a source IP\naddress, an attacker could bypass source IP restrictions and send malicious\ncontrol and configuration packets by spoofing ::1 addresses.\n(CVE-2014-9298)\n\nA denial of service flaw was found in the way NTP hosts that were peering\nwith each other authenticated themselves before updating their internal\nstate variables. An attacker could send packets to one peer host, which\ncould cascade to other peers, and stop the synchronization process among\nthe reached peers. (CVE-2015-1799)\n\nA flaw was found in the way the ntp-keygen utility generated MD5 symmetric\nkeys on big-endian systems. An attacker could possibly use this flaw to\nguess generated MD5 keys, which could then be used to spoof an NTP client\nor server. (CVE-2015-3405)\n\nA stack-based buffer overflow was found in the way the NTP autokey protocol\nwas implemented. When an NTP client decrypted a secret received from an NTP\nserver, it could cause that client to crash. (CVE-2014-9297)\n\nIt was found that ntpd did not check whether a Message Authentication Code\n(MAC) was present in a received packet when ntpd was configured to use\nsymmetric cryptographic keys. A man-in-the-middle attacker could use this\nflaw to send crafted packets that would be accepted by a client or a peer\nwithout the attacker knowing the symmetric key. (CVE-2015-1798)\n\nThe CVE-2015-1798 and CVE-2015-1799 issues were discovered by Miroslav\nLichv\u00e1r of Red Hat.\n\nBug fixes:\n\n* The ntpd daemon truncated symmetric keys specified in the key file to 20\nbytes. As a consequence, it was impossible to configure NTP authentication\nto work with peers that use longer keys. The maximum length of keys has now\nbeen changed to 32 bytes. (BZ#1053551)\n\n* The ntp-keygen utility used the exponent of 3 when generating RSA keys,\nand generating RSA keys failed when FIPS mode was enabled. ntp-keygen has\nbeen modified to use the exponent of 65537, and generating keys in FIPS\nmode now works as expected. (BZ#1184421)\n\n* The ntpd daemon included a root delay when calculating its root\ndispersion. Consequently, the NTP server reported larger root dispersion\nthan it should have and clients could reject the source when its distance\nreached the maximum synchronization distance (1.5 seconds by default).\nCalculation of root dispersion has been fixed, the root dispersion is now\nreported correctly, and clients no longer reject the server due to a large\nsynchronization distance. (BZ#1045376)\n\n* The ntpd daemon dropped incoming NTP packets if their source port was\nlower than 123 (the NTP port). Clients behind Network Address Translation\n(NAT) were unable to synchronize with the server if their source port was\ntranslated to ports below 123. With this update, ntpd no longer checks the\nsource port number. (BZ#1171630)\n\nEnhancements:\n\n* This update introduces configurable access of memory segments used for\nShared Memory Driver (SHM) reference clocks. Previously, only the first two\nmemory segments were created with owner-only access, allowing just two SHM\nreference clocks to be used securely on a system. Now, the owner-only\naccess to SHM is configurable with the \"mode\" option, and it is therefore\npossible to use more SHM reference clocks securely. (BZ#1122015)\n\n* Support for nanosecond resolution has been added to the SHM reference\nclock. Prior to this update, when a Precision Time Protocol (PTP) hardware\nclock was used as a time source to synchronize the system clock (for\nexample, with the timemaster service from the linuxptp package), the\naccuracy of the synchronization was limited due to the microsecond\nresolution of the SHM protocol. The nanosecond extension in the SHM\nprotocol now enables sub-microsecond synchronization of the system clock.\n(BZ#1117704)\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2015-July/002074.html\n\n**Affected packages:**\nntp\nntp-doc\nntp-perl\nntpdate\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-1459.html", "published": "2015-07-26T14:13:05", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-cr-announce/2015-July/002074.html", "cvelist": ["CVE-2014-9751", "CVE-2015-3405", "CVE-2015-1799", "CVE-2014-9298", "CVE-2014-9297", "CVE-2014-9750", "CVE-2015-1798"], "lastseen": "2017-10-03T18:26:31"}, {"id": "CESA-2015:2231", "type": "centos", "title": "ntp, ntpdate, sntp security update", "description": "**CentOS Errata and Security Advisory** CESA-2015:2231\n\n\nThe Network Time Protocol (NTP) is used to synchronize a computer's time\nwith another referenced time source. These packages include the ntpd\nservice which continuously adjusts system time and utilities used to query\nand configure the ntpd service.\n\nIt was found that because NTP's access control was based on a source IP\naddress, an attacker could bypass source IP restrictions and send\nmalicious control and configuration packets by spoofing ::1 addresses.\n(CVE-2014-9298, CVE-2014-9751)\n\nA denial of service flaw was found in the way NTP hosts that were peering\nwith each other authenticated themselves before updating their internal\nstate variables. An attacker could send packets to one peer host, which\ncould cascade to other peers, and stop the synchronization process among\nthe reached peers. (CVE-2015-1799)\n\nA flaw was found in the way the ntp-keygen utility generated MD5 symmetric\nkeys on big-endian systems. An attacker could possibly use this flaw to\nguess generated MD5 keys, which could then be used to spoof an NTP client\nor server. (CVE-2015-3405)\n\nA stack-based buffer overflow was found in the way the NTP autokey protocol\nwas implemented. When an NTP client decrypted a secret received from an NTP\nserver, it could cause that client to crash. (CVE-2014-9297, CVE-2014-9750)\n\nIt was found that ntpd did not check whether a Message Authentication Code\n(MAC) was present in a received packet when ntpd was configured to use\nsymmetric cryptographic keys. A man-in-the-middle attacker could use this\nflaw to send crafted packets that would be accepted by a client or a peer\nwithout the attacker knowing the symmetric key. (CVE-2015-1798)\n\nThe CVE-2015-1798 and CVE-2015-1799 issues were discovered by Miroslav\nLichv\u00e1r of Red Hat.\n\nBug fixes:\n\n* The ntpd service truncated symmetric keys specified in the key file to 20\nbytes. As a consequence, it was impossible to configure NTP authentication\nto work with peers that use longer keys. With this update, the maximum key\nlength has been changed to 32 bytes. (BZ#1191111)\n\n* The ntpd service could previously join multicast groups only when\nstarting, which caused problems if ntpd was started during system boot\nbefore network was configured. With this update, ntpd attempts to join\nmulticast groups every time network configuration is changed. (BZ#1207014)\n\n* Previously, the ntp-keygen utility used the exponent of 3 when generating\nRSA keys. Consequently, generating RSA keys failed when FIPS mode was\nenabled. With this update, ntp-keygen has been modified to use the exponent\nof 65537, and generating keys in FIPS mode now works as expected.\n(BZ#1191116)\n\n* The ntpd service dropped incoming NTP packets if their source port was\nlower than 123 (the NTP port). With this update, ntpd no longer checks the\nsource port number, and clients behind NAT are now able to correctly\nsynchronize with the server. (BZ#1171640)\n\nEnhancements:\n\n* This update adds support for configurable Differentiated Services Code\nPoints (DSCP) in NTP packets, simplifying configuration in large networks\nwhere different NTP implementations or versions are using different DSCP\nvalues. (BZ#1202828)\n\n* This update adds the ability to configure separate clock stepping\nthresholds for each direction (backward and forward). Use the \"stepback\"\nand \"stepfwd\" options to configure each threshold. (BZ#1193154)\n\n* Support for nanosecond resolution has been added to the Structural\nHealth Monitoring (SHM) reference clock. Prior to this update, when a\nPrecision Time Protocol (PTP) hardware clock was used as a time source to\nsynchronize the system clock, the accuracy of the synchronization was\nlimited due to the microsecond resolution of the SHM protocol. The\nnanosecond extension in the SHM protocol now allows sub-microsecond\nsynchronization of the system clock. (BZ#1117702)\n\nAll ntp users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues and add these\nenhancements.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2015-November/002507.html\n\n**Affected packages:**\nntp\nntp-doc\nntp-perl\nntpdate\nsntp\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-2231.html", "published": "2015-11-30T19:45:44", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://lists.centos.org/pipermail/centos-cr-announce/2015-November/002507.html", "cvelist": ["CVE-2014-9751", "CVE-2015-3405", "CVE-2015-1799", "CVE-2014-9298", "CVE-2014-9297", "CVE-2014-9750", "CVE-2015-1798"], "lastseen": "2017-10-03T18:25:31"}], "ics": [{"id": "ICSA-17-094-04", "type": "ics", "title": "Rockwell Automation Stratix 5900", "description": "### **CVSS v3 10.0**\n\n**ATTENTION: **Remotely exploitable/low skill level to exploit.\n\n**Vendor:** Rockwell Automation\n\n**Equipment:** Stratix 5900\n\n**Vulnerabilities:** Improper Input Validation, Resource Management Errors, Improper Authentication, Path Traversal_._\n\n## REPOSTED INFORMATION\n\nThis advisory was originally posted to the NCCIC Portal on April 4, 2017, and is being released to the NCCIC/ICS-CERT web site.\n\n## AFFECTED PRODUCTS\n\nRockwell Automation reports that these vulnerabilities affect the following Stratix 5900 Services Routers:\n\n * Stratix 5900, All Versions prior to 15.6.3.\n\n## IMPACT\n\nAn attacker who exploits these vulnerabilities may be able to perform man-in-the-middle attacks, create denial of service conditions, or remotely execute arbitrary code.\n\n## MITIGATION\n\nRockwell Automation has provided a new firmware version, Version 15.6.3, to mitigate these vulnerabilities.\n\nRockwell Automation encourages users of the affected versions to update to the latest available software versions addressing the associated risk, and including improvements to further harden the software and enhance its resilience against similar malicious attacks. Users can find the latest firmware version by searching for their device at the following web site:\n\n<http://compatibility.rockwellautomation.com/Pages/MultiProductDownload.aspx?famID=15>\n\nAdditional precautions and risk mitigation strategies specific to these types of attacks are recommended in the Rockwell Automation security release. When possible, multiple strategies should be implemented simultaneously.\n\n<https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1041191>\n\nPlease also refer to Cisco\u2019s security advisories (linked below) for additional workarounds and details for these vulnerabilities.\n\nNCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.\n\nICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.\n\nICS-CERT also provides a section for [control systems security recommended practices](<https://ics-cert.us-cert.gov/content/recommended-practices>) on the ICS-CERT web page. Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.](<https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>)\n\nAdditional mitigation guidance and recommended practices are publicly available in the ICS\u2011CERT Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B>), that is available for download from the [ICS-CERT web site](<https://ics-cert.us-cert.gov/>).\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.\n\nNo known public exploits specifically target these vulnerabilities.\n\n## VULNERABILITY OVERVIEW\n\n## [**IMPROPER INPUT VALIDATION CWE-20**](<https://cwe.mitre.org/data/definitions/20.html>)\n\n[Cisco IOS and IOS XE Software DNS Forwarder Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-dns>).\n\n[CVE-2016-6380](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6380>) has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H>)).\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS and IOS XE Software AAA Login Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-aaados>).\n\n[CVE-2016-6393](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6380>) has been assigned to this vulnerability. A CVSS v3 base score of 8.1 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H>)).\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS and IOS XE Software H.323 Message Validation Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-h323>).\n\n[CVE-2016-6384](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6384>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS and IOS XE Software Internet Key Exchange Version 1 Fragmentation Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-ios-ikev1>).\n\n[CVE-2016-6381](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6381>) has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS and IOS XE Software Multicast Routing Denial of Service Vulnerabilities](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160928-msdp>).\n\n[CVE-2016-6382](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6382>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**INFORMATION EXPOSURE CWE-200**](<https://cwe.mitre.org/data/definitions/200.html>)\n\n[IKEv1 Information Disclosure Vulnerability in Multiple Cisco Products](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160916-ikev1>).\n\n[CVE-2016-6415](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-6415>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N>)).\n\n## [**INPUT VALIDATION CWE-20 **](<https://cwe.mitre.org/data/definitions/20.html>)\n\n[Cisco Products IPv6 Neighbor Discovery Crafted Packet Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160525-ipv6>).\n\n[CVE-2016-1409](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1409>) has been assigned to this vulnerability. A CVSS v3 base score of 5.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L>)).\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS and IOS XE and Cisco Unified Communications Manager Software Session Initiation Protocol Memory Leak Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160323-sip>).\n\n[CVE-2016-1350](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1350>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS and IOS XE Software Internet Key Exchange Version 2 Fragmentation Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160323-ios-ikev2>).\n\n[CVE-2016-1344](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1344>) has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**INTEGER OVERFLOW OR WRAPAROUND CWE 190**](<https://cwe.mitre.org/data/definitions/190.html>)\n\n## [**IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119**](<https://cwe.mitre.org/data/definitions/119.html>)\n\n## [**IMPROPER INPUT VALIDATION CWE-20**](<https://cwe.mitre.org/data/definitions/20.html>)\n\n## [**PATH TRAVERSAL CWE-22**](<https://cwe.mitre.org/data/definitions/22.html>)\n\n## [**PERMISSIONS, PRIVILEGES, AND ACCESS CONTROLS CWE-264**](<https://cwe.mitre.org/data/definitions/264.html>)\n\n## [**IMPROPER AUTHENTICATION CWE-287**](<https://cwe.mitre.org/data/definitions/287.html>)\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Multiple Vulnerabilities in ntpd Affecting Cisco Products - October 2015](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151021-ntp>).\n\n[CVE-2015-7691](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7691>), [CVE-2015-7692](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7692>), [CVE-2015-7701](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7701>), [CVE-2015-7702](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7702>), [CVE-2015-7703](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7703>), [CVE-2015-7704](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7704>), [CVE-2015-7705](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7705>), [CVE-2015-7848](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7848>), [CVE-2015-7849](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7849>), [CVE-2015-7850](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7850>), [CVE-2015-7851](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7851>), [CVE-2015-7852](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7852>), [CVE-2015-7853](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7853>), [CVE-2015-7854](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7854>), [CVE-2015-7855](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7855>), and [CVE-2015-7871](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7871>) have been assigned to these vulnerabilities. A CVSS v3 base score of 7.2 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L>)).\n\n## [**IMPROPER AUTHENTICATION CWE-287**](<https://cwe.mitre.org/data/definitions/287.html>)\n\n[Multiple Vulnerabilities in ntpd (April 2015) Affecting Cisco Products](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-ntpd>).\n\n[CVE-2015-1798](<https://nvd.nist.gov/vuln/detail/CVE-2015-1798>) and [CVE-2015-1799](<https://nvd.nist.gov/vuln/detail/CVE-2015-1799>) have been assigned to this vulnerability. A CVSS v3 base score of 5.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N>)).\n\n## [**INPUT VALIDATION CWE 20**](<https://cwe.mitre.org/data/definitions/20.html>)\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS Software and IOS XE Software Internet Key Exchange Version 2 Denial of Service Vulnerabilities](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-ikev2>).\n\n[CVE-2015-0642](<https://nvd.nist.gov/vuln/detail/CVE-2015-0642>) and [CVE-2015-0643](<https://nvd.nist.gov/vuln/detail/CVE-2015-0643>) have been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS Software and IOS XE Software TCP Packet Memory Leak Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150325-tcpleak>).\n\n[CVE-2015-0646](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0646>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119**](<https://cwe.mitre.org/data/definitions/119.html>)\n\n## [**IMPROPER INPUT VALIDATION CWE-20**](<https://cwe.mitre.org/data/definitions/20.html>)\n\n## [**CRYPTOGRAPHIC ISSUES CWE 310**](<https://cwe.mitre.org/data/definitions/310.html>)\n\n[Multiple Vulnerabilities in OpenSSL (March 2015) Affecting Cisco Products](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150320-openssl>).\n\n[CVE-2015-0207](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0207>), [CVE-2015-0209](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0209>), [CVE-2015-0285](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0285>), [CVE-2015-0287](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0287>), [CVE-2015-0288](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0288>), [CVE-2015-0289](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0289>), [CVE-2015-0290](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0290>), [CVE-2015-0291](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0291>), [CVE-2015-0292](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0292>), [CVE-2015-0293](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0293>), and [CVE-2015-1787](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1787>) have been assigned to these vulnerabilities. A CVSS v3 base score of 4.0 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N>)).\n\n## [**CRYPTOGRAPHIC ISSUES CWE 310**](<https://cwe.mitre.org/data/definitions/310.html>)\n\n[SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle>).\n\n[CVE-2014-3566](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566>) has been assigned to this vulnerability. A CVSS v3 base score of 4.0 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N>)).\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS Software DHCP Version 6 Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-dhcpv6>).\n\n[CVE-2014-3359](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3359>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS Software Metadata Vulnerabilities](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-metadata>).\n\n[CVE-2014-3355](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3355>) and [CVE-2014-3356](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3356>) have been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**IMPROPER INPUT VALIDATION CWE-20**](<https://cwe.mitre.org/data/definitions/20.html>)\n\n[Cisco IOS Software Network Address Translation Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-nat>).\n\n[CVE-2014-3361](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3361>) has been assigned to this vulnerability. A CVSS v3 base score of 6.8 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS Software RSVP Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-rsvp>).\n\n[CVE-2014-3354](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3354>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**NUMERIC ERRORS CWE 189**](<https://cwe.mitre.org/data/definitions/189.html>)\n\n[Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140924-sip>).\n\n[CVE-2014-3360](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3360>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS Software IPsec Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/Cisco-SA-20140625-CVE-2014-3299>).\n\n[CVE-2014-3299](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3299>) has been assigned to this vulnerability. A CVSS v3 base score of 7.7 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**CRYPTOGRAPHIC ISSUES CWE-310**](<https://cwe.mitre.org/data/definitions/310.html>)\n\n## [**RACE CONDITION CWE-362**](<https://cwe.mitre.org/data/definitions/362.html>)\n\n## [**IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119**](<https://cwe.mitre.org/data/definitions/119.html>)\n\n## [**RESOURCE MANAGEMENT ERRORS CWE-399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n## [**NULL POINTER DEREFERENCE CWE-476**](<https://cwe.mitre.org/data/definitions/476.html>)\n\n[Multiple Vulnerabilities in OpenSSL Affecting Cisco Products](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140605-openssl>).\n\n[CVE-2010-5298](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-5298>), [CVE-2014-0076](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0076>), [CVE-2014-0195](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0195>), [CVE-2014-0198](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0198>), [CVE-2014-0221](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0221>), [CVE-2014-0224](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0224>), and [CVE-2014-3470](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3470>) have been assigned to these vulnerabilities. A CVSS v3 base score of 10.0 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H>)).\n\n## [**IMPROPER INPUT VALIDATION CWE-20**](<https://cwe.mitre.org/data/definitions/20.html>)\n\n[Cisco IOS Software Crafted IPv6 Packet Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ipv6>).\n\n[CVE-2014-2113](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2113>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS Software Internet Key Exchange Version 2 Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ikev2>).\n\n[CVE-2014-2108](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2108>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**IMPROPER INPUT VALIDATION CWE-20**](<https://cwe.mitre.org/data/definitions/20.html>)\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS Software Network Address Translation Vulnerabilities](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-nat>).\n\n[CVE-2014-2109](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2109>) and [CVE-2014-2111](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2111>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**IMPROPER INPUT VALIDATION CWE-20**](<https://cwe.mitre.org/data/definitions/20.html>)\n\n[Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-sip>).\n\n[CVE-2014-2106](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2106>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## [**RESOURCE MANAGEMENT ERRORS CWE 399**](<https://cwe.mitre.org/data/definitions/399.html>)\n\n[Cisco IOS Software SSL VPN Denial of Service Vulnerability](<https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140326-ios-sslvpn>).\n\n[CVE-2014-2112](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2112>) has been assigned to this vulnerability. A CVSS v3 base score of 8.6 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H>)).\n\n## RESEARCHER\n\nCisco Systems, Inc. reported these vulnerabilities to Rockwell Automation.\n\n## BACKGROUND\n\n**Critical Infrastructure Sectors:** Critical Manufacturing, Energy, Water and Wastewater Systems\n\n**Area Deployed:** Worldwide\n\n**Company Headquarters Location: **United States\n", "published": "2017-05-09T00:00:00", "cvss": {"score": 8.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:COMPLETE/"}, "href": "https://ics-cert.us-cert.gov//advisories/ICSA-17-094-04", "cvelist": ["CVE-2014-3360", "CVE-2014-3566", "CVE-2016-6415", "CVE-2014-3299", "CVE-2015-0643", "CVE-2015-7703", "CVE-2014-2108", "CVE-2014-3355", "CVE-2014-2111", "CVE-2015-7855", "CVE-2014-0076", "CVE-2015-0288", "CVE-2014-0224", "CVE-2015-1799", "CVE-2014-3354", "CVE-2016-1350", "CVE-2015-0285", "CVE-2014-3359", "CVE-2015-7704", "CVE-2015-0207", "CVE-2016-1409", "CVE-2015-0642", "CVE-2014-3470", "CVE-2016-6393", "CVE-2015-7701", "CVE-2015-7848", "CVE-2014-3356", "CVE-2015-0293", "CVE-2010-5298", "CVE-2016-6381", "CVE-2015-7692", "CVE-2014-0195", "CVE-2014-0198", "CVE-2015-0209", "CVE-2016-1344", "CVE-2015-7851", "CVE-2015-7702", "CVE-2015-7852", "CVE-2015-0646", "CVE-2015-7871", "CVE-2014-2113", "CVE-2015-7849", "CVE-2015-7691", "CVE-2015-0291", "CVE-2014-2106", "CVE-2015-0287", "CVE-2015-7705", "CVE-2015-1798", "CVE-2016-6382", "CVE-2015-0289", "CVE-2015-0292", "CVE-2015-7850", "CVE-2016-6380", "CVE-2015-0290", "CVE-2014-3361", "CVE-2016-6384", "CVE-2015-1787", "CVE-2014-2112", "CVE-2015-7854", "CVE-2014-2109", "CVE-2014-0221", "CVE-2015-7853"], "lastseen": "2017-12-04T19:02:20"}], "threatpost": [{"id": "TWO-NTP-KEY-AUTHENTICATION-VULNERABILITIES-PATCHED/112067", "type": "threatpost", "title": "NTP Symmetric Key Authentication Security Vulnerabilities Patched", "description": "NTP, the much maligned protocol abused in a number of [high volume DDoS attacks](<https://threatpost.com/volume-of-ntp-amplification-attacks-getting-louder/105763>) a year ago, is suffering from newly patched vulnerabilities that could allow an attacker to send unauthenticated packets to a client that would be executed.\n\nThe Department of Homeland Security and CERT at the Software Engineering Institute at Carnegie Mellon University on Tuesday issued an [advisory](<http://www.kb.cert.org/vuls/id/374268>) warning of the [two vulnerabilities](<http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities>), which were patched in [ntp-4.2 8p2](<http://www.ntp.org/downloads.html>).\n\n### Related Posts\n\n#### [Unsecured DNSSEC Easily Weaponized, Researchers Warn](<https://threatpost.com/unsecured-dnssec-easily-weaponized-researchers-warn/119969/> \"Permalink to Unsecured DNSSEC Easily Weaponized, Researchers Warn\" )\n\nAugust 18, 2016 , 8:18 am\n\n#### [Botnet Powered by 25,000 CCTV Devices Uncovered](<https://threatpost.com/botnet-powered-by-25000-cctv-devices-uncovered/118948/> \"Permalink to Botnet Powered by 25,000 CCTV Devices Uncovered\" )\n\nJune 28, 2016 , 3:20 pm\n\n#### [NTP Patches Flaws That Enable DDoS](<https://threatpost.com/ntp-patches-flaws-that-enable-ddos/118470/> \"Permalink to NTP Patches Flaws That Enable DDoS\" )\n\nJune 3, 2016 , 2:45 pm\n\nThe first vulnerability, CVE-2015-1798, affects ntp-4.2.5p99 to ntp-4.2.8p1 versions using symmetric key authentication. According to the advisory, packets sent without message authentication code (MAC) are accepted as though they had one.\n\n\u201cAn attacker may be able to leverage this validation error to send packets that will be accepted by the client,\u201d the advisory said.\n\nThe second flaw affects versions xntp3.3wy to version ntp-4.2.8p1 that use symmetric key authentication, and creates a denial of service condition when peering hosts receive packets where the timestamps don\u2019t match.\n\n\u201cAn attacker who periodically sends such packets to both hosts can prevent synchronization,\u201d the advisory said.\n\nNTP is a protocol used to synchronize time on computer clocks; considered a set-and-forget feature on networks. Hackers who specialize in distributed denial-of-service attacks found a way to exploit vulnerabilities in NTP to amplify DDoS attacks to, at the time, unprecedented levels.\n\nLast February, traffic optimization company CloudFlare reported a [NTP-based DDoS attack](<https://threatpost.com/ntp-amplification-blamed-for-400-gbps-ddos-attack/104201>) against one of its customers that peaked at 400 Gbps, topping the previous high of 300 Gbps against Spamhaus in March 2013.\n\n\u201cRemarkably, it is possible that the attacker used only a single server running on a network that allowed source IP address spoofing to initiate the requests,\u201d CloudFlare CEO Matthew Prince told Threatpost at the time.\n\nNTP-based DDoS attacks are a relatively simple way of spoofing IP addresses in order to disrupt websites or web-based services.\n\n\u201cNTP attacks are definitely on the rise. Because the amplification factor per misconfigured server can be 10x as large as a typical DNS amplification attack, they pose a significant risk,\u201d Prince said.\n\nRed Hat\u2019s Miroslav Lichvar reported the issue in early March to NTP, which patched the vulnerabilities yesterday.", "published": "2015-04-08T11:37:00", "cvss": {"score": 1.8, "vector": "AV:ADJACENT_NETWORK/AC:HIGH/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://threatpost.com/two-ntp-key-authentication-vulnerabilities-patched/112067/", "cvelist": ["CVE-2015-1798"], "lastseen": "2016-09-04T20:47:08"}]}}
