ID: FREEBSD_PKG_5237F5D7C02011E5B397D050996490D0.NASL
Type: nessus
Reporter: Tenable
Modified: 2018-11-10T00:00:00
Description
Network Time Foundation reports:

NTF's NTP Project has been notified of the following low- and
medium-severity vulnerabilities that are fixed in ntp-4.2.8p6,
released on Tuesday, 19 January 2016:

- Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq. Reported
  by Cisco ASIG.
- Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass.
  Reported by Cisco ASIG.
- Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on
  authenticated broadcast mode. Reported by Cisco ASIG.
- Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of
  restriction list. Reported by Cisco ASIG.
- Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows
  impersonation between authenticated peers. Reported by Cisco ASIG.
- Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated
  broadcast mode. Reported by Cisco ASIG.

Additionally, mitigations are published for the following two issues:

- Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks.
  Reported by Cisco ASIG.
- Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose
  origin. Reported by Cisco ASIG.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
# copyright notice, this list of conditions and the following
# disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
# published online in any format, converted to PDF, PostScript,
# RTF and other formats) must reproduce the above copyright
# notice, this list of conditions and the following disclaimer
# in the documentation and/or other materials provided with the
# distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#
include("compat.inc");
if (description)
{
  script_id(88068);
  script_version("2.13");
  script_cvs_date("Date: 2018/11/10 11:49:45");

  script_cve_id("CVE-2015-7973", "CVE-2015-7974", "CVE-2015-7975", "CVE-2015-7976", "CVE-2015-7977", "CVE-2015-7978", "CVE-2015-7979", "CVE-2015-8138", "CVE-2015-8139", "CVE-2015-8140", "CVE-2015-8158");
  script_xref(name:"FreeBSD", value:"SA-16:09.ntp");

  script_name(english:"FreeBSD : ntp -- multiple vulnerabilities (5237f5d7-c020-11e5-b397-d050996490d0)");
  script_summary(english:"Checks for updated packages in pkg_info output");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote FreeBSD host is missing one or more security-related
updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Network Time Foundation reports :
NTF's NTP Project has been notified of the following low- and
medium-severity vulnerabilities that are fixed in ntp-4.2.8p6,
released on Tuesday, 19 January 2016 :
- Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq. Reported
by Cisco ASIG.
- Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass.
Reported by Cisco ASIG.
- Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on
authenticated broadcast mode. Reported by Cisco ASIG.
- Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of
restriction list. Reported by Cisco ASIG.
- Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference. Reported
by Cisco ASIG.
- Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous
characters in filenames. Reported by Cisco ASIG.
- Bug 2937 / CVE-2015-7975: nextvar() missing length check. Reported
by Cisco ASIG.
- Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows
impersonation between authenticated peers. Reported by Cisco ASIG.
- Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated
broadcast mode. Reported by Cisco ASIG.
Additionally, mitigations are published for the following two issues :
- Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks.
Reported by Cisco ASIG.
- Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose
origin. Reported by Cisco ASIG."
  );
  # http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?d42322ca"
  );
  # https://vuxml.freebsd.org/freebsd/5237f5d7-c020-11e5-b397-d050996490d0.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?ac5aee1a"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:ntp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:ntp-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/01/20");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/01/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/01/22");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}
include("audit.inc");
include("freebsd_package.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
flag = 0;
if (pkg_test(save_report:TRUE, pkg:"ntp<4.2.8p6")) flag++;
if (pkg_test(save_report:TRUE, pkg:"ntp-devel<4.3.90")) flag++;
if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
Reported by Cisco ASIG.\n\n- Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference. Reported\nby Cisco ASIG.\n\n- Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous\ncharacters in filenames. Reported by Cisco ASIG.\n\n- Bug 2937 / CVE-2015-7975: nextvar() missing length check. Reported\nby Cisco ASIG.\n\n- Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows\nimpersonation between authenticated peers. Reported by Cisco ASIG.\n\n- Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated\nbroadcast mode. Reported by Cisco ASIG.\n\nAdditionally, mitigations are published for the following two issues :\n\n- Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks.\nReported by Cisco ASIG.\n\n- Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose\norigin. Reported by Cisco ASIG.\"\n );\n # http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d42322ca\"\n );\n # https://vuxml.freebsd.org/freebsd/5237f5d7-c020-11e5-b397-d050996490d0.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ac5aee1a\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ntp-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/21\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"ntp<4.2.8p6\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ntp-devel<4.3.90\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "FreeBSD : ntp -- multiple vulnerabilities (5237f5d7-c020-11e5-b397-d050996490d0)", "type": "nessus", "viewCount": 2}, "differentElements": ["description"], "edition": 11, "lastseen": "2018-11-13T17:00:41"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "Network Time Foundation reports :\n\nNTF's NTP Project has been notified of the following low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p6, released on Tuesday, 19 January 2016 :\n\n- Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq. 
Reported by Cisco ASIG.\n\n- Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass.\nReported by Cisco ASIG.\n\n- Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode. Reported by Cisco ASIG.\n\n- Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list. Reported by Cisco ASIG.\n\n- Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference. Reported by Cisco ASIG.\n\n- Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames. Reported by Cisco ASIG.\n\n- Bug 2937 / CVE-2015-7975: nextvar() missing length check. Reported by Cisco ASIG.\n\n- Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers. Reported by Cisco ASIG.\n\n- Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode. Reported by Cisco ASIG.\n\nAdditionally, mitigations are published for the following two issues :\n\n- Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks.\nReported by Cisco ASIG.\n\n- Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin. 
Reported by Cisco ASIG.", "edition": 4, "hash": "436ab1b29e4590712ce08005394cc0338fb55ee20b86694c5940ee1b38546ef7", "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=88068", "id": "FREEBSD_PKG_5237F5D7C02011E5B397D050996490D0.NASL", "lastseen": "2017-02-10T23:03:01", "modified": "2017-02-10T00:00:00", "naslFamily": "FreeBSD Local Security Checks", "objectVersion": "1.2", "pluginID": "88068", "published": "2016-01-22T00:00:00", "references": ["http://www.nessus.org/u?5469abda", "http://www.nessus.org/u?d42322ca"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2017 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions 
are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(88068);\n script_version(\"$Revision: 2.11 $\");\n script_cvs_date(\"$Date: 2017/02/10 14:51:43 $\");\n\n script_cve_id(\"CVE-2015-7973\", \"CVE-2015-7974\", \"CVE-2015-7975\", \"CVE-2015-7976\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8138\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\");\n script_xref(name:\"FreeBSD\", value:\"SA-16:09.ntp\");\n\n script_name(english:\"FreeBSD : ntp -- multiple vulnerabilities (5237f5d7-c020-11e5-b397-d050996490d0)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n 
attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Network Time Foundation reports :\n\nNTF's NTP Project has been notified of the following low- and\nmedium-severity vulnerabilities that are fixed in ntp-4.2.8p6,\nreleased on Tuesday, 19 January 2016 :\n\n- Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq. Reported\nby Cisco ASIG.\n\n- Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass.\nReported by Cisco ASIG.\n\n- Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on\nauthenticated broadcast mode. Reported by Cisco ASIG.\n\n- Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of\nrestriction list. Reported by Cisco ASIG.\n\n- Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference. Reported\nby Cisco ASIG.\n\n- Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous\ncharacters in filenames. Reported by Cisco ASIG.\n\n- Bug 2937 / CVE-2015-7975: nextvar() missing length check. Reported\nby Cisco ASIG.\n\n- Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows\nimpersonation between authenticated peers. Reported by Cisco ASIG.\n\n- Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated\nbroadcast mode. Reported by Cisco ASIG.\n\nAdditionally, mitigations are published for the following two issues :\n\n- Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks.\nReported by Cisco ASIG.\n\n- Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose\norigin. 
Reported by Cisco ASIG.\"\n );\n # http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d42322ca\"\n );\n # http://www.freebsd.org/ports/portaudit/5237f5d7-c020-11e5-b397-d050996490d0.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5469abda\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ntp-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, 
pkg:\"ntp<4.2.8p6\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ntp-devel<4.3.90\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "FreeBSD : ntp -- multiple vulnerabilities (5237f5d7-c020-11e5-b397-d050996490d0)", "type": "nessus", "viewCount": 1}, "differentElements": ["sourceData"], "edition": 4, "lastseen": "2017-02-10T23:03:01"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "Network Time Foundation reports :\n\nNTF's NTP Project has been notified of the following low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p6, released on Tuesday, 19 January 2016 :\n\n- Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq. Reported by Cisco ASIG.\n\n- Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass.\nReported by Cisco ASIG.\n\n- Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode. Reported by Cisco ASIG.\n\n- Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list. Reported by Cisco ASIG.\n\n- Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference. Reported by Cisco ASIG.\n\n- Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames. Reported by Cisco ASIG.\n\n- Bug 2937 / CVE-2015-7975: nextvar() missing length check. Reported by Cisco ASIG.\n\n- Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers. 
Reported by Cisco ASIG.\n\n- Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode. Reported by Cisco ASIG.\n\nAdditionally, mitigations are published for the following two issues :\n\n- Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks.\nReported by Cisco ASIG.\n\n- Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin. Reported by Cisco ASIG.", "edition": 3, "hash": "b5fd0b2e9683051c12a4f44050c2a3fa01bbe7d1541de6b02f9ce9897fdaa6c1", "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=88068", "id": "FREEBSD_PKG_5237F5D7C02011E5B397D050996490D0.NASL", "lastseen": "2017-02-08T21:03:11", "modified": "2017-02-08T00:00:00", "naslFamily": "FreeBSD Local Security Checks", "objectVersion": "1.2", "pluginID": "88068", "published": "2016-01-22T00:00:00", "references": ["http://www.nessus.org/u?5469abda", "http://www.nessus.org/u?d42322ca"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, 
Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2017 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(88068);\n script_version(\"$Revision: 2.10 $\");\n script_cvs_date(\"$Date: 2017/02/08 14:51:05 $\");\n\n script_cve_id(\"CVE-2015-7973\", \"CVE-2015-7974\", \"CVE-2015-7975\", \"CVE-2015-7976\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8138\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\");\n script_xref(name:\"FreeBSD\", value:\"SA-16:09.ntp\");\n\n script_name(english:\"FreeBSD : ntp -- multiple vulnerabilities (5237f5d7-c020-11e5-b397-d050996490d0)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Network Time Foundation reports :\n\nNTF's NTP Project has been notified of the following low- and\nmedium-severity vulnerabilities that are fixed in ntp-4.2.8p6,\nreleased on Tuesday, 19 January 2016 :\n\n- Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq. Reported\nby Cisco ASIG.\n\n- Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass.\nReported by Cisco ASIG.\n\n- Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on\nauthenticated broadcast mode. Reported by Cisco ASIG.\n\n- Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of\nrestriction list. 
Reported by Cisco ASIG.\n\n- Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference. Reported\nby Cisco ASIG.\n\n- Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous\ncharacters in filenames. Reported by Cisco ASIG.\n\n- Bug 2937 / CVE-2015-7975: nextvar() missing length check. Reported\nby Cisco ASIG.\n\n- Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows\nimpersonation between authenticated peers. Reported by Cisco ASIG.\n\n- Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated\nbroadcast mode. Reported by Cisco ASIG.\n\nAdditionally, mitigations are published for the following two issues :\n\n- Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks.\nReported by Cisco ASIG.\n\n- Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose\norigin. Reported by Cisco ASIG.\"\n );\n # http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d42322ca\"\n );\n # http://www.freebsd.org/ports/portaudit/5237f5d7-c020-11e5-b397-d050996490d0.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5469abda\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ntp-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/21\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"ntp<4.2.8p6\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ntp-devel<4.3.90\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "FreeBSD : ntp -- multiple vulnerabilities (5237f5d7-c020-11e5-b397-d050996490d0)", "type": "nessus", "viewCount": 1}, "differentElements": ["modified", "sourceData"], "edition": 3, "lastseen": "2017-02-08T21:03:11"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:ntp-devel", "p-cpe:/a:freebsd:freebsd:ntp"], "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "description": "Network Time Foundation reports :\n\nNTF's NTP Project has been notified of the following low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p6, released on Tuesday, 19 
January 2016 :\n\n- Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq. Reported by Cisco ASIG.\n\n- Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass.\nReported by Cisco ASIG.\n\n- Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode. Reported by Cisco ASIG.\n\n- Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list. Reported by Cisco ASIG.\n\n- Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference. Reported by Cisco ASIG.\n\n- Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames. Reported by Cisco ASIG.\n\n- Bug 2937 / CVE-2015-7975: nextvar() missing length check. Reported by Cisco ASIG.\n\n- Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers. Reported by Cisco ASIG.\n\n- Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode. Reported by Cisco ASIG.\n\nAdditionally, mitigations are published for the following two issues :\n\n- Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks.\nReported by Cisco ASIG.\n\n- Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin. 
Reported by Cisco ASIG.", "edition": 10, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "8e5cf22d76d7bfe7fe39ad3fc64707b7afb4a05c8ee3e92bbdb0b2c8ee19e078", "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=88068", "id": "FREEBSD_PKG_5237F5D7C02011E5B397D050996490D0.NASL", "lastseen": "2018-09-01T23:55:23", "modified": "2017-02-13T00:00:00", "naslFamily": "FreeBSD Local Security Checks", "objectVersion": "1.3", "pluginID": "88068", "published": "2016-01-22T00:00:00", "references": ["http://www.nessus.org/u?5469abda", "http://www.nessus.org/u?d42322ca"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2017 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# 
are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(88068);\n script_version(\"$Revision: 2.12 $\");\n script_cvs_date(\"$Date: 2017/02/13 20:45:09 $\");\n\n script_cve_id(\"CVE-2015-7973\", \"CVE-2015-7974\", \"CVE-2015-7975\", \"CVE-2015-7976\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8138\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\");\n script_xref(name:\"FreeBSD\", value:\"SA-16:09.ntp\");\n\n script_name(english:\"FreeBSD : ntp -- multiple vulnerabilities (5237f5d7-c020-11e5-b397-d050996490d0)\");\n script_summary(english:\"Checks for updated packages in 
pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Network Time Foundation reports :\n\nNTF's NTP Project has been notified of the following low- and\nmedium-severity vulnerabilities that are fixed in ntp-4.2.8p6,\nreleased on Tuesday, 19 January 2016 :\n\n- Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq. Reported\nby Cisco ASIG.\n\n- Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass.\nReported by Cisco ASIG.\n\n- Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on\nauthenticated broadcast mode. Reported by Cisco ASIG.\n\n- Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of\nrestriction list. Reported by Cisco ASIG.\n\n- Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference. Reported\nby Cisco ASIG.\n\n- Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous\ncharacters in filenames. Reported by Cisco ASIG.\n\n- Bug 2937 / CVE-2015-7975: nextvar() missing length check. Reported\nby Cisco ASIG.\n\n- Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows\nimpersonation between authenticated peers. Reported by Cisco ASIG.\n\n- Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated\nbroadcast mode. Reported by Cisco ASIG.\n\nAdditionally, mitigations are published for the following two issues :\n\n- Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks.\nReported by Cisco ASIG.\n\n- Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose\norigin. 
Reported by Cisco ASIG.\"\n );\n # http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d42322ca\"\n );\n # http://www.freebsd.org/ports/portaudit/5237f5d7-c020-11e5-b397-d050996490d0.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5469abda\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ntp-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, 
pkg:\"ntp<4.2.8p6\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ntp-devel<4.3.90\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "FreeBSD : ntp -- multiple vulnerabilities (5237f5d7-c020-11e5-b397-d050996490d0)", "type": "nessus", "viewCount": 2}, "differentElements": ["references", "modified", "sourceData"], "edition": 10, "lastseen": "2018-09-01T23:55:23"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "Network Time Foundation reports :\n\nNTF's NTP Project has been notified of the following low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p6, released on Tuesday, 19 January 2016 :\n\n- Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq. Reported by Cisco ASIG.\n\n- Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass.\nReported by Cisco ASIG.\n\n- Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode. Reported by Cisco ASIG.\n\n- Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list. Reported by Cisco ASIG.\n\n- Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference. Reported by Cisco ASIG.\n\n- Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames. Reported by Cisco ASIG.\n\n- Bug 2937 / CVE-2015-7975: nextvar() missing length check. Reported by Cisco ASIG.\n\n- Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers. Reported by Cisco ASIG.\n\n- Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode. 
Reported by Cisco ASIG.\n\nAdditionally, mitigations are published for the following two issues :\n\n- Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks.\nReported by Cisco ASIG.\n\n- Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin. Reported by Cisco ASIG.", "edition": 2, "hash": "4beca4534311e4a902b06355d9eac40071ecc4fcf2e6690bf84164f3ef52ec6b", "hashmap": [{"hash": "fe45aa727b58c1249bf04cfb7b4e6ae0", "key": "naslFamily"}, {"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "b2e432e66e80cef147f8fc7c173ea271", "key": "cvss"}, {"hash": "c7052ceb9b55bb21aab9f947744821af", "key": "pluginID"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "cd5414ec394d14565027ce78c17c0b89", "key": "cvelist"}, {"hash": "a46921baa87ed5faf72951674036eac0", "key": "published"}, {"hash": "2425a8102deb20f0b74d666494ff8b85", "key": "references"}, {"hash": "01b23aa13064d8d455a86a4ec0f50c2d", "key": "title"}, {"hash": "d989a8ffebd0f198c2f8d92e04f9d922", "key": "description"}, {"hash": "6121f5926f1f78f92943567a02b73674", "key": "sourceData"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "1473cc95d97afe32f88497f5af8e9307", "key": "modified"}, {"hash": "747273411ce452783cb5a0399d4c5909", "key": "href"}], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=88068", "id": "FREEBSD_PKG_5237F5D7C02011E5B397D050996490D0.NASL", "lastseen": "2016-10-19T21:25:51", "modified": "2016-10-19T00:00:00", "naslFamily": "FreeBSD Local Security Checks", "objectVersion": "1.2", "pluginID": "88068", "published": "2016-01-22T00:00:00", "references": ["http://www.nessus.org/u?5469abda", "http://www.nessus.org/u?d42322ca"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database 
:\n#\n# Copyright 2003-2016 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(88068);\n script_version(\"$Revision: 2.9 $\");\n script_cvs_date(\"$Date: 2016/10/19 14:02:54 $\");\n\n script_cve_id(\"CVE-2015-7973\", \"CVE-2015-7974\", \"CVE-2015-7975\", \"CVE-2015-7976\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8138\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\");\n script_xref(name:\"FreeBSD\", value:\"SA-16:09.ntp\");\n\n script_name(english:\"FreeBSD : ntp -- multiple vulnerabilities (5237f5d7-c020-11e5-b397-d050996490d0)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Network Time Foundation reports :\n\nNTF's NTP Project has been notified of the following low- and\nmedium-severity vulnerabilities that are fixed in ntp-4.2.8p6,\nreleased on Tuesday, 19 January 2016 :\n\n- Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq. Reported\nby Cisco ASIG.\n\n- Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass.\nReported by Cisco ASIG.\n\n- Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on\nauthenticated broadcast mode. Reported by Cisco ASIG.\n\n- Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of\nrestriction list. 
Reported by Cisco ASIG.\n\n- Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference. Reported\nby Cisco ASIG.\n\n- Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous\ncharacters in filenames. Reported by Cisco ASIG.\n\n- Bug 2937 / CVE-2015-7975: nextvar() missing length check. Reported\nby Cisco ASIG.\n\n- Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows\nimpersonation between authenticated peers. Reported by Cisco ASIG.\n\n- Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated\nbroadcast mode. Reported by Cisco ASIG.\n\nAdditionally, mitigations are published for the following two issues :\n\n- Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks.\nReported by Cisco ASIG.\n\n- Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose\norigin. Reported by Cisco ASIG.\"\n );\n # http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d42322ca\"\n );\n # http://www.freebsd.org/ports/portaudit/5237f5d7-c020-11e5-b397-d050996490d0.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5469abda\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:H/Au:S/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ntp-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/21\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016 Tenable Network Security, Inc.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"ntp<4.2.8p6\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ntp-devel<4.3.90\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_note(port:0, extra:pkg_report_get());\n else security_note(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "FreeBSD : ntp -- multiple vulnerabilities (5237f5d7-c020-11e5-b397-d050996490d0)", "type": "nessus", "viewCount": 0}, "differentElements": ["modified", "sourceData"], "edition": 2, "lastseen": "2016-10-19T21:25:51"}, {"bulletin": {"bulletinFamily": "exploit", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}, "description": "Network Time Foundation reports :\n\nNTF's NTP Project has been notified of the following low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p6, released on Tuesday, 19 January 2016 :\n\n- Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq. 
Reported by Cisco ASIG.\n\n- Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass.\nReported by Cisco ASIG.\n\n- Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode. Reported by Cisco ASIG.\n\n- Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list. Reported by Cisco ASIG.\n\n- Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference. Reported by Cisco ASIG.\n\n- Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames. Reported by Cisco ASIG.\n\n- Bug 2937 / CVE-2015-7975: nextvar() missing length check. Reported by Cisco ASIG.\n\n- Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers. Reported by Cisco ASIG.\n\n- Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode. Reported by Cisco ASIG.\n\nAdditionally, mitigations are published for the following two issues :\n\n- Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks.\nReported by Cisco ASIG.\n\n- Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin. 
Reported by Cisco ASIG.", "edition": 6, "hash": "d641501791acd1db846947013f8a156f89c25799ae288966eae8014849b1282f", "hashmap": [], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=88068", "id": "FREEBSD_PKG_5237F5D7C02011E5B397D050996490D0.NASL", "lastseen": "2017-02-17T01:04:00", "modified": "2017-02-13T00:00:00", "naslFamily": "FreeBSD Local Security Checks", "objectVersion": "1.2", "pluginID": "88068", "published": "2016-01-22T00:00:00", "references": ["http://www.nessus.org/u?5469abda", "http://www.nessus.org/u?d42322ca"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2017 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions 
are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(88068);\n script_version(\"$Revision: 2.12 $\");\n script_cvs_date(\"$Date: 2017/02/13 20:45:09 $\");\n\n script_cve_id(\"CVE-2015-7973\", \"CVE-2015-7974\", \"CVE-2015-7975\", \"CVE-2015-7976\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8138\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\");\n script_xref(name:\"FreeBSD\", value:\"SA-16:09.ntp\");\n\n script_name(english:\"FreeBSD : ntp -- multiple vulnerabilities (5237f5d7-c020-11e5-b397-d050996490d0)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n 
attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Network Time Foundation reports :\n\nNTF's NTP Project has been notified of the following low- and\nmedium-severity vulnerabilities that are fixed in ntp-4.2.8p6,\nreleased on Tuesday, 19 January 2016 :\n\n- Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq. Reported\nby Cisco ASIG.\n\n- Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass.\nReported by Cisco ASIG.\n\n- Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on\nauthenticated broadcast mode. Reported by Cisco ASIG.\n\n- Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of\nrestriction list. Reported by Cisco ASIG.\n\n- Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference. Reported\nby Cisco ASIG.\n\n- Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous\ncharacters in filenames. Reported by Cisco ASIG.\n\n- Bug 2937 / CVE-2015-7975: nextvar() missing length check. Reported\nby Cisco ASIG.\n\n- Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows\nimpersonation between authenticated peers. Reported by Cisco ASIG.\n\n- Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated\nbroadcast mode. Reported by Cisco ASIG.\n\nAdditionally, mitigations are published for the following two issues :\n\n- Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks.\nReported by Cisco ASIG.\n\n- Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose\norigin. 
Reported by Cisco ASIG.\"\n );\n # http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d42322ca\"\n );\n # http://www.freebsd.org/ports/portaudit/5237f5d7-c020-11e5-b397-d050996490d0.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5469abda\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ntp-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, 
pkg:\"ntp<4.2.8p6\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ntp-devel<4.3.90\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "FreeBSD : ntp -- multiple vulnerabilities (5237f5d7-c020-11e5-b397-d050996490d0)", "type": "nessus", "viewCount": 1}, "differentElements": ["cvss"], "edition": 6, "lastseen": "2017-02-17T01:04:00"}, {"bulletin": {"bulletinFamily": "scanner", "cpe": [], "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "description": "Network Time Foundation reports :\n\nNTF's NTP Project has been notified of the following low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p6, released on Tuesday, 19 January 2016 :\n\n- Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq. Reported by Cisco ASIG.\n\n- Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass.\nReported by Cisco ASIG.\n\n- Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode. Reported by Cisco ASIG.\n\n- Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list. Reported by Cisco ASIG.\n\n- Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference. Reported by Cisco ASIG.\n\n- Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames. Reported by Cisco ASIG.\n\n- Bug 2937 / CVE-2015-7975: nextvar() missing length check. Reported by Cisco ASIG.\n\n- Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers. 
Reported by Cisco ASIG.\n\n- Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode. Reported by Cisco ASIG.\n\nAdditionally, mitigations are published for the following two issues :\n\n- Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks.\nReported by Cisco ASIG.\n\n- Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin. Reported by Cisco ASIG.", "edition": 7, "enchantments": {}, "hash": "a6513a0d13aaccf7223867cc31808827a400954d866e0ff5a2b62759d9da1456", "hashmap": [], "history": [], "href": "https://www.tenable.com/plugins/index.php?view=single&id=88068", "id": "FREEBSD_PKG_5237F5D7C02011E5B397D050996490D0.NASL", "lastseen": "2017-04-18T16:31:48", "modified": "2017-02-13T00:00:00", "naslFamily": "FreeBSD Local Security Checks", "objectVersion": "1.2", "pluginID": "88068", "published": "2016-01-22T00:00:00", "references": ["http://www.nessus.org/u?5469abda", "http://www.nessus.org/u?d42322ca"], "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network 
Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2017 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(88068);\n script_version(\"$Revision: 2.12 $\");\n script_cvs_date(\"$Date: 2017/02/13 20:45:09 $\");\n\n script_cve_id(\"CVE-2015-7973\", \"CVE-2015-7974\", \"CVE-2015-7975\", \"CVE-2015-7976\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8138\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\");\n script_xref(name:\"FreeBSD\", value:\"SA-16:09.ntp\");\n\n script_name(english:\"FreeBSD : ntp -- multiple vulnerabilities (5237f5d7-c020-11e5-b397-d050996490d0)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Network Time Foundation reports :\n\nNTF's NTP Project has been notified of the following low- and\nmedium-severity vulnerabilities that are fixed in ntp-4.2.8p6,\nreleased on Tuesday, 19 January 2016 :\n\n- Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq. Reported\nby Cisco ASIG.\n\n- Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass.\nReported by Cisco ASIG.\n\n- Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on\nauthenticated broadcast mode. Reported by Cisco ASIG.\n\n- Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of\nrestriction list. 
Reported by Cisco ASIG.\n\n- Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference. Reported\nby Cisco ASIG.\n\n- Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous\ncharacters in filenames. Reported by Cisco ASIG.\n\n- Bug 2937 / CVE-2015-7975: nextvar() missing length check. Reported\nby Cisco ASIG.\n\n- Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows\nimpersonation between authenticated peers. Reported by Cisco ASIG.\n\n- Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated\nbroadcast mode. Reported by Cisco ASIG.\n\nAdditionally, mitigations are published for the following two issues :\n\n- Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks.\nReported by Cisco ASIG.\n\n- Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose\norigin. Reported by Cisco ASIG.\"\n );\n # http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d42322ca\"\n );\n # http://www.freebsd.org/ports/portaudit/5237f5d7-c020-11e5-b397-d050996490d0.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5469abda\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ntp-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/21\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"ntp<4.2.8p6\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ntp-devel<4.3.90\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "title": "FreeBSD : ntp -- multiple vulnerabilities (5237f5d7-c020-11e5-b397-d050996490d0)", "type": "nessus", "viewCount": 1}, "differentElements": ["cpe"], "edition": 7, "lastseen": "2017-04-18T16:31:48"}], "edition": 12, "hashmap": [],
"hash": "c42696000c963878f8938750db9a3bdee315429da42b648393fc5dcac75976cc", "viewCount": 2, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "paloalto", "idList": ["PAN-SA-2016-0019"]}, {"type": "f5", "idList": ["F5:K06288381", "SOL06288381", "F5:K00329831", "SOL00329831", "F5:K32790144", "F5:K13304944", "F5:K71245322", "F5:K01324833", "F5:K05046514", "F5:K74363721"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2016:1292-1", "SUSE-SU-2016:1175-1", "SUSE-SU-2016:1177-1", "SUSE-SU-2016:1247-1", "SUSE-SU-2016:1311-1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310105726", "OPENVAS:1361412562310105666", "OPENVAS:1361412562310851310", "OPENVAS:1361412562310120639", "OPENVAS:1361412562310131203", "OPENVAS:1361412562310807227", "OPENVAS:1361412562310807567", "OPENVAS:1361412562310842905", "OPENVAS:1361412562310703629", "OPENVAS:703629"]}, {"type": "nessus", "idList": ["SUSE_SU-2016-1175-1.NASL", "SUSE_SU-2016-1177-1.NASL", "OPENSUSE-2016-578.NASL", "NTP_4_2_8P6.NASL", "AIX_IV83993.NASL", "AIX_IV83994.NASL", "AIX_IV83984.NASL", "FEDORA_2016-8BB1932088.NASL", "AIX_NTP_V4_ADVISORY6.NASL", "AIX_IV83995.NASL"]}, {"type": "cisco", "idList": ["CISCO-SA-20160127-NTPD"]}, {"type": "freebsd", "idList": ["5237F5D7-C020-11E5-B397-D050996490D0"]}, {"type": "aix", "idList": ["NTP_ADVISORY6.ASC"]}, {"type": "slackware", "idList": ["SSA-2016-054-04"]}, {"type": "cve", "idList": ["CVE-2015-8139", "CVE-2015-8140", "CVE-2015-8158", "CVE-2015-7977", "CVE-2015-7978", "CVE-2015-7979", "CVE-2015-7973", "CVE-2015-7976", "CVE-2015-7974", "CVE-2015-8138"]}, {"type": "amazon", "idList": 
["ALAS-2016-649"]}, {"type": "ubuntu", "idList": ["USN-3096-1"]}, {"type": "cert", "idList": ["VU:718152"]}, {"type": "debian", "idList": ["DEBIAN:DSA-3629-1:3CA50", "DEBIAN:DLA-559-1:E64BA"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:0B67E4FF46553AC705FD601C96C1A6B6"]}, {"type": "talos", "idList": ["TALOS-2016-0078", "TALOS-2016-0203", "TALOS-2016-0073", "TALOS-2016-0079"]}, {"type": "oraclelinux", "idList": ["ELSA-2016-2583"]}, {"type": "seebug", "idList": ["SSV:96647"]}, {"type": "centos", "idList": ["CESA-2016:2583"]}, {"type": "redhat", "idList": ["RHSA-2016:2583"]}, {"type": "gentoo", "idList": ["GLSA-201607-15"]}], "modified": "2019-01-16T20:23:08"}, "vulnersScore": 5.0}, "objectVersion": "1.3", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(88068);\n script_version(\"2.13\");\n script_cvs_date(\"Date: 2018/11/10 11:49:45\");\n\n script_cve_id(\"CVE-2015-7973\", \"CVE-2015-7974\", \"CVE-2015-7975\", \"CVE-2015-7976\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8138\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\");\n script_xref(name:\"FreeBSD\", value:\"SA-16:09.ntp\");\n\n script_name(english:\"FreeBSD : ntp -- multiple vulnerabilities (5237f5d7-c020-11e5-b397-d050996490d0)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Network Time Foundation reports :\n\nNTF's NTP Project has been notified of the following low- and\nmedium-severity vulnerabilities that are fixed in ntp-4.2.8p6,\nreleased on Tuesday, 19 January 2016 :\n\n- Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq. Reported\nby Cisco ASIG.\n\n- Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass.\nReported by Cisco ASIG.\n\n- Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on\nauthenticated broadcast mode. Reported by Cisco ASIG.\n\n- Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of\nrestriction list. 
Reported by Cisco ASIG.\n\n- Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference. Reported\nby Cisco ASIG.\n\n- Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous\ncharacters in filenames. Reported by Cisco ASIG.\n\n- Bug 2937 / CVE-2015-7975: nextvar() missing length check. Reported\nby Cisco ASIG.\n\n- Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows\nimpersonation between authenticated peers. Reported by Cisco ASIG.\n\n- Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated\nbroadcast mode. Reported by Cisco ASIG.\n\nAdditionally, mitigations are published for the following two issues :\n\n- Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks.\nReported by Cisco ASIG.\n\n- Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose\norigin. Reported by Cisco ASIG.\"\n );\n # http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d42322ca\"\n );\n # https://vuxml.freebsd.org/freebsd/5237f5d7-c020-11e5-b397-d050996490d0.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ac5aee1a\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:ntp-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/01/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/21\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"ntp<4.2.8p6\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"ntp-devel<4.3.90\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "naslFamily": "FreeBSD Local Security Checks", "pluginID": "88068", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:ntp-devel", "p-cpe:/a:freebsd:freebsd:ntp"]}
{"paloalto": [{"lastseen": "2018-08-31T00:11:40", "bulletinFamily": "software", "description": "The open source ntp project has been found to contain several vulnerabilities (CVE-2015-8158, CVE-2015-8138, CVE-2015-7979, CVE-2015-7978, CVE-2015-7977, CVE-2015-7976, CVE-2015-7975, CVE-2015-7974, CVE-2015-7973, all released in January 2016). Palo Alto...\n", "modified": "2016-10-18T00:00:00", "published": "2016-08-15T00:00:00", "id": "PAN-SA-2016-0019", "href": "https://securityadvisories.paloaltonetworks.com/Home/Detail/52", "title": "NTP Vulnerabilities", "type": "paloalto", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "f5": [{"lastseen": "2017-06-08T00:16:04", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned ID 573343 (BIG-IP), ID 573411 (BIG-IQ), ID 573413 (Enterprise Manager), and ID 507785 (ARX) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H574750 on the **Diagnostics** > **Identified** > **Low** screen. 
\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP AAM| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP AFM| 12.0.0 - 12.1.1 \n11.3.0 - 11.6.1| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP Analytics| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP APM| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP ASM| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP DNS| 12.0.0 - 12.1.1| 12.1.2| Low| ntpd \nBIG-IP Edge Gateway| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| ntpd \nBIG-IP GTM| 11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP Link Controller| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP PEM| 12.0.0 - 12.1.1 \n11.3.0 - 11.6.1| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP PSM| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| None| Low| ntpd \nBIG-IP WebAccelerator| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| ntpd \nBIG-IP WOM| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| ntpd \nARX| 6.0.0 - 6.4.0| None| Low| ntpq and ntpd \nEnterprise Manager| 3.0.0 - 3.1.1| None| Low| ntpd \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| 4.0.0 - 4.5.0| None| Low| ntpd \nBIG-IQ Device| 4.2.0 - 4.5.0| None| Low| ntpd \nBIG-IQ Security| 4.0.0 - 4.5.0| None| Low| ntpd \nBIG-IQ ADC| 4.5.0| None| Low| ntpd \nBIG-IQ Centralized 
Management| 4.6.0| None| Low| ntpd \nBIG-IQ Cloud and Orchestration| 1.0.0| None| Low| ntpd \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| Not vulnerable| None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nTo mitigate this vulnerability for affected BIG-IP, BIG-IQ, and Enterprise Manager systems, ensure that there are no more than 500 'restrict' directives in the **/config/ntp.conf** configuration file.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n * [K9502: BIG-IP hotfix matrix](<https://support.f5.com/csp/article/K9502>)\n", "modified": "2017-05-03T22:46:00", "published": "2016-02-23T02:20:00", "href": "https://support.f5.com/csp/article/K06288381", "id": "F5:K06288381", "type": "f5", "title": "NTP vulnerabilities CVE-2015-7977 and CVE-2015-7978", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2019-02-20T09:06:22", "bulletinFamily": "software", 
"description": "\nF5 Product Development has assigned ID 575629 (BIG-IP), ID 575702 (BIG-IQ), ID 575704 (Enterprise Manager), and INSTALLER-2226 (Traffix SDC) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H00329831 on the **Diagnostics** > **Identified** > **Low** screen.\n\nTo determine if your product and version have been evaluated for this vulnerability, refer to the **Applies to (see versions)** box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table.\n\nProduct | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score1 | Vulnerable component or feature \n---|---|---|---|---|---|--- \nBIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, Edge Gateway, GTM, Link Controller, PEM, PSM, WebAccelerator, WOM, WebSafe) | 13.x | None | 13.0.0 | Low | [6.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>) (CVE-2015-8139) \n[5.0](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L>) (CVE-2015-8140) | NTP Package \n12.x | 12.0.0 - 12.1.1 | 12.1.2 \n11.x | 11.6.0 - 11.6.3 \n11.5.1 - 11.5.5 \n11.2.1 | None \nARX | 6.x | None | Not applicable | Not vulnerable | None | None \nEnterprise Manager | 3.x | 3.1.1 | None | Low | [6.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>) (CVE-2015-8139) \n[5.0](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L>) (CVE-2015-8140) \n | NTP Package \nBIG-IQ Centralized Management | 5.x | 5.0.0 - 5.4.0 | None | Low | [6.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>) (CVE-2015-8139) 
\n[5.0](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L>) (CVE-2015-8140) | NTP Package \n4.x | 4.6.0 | None \nBIG-IQ Cloud and Orchestration | 1.x | 1.0.0 | None | Low | [6.5](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N>) (CVE-2015-8139) \n[5.0](<https://first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L>) (CVE-2015-8140) | NTP Package \nLineRate | 2.x | None | Not applicable | Not vulnerable | None | None \nTraffix SDC | 5.x | 5.0.0 - 5.1.0 | None | Low | None | NTP Package \n4.x | 4.0.5 - 4.4.0 | None \n \n1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the** Fixes introduced in** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\n**Note**: For details about how Security Advisory articles are versioned, and what versions are listed in the table, refer to [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>).\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. 
For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nTo mitigate this vulnerability, you can perform one of the following recommended modifications to the NTP service:\n\n * [Configure the NTP service to use multiple time sources](<https://support.f5.com/csp/article/K00329831#p1>)\n * [Configure the NTP service to restrict the use of **ntpq** queries with the restrict **noquery** directive](<https://support.f5.com/csp/article/K00329831#p2>)\n * [Configure restrict network access to the NTP service](<https://support.f5.com/csp/article/K00329831#p3>)\n\nConfigure the NTP service to use multiple time sources\n\nTo add multiple time sources for the NTP service using the Configuration utility, perform the following procedure:\n\n**Impact of procedure**: Performing the following procedure should not have a negative impact on your system.\n\n 1. Log in to the Configuration utility.\n 2. Navigate to **System** > **Configuration** > **Device** > **NTP.**\n 3. In the **Address **box, type the IP address of the NTP server you want.\n 4. In the **Time Server List** box, click **Add** to include the desired NTP server.\n 5. Repeat step 3 and step 4 for each NTP server you want.\n 6. To save the changes, click **Update**.\n\nConfigure the NTP service to restrict the use of ntpq queries with the restrict noquery directive\n\n**Impact of procedure**: Performing the following procedure should not have a negative impact on your system.\n\n 1. Log in to the Traffic Management Shell (**tmsh**) by typing the following command: \n\ntmsh\n\n 2. 
Depending on your existing configuration, choose one of the following: \n * If you already have an access restriction configured, but the **noquery** directive is disabled, use the following command syntax: \n\nmodify sys ntp restrict modify { <Name> { no-query enabled } }\n\nFor example, to modify an existing access restriction called **ntp_restriction** to enable **noquery**, type the following command:\n\nmodify sys ntp restrict modify { ntp_restriction { no-query enabled } }\n\n * If you do not have an existing access restriction configured, use the following command syntax: \n\nmodify sys ntp restrict add { <Name> { address <Network> mask <Mask> no-trap enabled no-modify enabled no-query enabled } }\n\nFor example, to configure an access restriction named **ntp_restriction**, for the 192.168.1.0/24 subnet, with **notrap**, **nomodify**, and **noquery** enabled, type the following command:\n\nmodify sys ntp restrict add { ntp_restriction { address 192.168.1.0 mask 255.255.255.0 no-trap enabled no-modify enabled no-query enabled } }\n\n 3. 
Save the configuration by typing the following command: \n\nsave /sys config\n\nConfigure restrict network access to the NTP service\n\nFor information about restricting network access to the NTP service, refer to [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n * [K10025: Managing BIG-IP product hotfixes (10.x)](<https://support.f5.com/csp/article/K10025>)\n * [K9502: BIG-IP hotfix matrix](<https://support.f5.com/csp/article/K9502>)\n * [K15106: Managing BIG-IQ product hotfixes](<https://support.f5.com/csp/article/K15106>)\n * [K15113: BIG-IQ hotfix matrix](<https://support.f5.com/csp/article/K15113>)\n", "modified": "2018-03-01T21:15:00", "published": "2016-02-29T23:10:00", "id": "F5:K00329831", "href": "https://support.f5.com/csp/article/K00329831", "title": "NTP vulnerabilities CVE-2015-8139 and CVE-2015-8140", "type": "f5", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-11-28T21:27:45", "bulletinFamily": "software", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. 
If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability for affected BIG-IP, BIG-IQ, and Enterprise Manager systems, ensure that there are no more than 500 'restrict' directives in the **/config/ntp.conf** configuration file.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)\n * SOL10025: Managing BIG-IP product hotfixes (10.x)\n * SOL9502: BIG-IP hotfix matrix\n * SOL15106: Managing BIG-IQ product hotfixes\n * SOL15113: BIG-IQ hotfix matrix\n * SOL12766: ARX hotfix matrix\n", "modified": "2016-11-28T00:00:00", "published": "2016-02-22T00:00:00", "id": "SOL06288381", "href": "http://support.f5.com/kb/en-us/solutions/public/k/06/sol06288381.html", "type": "f5", "title": "SOL06288381 - NTP vulnerabilities CVE-2015-7977 and CVE-2015-7978", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2016-09-26T17:23:29", "bulletinFamily": "software", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the** Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity **values published in the previous table. 
The **Severity **values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\nTo mitigate this vulnerability, you can perform one of the following recommended modifications to the NTP service:\n\n * Configure the NTP service to use multiple time sources\n * Configure the NTP service to restrict the use of **ntpq** queries with the restrict **noquery** directive\n * Configure restrict network access to the NTP service\n\nConfigure the NTP service to use multiple time sources\n\nTo add multiple time sources for the NTP service using the Configuration Utility, perform the following procedure:\n\n**Impact of procedure**: Performing the following procedure should not have a negative impact on your system.\n\n 1. Log in to the Configuration utility.\n 2. Navigate to **System** > **Configuration** > **Device** > **NTP.**\n 3. In the **Address **box, type the IP address of the NTP server you want.\n 4. In the **Time Server List** box, click **Add** to include the desired NTP server.\n 5. Repeat step 3 and step 4 for each NTP server you want.\n 6. To save the changes, click **Update**.\n\nConfigure the NTP service to restrict the use of ntpq queries with the restrict noquery directive\n\nTo configure the NTP service to restrict the use of **ntpq** with **noquery** directive, perform the following procedure.\n\n**Impact of procedure**: Performing the following procedure should not have a negative impact on your system.\n\n 1. Log in to the **tmsh** utility.\n 2. 
Depending on your existing configuration, choose one of the following: \n * If you already have an access restriction configured, but the **noquery** directive is disabled, use the following command syntax: \n \nmodify sys ntp restrict modify { <Name> { no-query enabled } } \n \nFor example, to modify an existing access restriction called **ntp_restriction** to enable **noquery**, type the following command: \n \nmodify sys ntp restrict modify { ntp_restriction { no-query enabled } }\n * If you do not have an existing access restriction configured, use the following command syntax: \n \nmodify sys ntp restrict add { <Name> { address <Network> mask <Mask> no-trap enabled no-modify enabled no-query enabled } } \n \nFor example, to configure an access restriction named **ntp_restriction**, for the 192.168.1.0/24 subnet, with **notrap**, **nomodify**, and **noquery** enabled, type the following command: \n \nmodify sys ntp restrict add { ntp_restriction { address 192.168.1.0 mask 255.255.255.0 no-trap enabled no-modify enabled no-query enabled } }\n 3. 
Save the configuration by typing the following command: \nsave /sys config\n\nConfigure restrict network access to the NTP service\n\nFor information about restricting network access to the NTP service, refer to SOL13092: Overview of securing access to the BIG-IP system.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)\n * SOL10025: Managing BIG-IP product hotfixes (10.x)\n * SOL9502: BIG-IP hotfix matrix\n * SOL15106: Managing BIG-IQ product hotfixes\n * SOL15113: BIG-IQ hotfix matrix\n", "modified": "2016-02-29T00:00:00", "published": "2016-02-29T00:00:00", "id": "SOL00329831", "href": "http://support.f5.com/kb/en-us/solutions/public/k/00/sol00329831.html", "type": "f5", "title": "SOL00329831 - Multiple NTP vulnerabilities CVE-2015-8139 and CVE-2015-8140", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-06-08T00:16:30", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned ID 572824 (BIG-IP), ID 573413 (Enterprise Manager), ID 573411 (BIG-IQ), and ID 507785 (ARX) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| None| Low| ntpq and ntpd \nBIG-IP AAM| 12.0.0 \n11.4.0 - 11.6.0| None| Low| ntpq and ntpd \nBIG-IP AFM| 12.0.0 \n11.3.0 - 11.6.0| 
None| Low| ntpq and ntpd \nBIG-IP Analytics| 12.0.0 \n11.0.0 - 11.6.0| None| Low| ntpq and ntpd \nBIG-IP APM| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| None| Low| ntpq and ntpd \nBIG-IP ASM| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| None| Low| ntpq and ntpd \nBIG-IP DNS| 12.0.0| None| Low| ntpq and ntpd \nBIG-IP Edge Gateway| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| ntpq and ntpd \nBIG-IP GTM| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| None| Low| ntpq and ntpd \nBIG-IP Link Controller| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| None| Low| ntpq and ntpd \nBIG-IP PEM| 12.0.0 \n11.3.0 - 11.6.0| None| Low| ntpq and ntpd \nBIG-IP PSM| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| None| Low| ntpq and ntpd \nBIG-IP WebAccelerator| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| ntpq and ntpd \nBIG-IP WOM| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| ntpq and ntpd \nARX| 6.0.0 - 6.4.0| None| Low| ntpq and ntpd \nEnterprise Manager| 3.0.0 - 3.1.1| None| Low| ntpq and ntpd \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| 4.0.0 - 4.5.0| None| Low| ntpq and ntpd \nBIG-IQ Device| 4.2.0 - 4.5.0| None| Low| ntpq and ntpd \nBIG-IQ Security| 4.0.0 - 4.5.0| None| Low| ntpq and ntpd \nBIG-IQ ADC| 4.5.0| None| Low| ntpq and ntpd \nBIG-IQ Centralized Management| 4.6.0| None| Low| ntpq and ntpd \nBIG-IQ Cloud and Orchestration| 1.0.0| None| Low| ntpq and ntpd \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| Not vulnerable| None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the** Versions known to be not vulnerable** column. 
If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nBIG-IP, BIG-IQ, and Enterprise Manager\n\nTo mitigate this vulnerability for the BIG-IP system, do not configure NTP to accept broadcast packets by enabling any \"broadcast\" or \"broadcastclient\" directives in the **/etc/ntp.conf** file. By default, the BIG-IP system is not configured to accept NTP broadcast packets.\n\nARX\n\nTo mitigate this vulnerability, you can disable NTP functionality on the ARX system.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 12.x)](<https://support.f5.com/csp/article/K13123>)\n * [K10025: Managing BIG-IP product hotfixes (10.x)](<https://support.f5.com/csp/article/K10025>)\n * [K9502: BIG-IP hotfix matrix](<https://support.f5.com/csp/article/K9502>)\n * [K15106: Managing BIG-IQ product hotfixes](<https://support.f5.com/csp/article/K15106>)\n * [K15113: BIG-IQ hotfix matrix](<https://support.f5.com/csp/article/K15113>)\n * [K12766: ARX hotfix matrix](<https://support.f5.com/csp/article/K12766>)\n", "modified": "2017-03-14T19:23:00", "published": "2016-02-22T21:36:00", "href": "https://support.f5.com/csp/article/K32790144", "id": "F5:K32790144", "title": "NTP vulnerability CVE-2015-7973", "type": "f5", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": 
"2019-02-20T09:05:57", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned ID 572824 (BIG-IP), ID 573413 (Enterprise Manager), ID 573411 (BIG-IQ), and ID 507785 (ARX) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H574747 on the **Diagnostics** > **Identified** > **Low** screen. \n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.1.0 - 10.2.4| None| Low| ntpd \nBIG-IP AAM| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| None| Low| ntpd \nBIG-IP AFM| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| None| Low| ntpd \nBIG-IP Analytics| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1| None| Low| ntpd \nBIG-IP APM| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.1.0 - 10.2.4| None| Low| ntpd \nBIG-IP ASM| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.1.0 - 10.2.4| None| Low| ntpd \nBIG-IP DNS| 12.0.0 - 12.1.1| None| Low| ntpd \nBIG-IP Edge Gateway| 11.2.1 \n10.1.0 - 10.2.4| None| Low| ntpd \nBIG-IP GTM| 11.4.0 - 11.6.1 \n11.2.1 \n10.1.0 - 10.2.4| None| Low| ntpd \nBIG-IP Link Controller| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.1.0 - 10.2.4| None| Low| ntpd \nBIG-IP PEM| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| None| Low| ntpd \nBIG-IP PSM| 11.4.0 - 11.4.1 \n11.2.1 \n10.1.0 - 10.2.4| None| Low| ntpd \nBIG-IP WebAccelerator| 11.2.1 \n10.1.0 - 10.2.4| None| Low| ntpd \nBIG-IP WOM| 11.2.1 \n10.1.0 - 10.2.4| None| Low| ntpd \nARX| 6.2.0 - 6.4.0| None| Low| ntpd and ntpq \nEnterprise Manager| 3.0.0 - 3.1.1| None| Low| ntpd 
\nFirePass| None| 7.0.0| Not vulnerable| None \nBIG-IQ Cloud| 4.0.0 - 4.5.0| None| Low| ntpd \nBIG-IQ Device| 4.2.0 - 4.5.0| None| Low| ntpd \nBIG-IQ Security| 4.0.0 - 4.5.0| None| Low| ntpd \nBIG-IQ ADC| 4.5.0| None| Low| ntpd \nBIG-IQ Centralized Management| 5.0.0 - 5.1.0 \n4.6.0| None| Low| ntpd \nBIG-IQ Cloud and Orchestration| 1.0.0| None| Low| ntpd \nLineRate| 2.5.0 - 2.6.1| None| Low| ntp \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| None| Low| ntpd\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nBIG-IP, BIG-IQ, and Enterprise Manager\n\nTo mitigate this vulnerability, do not configure NTP to accept symmetric key encryption.\n\nLineRate\n\nIf you choose to use symmetric keys to authenticate time packets in an untrusted environment where ephemeral time servers can be created, or if it is expected that malicious time servers will participate in an NTP broadcast domain, limit the number of systems that participate in the shared-key group.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 12.x)](<https://support.f5.com/csp/article/K13123>)\n 
* [K10025: Managing BIG-IP product hotfixes (10.x)](<https://support.f5.com/csp/article/K10025>)\n * [K9502: BIG-IP hotfix matrix](<https://support.f5.com/csp/article/K9502>)\n * [K10322: FirePass hotfix matrix](<https://support.f5.com/csp/article/K10322>)\n * [K12766: ARX hotfix matrix](<https://support.f5.com/csp/article/K12766>)\n", "modified": "2017-03-14T19:23:00", "published": "2016-02-24T00:23:00", "id": "F5:K13304944", "href": "https://support.f5.com/csp/article/K13304944", "title": "NTP vulnerability CVE-2015-7974", "type": "f5", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-06-08T00:16:40", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned ID 570697 (BIG-IP), ID 573411 (BIG-IQ), ID 507785 (ARX), LRS-60602 (LineRate), and INSTALLER-2199 (Traffix SDC) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| 12.0.0 - 12.1.0 \n11.6.0 - 11.6.1 \n11.5.3 - 11.5.4 \n11.5.0 HF7 \n11.4.1 HF9 - HF11 \n11.4.0 HF10| 12.1.1 - 12.1.2 \n11.5.1 - 11.5.2 \n11.5.0 - 11.5.0 HF6 \n11.4.1 - 11.4.1 HF8 \n11.4.0 - 11.4.0 HF9 \n11.2.1 \n10.1.0 - 10.2.4| Medium| ntpd \nBIG-IP AAM| 12.0.0 - 12.1.0 \n11.6.0 - 11.6.1 \n11.5.3 - 11.5.4 \n11.5.0 HF7 \n11.4.1 HF9 \n11.4.0 HF10| 12.1.1 - 12.1.2 \n11.5.1 - 11.5.2 \n11.5.0 - 11.5.0 HF6 \n11.4.1 - 11.4.1 HF8 \n11.4.0 - 11.4.0 HF9| Medium| ntpd \nBIG-IP AFM| 12.0.0 - 12.1.0 \n11.6.0 - 11.6.1 \n11.5.3 - 11.5.4 \n11.5.0 HF7 \n11.4.1 HF9 \n11.4.0 HF10| 12.1.1 - 12.1.2 \n11.5.1 - 11.5.2 \n11.5.0 - 11.5.0 
HF6 \n11.4.1 - 11.4.1 HF8 \n11.4.0 - 11.4.0 HF9| Medium| ntpd \nBIG-IP Analytics| 12.0.0 - 12.1.0 \n11.6.0 - 11.6.1 \n11.5.3 - 11.5.4 \n11.5.0 HF7 \n11.4.1 HF9 \n11.4.0 HF10| 12.1.1 - 12.1.2 \n11.5.1 - 11.5.2 \n11.5.0 - 11.5.0 HF6 \n11.4.1 - 11.4.1 HF8 \n11.4.0 - 11.4.0 HF9 \n11.2.1| Medium| ntpd \nBIG-IP APM| 12.0.0 - 12.1.0 \n11.6.0 - 11.6.1 \n11.5.3 - 11.5.4 \n11.5.0 HF7 \n11.4.1 HF9 \n11.4.0 HF10| 12.1.1 - 12.1.2 \n11.5.1 - 11.5.2 \n11.5.0 - 11.5.0 HF6 \n11.4.1 - 11.4.1 HF8 \n11.4.0 - 11.4.0 HF9 \n11.2.1 \n10.1.0 - 10.2.4| Medium| ntpd \nBIG-IP ASM| 12.0.0 - 12.1.0 \n11.6.0 - 11.6.1 \n11.5.3 - 11.5.4 \n11.5.0 HF7 \n11.4.1 HF9 \n11.4.0 HF10| 12.1.1 - 12.1.2 \n11.5.1 - 11.5.2 \n11.5.0 - 11.5.0 HF6 \n11.4.1 - 11.4.1 HF8 \n11.4.0 - 11.4.0 HF9 \n11.2.1 \n10.1.0 - 10.2.4| Medium| ntpd \nBIG-IP DNS| 12.0.0 - 12.1.0| 12.1.1 - 12.1.2| Medium| ntpd \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| 11.6.0 - 11.6.1 \n11.5.3 - 11.5.4 \n11.5.0 HF7 \n11.4.1 HF9 \n11.4.0 HF10| 11.5.1 - 11.5.2 \n11.5.0 - 11.5.0 HF6 \n11.4.1 - 11.4.1 HF8 \n11.4.0 - 11.4.0 HF9 \n11.2.1 \n10.1.0 - 10.2.4| Medium| ntpd \nBIG-IP Link Controller| 12.0.0 - 12.1.0 \n11.6.0 - 11.6.1 \n11.5.3 - 11.5.4 \n11.5.0 HF7 \n11.4.1 HF9 \n11.4.0 HF10| 12.1.1 - 12.1.2 \n11.5.1 - 11.5.2 \n11.5.0 - 11.5.0 HF6 \n11.4.1 - 11.4.1 HF8 \n11.4.0 - 11.4.0 HF9 \n11.2.1 \n10.1.0 - 10.2.4| Medium| ntpd \nBIG-IP PEM| 12.0.0 - 12.1.0 \n11.6.0 - 11.6.1 \n11.5.3 - 11.5.4 \n11.5.0 HF7 \n11.4.1 HF9 \n11.4.0 HF10| 12.1.1 - 12.1.2 \n11.5.1 - 11.5.2 \n11.5.0 - 11.5.0 HF6 \n11.4.1 - 11.4.1 HF8 \n11.4.0 - 11.4.0 HF9| Medium| ntpd \nBIG-IP PSM| 11.4.1 HF9 \n11.4.0 HF10| 11.4.1 - 11.4.1 HF8 \n11.4.0 - 11.4.0 HF9 \n11.2.1 \n10.1.0 - 10.2.4| Medium| ntpd \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nARX| 6.0.0 - 6.4.0| None| Low| ntpd \nEnterprise Manager| None| 3.0.0 - 3.1.1| 
Not vulnerable| None \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| 4.0.0 - 4.5.0| None| Medium| ntpd \nBIG-IQ Device| 4.2.0 - 4.5.0| None| Medium| ntpd \nBIG-IQ Security| 4.0.0 - 4.5.0| None| Medium| ntpd \nBIG-IQ ADC| 4.5.0| None| Medium| ntpd \nBIG-IQ Centralized Management| 4.6.0| None| Medium| ntpd \nBIG-IQ Cloud and Orchestration| 1.0.0| None| Medium| ntpd \nLineRate| 2.5.0 - 2.6.1| None| Medium| ntpd \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| None| Low| ntpd\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "modified": "2017-03-14T19:23:00", "published": "2016-02-22T22:22:00", "href": "https://support.f5.com/csp/article/K71245322", "id": "F5:K71245322", "title": "NTP vulnerability CVE-2015-8138", "type": "f5", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-07-21T02:17:01", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned ID 572824 (BIG-IP), ID 573411(BIG-IQ), ID 573413 (Enterprise Manager), and ID 507785 (ARX) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. 
Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H21230183 on the **Diagnostics** > **Identified** > **Low** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| None| Low| ntpq \nBIG-IP AAM| 12.0.0 \n11.4.0 - 11.6.0| None| Low| ntpq \nBIG-IP AFM| 12.0.0 \n11.3.0 - 11.6.0| None| Low| ntpq \nBIG-IP Analytics| 12.0.0 \n11.0.0 - 11.6.0| None| Low| ntpq \nBIG-IP APM| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| None| Low| ntpq \nBIG-IP ASM| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| None| Low| ntpq \nBIG-IP DNS| 12.0.0| None| Low| ntpq \nBIG-IP Edge Gateway| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| ntpq \nBIG-IP GTM| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| None| Low| ntpq \nBIG-IP Link Controller| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| None| Low| ntpq \nBIG-IP PEM| 12.0.0 \n11.3.0 - 11.6.0| None| Low| ntpq \nBIG-IP PSM| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| None| Low| ntpq \nBIG-IP WebAccelerator| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| ntpq \nBIG-IP WOM| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| ntpq \nARX| 6.0.0 - 6.4.0| None| Low| ntpq and ntpd \nEnterprise Manager| 3.0.0 - 3.1.1| None| Low| ntpq \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| 4.0.0 - 4.5.0| None| Low| ntpq \nBIG-IQ Device| 4.2.0 - 4.5.0| None| Low| ntpq \nBIG-IQ Security| 4.0.0 - 4.5.0| None| Low| ntpq \nBIG-IQ ADC| 4.5.0| None| Low| ntpq \nBIG-IQ Centralized Management| 4.6.0| None| Low| ntpq \nBIG-IQ Cloud and Orchestration| 1.0.0| None| Low| ntpq \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 
WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| Not vulnerable| None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nFor the ntpd component\n\nBy default, the BIG-IP, BIG-IQ, or Enterprise Manager system's NTP configuration does not permit the source to query or modify the NTP service on the system. If you have modified the default NTP configuration to allow changes by a remote client, you can use the directive \"restrict default nomodify\" and not allow untrusted hosts to make modifications.\n\nFor the ntpq component\n\nTo prevent a local user from exploiting this vulnerability when they are querying a remote NTP server, you can allow access to the BIG-IP or Enterprise Manager system over a secure network, and limit login access to only trusted users. 
For more information, refer to [K13092: Overview of securing access to the BIG-IP system](<https://support.f5.com/csp/article/K13092>).\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n * [K10025: Managing BIG-IP product hotfixes (10.x)](<https://support.f5.com/csp/article/K10025>)\n * [K9502: BIG-IP hotfix matrix](<https://support.f5.com/csp/article/K9502>)\n * [K15106: Managing BIG-IQ product hotfixes](<https://support.f5.com/csp/article/K15106>)\n * [K15113: BIG-IQ hotfix matrix](<https://support.f5.com/csp/article/K15113>)\n * [K12766: ARX hotfix matrix](<https://support.f5.com/csp/article/K12766>)\n", "modified": "2017-04-04T22:20:00", "published": "2016-02-23T01:59:00", "id": "F5:K21230183", "href": "https://support.f5.com/csp/article/K21230183", "title": "NTP vulnerability CVE-2015-7976", "type": "f5", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-06-08T00:16:14", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned ID 573343 (BIG-IP), ID 573411 (BIG-IQ), ID 573413 (Enterprise Manager), ID 507785 (ARX), and INSTALLER-2198 (Traffix SDC) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. 
Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H01324833 on the **Diagnostics** > **Identified** > **Low** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpq \nBIG-IP AAM| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpq \nBIG-IP AFM| 12.0.0 - 12.1.1 \n11.3.0 - 11.6.1| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpq \nBIG-IP Analytics| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpq \nBIG-IP APM| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpq \nBIG-IP ASM| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpq \nBIG-IP DNS| 12.0.0 - 12.1.1| 12.1.2| Low| ntpq \nBIG-IP Edge Gateway| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| ntpq \nBIG-IP GTM| 11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 11.6.1 HF2 \n11.5.4 HF3| Low| ntpq \nBIG-IP Link Controller| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpq \nBIG-IP PEM| 12.0.0 - 12.1.1 \n11.3.0 - 11.6.1| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpq \nBIG-IP PSM| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| None| Low| ntpq \nBIG-IP WebAccelerator| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| ntpq \nBIG-IP WOM| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| ntpq \nARX| 6.0.0 - 6.4.0| None| Low| ntpq \nEnterprise Manager| 3.0.0 - 3.1.1| None| Low| ntpq \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| 4.0.0 - 4.5.0| None| Low| 
ntpq \nBIG-IQ Device| 4.2.0 - 4.5.0| None| Low| ntpq \nBIG-IQ Security| 4.0.0 - 4.5.0| None| Low| ntpq \nBIG-IQ ADC| 4.5.0| None| Low| ntpq \nBIG-IQ Centralized Management| 4.6.0| None| Low| ntpq \nBIG-IQ Cloud and Orchestration| 1.0.0| None| Low| ntpq \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| None| Low| ntpq\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nTo mitigate this vulnerability, you should avoid using the **ntpq** utility. If you must use the **ntpq** utility, you should use it with trusted NTP servers that are not subjected to man-in-the-middle (MitM) impersonation.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n * [K9502: BIG-IP hotfix matrix](<https://support.f5.com/csp/article/K9502>)\n", "modified": "2017-04-03T22:07:00", "published": "2016-02-22T22:00:00", "href": "https://support.f5.com/csp/article/K01324833", "id": "F5:K01324833", "type": "f5", "title": "NTP vulnerability CVE-2015-8158", "cvss": 
{"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-06-08T00:16:34", "bulletinFamily": "software", "description": "\nF5 Product Development has assigned ID 573343 (BIG-IP), ID 573411 (BIG-IQ), ID 573413 (Enterprise Manager), and ID 507785 (ARX) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H574753 on the **Diagnostics** > **Identified** > **Low** screen.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP AAM| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP AFM| 12.0.0 - 12.1.1 \n11.3.0 - 11.6.1| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP Analytics| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP APM| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP ASM| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP DNS| 12.0.0 - 12.1.1| 12.1.2| Low| ntpd \nBIG-IP Edge Gateway| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| ntpd \nBIG-IP GTM| 11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP Link Controller| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP PEM| 12.0.0 - 12.1.1 \n11.3.0 - 11.6.1| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd 
\nBIG-IP PSM| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| None| Low| ntpd \nBIG-IP WebAccelerator| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| ntpd \nBIG-IP WOM| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| ntpd \nARX| 6.0.0 - 6.4.0| None| Low| ntpq and ntpd \nEnterprise Manager| 3.0.0 - 3.1.1| None| Low| ntpd \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| 4.0.0 - 4.5.0| None| Low| ntpd \nBIG-IQ Device| 4.2.0 - 4.5.0| None| Low| ntpd \nBIG-IQ Security| 4.0.0 - 4.5.0| None| Low| ntpd \nBIG-IQ ADC| 4.5.0| None| Low| ntpd \nBIG-IQ Centralized Management| 4.6.0| None| Low| ntpd \nBIG-IQ Cloud and Orchestration| 1.0.0| None| Low| ntpd \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| Not vulnerable| None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nBy default, a BIG-IP, BIG-IQ, or Enterprise Manager system's NTP configuration does not accept broadcast NTP packets. 
If you have modified the default NTP configuration to accept broadcast packets, you can modify the NTP configuration to not accept broadcast packets by not configuring the \"broadcast\" directive in the **/config/ntp.conf** file.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n * [K9502: BIG-IP hotfix matrix](<https://support.f5.com/csp/article/K9502>)\n", "modified": "2017-05-03T22:47:00", "published": "2016-02-23T02:29:00", "href": "https://support.f5.com/csp/article/K05046514", "id": "F5:K05046514", "type": "f5", "title": "NTP vulnerability CVE-2015-7979", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "openvas": [{"lastseen": "2018-10-22T16:37:35", "bulletinFamily": "scanner", "description": "Multiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package.\n Versions of this package are affected by one or more vulnerabilities that could allow an\n unauthenticated, remote attacker to create a denial of service (DoS) condition or modify the time\n being advertised by a device acting as a Network Time Protocol (NTP) server.\n\n On January 19, 2016, NTP Consortium at Network Time Foundation released a security advisory\n detailing 12 issues regarding multiple DoS vulnerabilities, information disclosure vulnerabilities,\n and logic issues that may allow an attacker to shift a client", 
"modified": "2018-10-16T00:00:00", "published": "2016-05-18T00:00:00", "id": "OPENVAS:1361412562310105726", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105726", "title": "Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_ipics_cisco-sa-20160127-ntpd.nasl 11922 2018-10-16 10:24:25Z asteins $\n#\n# Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:ip_interoperability_and_collaboration_system\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105726\");\n script_cve_id(\"CVE-2015-7974\", \"CVE-2015-7975\", \"CVE-2015-7976\", \"CVE-2015-7978\", \"CVE-2015-7977\", \"CVE-2015-7979\", \"CVE-2015-8138\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\", \"CVE-2015-7973\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_version(\"$Revision: 11922 $\");\n\n script_name(\"Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016\");\n\n script_xref(name:\"URL\", value:\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n script_tag(name:\"summary\", value:\"Multiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package.\n Versions of this package are affected by one or more vulnerabilities that could allow an\n unauthenticated, remote attacker to create a denial of service (DoS) condition or modify the time\n being advertised by a device acting as a Network Time Protocol (NTP) server.\n\n On January 19, 2016, NTP Consortium at Network Time Foundation released a security advisory\n detailing 12 issues regarding multiple DoS vulnerabilities, information disclosure vulnerabilities,\n and logic issues that may allow an attacker to 
shift a client's time. The vulnerabilities covered in\n this document are as follows: CVE-2015-7973: Network Time Protocol Replay Attack on Authenticated\n Broadcast Mode Vulnerability CVE-2015-7974: Network Time Protocol Missing Trusted Key Check CVE-2015-\n 7975: Standard Network Time Protocol Query Program nextvar() Missing Length Check CVE-2015-7976:\n Standard Network Time Protocol Query Program saveconfig Command Allows Dangerous Characters in\n Filenames CVE-2015-7978: Network Time Protocol Daemon reslist NULL Pointer Deference Denial of\n Service Vulnerability CVE-2015-7977: Network Time Protocol Stack Exhaustion Denial of Service CVE-2015-\n 7979: Network Time Protocol Off-Path Broadcast Mode Denial of Service CVE-2015-8138: Network Time\n Protocol Zero Origin Timestamp Bypass CVE-2015-8139: Network Time Protocol Information Disclosure of\n Origin Timestamp CVE-2015-8140: Standard Network Time Protocol Query Program Replay Attack CVE-2015-\n 8158: Standard and Special Network Time Protocol Query Program Infinite loop\n\n Cisco has released software updates that address these vulnerabilities.\n\n Workarounds that address some of these vulnerabilities may be available. Available workarounds will\n be documented in the corresponding Cisco bug for each affected product.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-16 12:24:25 +0200 (Tue, 16 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-05-18 10:53:18 +0200 (Wed, 18 May 2016)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_ipics_version.nasl\");\n script_mandatory_keys(\"cisco/ipics/version\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! 
version = get_app_version( cpe:CPE ) ) exit( 0 );\n\naffected = make_list(\n\t\t'1.0(1.1)',\n\t\t'4.0(1)',\n\t\t'4.5(1)',\n\t\t'4.6(1)',\n\t\t'4.7(1)',\n\t\t'4.8(2)' );\n\nforeach af ( affected )\n{\n if( version == af )\n {\n report = report_fixed_ver( installed_version:version, fixed_version: \"See advisory\" );\n security_message( port:0, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-30T12:37:59", "bulletinFamily": "scanner", "description": "Multiple Cisco products incorporate a version of the Network Time Protocol\n daemon (ntpd) package. Versions of this package are affected by one or more vulnerabilities that could allow\n an unauthenticated, remote attacker to create a denial of service (DoS) condition or modify the time being\n advertised by a device acting as a Network Time Protocol (NTP) server.\n\n On January 19, 2016, NTP Consortium at Network Time Foundation released a security advisory detailing\n 12 issues regarding multiple DoS vulnerabilities, information disclosure vulnerabilities,\n and logic issues that may allow an attacker to shift a client", "modified": "2018-10-29T00:00:00", "published": "2016-05-09T00:00:00", "id": "OPENVAS:1361412562310105666", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105666", "title": "Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_ios_xe_cisco-sa-20160127-ntpd.nasl 12149 2018-10-29 10:48:30Z asteins $\n#\n# Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can 
redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/o:cisco:ios_xe\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105666\");\n script_cve_id(\"CVE-2015-7974\", \"CVE-2015-7975\", \"CVE-2015-7976\", \"CVE-2015-7978\", \"CVE-2015-7977\", \"CVE-2015-7979\", \"CVE-2015-8138\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\", \"CVE-2015-7973\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_version(\"$Revision: 12149 $\");\n\n script_name(\"Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016\");\n\n script_xref(name:\"URL\", value:\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n script_tag(name:\"summary\", value:\"Multiple Cisco products incorporate a version of the Network Time Protocol\n daemon (ntpd) package. 
Versions of this package are affected by one or more vulnerabilities that could allow\n an unauthenticated, remote attacker to create a denial of service (DoS) condition or modify the time being\n advertised by a device acting as a Network Time Protocol (NTP) server.\n\n On January 19, 2016, NTP Consortium at Network Time Foundation released a security advisory detailing\n 12 issues regarding multiple DoS vulnerabilities, information disclosure vulnerabilities,\n and logic issues that may allow an attacker to shift a client's time. The vulnerabilities covered in this document are as follows:\n\n - CVE-2015-7973: Network Time Protocol Replay Attack on Authenticated Broadcast Mode Vulnerability\n\n - CVE-2015-7974: Network Time Protocol Missing Trusted Key Check\n\n - CVE-2015-7975: Standard Network Time Protocol Query Program nextvar() Missing Length Check\n\n - CVE-2015-7976: Standard Network Time Protocol Query Program saveconfig Command Allows Dangerous Characters in Filenames\n\n - CVE-2015-7978: Network Time Protocol Daemon reslist NULL Pointer Deference Denial of Service Vulnerability\n\n - CVE-2015-7977: Network Time Protocol Stack Exhaustion Denial of Service\n\n - CVE-2015-7979: Network Time Protocol Off-Path Broadcast Mode Denial of Service\n\n - CVE-2015-8138: Network Time Protocol Zero Origin Timestamp Bypass\n\n - CVE-2015-8139: Network Time Protocol Information Disclosure of Origin Timestamp\n\n - CVE-2015-8140: Standard Network Time Protocol Query Program Replay Attack\n\n - CVE-2015-8158: Standard and Special Network Time Protocol Query Program Infinite loop\n\n\n Cisco has released software updates that address these vulnerabilities.\n\n Workarounds that address some of these vulnerabilities may be available. 
Available workarounds will be documented in the corresponding Cisco bug for each affected product.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-29 11:48:30 +0100 (Mon, 29 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-05-09 17:40:21 +0200 (Mon, 09 May 2016)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_ios_xe_version.nasl\");\n script_mandatory_keys(\"cisco_ios_xe/version\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) ) exit( 0 );\n\naffected = make_list(\n\t\t'2.1.0',\n\t\t'2.1.1',\n\t\t'2.1.2',\n\t\t'2.2.1',\n\t\t'2.2.2',\n\t\t'2.2.3',\n\t\t'2.3.0',\n\t\t'2.3.0t',\n\t\t'2.3.1t',\n\t\t'2.3.2',\n\t\t'2.4.0',\n\t\t'2.4.1',\n\t\t'2.5.0',\n\t\t'2.5.1',\n\t\t'2.5.2',\n\t\t'2.6.0',\n\t\t'2.6.1',\n\t\t'2.6.2',\n\t\t'3.1.0S',\n\t\t'3.1.1S',\n\t\t'3.1.2S',\n\t\t'3.1.3S',\n\t\t'3.1.4S',\n\t\t'3.1.5S',\n\t\t'3.1.6S',\n\t\t'3.1.0SG',\n\t\t'3.1.1SG',\n\t\t'3.2.0S',\n\t\t'3.2.1S',\n\t\t'3.2.2S',\n\t\t'3.2.3S',\n\t\t'3.2.0SE',\n\t\t'3.2.1SE',\n\t\t'3.2.2SE',\n\t\t'3.2.3SE',\n\t\t'3.2.0SG',\n\t\t'3.2.1SG',\n\t\t'3.2.2SG',\n\t\t'3.2.3SG',\n\t\t'3.2.4SG',\n\t\t'3.2.5SG',\n\t\t'3.2.6SG',\n\t\t'3.2.7SG',\n\t\t'3.2.8SG',\n\t\t'3.2.9SG',\n\t\t'3.2.0XO',\n\t\t'3.2.1XO',\n\t\t'3.3.0S',\n\t\t'3.3.1S',\n\t\t'3.3.2S',\n\t\t'3.3.0SE',\n\t\t'3.3.1SE',\n\t\t'3.3.2SE',\n\t\t'3.3.3SE',\n\t\t'3.3.4SE',\n\t\t'3.3.5SE',\n\t\t'3.3.0SG',\n\t\t'3.3.1SG',\n\t\t'3.3.2SG',\n\t\t'3.3.0SQ',\n\t\t'3.3.1SQ',\n\t\t'3.3.0XO',\n\t\t'3.3.1XO',\n\t\t'3.3.2XO',\n\t\t'3.4.0S',\n\t\t'3.4.1S',\n\t\t'3.4.2S',\n\t\t'3.4.3S',\n\t\t'3.4.4S',\n\t\t'3.4.5S',\n\t\t'3.4.6S',\n\t\t'3.4.0SG',\n\t\t'3.4.1SG',\n\t\t'3.4.2SG',\n\t\t'3.4.3SG',\n\t\t'3.4.4SG',\n
\t\t'3.4.5SG',\n\t\t'3.4.0SQ',\n\t\t'3.4.1SQ',\n\t\t'3.5.0E',\n\t\t'3.5.1E',\n\t\t'3.5.2E',\n\t\t'3.5.3E',\n\t\t'3.5.0S',\n\t\t'3.5.1S',\n\t\t'3.5.2S',\n\t\t'3.6.0E',\n\t\t'3.6.1E',\n\t\t'3.6.0S',\n\t\t'3.6.1S',\n\t\t'3.6.2S',\n\t\t'3.7.0E',\n\t\t'3.7.0S',\n\t\t'3.7.1S',\n\t\t'3.7.2S',\n\t\t'3.7.3S',\n\t\t'3.7.4S',\n\t\t'3.7.5S',\n\t\t'3.7.6S',\n\t\t'3.7.7S',\n\t\t'3.8.0S',\n\t\t'3.8.1S',\n\t\t'3.8.2S',\n\t\t'3.9.0S',\n\t\t'3.9.1S',\n\t\t'3.9.2S',\n\t\t'3.10.0S',\n\t\t'3.10.0aS',\n\t\t'3.10.1S',\n\t\t'3.10.2S',\n\t\t'3.10.3S',\n\t\t'3.10.4S',\n\t\t'3.10.5S',\n\t\t'3.10.6S',\n\t\t'3.11.0S',\n\t\t'3.11.1S',\n\t\t'3.11.2S',\n\t\t'3.11.3S',\n\t\t'3.11.4S',\n\t\t'3.12.0S',\n\t\t'3.12.1S',\n\t\t'3.12.2S',\n\t\t'3.12.3S',\n\t\t'3.13.0S',\n\t\t'3.13.1S',\n\t\t'3.13.2S',\n\t\t'3.14.0S',\n\t\t'3.14.1S',\n\t\t'3.14.2S',\n\t\t'3.14.3S',\n\t\t'3.14.4S',\n\t\t'3.15.0S' );\n\nforeach af ( affected )\n{\n if( version == af )\n {\n report = report_fixed_ver( installed_version:version, fixed_version: \"See advisory\" );\n security_message( port:0, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-11-19T12:59:29", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2016-05-17T00:00:00", "id": "OPENVAS:1361412562310851310", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851310", "title": "SuSE Update for ntp openSUSE-SU-2016:1292-1 (ntp)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2016_1292_1.nasl 12381 2018-11-16 11:16:30Z cfischer $\n#\n# SuSE Update for ntp openSUSE-SU-2016:1292-1 (ntp)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free 
software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851310\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-05-17 13:40:09 +0200 (Tue, 17 May 2016)\");\n script_cve_id(\"CVE-2015-5300\", \"CVE-2015-7973\", \"CVE-2015-7974\", \"CVE-2015-7975\",\n \"CVE-2015-7976\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\",\n \"CVE-2015-8138\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for ntp openSUSE-SU-2016:1292-1 (ntp)\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ntp'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n These 
security issues were fixed:\n\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n\n These non-security issues were fixed:\n\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. 
When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n\n - bsc#782060: Speedup ntpq.\n\n - bsc#916617: Add /var/db/ntp-kod.\n\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n\n - bsc#951559, bsc#975496: Fix the TZ offset output of sntp during DST.\n\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n\n This update was imported from the SUSE:SLE-12-SP1:Update update project.\");\n script_tag(name:\"affected\", value:\"ntp on openSUSE Leap 42.1\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2016:1292_1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.1\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\nres = \"\";\n\nif(release == \"openSUSELeap42.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.8p6~15.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ntp-debuginfo\", rpm:\"ntp-debuginfo~4.2.8p6~15.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ntp-debugsource\", rpm:\"ntp-debugsource~4.2.8p6~15.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ntp-doc\", rpm:\"ntp-doc~4.2.8p6~15.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = 
isrpmvuln(pkg:\"yast2-ntp-client\", rpm:\"yast2-ntp-client~3.1.22~6.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"yast2-ntp-client-devel-doc\", rpm:\"yast2-ntp-client-devel-doc~3.1.22~6.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-10-02T14:29:47", "bulletinFamily": "scanner", "description": "Amazon Linux Local Security Checks", "modified": "2018-10-01T00:00:00", "published": "2016-02-11T00:00:00", "id": "OPENVAS:1361412562310120639", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120639", "title": "Amazon Linux Local Check: alas-2016-649", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: alas-2016-649.nasl 6574 2017-07-06 13:41:26Z cfischer$\n#\n# Amazon Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@iki.fi>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://ping-viini.org\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.120639\");\n script_version(\"$Revision: 11711 $\");\n script_tag(name:\"creation_date\", value:\"2016-02-11 07:16:47 +0200 (Thu, 11 Feb 2016)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-01 14:30:57 +0200 (Mon, 01 Oct 2018) $\");\n script_name(\"Amazon Linux Local Check: alas-2016-649\");\n script_tag(name:\"insight\", value:\"Multiple flaws were found in NTP. Please see the references for more information.\");\n script_tag(name:\"solution\", value:\"Run yum update ntp to update your system.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://alas.aws.amazon.com/ALAS-2016-649.html\");\n script_cve_id(\"CVE-2015-7977\", \"CVE-2015-7974\", \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8158\", \"CVE-2015-8138\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Amazon Linux Local Security Checks\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Amazon Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"AMAZON\")\n{\nif ((res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~36.29.amzn1\", 
rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"ntpdate\", rpm:\"ntpdate~4.2.6p5~36.29.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"ntp-debuginfo\", rpm:\"ntp-debuginfo~4.2.6p5~36.29.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"ntp-doc\", rpm:\"ntp-doc~4.2.6p5~36.29.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"ntp-perl\", rpm:\"ntp-perl~4.2.6p5~36.29.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-10-01T10:26:51", "bulletinFamily": "scanner", "description": "Mageia Linux Local Security Checks mgasa-2016-0039", "modified": "2018-09-28T00:00:00", "published": "2016-02-02T00:00:00", "id": "OPENVAS:1361412562310131203", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310131203", "title": "Mageia Linux Local Check: mgasa-2016-0039", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: mgasa-2016-0039.nasl 11692 2018-09-28 16:55:19Z cfischer $\n#\n# Mageia Linux security check\n#\n# Authors:\n# Eero Volotinen <eero.volotinen@solinor.com>\n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://www.solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.131203\");\n script_version(\"$Revision: 11692 $\");\n script_tag(name:\"creation_date\", value:\"2016-02-02 07:44:19 +0200 (Tue, 02 Feb 2016)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-28 18:55:19 +0200 (Fri, 28 Sep 2018) $\");\n script_name(\"Mageia Linux Local Check: mgasa-2016-0039\");\n script_tag(name:\"solution\", value:\"Update the affected packages to the latest available version.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://advisories.mageia.org/MGASA-2016-0039.html\");\n script_cve_id(\"CVE-2015-7974\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8138\", \"CVE-2015-8158\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/mageia_linux\", \"ssh/login/release\", re:\"ssh/login/release=MAGEIA5\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"summary\", value:\"Mageia Linux Local Security Checks mgasa-2016-0039\");\n script_copyright(\"Eero Volotinen\");\n script_family(\"Mageia Linux Local Security Checks\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release) exit(0);\n\nres = \"\";\n\nif(release == \"MAGEIA5\")\n{\nif ((res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~24.4.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n 
exit(0);\n}\nif (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:45:29", "bulletinFamily": "scanner", "description": "Check the version of ntp", "modified": "2017-07-10T00:00:00", "published": "2016-02-05T00:00:00", "id": "OPENVAS:1361412562310807227", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807227", "title": "Fedora Update for ntp FEDORA-2016-8", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for ntp FEDORA-2016-8\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807227\");\n script_version(\"$Revision: 6631 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:36:10 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2016-02-05 13:14:22 +0530 (Fri, 05 Feb 2016)\");\n script_cve_id(\"CVE-2015-7974\", \"CVE-2015-8138\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8158\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for ntp FEDORA-2016-8\");\n script_tag(name: \"summary\", value: \"Check the version of ntp\");\n\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help\n of detect NVT and check if the version is vulnerable or not.\");\n\n script_tag(name: \"insight\", value: \"The Network Time Protocol (NTP) is used\n to synchronize a computer's time with another reference time source. 
This\n package includes ntpd (a daemon which continuously adjusts system time) and\n utilities used to query and configure the ntpd daemon.\n\n Perl scripts ntp-wait and ntptrace are in the ntp-perl package,\n ntpdate is in the ntpdate package and sntp is in the sntp package.\n The documentation is in the ntp-doc package.\");\n\n script_tag(name: \"affected\", value: \"ntp on Fedora 23\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n\n script_xref(name: \"FEDORA\", value: \"2016-8\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2016-January/176434.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC23\")\n{\n\n if ((res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~36.fc23\", rls:\"FC23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-11-13T12:48:54", "bulletinFamily": "scanner", "description": "The host is running NTP.org", "modified": "2018-11-12T00:00:00", "published": "2016-04-28T00:00:00", "id": "OPENVAS:1361412562310807567", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807567", "title": "NTP.org 'ntpd' Multiple Vulnerabilities", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: 
gb_ntp_mult_vuln_apr16.nasl 12313 2018-11-12 08:53:51Z asteins $\n#\n# NTP.org 'ntpd' Multiple Vulnerabilities\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807567\");\n script_version(\"$Revision: 12313 $\");\n script_cve_id(\"CVE-2015-7973\", \"CVE-2015-7974\", \"CVE-2015-7975\", \"CVE-2015-7976\",\n \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8138\",\n \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\", \"CVE-2016-1547\",\n \"CVE-2016-1548\", \"CVE-2015-7705\", \"CVE-2016-1550\", \"CVE-2016-1551\",\n \"CVE-2016-2516\", \"CVE-2016-2517\", \"CVE-2016-2518\", \"CVE-2016-2519\",\n \"CVE-2015-7704\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-12 09:53:51 +0100 (Mon, 12 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-04-28 15:41:24 +0530 (Thu, 28 Apr 2016)\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_name(\"NTP.org 'ntpd' Multiple 
Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"The host is running NTP.org's reference\n implementation of NTP server, ntpd and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n\n - The ntpd does not filter IPv4 bogon packets received from the network.\n\n - The duplicate IPs on unconfig directives will cause an assertion botch.\n\n - Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC.\n\n - An improper Restriction of Operations within the Bounds of a Memory Buffer.\n\n - Replay attack on authenticated broadcast mode.\n\n - The nextvar() function does not properly validate length.\n\n - The ntpq saveconfig command allows dangerous characters in filenames.\n\n - Restriction list NULL pointer dereference.\n\n - Uncontrolled Resource Consumption in recursive traversal of restriction list.\n\n - An off-path attacker can send broadcast packets with bad authentication to\n broadcast clients.\n\n - An improper sanity check for the origin timestamp.\n\n - Origin Leak: ntpq and ntpdc Disclose Origin Timestamp to Unauthenticated Clients.\n\n - The sequence number being included under the signature fails to prevent\n replay attacks in ntpq protocol.\n\n - An uncontrolled Resource Consumption in ntpq.\n\n - An off-path attacker can deny service to ntpd clients by demobilizing\n preemptable associations using spoofed crypto-NAK packets.\n\n - Multiple input validation errors.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n unauthenticated remote attackers to spoof packets to cause denial of service,\n authentication bypass, or certain configuration changes.\");\n\n script_tag(name:\"affected\", value:\"NTP version before 4.2.8p7\");\n\n script_tag(name:\"solution\", value:\"Upgrade to NTP version 4.2.8p7 or later.\");\n\n 
script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://www.kb.cert.org/vuls/id/718152\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"ntp_open.nasl\");\n script_mandatory_keys(\"NTP/Running\", \"NTP/Linux/Ver\");\n script_require_udp_ports(123);\n script_xref(name:\"URL\", value:\"http://www.ntp.org\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\ninclude(\"revisions-lib.inc\");\n\n##Port\nntpPort = 123;\n\nif(\"ntpd\" >!< get_kb_item(\"NTP/Linux/FullVer\")){\n exit(0);\n}\n\nif(!ntpVer = get_kb_item(\"NTP/Linux/Ver\")){\n exit(0);\n}\n\nif (revcomp(a: ntpVer, b: \"4.2.8p7\") < 0)\n{\n report = report_fixed_ver(installed_version:ntpVer, fixed_version:\"4.2.8p7\");\n security_message(data:report, port:ntpPort, proto:\"udp\");\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-11-19T12:59:53", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2018-11-16T00:00:00", "published": "2016-10-06T00:00:00", "id": "OPENVAS:1361412562310842905", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842905", "title": "Ubuntu Update for ntp USN-3096-1", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ubuntu Update for ntp USN-3096-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; 
without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.842905\");\n script_version(\"$Revision: 12381 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-11-16 12:16:30 +0100 (Fri, 16 Nov 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-10-06 06:56:04 +0200 (Thu, 06 Oct 2016)\");\n script_cve_id(\"CVE-2015-7973\", \"CVE-2015-7974\", \"CVE-2015-7975\", \"CVE-2015-7976\",\n\t\t\"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8138\",\n\t\t\"CVE-2015-8158\", \"CVE-2016-0727\", \"CVE-2016-1547\", \"CVE-2016-1548\",\n\t\t\"CVE-2016-1550\", \"CVE-2016-2516\", \"CVE-2016-2518\", \"CVE-2016-4954\",\n\t\t\"CVE-2016-4955\", \"CVE-2016-4956\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for ntp USN-3096-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ntp'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Aanchal Malhotra discovered that NTP\n incorrectly handled authenticated broadcast mode. A remote attacker could use\n this issue to perform a replay attack. (CVE-2015-7973)\n\nMatt Street discovered that NTP incorrectly verified peer associations of\nsymmetric keys. 
A remote attacker could use this issue to perform an\nimpersonation attack. (CVE-2015-7974)\n\nJonathan Gardner discovered that the NTP ntpq utility incorrectly handled\nmemory. An attacker could possibly use this issue to cause ntpq to crash,\nresulting in a denial of service. This issue only affected Ubuntu 16.04\nLTS. (CVE-2015-7975)\n\nJonathan Gardner discovered that the NTP ntpq utility incorrectly handled\ndangerous characters in filenames. An attacker could possibly use this\nissue to overwrite arbitrary files. (CVE-2015-7976)\n\nStephen Gray discovered that NTP incorrectly handled large restrict lists.\nAn attacker could use this issue to cause NTP to crash, resulting in a\ndenial of service. (CVE-2015-7977, CVE-2015-7978)\n\nAanchal Malhotra discovered that NTP incorrectly handled authenticated\nbroadcast mode. A remote attacker could use this issue to cause NTP to\ncrash, resulting in a denial of service. (CVE-2015-7979)\n\nJonathan Gardner discovered that NTP incorrectly handled origin timestamp\nchecks. A remote attacker could use this issue to spoof peer servers.\n(CVE-2015-8138)\n\nJonathan Gardner discovered that the NTP ntpq utility did not properly\nhandle certain incorrect values. An attacker could possibly use this issue\nto cause ntpq to hang, resulting in a denial of service. (CVE-2015-8158)\n\nIt was discovered that the NTP cronjob incorrectly cleaned up the\nstatistics directory. A local attacker could possibly use this to escalate\nprivileges. (CVE-2016-0727)\n\nStephen Gray and Matthew Van Gundy discovered that NTP incorrectly\nvalidated crypto-NAKs. A remote attacker could possibly use this issue to\nprevent clients from synchronizing. (CVE-2016-1547)\n\nMiroslav Lichvar and Jonathan Gardner discovered that NTP incorrectly\nhandled switching to interleaved symmetric mode. 
A remote attacker could\npossibly use this issue to prevent clients from synchronizing.\n(CVE-2016-1548)\n\nMatthew Van Gundy, Stephen Gray and Loganaden Velvindron discovered that\nNTP incorrectly handled message authentication. A remote attacker could\npossibly use this issue to recover the message digest key. (CVE-2016-1550)\n\nYihan Lian discovered that NTP incorrectly handled duplicate IPs on\nunconfig directives. An authenticated remote attacker could possibly use\nthis issue to cause NTP to crash, resulting in a denial of service.\n(CVE-2016 ...\n\n Description truncated, please see the referenced URL(s) for more information.\");\n script_tag(name:\"affected\", value:\"ntp on Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS,\n Ubuntu 12.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3096-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3096-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|12\\.04 LTS|16\\.04 LTS)\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.6.p5+dfsg-3ubuntu2.14.04.10\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU12.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.6.p3+dfsg-1ubuntu3.11\", rls:\"UBUNTU12.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n 
}\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.8p4+dfsg-3ubuntu5.3\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:47:33", "bulletinFamily": "scanner", "description": "Several vulnerabilities were discovered\nin the Network Time Protocol daemon and utility programs:\n\nCVE-2015-7974 \nMatt Street discovered that insufficient key validation allows\nimpersonation attacks between authenticated peers.\n\nCVE-2015-7977 \nCVE-2015-7978 \nStephen Gray discovered that a NULL pointer dereference\nand a buffer overflow in the handling of ntpdc reslist \ncommands may\nresult in denial of service.\n\nCVE-2015-7979 \nAanchal Malhotra discovered that if NTP is configured for broadcast\nmode, an attacker can send malformed authentication packets which\nbreak associations with the server for other broadcast clients.\n\nCVE-2015-8138 \nMatthew van Gundy and Jonathan Gardner discovered that missing\nvalidation of origin timestamps in ntpd clients may result in denial\nof service.\n\nCVE-2015-8158 \nJonathan Gardner discovered that missing input sanitising in ntpq\nmay result in denial of service.\n\nCVE-2016-1547 \nStephen Gray and Matthew van Gundy discovered that incorrect handling\nof crypto NAK packets may result in denial of service.\n\nCVE-2016-1548 \nJonathan Gardner and Miroslav Lichvar discovered that ntpd clients\ncould be forced to change from basic client/server mode to interleaved\nsymmetric mode, preventing time synchronisation.\n\nCVE-2016-1550 \nMatthew van Gundy, Stephen Gray and Loganaden Velvindron discovered\nthat timing leaks in the packet authentication code could result\nin recovery of a message digest.\n\nCVE-2016-2516 \nYihan Lian discovered that duplicate IPs on
unconfig \ndirectives will\ntrigger an assert.\n\nCVE-2016-2518 \nYihan Lian discovered that an OOB memory access could potentially\ncrash ntpd.", "modified": "2017-12-15T00:00:00", "published": "2016-08-02T00:00:00", "id": "OPENVAS:1361412562310703629", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703629", "title": "Debian Security Advisory DSA 3629-1 (ntp - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3629.nasl 8131 2017-12-15 07:30:28Z teissa $\n# Auto-generated from advisory DSA 3629-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703629\");\n script_version(\"$Revision: 8131 $\");\n script_cve_id(\"CVE-2015-7974\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\",\n \"CVE-2015-8138\", \"CVE-2015-8158\", \"CVE-2016-1547\", \"CVE-2016-1548\",\n \"CVE-2016-1550\", \"CVE-2016-2516\", \"CVE-2016-2518\");\n script_name(\"Debian Security Advisory DSA 3629-1 (ntp - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-12-15 08:30:28 +0100 (Fri, 15 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-02 10:56:41 +0530 (Tue, 02 Aug 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3629.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"ntp on Debian Linux\");\n script_tag(name: \"insight\", value: \"NTP, the Network Time Protocol,\nis used to keep computer clocks accurate by synchronizing them over the Internet\nor a local network, or by following an accurate hardware receiver that interprets\nGPS, DCF-77, NIST or similar time signals.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie),\nthese problems have 
been fixed in version 1:4.2.6.p5+dfsg-7+deb8u2.\n\nFor the testing distribution (stretch), these problems have been fixed\nin version 1:4.2.8p7+dfsg-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1:4.2.8p7+dfsg-1.\n\nWe recommend that you upgrade your ntp packages.\");\n script_tag(name: \"summary\", value: \"Several vulnerabilities were discovered\nin the Network Time Protocol daemon and utility programs:\n\nCVE-2015-7974 \nMatt Street discovered that insufficient key validation allows\nimpersonation attacks between authenticated peers.\n\nCVE-2015-7977, CVE-2015-7978 \nStephen Gray discovered that a NULL pointer dereference\nand a buffer overflow in the handling of ntpdc reslist \ncommands may\nresult in denial of service.\n\nCVE-2015-7979 \nAanchal Malhotra discovered that if NTP is configured for broadcast\nmode, an attacker can send malformed authentication packets which\nbreak associations with the server for other broadcast clients.\n\nCVE-2015-8138 \nMatthew van Gundy and Jonathan Gardner discovered that missing\nvalidation of origin timestamps in ntpd clients may result in denial\nof service.\n\nCVE-2015-8158 \nJonathan Gardner discovered that missing input sanitising in ntpq\nmay result in denial of service.\n\nCVE-2016-1547 \nStephen Gray and Matthew van Gundy discovered that incorrect handling\nof crypto NAK packets may result in denial of service.\n\nCVE-2016-1548 \nJonathan Gardner and Miroslav Lichvar discovered that ntpd clients\ncould be forced to change from basic client/server mode to interleaved\nsymmetric mode, preventing time synchronisation.\n\nCVE-2016-1550 \nMatthew van Gundy, Stephen Gray and Loganaden Velvindron discovered\nthat timing leaks in the packet authentication code could result\nin recovery of a message digest.\n\nCVE-2016-2516 \nYihan Lian discovered that duplicate IPs on unconfig \ndirectives will\ntrigger an assert.\n\nCVE-2016-2518 \nYihan Lian discovered that an OOB memory access could 
potentially\ncrash ntpd.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.8p7+dfsg-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntp-doc\", ver:\"1:4.2.8p7+dfsg-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntpdate\", ver:\"1:4.2.8p7+dfsg-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.6.p5+dfsg-7+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntp-doc\", ver:\"1:4.2.6.p5+dfsg-7+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntpdate\", ver:\"1:4.2.6.p5+dfsg-7+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:55:11", "bulletinFamily": "scanner", "description": "Several vulnerabilities were discovered\nin the Network Time Protocol daemon and utility programs:\n\nCVE-2015-7974 \nMatt Street discovered that insufficient key validation allows\nimpersonation attacks between authenticated peers.\n\nCVE-2015-7977, CVE-2015-7978 \nStephen Gray discovered that a NULL pointer dereference\nand a buffer overflow in the handling of ntpdc reslist \ncommands may\nresult in denial of service.\n\nCVE-2015-7979 \nAanchal Malhotra discovered that if NTP is configured for broadcast\nmode, an attacker can send malformed authentication packets which\nbreak associations with the server for other broadcast clients.\n\nCVE-2015-8138 \nMatthew van 
Gundy and Jonathan Gardner discovered that missing\nvalidation of origin timestamps in ntpd clients may result in denial\nof service.\n\nCVE-2015-8158 \nJonathan Gardner discovered that missing input sanitising in ntpq\nmay result in denial of service.\n\nCVE-2016-1547 \nStephen Gray and Matthew van Gundy discovered that incorrect handling\nof crypto NAK packets may result in denial of service.\n\nCVE-2016-1548 \nJonathan Gardner and Miroslav Lichvar discovered that ntpd clients\ncould be forced to change from basic client/server mode to interleaved\nsymmetric mode, preventing time synchronisation.\n\nCVE-2016-1550 \nMatthew van Gundy, Stephen Gray and Loganaden Velvindron discovered\nthat timing leaks in the packet authentication code could result\nin recovery of a message digest.\n\nCVE-2016-2516 \nYihan Lian discovered that duplicate IPs on unconfig \ndirectives will\ntrigger an assert.\n\nCVE-2016-2518 \nYihan Lian discovered that an OOB memory access could potentially\ncrash ntpd.", "modified": "2017-07-07T00:00:00", "published": "2016-08-02T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=703629", "id": "OPENVAS:703629", "title": "Debian Security Advisory DSA 3629-1 (ntp - security update)", "type": "openvas", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3629.nasl 6608 2017-07-07 12:05:05Z cfischer $\n# Auto-generated from advisory DSA 3629-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be 
useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703629);\n script_version(\"$Revision: 6608 $\");\n script_cve_id(\"CVE-2015-7974\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\",\n \"CVE-2015-8138\", \"CVE-2015-8158\", \"CVE-2016-1547\", \"CVE-2016-1548\",\n \"CVE-2016-1550\", \"CVE-2016-2516\", \"CVE-2016-2518\");\n script_name(\"Debian Security Advisory DSA 3629-1 (ntp - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:05 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-02 10:56:41 +0530 (Tue, 02 Aug 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3629.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"ntp on Debian Linux\");\n script_tag(name: \"insight\", value: \"NTP, the Network Time Protocol,\nis used to keep computer clocks accurate by synchronizing them over the Internet\nor a local network, or by following an accurate hardware receiver that interprets\nGPS, DCF-77, NIST or similar time 
signals.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie),\nthese problems have been fixed in version 1:4.2.6.p5+dfsg-7+deb8u2.\n\nFor the testing distribution (stretch), these problems have been fixed\nin version 1:4.2.8p7+dfsg-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1:4.2.8p7+dfsg-1.\n\nWe recommend that you upgrade your ntp packages.\");\n script_tag(name: \"summary\", value: \"Several vulnerabilities were discovered\nin the Network Time Protocol daemon and utility programs:\n\nCVE-2015-7974 \nMatt Street discovered that insufficient key validation allows\nimpersonation attacks between authenticated peers.\n\nCVE-2015-7977, CVE-2015-7978 \nStephen Gray discovered that a NULL pointer dereference\nand a buffer overflow in the handling of ntpdc reslist \ncommands may\nresult in denial of service.\n\nCVE-2015-7979 \nAanchal Malhotra discovered that if NTP is configured for broadcast\nmode, an attacker can send malformed authentication packets which\nbreak associations with the server for other broadcast clients.\n\nCVE-2015-8138 \nMatthew van Gundy and Jonathan Gardner discovered that missing\nvalidation of origin timestamps in ntpd clients may result in denial\nof service.\n\nCVE-2015-8158 \nJonathan Gardner discovered that missing input sanitising in ntpq\nmay result in denial of service.\n\nCVE-2016-1547 \nStephen Gray and Matthew van Gundy discovered that incorrect handling\nof crypto NAK packets may result in denial of service.\n\nCVE-2016-1548 \nJonathan Gardner and Miroslav Lichvar discovered that ntpd clients\ncould be forced to change from basic client/server mode to interleaved\nsymmetric mode, preventing time synchronisation.\n\nCVE-2016-1550 \nMatthew van Gundy, Stephen Gray and Loganaden Velvindron discovered\nthat timing leaks in the packet authentication code could result\nin recovery of a message digest.\n\nCVE-2016-2516 \nYihan Lian discovered that duplicate IPs on unconfig 
\ndirectives will\ntrigger an assert.\n\nCVE-2016-2518 \nYihan Lian discovered that an OOB memory access could potentially\ncrash ntpd.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.8p7+dfsg-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntp-doc\", ver:\"1:4.2.8p7+dfsg-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntpdate\", ver:\"1:4.2.8p7+dfsg-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.6.p5+dfsg-7+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntp-doc\", ver:\"1:4.2.6.p5+dfsg-7+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntpdate\", ver:\"1:4.2.6.p5+dfsg-7+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "suse": [{"lastseen": "2016-09-04T12:22:35", "bulletinFamily": "unix", "description": "ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n These security issues were fixed:\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist 
NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n\n This update was imported from the SUSE:SLE-12-SP1:Update update project.\n\n", "modified": "2016-05-12T21:07:47", "published": "2016-05-12T21:07:47", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00038.html", "id": "OPENSUSE-SU-2016:1292-1", "title": "Security update for ntp (important)", "type": "suse", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T11:47:01", "bulletinFamily": "unix", "description": "ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\n These 
security issues were fixed:\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. 
When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n - bsc#784760: Remove local clock from default configuration\n\n", "modified": "2016-04-28T19:09:34", "published": "2016-04-28T19:09:34", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00059.html", "id": "SUSE-SU-2016:1175-1", "title": "Security update for ntp (important)", "type": "suse", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T12:46:49", "bulletinFamily": "unix", "description": "ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n These security issues were fixed:\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: 
ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n\n", "modified": "2016-04-28T19:13:09", "published": "2016-04-28T19:13:09", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00060.html", "id": "SUSE-SU-2016:1177-1", "title": "Security update for ntp (important)", "type": "suse", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T12:27:22", "bulletinFamily": "unix", "description": "ntp was updated to version 4.2.8p6 to fix 28 security issues.\n\n Major functional changes:\n - The "sntp" commandline tool changed its option handling in a major way,\n some options have been renamed or dropped.\n - "controlkey 1" is added during update to ntp.conf to allow sntp to work.\n - The local clock is being disabled during update.\n - ntpd is no longer running chrooted.\n\n Other functional changes:\n - ntp-signd is installed.\n - "enable mode7" can be added to the configuration to allow ntpdc to work\n as compatibility mode option.\n - "kod" was removed from the default restrictions.\n - SHA1 keys are used by default instead of MD5 
keys.\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n These security issues were fixed:\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n - CVE-2015-7871: NAK to the Future: Symmetric association authentication\n bypass via crypto-NAK (bsc#951608).\n - CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning\n FAIL on some bogus values (bsc#951608).\n - CVE-2015-7854: Password Length Memory Corruption Vulnerability\n (bsc#951608).\n - CVE-2015-7853: Invalid length data provided by a custom refclock driver\n could cause a buffer overflow (bsc#951608).\n - CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability\n (bsc#951608).\n - CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#951608).\n - CVE-2015-7850: remote config logfile-keyfile (bsc#951608).\n - CVE-2015-7849: trusted key use-after-free (bsc#951608).\n - CVE-2015-7848: mode 7 loop counter underrun (bsc#951608).\n - CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC 
(bsc#951608).\n - CVE-2015-7703: configuration directives "pidfile" and "driftfile" should\n only be allowed locally (bsc#951608).\n - CVE-2015-7704, CVE-2015-7705: Clients that receive a KoD should validate\n the origin timestamp field (bsc#951608).\n - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702: Incomplete autokey data\n packet length checks (bsc#951608).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n - Add a controlkey line to /etc/ntp.conf if one does not already exist to\n allow runtime configuration via ntpq.\n - bsc#946386: Temporarily disable memlock to avoid problems due to high\n memory usage during name resolution.\n - bsc#905885: Use SHA1 instead of MD5 for symmetric keys.\n - Improve runtime configuration:\n * Read keytype from ntp.conf\n * Don't write ntp keys to syslog.\n - Fix legacy action scripts to pass on command line arguments.\n - bsc#944300: Remove "kod" from the restrict line in ntp.conf.\n - bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.\n - Add a controlkey to ntp.conf to make the above work.\n - Don't let "keysdir" lines in ntp.conf trigger the "keys" parser.\n - Disable mode 7 (ntpdc) again, now that we don't use it anymore.\n - Add "addserver" as a new legacy action.\n - bsc#910063: Fix the comment regarding addserver in 
ntp.conf.\n - bsc#926510: Disable chroot by default.\n - bsc#920238: Enable ntpdc for backwards compatibility.\n\n", "modified": "2016-05-06T13:07:50", "published": "2016-05-06T13:07:50", "id": "SUSE-SU-2016:1247-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00020.html", "title": "Security update for ntp (important)", "type": "suse", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T12:46:49", "bulletinFamily": "unix", "description": "This network time protocol server ntp was updated to 4.2.8p6 to fix the\n following issues:\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n Major functional changes:\n - The "sntp" commandline tool changed its option handling in a major way.\n - "controlkey 1" is added during update to ntp.conf to allow sntp to work.\n - The local clock is being disabled during update.\n - ntpd is no longer running chrooted.\n\n\n Other functional changes:\n - ntp-signd is installed.\n - "enable mode7" can be added to the configuration to allow ntpdc to work\n as compatibility mode option.\n - "kod" was removed from the default restrictions.\n - SHA1 keys are used by default instead of MD5 keys.\n\n These security issues were fixed:\n - CVE-2015-5219: An endless loop due to incorrect precision to double\n conversion (bsc#943216).\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: 
Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n - CVE-2015-7871: NAK to the Future: Symmetric association authentication\n bypass via crypto-NAK (bsc#951608).\n - CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning\n FAIL on some bogus values (bsc#951608).\n - CVE-2015-7854: Password Length Memory Corruption Vulnerability\n (bsc#951608).\n - CVE-2015-7853: Invalid length data provided by a custom refclock driver\n could cause a buffer overflow (bsc#951608).\n - CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability\n (bsc#951608).\n - CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#951608).\n - CVE-2015-7850: remote config logfile-keyfile (bsc#951608).\n - CVE-2015-7849: trusted key use-after-free (bsc#951608).\n - CVE-2015-7848: mode 7 loop counter underrun (bsc#951608).\n - CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#951608).\n - CVE-2015-7703: configuration directives "pidfile" and "driftfile" should\n only be allowed locally (bsc#951608).\n - CVE-2015-7704, CVE-2015-7705: Clients that receive a KoD should validate\n the origin timestamp field (bsc#951608).\n - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702: Incomplete autokey data\n packet length checks (bsc#951608).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. 
When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n - Add a controlkey line to /etc/ntp.conf if one does not already exist to\n allow runtime configuration via ntpq.\n - bsc#946386: Temporarily disable memlock to avoid problems due to high\n memory usage during name resolution.\n - bsc#905885: Use SHA1 instead of MD5 for symmetric keys.\n - Improve runtime configuration:\n * Read keytype from ntp.conf\n * Don't write ntp keys to syslog.\n - Fix legacy action scripts to pass on command line arguments.\n - bsc#944300: Remove "kod" from the restrict line in ntp.conf.\n - bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.\n - Don't let "keysdir" lines in ntp.conf trigger the "keys" parser.\n - Disable mode 7 (ntpdc) again, now that we don't use it anymore.\n - Add "addserver" as a new legacy action.\n - bsc#910063: Fix the comment regarding addserver in ntp.conf.\n - bsc#926510: Disable chroot by default.\n - bsc#920238: Enable ntpdc for backwards compatibility.\n - bsc#784760: Remove local clock from default configuration.\n - bsc#942441/fate#319496: Require perl-Socket6.\n - Improve runtime configuration:\n * Read keytype from ntp.conf\n * Don't write ntp keys to syslog.\n - bsc#920183: Allow -4 and -6 address qualifiers in "server" directives.\n - Use upstream ntp-wait, because our version is incompatible with the new\n ntpq command line syntax.\n\n", "modified": "2016-05-17T15:09:17", "published": "2016-05-17T15:09:17", "id": "SUSE-SU-2016:1311-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00048.html", "type": "suse", 
"title": "Security update for ntp (important)", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}], "nessus": [{"lastseen": "2019-01-16T20:23:55", "bulletinFamily": "scanner", "description": "ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\nThese security issues were fixed :\n\n - CVE-2015-8158: Fixed potential infinite loop in ntpq\n (bsc#962966).\n\n - CVE-2015-8138: Zero Origin Timestamp Bypass\n (bsc#963002).\n\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack\n on authenticated broadcast mode (bsc#962784).\n\n - CVE-2015-7978: Stack exhaustion in recursive traversal\n of restriction list (bsc#963000).\n\n - CVE-2015-7977: reslist NULL pointer dereference\n (bsc#962970).\n\n - CVE-2015-7976: ntpq saveconfig command allows dangerous\n characters in filenames (bsc#962802).\n\n - CVE-2015-7975: nextvar() missing length check\n (bsc#962988).\n\n - CVE-2015-7974: Skeleton Key: Missing key check allows\n impersonation between authenticated peers (bsc#962960).\n\n - CVE-2015-7973: Replay attack on authenticated broadcast\n mode (bsc#962995).\n\n - CVE-2015-8140: ntpq vulnerable to replay attacks\n (bsc#962994).\n\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose\n origin (bsc#962997).\n\n - CVE-2015-5300: MITM attacker could have forced ntpd to\n make a step larger than the panic threshold\n (bsc#951629).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2018-11-29T00:00:00", "published": "2016-05-02T00:00:00", "id": "SUSE_SU-2016-1175-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=90820", "title": "SUSE SLES11 Security Update : ntp (SUSE-SU-2016:1175-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:1175-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(90820);\n script_version(\"2.17\");\n script_cvs_date(\"Date: 2018/11/29 12:03:39\");\n\n script_cve_id(\"CVE-2015-5300\", \"CVE-2015-7973\", \"CVE-2015-7974\", \"CVE-2015-7975\", \"CVE-2015-7976\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8138\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\");\n\n script_name(english:\"SUSE SLES11 Security Update : ntp (SUSE-SU-2016:1175-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\nThese security issues were fixed :\n\n - CVE-2015-8158: Fixed potential infinite loop in ntpq\n (bsc#962966).\n\n - CVE-2015-8138: Zero Origin Timestamp Bypass\n (bsc#963002).\n\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack\n on authenticated broadcast mode (bsc#962784).\n\n - CVE-2015-7978: Stack exhaustion in recursive traversal\n of restriction list (bsc#963000).\n\n - CVE-2015-7977: reslist NULL pointer dereference\n (bsc#962970).\n\n - CVE-2015-7976: ntpq saveconfig command allows dangerous\n characters in filenames (bsc#962802).\n\n - 
CVE-2015-7975: nextvar() missing length check\n (bsc#962988).\n\n - CVE-2015-7974: Skeleton Key: Missing key check allows\n impersonation between authenticated peers (bsc#962960).\n\n - CVE-2015-7973: Replay attack on authenticated broadcast\n mode (bsc#962995).\n\n - CVE-2015-8140: ntpq vulnerable to replay attacks\n (bsc#962994).\n\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose\n origin (bsc#962997).\n\n - CVE-2015-5300: MITM attacker could have forced ntpd to\n make a step larger than the panic threshold\n (bsc#951629).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=782060\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=784760\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=916617\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=951559\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=951629\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=956773\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=962318\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=962784\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=962802\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://bugzilla.suse.com/show_bug.cgi?id=962960\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=962966\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=962970\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=962988\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=962994\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=962995\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=962997\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=963000\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=963002\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=975496\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=975981\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-5300/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7973/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7974/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7975/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7976/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7977/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://www.suse.com/security/cve/CVE-2015-7978/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7979/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-8138/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-8139/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-8140/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-8158/\"\n );\n # https://www.suse.com/support/update/announcement/2016/suse-su-20161175-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?03dcd829\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 11-SP4 :\n\nzypper in -t patch slessp4-ntp-12533=1\n\nSUSE Linux Enterprise Debuginfo 11-SP4 :\n\nzypper in -t patch dbgsp4-ntp-12533=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp-doc\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! 
ereg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"ntp-4.2.8p6-8.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"ntp-doc-4.2.8p6-8.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:23:55", "bulletinFamily": "scanner", "description": "ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\nAlso yast2-ntp-client was updated to match some sntp syntax changes.\n(bsc#937837)\n\nThese security issues were fixed :\n\n - CVE-2015-8158: Fixed potential infinite loop in ntpq\n (bsc#962966).\n\n - CVE-2015-8138: Zero Origin Timestamp Bypass\n (bsc#963002).\n\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack\n on authenticated broadcast mode (bsc#962784).\n\n - CVE-2015-7978: Stack exhaustion in recursive traversal\n of restriction list (bsc#963000).\n\n - CVE-2015-7977: reslist NULL pointer dereference\n (bsc#962970).\n\n - CVE-2015-7976: ntpq saveconfig command allows dangerous\n characters in filenames (bsc#962802).\n\n - CVE-2015-7975: nextvar() missing length check\n (bsc#962988).\n\n - CVE-2015-7974: Skeleton Key: Missing key check allows\n impersonation between authenticated peers (bsc#962960).\n\n - CVE-2015-7973: Replay attack on authenticated broadcast\n mode (bsc#962995).\n\n - CVE-2015-8140: ntpq vulnerable to replay attacks\n (bsc#962994).\n\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose\n origin (bsc#962997).\n\n - CVE-2015-5300: MITM attacker could have forced ntpd to\n make a step larger than the panic threshold\n 
(bsc#951629).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2018-11-29T00:00:00", "published": "2016-05-02T00:00:00", "id": "SUSE_SU-2016-1177-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=90821", "title": "SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1177-1)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:1177-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(90821);\n script_version(\"2.17\");\n script_cvs_date(\"Date: 2018/11/29 12:03:39\");\n\n script_cve_id(\"CVE-2015-5300\", \"CVE-2015-7973\", \"CVE-2015-7974\", \"CVE-2015-7975\", \"CVE-2015-7976\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8138\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\");\n\n script_name(english:\"SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1177-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\nAlso yast2-ntp-client was updated to match some sntp syntax changes.\n(bsc#937837)\n\nThese security issues were fixed :\n\n - CVE-2015-8158: Fixed potential infinite loop in ntpq\n (bsc#962966).\n\n - CVE-2015-8138: Zero Origin Timestamp Bypass\n (bsc#963002).\n\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack\n 
on authenticated broadcast mode (bsc#962784).\n\n - CVE-2015-7978: Stack exhaustion in recursive traversal\n of restriction list (bsc#963000).\n\n - CVE-2015-7977: reslist NULL pointer dereference\n (bsc#962970).\n\n - CVE-2015-7976: ntpq saveconfig command allows dangerous\n characters in filenames (bsc#962802).\n\n - CVE-2015-7975: nextvar() missing length check\n (bsc#962988).\n\n - CVE-2015-7974: Skeleton Key: Missing key check allows\n impersonation between authenticated peers (bsc#962960).\n\n - CVE-2015-7973: Replay attack on authenticated broadcast\n mode (bsc#962995).\n\n - CVE-2015-8140: ntpq vulnerable to replay attacks\n (bsc#962994).\n\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose\n origin (bsc#962997).\n\n - CVE-2015-5300: MITM attacker could have forced ntpd to\n make a step larger than the panic threshold\n (bsc#951629).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=782060\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=916617\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=937837\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=951559\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=951629\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=956773\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=962318\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=962784\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=962802\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=962960\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=962966\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=962970\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=962988\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=962994\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=962995\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=962997\"\n );\n 
script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=963000\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=963002\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=975496\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=975981\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-5300/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7973/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7974/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7975/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7976/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7977/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7978/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7979/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-8138/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-8139/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-8140/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-8158/\"\n );\n # https://www.suse.com/support/update/announcement/2016/suse-su-20161177-1/\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"http://www.nessus.org/u?b19cd5f6\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Software Development Kit 12-SP1 :\n\nzypper in -t patch SUSE-SLE-SDK-12-SP1-2016-694=1\n\nSUSE Linux Enterprise Server 12-SP1 :\n\nzypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-694=1\n\nSUSE Linux Enterprise Desktop 12-SP1 :\n\nzypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-694=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:12\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLED12|SLES12)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED12 / SLES12\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES12\" && (! ereg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES12 SP1\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED12\" && (! 
ereg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED12 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"ntp-4.2.8p6-8.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"ntp-debuginfo-4.2.8p6-8.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"ntp-debugsource-4.2.8p6-8.2\")) flag++;\nif (rpm_check(release:\"SLES12\", sp:\"1\", reference:\"ntp-doc-4.2.8p6-8.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"ntp-4.2.8p6-8.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"ntp-debuginfo-4.2.8p6-8.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"ntp-debugsource-4.2.8p6-8.2\")) flag++;\nif (rpm_check(release:\"SLED12\", sp:\"1\", cpu:\"x86_64\", reference:\"ntp-doc-4.2.8p6-8.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:24:03", "bulletinFamily": "scanner", "description": "ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\nAlso yast2-ntp-client was updated to match some sntp syntax changes.\n(bsc#937837)\n\nThese security issues were fixed :\n\n - CVE-2015-8158: Fixed potential infinite loop in ntpq\n (bsc#962966).\n\n - CVE-2015-8138: Zero Origin Timestamp Bypass\n (bsc#963002).\n\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack\n on authenticated broadcast mode (bsc#962784).\n\n - CVE-2015-7978: Stack exhaustion in recursive traversal\n of restriction list (bsc#963000).\n\n - CVE-2015-7977: reslist NULL pointer dereference\n (bsc#962970).\n\n - CVE-2015-7976: 
ntpq saveconfig command allows dangerous\n characters in filenames (bsc#962802).\n\n - CVE-2015-7975: nextvar() missing length check\n (bsc#962988).\n\n - CVE-2015-7974: Skeleton Key: Missing key check allows\n impersonation between authenticated peers (bsc#962960).\n\n - CVE-2015-7973: Replay attack on authenticated broadcast\n mode (bsc#962995).\n\n - CVE-2015-8140: ntpq vulnerable to replay attacks\n (bsc#962994).\n\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose\n origin (bsc#962997).\n\n - CVE-2015-5300: MITM attacker could have forced ntpd to\n make a step larger than the panic threshold\n (bsc#951629).\n\nThese non-security issues were fixed :\n\n - fate#320758 bsc#975981: Enable compile-time support for\n MS-SNTP (--enable-ntp-signd). This replaces the w32\n patches in 4.2.4 that added the authreg directive.\n\n - bsc#962318: Call /usr/sbin/sntp with full path to\n synchronize in start-ntpd. When run as cron job,\n /usr/sbin/ is not in the path, which caused the\n synchronization to fail.\n\n - bsc#782060: Speedup ntpq.\n\n - bsc#916617: Add /var/db/ntp-kod.\n\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning\n that might happen quite a lot on loaded systems.\n\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp\n during DST.\n\n - Add ntp-fork.patch and build with threads disabled to\n allow name resolution even when running chrooted.\n\nThis update was imported from the SUSE:SLE-12-SP1:Update update\nproject.", "modified": "2017-02-13T00:00:00", "published": "2016-05-13T00:00:00", "id": "OPENSUSE-2016-578.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=91111", "title": "openSUSE Security Update : ntp (openSUSE-2016-578)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-578.\n#\n# The text description of this plugin is (C) SUSE 
LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91111);\n script_version(\"$Revision: 2.7 $\");\n script_cvs_date(\"$Date: 2017/02/13 20:45:10 $\");\n\n script_cve_id(\"CVE-2015-5300\", \"CVE-2015-7973\", \"CVE-2015-7974\", \"CVE-2015-7975\", \"CVE-2015-7976\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8138\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\");\n\n script_name(english:\"openSUSE Security Update : ntp (openSUSE-2016-578)\");\n script_summary(english:\"Check for the openSUSE-2016-578 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\nAlso yast2-ntp-client was updated to match some sntp syntax changes.\n(bsc#937837)\n\nThese security issues were fixed :\n\n - CVE-2015-8158: Fixed potential infinite loop in ntpq\n (bsc#962966).\n\n - CVE-2015-8138: Zero Origin Timestamp Bypass\n (bsc#963002).\n\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack\n on authenticated broadcast mode (bsc#962784).\n\n - CVE-2015-7978: Stack exhaustion in recursive traversal\n of restriction list (bsc#963000).\n\n - CVE-2015-7977: reslist NULL pointer dereference\n (bsc#962970).\n\n - CVE-2015-7976: ntpq saveconfig command allows dangerous\n characters in filenames (bsc#962802).\n\n - CVE-2015-7975: nextvar() missing length check\n (bsc#962988).\n\n - CVE-2015-7974: Skeleton Key: Missing key check allows\n impersonation between authenticated peers (bsc#962960).\n\n - CVE-2015-7973: Replay attack on authenticated broadcast\n mode (bsc#962995).\n\n - CVE-2015-8140: ntpq vulnerable to replay attacks\n (bsc#962994).\n\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose\n origin (bsc#962997).\n\n - CVE-2015-5300: MITM attacker could have forced ntpd to\n make a step larger than the panic threshold\n 
(bsc#951629).\n\nThese non-security issues were fixed :\n\n - fate#320758 bsc#975981: Enable compile-time support for\n MS-SNTP (--enable-ntp-signd). This replaces the w32\n patches in 4.2.4 that added the authreg directive.\n\n - bsc#962318: Call /usr/sbin/sntp with full path to\n synchronize in start-ntpd. When run as cron job,\n /usr/sbin/ is not in the path, which caused the\n synchronization to fail.\n\n - bsc#782060: Speedup ntpq.\n\n - bsc#916617: Add /var/db/ntp-kod.\n\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning\n that might happen quite a lot on loaded systems.\n\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp\n during DST.\n\n - Add ntp-fork.patch and build with threads disabled to\n allow name resolution even when running chrooted.\n\nThis update was imported from the SUSE:SLE-12-SP1:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=782060\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=916617\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=937837\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=951559\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=951629\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=956773\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=962318\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=962784\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=962802\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=962960\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=962966\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=962970\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=962988\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=962994\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=962995\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=962997\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=963000\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=963002\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=975496\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=975981\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected ntp packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ntp-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ntp-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:yast2-ntp-client\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/o:novell:opensuse:42.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.1\", reference:\"ntp-4.2.8p6-15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"ntp-debuginfo-4.2.8p6-15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"ntp-debugsource-4.2.8p6-15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"yast2-ntp-client-3.1.22-6.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp / ntp-debuginfo / ntp-debugsource / yast2-ntp-client\");\n}\n", 
"cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:23:08", "bulletinFamily": "scanner", "description": "The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p6.\nIt is, therefore, affected by the following vulnerabilities :\n\n - A flaw exists in the receive() function due to the use\n of authenticated broadcast mode. A man-in-the-middle\n attacker can exploit this to conduct a replay attack.\n (CVE-2015-7973)\n\n - A time serving flaw exists in the trusted key system\n due to improper key checks. An authenticated, remote\n attacker can exploit this to perform impersonation\n attacks between authenticated peers. (CVE-2015-7974)\n\n - An overflow condition exists in the nextvar() function\n due to improper validation of user-supplied input. A\n local attacker can exploit this to cause a buffer\n overflow, resulting in a denial of service condition.\n (CVE-2015-7975)\n\n - A flaw exists in ntp_control.c due to improper filtering\n of special characters in filenames by the saveconfig\n command. An authenticated, remote attacker can exploit\n this to inject arbitrary content. (CVE-2015-7976)\n\n - A NULL pointer dereference flaw exists in ntp_request.c\n that is triggered when handling ntpdc relist commands.\n A remote attacker can exploit this, via a specially\n crafted request, to crash the service, resulting in a\n denial of service condition. (CVE-2015-7977)\n\n - A flaw exists in ntpdc that is triggered during the\n handling of the relist command. A remote attacker can\n exploit this, via recursive traversals of the\n restriction list, to exhaust available space on the call\n stack, resulting in a denial of service condition.\n (CVE-2015-7978)\n\n - An unspecified flaw exists in authenticated broadcast\n mode. 
A remote attacker can exploit this, via specially\n crafted packets, to cause a denial of service condition.\n (CVE-2015-7979)\n\n - A flaw exists in the receive() function that allows\n packets with an origin timestamp of zero to bypass\n security checks. A remote attacker can exploit this to\n spoof arbitrary content. (CVE-2015-8138)\n\n - A flaw exists in ntpq and ntpdc that allows a remote\n attacker to disclose sensitive information in\n timestamps. (CVE-2015-8139)\n\n - A flaw exists in the ntpq protocol that is triggered\n during the handling of an improper sequence of numbers.\n A man-in-the-middle attacker can exploit this to conduct\n a replay attack. (CVE-2015-8140)\n\n - A flaw exists in the ntpq client that is triggered when\n handling packets that cause a loop in the getresponse()\n function. A remote attacker can exploit this to cause an\n infinite loop, resulting in a denial of service\n condition. (CVE-2015-8158)", "modified": "2018-09-17T00:00:00", "published": "2016-01-21T00:00:00", "id": "NTP_4_2_8P6.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=88054", "title": "Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p6 Multiple Vulnerabilities", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(88054);\n script_version(\"1.17\");\n script_cvs_date(\"Date: 2018/09/17 21:46:53\");\n\n script_cve_id(\n \"CVE-2015-7973\",\n \"CVE-2015-7974\",\n \"CVE-2015-7975\",\n \"CVE-2015-7976\",\n \"CVE-2015-7977\",\n \"CVE-2015-7978\",\n \"CVE-2015-7979\",\n \"CVE-2015-8138\",\n \"CVE-2015-8139\",\n \"CVE-2015-8140\",\n \"CVE-2015-8158\"\n );\n script_bugtraq_id(\n 81963,\n 81811,\n 81814,\n 81815,\n 81816,\n 81959,\n 81960,\n 81962,\n 82102,\n 82105\n );\n script_xref(name:\"CERT\", value:\"718152\");\n\n script_name(english:\"Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p6 Multiple Vulnerabilities\");\n script_summary(english:\"Checks 
for a vulnerable NTP server.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote NTP server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p6.\nIt is, therefore, affected by the following vulnerabilities :\n\n - A flaw exists in the receive() function due to the use\n of authenticated broadcast mode. A man-in-the-middle\n attacker can exploit this to conduct a replay attack.\n (CVE-2015-7973)\n\n - A time serving flaw exists in the trusted key system\n due to improper key checks. An authenticated, remote\n attacker can exploit this to perform impersonation\n attacks between authenticated peers. (CVE-2015-7974)\n\n - An overflow condition exists in the nextvar() function\n due to improper validation of user-supplied input. A\n local attacker can exploit this to cause a buffer\n overflow, resulting in a denial of service condition.\n (CVE-2015-7975)\n\n - A flaw exists in ntp_control.c due to improper filtering\n of special characters in filenames by the saveconfig\n command. An authenticated, remote attacker can exploit\n this to inject arbitrary content. (CVE-2015-7976)\n\n - A NULL pointer dereference flaw exists in ntp_request.c\n that is triggered when handling ntpdc reslist commands.\n A remote attacker can exploit this, via a specially\n crafted request, to crash the service, resulting in a\n denial of service condition. (CVE-2015-7977)\n\n - A flaw exists in ntpdc that is triggered during the\n handling of the reslist command. A remote attacker can\n exploit this, via recursive traversals of the\n restriction list, to exhaust available space on the call\n stack, resulting in a denial of service condition.\n (CVE-2015-7978)\n\n - An unspecified flaw exists in authenticated broadcast\n mode. 
A remote attacker can exploit this, via specially\n crafted packets, to cause a denial of service condition.\n (CVE-2015-7979)\n\n - A flaw exists in the receive() function that allows\n packets with an origin timestamp of zero to bypass\n security checks. A remote attacker can exploit this to\n spoof arbitrary content. (CVE-2015-8138)\n\n - A flaw exists in ntpq and ntpdc that allows a remote\n attacker to disclose sensitive information in\n timestamps. (CVE-2015-8139)\n\n - A flaw exists in the ntpq protocol that is triggered\n during the handling of an improper sequence of numbers.\n A man-in-the-middle attacker can exploit this to conduct\n a replay attack. (CVE-2015-8140)\n\n - A flaw exists in the ntpq client that is triggered when\n handling packets that cause a loop in the getresponse()\n function. A remote attacker can exploit this to cause an\n infinite loop, resulting in a denial of service\n condition. (CVE-2015-8158)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://support.ntp.org/bin/view/Main/SecurityNotice\");\n # http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d42322ca\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to NTP version 4.2.8p6 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-8140\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/01/19\");\n 
script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ntp:ntp\");\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ntp_open.nasl\");\n script_require_keys(\"NTP/Running\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Make sure NTP server is running\nget_kb_item_or_exit('NTP/Running');\n\napp_name = \"NTP Server\";\n\nport = get_kb_item(\"Services/udp/ntp\");\nif (!port) port = 123;\n\nversion = get_kb_item_or_exit(\"Services/ntp/version\");\nif (version == 'unknown') audit(AUDIT_UNKNOWN_APP_VER, app_name);\n\nmatch = eregmatch(string:version, pattern:\"([0-9a-z.]+)\");\nif (isnull(match) || empty_or_null(match[1])) audit(AUDIT_UNKNOWN_APP_VER, app_name);\n\n# Paranoia check\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nver = match[1];\nverfields = split(ver, sep:\".\", keep:FALSE);\nmajor = int(verfields[0]);\nminor = int(verfields[1]);\nif ('p' >< verfields[2])\n{\n revpatch = split(verfields[2], sep:\"p\", keep:FALSE);\n rev = int(revpatch[0]);\n patch = int(revpatch[1]);\n}\nelse\n{\n rev = int(verfields[2]);\n patch = 0;\n}\n\n# This vulnerability affects NTP 3.x / 4.x < 4.2.8p6\nif (\n (major == 3) ||\n (major == 4 && minor < 2) ||\n (major == 4 && minor == 2 && rev < 8) ||\n (major == 4 && minor == 2 && rev == 8 && patch < 6)\n)\n{\n fix = \"4.2.8p6\";\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app_name, version);\n\nreport =\n '\\n Installed version : ' + version +\n '\\n 
Fixed version : ' + fix +\n '\\n';\n\nsecurity_report_v4(\n port : port,\n proto : \"udp\",\n extra : report,\n severity : SECURITY_WARNING\n);\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-10-29T13:45:11", "bulletinFamily": "scanner", "description": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using authenticated broadcast mode packets to conduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted ntpdc reslist command, an attacker could exploit this vulnerability to cause a segmentation fault. NTP could allow a remote attacker to bypass security restrictions. By sending specially crafted broadcast packets with bad authentication, an attacker could exploit this vulnerability to cause the target broadcast client to tear down the association with the broadcast server. NTP could allow a remote attacker to obtain sensitive information, caused by an origin leak in ntpq and ntpdc. An attacker could exploit this vulnerability to obtain sensitive information. NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using ntpq to conduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by the improper processing of incoming packets by ntpq. By sending specially crafted data, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop.\n\nThis plugin has been deprecated due to manual logic changes and advisory issues. 
Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.", "modified": "2017-01-19T00:00:00", "published": "2016-06-09T00:00:00", "id": "AIX_IV83984.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=91516", "type": "nessus", "title": "AIX 6.1 TL 9 : ntp (IV83984) (deprecated)", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory ntp_advisory6.asc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2017/01/20. Deprecated by aix_ntp_v3_advisory6.nasl.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91516);\n script_version(\"$Revision: 2.4 $\");\n script_cvs_date(\"$Date: 2017/01/19 19:35:23 $\");\n\n script_cve_id(\"CVE-2015-7973\", \"CVE-2015-7977\", \"CVE-2015-7979\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\");\n\n script_name(english:\"AIX 6.1 TL 9 : ntp (IV83984) (deprecated)\");\n script_summary(english:\"Check for APAR IV83984\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"This plugin has been deprecated.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could\nallow a remote attacker to launch a replay attack. An attacker could\nexploit this vulnerability using authenticated broadcast mode packets\nto conduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by a NULL pointer\ndereference. By sending a specially crafted ntpdc reslist command, an\nattacker could exploit this vulnerability to cause a segmentation\nfault. NTP could allow a remote attacker to bypass security\nrestrictions. By sending specially crafted broadcast packets with bad\nauthentication, an attacker could exploit this vulnerability to cause\nthe target broadcast client to tear down the association with the\nbroadcast server. 
NTP could allow a remote attacker to obtain\nsensitive information, caused by an origin leak in ntpq and ntpdc. An\nattacker could exploit this vulnerability to obtain sensitive\ninformation. NTP could allow a remote attacker to launch a replay\nattack. An attacker could exploit this vulnerability using ntpq to\nconduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by the improper\nprocessing of incoming packets by ntpq. By sending specially crafted\ndata, an attacker could exploit this vulnerability to cause the\napplication to enter into an infinite loop.\n\nThis plugin has been deprecated due to manual logic changes and\nadvisory issues. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356)\ninstead.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"n/a\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:6.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated. 
Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"6.1\", ml:\"09\", sp:\"04\", patch:\"IV83984m4a\", package:\"bos.net.tcp.client\", minfilesetver:\"6.1.9.0\", maxfilesetver:\"6.1.9.102\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"09\", sp:\"05\", patch:\"IV83984m5a\", package:\"bos.net.tcp.client\", minfilesetver:\"6.1.9.0\", maxfilesetver:\"6.1.9.102\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"09\", sp:\"06\", patch:\"IV83984m6a\", package:\"bos.net.tcp.client\", minfilesetver:\"6.1.9.0\", maxfilesetver:\"6.1.9.102\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"09\", sp:\"07\", patch:\"IV83984s7a\", package:\"bos.net.tcp.client\", minfilesetver:\"6.1.9.0\", maxfilesetver:\"6.1.9.102\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:aix_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-10-29T13:37:58", "bulletinFamily": "scanner", "description": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could allow a remote attacker to launch a replay attack. 
An attacker could exploit this vulnerability using authenticated broadcast mode packets to conduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted ntpdc reslist command, an attacker could exploit this vulnerability to cause a segmentation fault. NTP could allow a remote attacker to bypass security restrictions. By sending specially crafted broadcast packets with bad authentication, an attacker could exploit this vulnerability to cause the target broadcast client to tear down the association with the broadcast server. NTP could allow a remote attacker to obtain sensitive information, caused by an origin leak in ntpq and ntpdc. An attacker could exploit this vulnerability to obtain sensitive information. NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using ntpq to conduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by the improper processing of incoming packets by ntpq. By sending specially crafted data, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop.\n\nThis plugin has been deprecated due to manual logic changes and advisory issues. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.", "modified": "2017-01-19T00:00:00", "published": "2016-06-09T00:00:00", "id": "AIX_IV83994.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=91518", "type": "nessus", "title": "AIX 7.1 TL 4 : ntp (IV83994) (deprecated)", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory ntp_advisory6.asc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2017/01/20. 
Deprecated by aix_ntp_v3_advisory6.nasl.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91518);\n script_version(\"$Revision: 2.4 $\");\n script_cvs_date(\"$Date: 2017/01/19 19:35:23 $\");\n\n script_cve_id(\"CVE-2015-7973\", \"CVE-2015-7977\", \"CVE-2015-7979\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\");\n\n script_name(english:\"AIX 7.1 TL 4 : ntp (IV83994) (deprecated)\");\n script_summary(english:\"Check for APAR IV83994\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"This plugin has been deprecated.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could\nallow a remote attacker to launch a replay attack. An attacker could\nexploit this vulnerability using authenticated broadcast mode packets\nto conduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by a NULL pointer\ndereference. By sending a specially crafted ntpdc reslist command, an\nattacker could exploit this vulnerability to cause a segmentation\nfault. NTP could allow a remote attacker to bypass security\nrestrictions. By sending specially crafted broadcast packets with bad\nauthentication, an attacker could exploit this vulnerability to cause\nthe target broadcast client to tear down the association with the\nbroadcast server. NTP could allow a remote attacker to obtain\nsensitive information, caused by an origin leak in ntpq and ntpdc. An\nattacker could exploit this vulnerability to obtain sensitive\ninformation. NTP could allow a remote attacker to launch a replay\nattack. An attacker could exploit this vulnerability using ntpq to\nconduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by the improper\nprocessing of incoming packets by ntpq. 
By sending specially crafted\ndata, an attacker could exploit this vulnerability to cause the\napplication to enter into an infinite loop.\n\nThis plugin has been deprecated due to manual logic changes and\nadvisory issues. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356)\ninstead.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"n/a\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:7.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! 
get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"7.1\", ml:\"04\", sp:\"00\", patch:\"IV83994m1a\", package:\"bos.net.tcp.client\", minfilesetver:\"7.1.4.0\", maxfilesetver:\"7.1.4.1\") < 0) flag++;\nif (aix_check_ifix(release:\"7.1\", ml:\"04\", sp:\"01\", patch:\"IV83994m1a\", package:\"bos.net.tcp.client\", minfilesetver:\"7.1.4.0\", maxfilesetver:\"7.1.4.1\") < 0) flag++;\nif (aix_check_ifix(release:\"7.1\", ml:\"04\", sp:\"02\", patch:\"IV83994s2a\", package:\"bos.net.tcp.client\", minfilesetver:\"7.1.4.0\", maxfilesetver:\"7.1.4.1\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:aix_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-10-29T13:34:46", "bulletinFamily": "scanner", "description": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using authenticated broadcast mode packets to conduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted ntpdc reslist command, an attacker could exploit this vulnerability to cause a segmentation fault. NTP could allow a remote attacker to bypass security restrictions. By sending specially crafted broadcast packets with bad authentication, an attacker could exploit this vulnerability to cause the target broadcast client to tear down the association with the broadcast server. NTP could allow a remote attacker to obtain sensitive information, caused by an origin leak in ntpq and ntpdc. 
An attacker could exploit this vulnerability to obtain sensitive information. NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using ntpq to conduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by the improper processing of incoming packets by ntpq. By sending specially crafted data, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop.\n\nThis plugin has been deprecated due to manual logic changes and advisory issues. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.", "modified": "2017-01-19T00:00:00", "published": "2016-06-09T00:00:00", "id": "AIX_IV83993.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=91517", "type": "nessus", "title": "AIX 7.1 TL 3 : ntp (IV83993) (deprecated)", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory ntp_advisory6.asc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2017/01/20. Deprecated by aix_ntp_v3_advisory6.nasl.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91517);\n script_version(\"$Revision: 2.4 $\");\n script_cvs_date(\"$Date: 2017/01/19 19:35:23 $\");\n\n script_cve_id(\"CVE-2015-7973\", \"CVE-2015-7977\", \"CVE-2015-7979\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\");\n\n script_name(english:\"AIX 7.1 TL 3 : ntp (IV83993) (deprecated)\");\n script_summary(english:\"Check for APAR IV83993\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"This plugin has been deprecated.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could\nallow a remote attacker to launch a replay attack. 
An attacker could\nexploit this vulnerability using authenticated broadcast mode packets\nto conduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by a NULL pointer\ndereference. By sending a specially crafted ntpdc reslist command, an\nattacker could exploit this vulnerability to cause a segmentation\nfault. NTP could allow a remote attacker to bypass security\nrestrictions. By sending specially crafted broadcast packets with bad\nauthentication, an attacker could exploit this vulnerability to cause\nthe target broadcast client to tear down the association with the\nbroadcast server. NTP could allow a remote attacker to obtain\nsensitive information, caused by an origin leak in ntpq and ntpdc. An\nattacker could exploit this vulnerability to obtain sensitive\ninformation. NTP could allow a remote attacker to launch a replay\nattack. An attacker could exploit this vulnerability using ntpq to\nconduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by the improper\nprocessing of incoming packets by ntpq. By sending specially crafted\ndata, an attacker could exploit this vulnerability to cause the\napplication to enter into an infinite loop.\n\nThis plugin has been deprecated due to manual logic changes and\nadvisory issues. 
Use aix_ntp_v3_advisory6.nasl (plugin ID 92356)\ninstead.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"n/a\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:7.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! 
get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"7.1\", ml:\"03\", sp:\"04\", patch:\"IV83993m4b\", package:\"bos.net.tcp.client\", minfilesetver:\"7.1.3.0\", maxfilesetver:\"7.1.3.47\") < 0) flag++;\nif (aix_check_ifix(release:\"7.1\", ml:\"03\", sp:\"05\", patch:\"IV83993m5a\", package:\"bos.net.tcp.client\", minfilesetver:\"7.1.3.0\", maxfilesetver:\"7.1.3.47\") < 0) flag++;\nif (aix_check_ifix(release:\"7.1\", ml:\"03\", sp:\"06\", patch:\"IV83993m6a\", package:\"bos.net.tcp.client\", minfilesetver:\"7.1.3.0\", maxfilesetver:\"7.1.3.47\") < 0) flag++;\nif (aix_check_ifix(release:\"7.1\", ml:\"03\", sp:\"07\", patch:\"IV83993s7a\", package:\"bos.net.tcp.client\", minfilesetver:\"7.1.3.0\", maxfilesetver:\"7.1.3.47\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:aix_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:24:30", "bulletinFamily": "scanner", "description": "The version of NTP installed on the remote AIX host is affected by\nthe following vulnerabilities :\n\n - A flaw exists in the receive() function due to the use\n of authenticated broadcast mode. A man-in-the-middle\n attacker can exploit this to conduct a replay attack.\n (CVE-2015-7973)\n\n - A NULL pointer dereference flaw exists in ntp_request.c\n that is triggered when handling ntpdc reslist commands.\n A remote attacker can exploit this, via a specially\n crafted request, to crash the service, resulting in a\n denial of service condition. (CVE-2015-7977)\n\n - An unspecified flaw exists in authenticated broadcast\n mode. 
A remote attacker can exploit this, via specially\n crafted packets, to cause a denial of service condition.\n (CVE-2015-7979)\n\n - A flaw exists in ntpq and ntpdc that allows a remote\n attacker to disclose sensitive information in\n timestamps. (CVE-2015-8139)\n\n - A flaw exists in the ntpq protocol that is triggered\n during the handling of an improper sequence of numbers.\n A man-in-the-middle attacker can exploit this to conduct\n a replay attack. (CVE-2015-8140)\n\n - A flaw exists in the ntpq client that is triggered when\n handling packets that cause a loop in the getresponse()\n function. A remote attacker can exploit this to cause an\n infinite loop, resulting in a denial of service\n condition. (CVE-2015-8158)", "modified": "2018-07-17T00:00:00", "published": "2016-07-18T00:00:00", "id": "AIX_NTP_V4_ADVISORY6.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=92357", "title": "AIX NTP v4 Advisory : ntp_advisory6.asc (IV83983) (IV83992)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92357);\n script_version(\"1.11\");\n script_cvs_date(\"Date: 2018/07/17 12:00:06\");\n\n script_cve_id(\n \"CVE-2015-7973\",\n \"CVE-2015-7977\",\n \"CVE-2015-7979\",\n \"CVE-2015-8139\",\n \"CVE-2015-8140\",\n \"CVE-2015-8158\"\n );\n script_bugtraq_id(\n 81814,\n 81815,\n 81816,\n 81963,\n 82102,\n 82105\n );\n script_xref(name:\"CERT\", value:\"718152\");\n\n script_name(english:\"AIX NTP v4 Advisory : ntp_advisory6.asc (IV83983) (IV83992)\");\n script_summary(english:\"Checks the version of the ntp packages for appropriate iFixes.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote AIX host has a version of NTP installed that is affected\nby multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of NTP installed on the remote AIX host is affected by\nthe following vulnerabilities :\n\n - 
A flaw exists in the receive() function due to the use\n of authenticated broadcast mode. A man-in-the-middle\n attacker can exploit this to conduct a replay attack.\n (CVE-2015-7973)\n\n - A NULL pointer dereference flaw exists in ntp_request.c\n that is triggered when handling ntpdc reslist commands.\n A remote attacker can exploit this, via a specially\n crafted request, to crash the service, resulting in a\n denial of service condition. (CVE-2015-7977)\n\n - An unspecified flaw exists in authenticated broadcast\n mode. A remote attacker can exploit this, via specially\n crafted packets, to cause a denial of service condition.\n (CVE-2015-7979)\n\n - A flaw exists in ntpq and ntpdc that allows a remote\n attacker to disclose sensitive information in\n timestamps. (CVE-2015-8139)\n\n - A flaw exists in the ntpq protocol that is triggered\n during the handling of an improper sequence of numbers.\n A man-in-the-middle attacker can exploit this to conduct\n a replay attack. (CVE-2015-8140)\n\n - A flaw exists in the ntpq client that is triggered when\n handling packets that cause a loop in the getresponse()\n function. A remote attacker can exploit this to cause an\n infinite loop, resulting in a denial of service\n condition. 
(CVE-2015-8158)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc\");\n script_set_attribute(attribute:\"solution\", value:\n\"A fix is available and can be downloaded from the IBM AIX website.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/10/17\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/08/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ntp:ntp\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"AIX Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\ninclude(\"aix.inc\");\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\noslevel = get_kb_item(\"Host/AIX/version\");\nif (isnull(oslevel)) audit(AUDIT_UNKNOWN_APP_VER, \"AIX\");\noslevel = oslevel - \"AIX-\";\n\nif ( ! 
get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This AIX package check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\naix_ntp_vulns = {\n \"6.1\": {\n \"minfilesetver\":\"6.1.6.0\",\n \"maxfilesetver\":\"6.1.6.5\",\n \"patch\":\"(IV83992s5a|IV87278s7a|IV92287m5a|IV96311m5a)\"\n },\n \"7.1\": {\n \"minfilesetver\":\"7.1.0.0\",\n \"maxfilesetver\":\"7.1.0.5\",\n \"patch\":\"(IV83983s5a|IV87279s7a|IV92287m5a|IV96312m5a)\"\n },\n \"7.2\": {\n \"minfilesetver\":\"7.1.0.0\",\n \"maxfilesetver\":\"7.1.0.5\",\n \"patch\":\"(IV83983s5a|IV87279s7a|IV92126m3a|IV96312m5a)\"\n }\n};\n\nversion_report = \"AIX \" + oslevel;\nif ( empty_or_null(aix_ntp_vulns[oslevel]) ) {\n os_options = join( sort( keys(aix_ntp_vulns) ), sep:' / ' );\n audit(AUDIT_OS_NOT, os_options, version_report);\n}\n\nforeach oslevel ( keys(aix_ntp_vulns) ) {\n package_info = aix_ntp_vulns[oslevel];\n minfilesetver = package_info[\"minfilesetver\"];\n maxfilesetver = package_info[\"maxfilesetver\"];\n patch = package_info[\"patch\"];\n if (aix_check_ifix(release:oslevel, patch:patch, package:\"ntp.rte\", minfilesetver:minfilesetver, maxfilesetver:maxfilesetver) < 0) flag++;\n}\n\nif (flag)\n{\n aix_report_extra = ereg_replace(string:aix_report_get(), pattern:\"[()]\", replace:\"\");\n aix_report_extra = ereg_replace(string:aix_report_extra, pattern:\"[|]\", replace:\" or \");\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : aix_report_extra\n );\n}\nelse\n{\n tested = aix_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp.rte\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-01-16T20:23:31", "bulletinFamily": "scanner", "description": "Security fix for CVE-2015-7974, CVE-2015-8138, CVE-2015-7977,\nCVE-2015-7978, 
CVE-2015-7979, CVE-2015-8158\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "modified": "2017-02-15T00:00:00", "published": "2016-03-04T00:00:00", "id": "FEDORA_2016-8BB1932088.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=89577", "title": "Fedora 23 : ntp-4.2.6p5-36.fc23 (2016-8bb1932088)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2016-8bb1932088.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(89577);\n script_version(\"$Revision: 1.7 $\");\n script_cvs_date(\"$Date: 2017/02/15 14:34:00 $\");\n\n script_cve_id(\"CVE-2015-7974\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8138\", \"CVE-2015-8158\");\n script_xref(name:\"FEDORA\", value:\"2016-8bb1932088\");\n\n script_name(english:\"Fedora 23 : ntp-4.2.6p5-36.fc23 (2016-8bb1932088)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2015-7974, CVE-2015-8138, CVE-2015-7977,\nCVE-2015-7978, CVE-2015-7979, CVE-2015-8158\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1297471\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1299442\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1300269\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1300270\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1300271\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1300273\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2016-January/176434.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b6201181\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected ntp package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n 
script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"ntp-4.2.6p5-36.fc23\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2017-10-29T13:38:29", "bulletinFamily": "scanner", "description": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using authenticated broadcast mode packets to conduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by a NULL pointer dereference. 
By sending a specially crafted ntpdc reslist command, an attacker could exploit this vulnerability to cause a segmentation fault. NTP could allow a remote attacker to bypass security restrictions. By sending specially crafted broadcast packets with bad authentication, an attacker could exploit this vulnerability to cause the target broadcast client to tear down the association with the broadcast server. NTP could allow a remote attacker to obtain sensitive information, caused by an origin leak in ntpq and ntpdc. An attacker could exploit this vulnerability to obtain sensitive information. NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using ntpq to conduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by the improper processing of incoming packets by ntpq. By sending specially crafted data, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop.\n\nThis plugin has been deprecated due to manual logic changes and advisory issues. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.", "modified": "2017-01-19T00:00:00", "published": "2016-06-09T00:00:00", "id": "AIX_IV84269.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=91520", "type": "nessus", "title": "AIX 5.3 TL 12 : ntp (IV84269) (deprecated)", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory ntp_advisory6.asc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2017/01/20. 
Deprecated by aix_ntp_v3_advisory6.nasl.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91520);\n script_version(\"$Revision: 2.3 $\");\n script_cvs_date(\"$Date: 2017/01/19 19:35:23 $\");\n\n script_cve_id(\"CVE-2015-7973\", \"CVE-2015-7977\", \"CVE-2015-7979\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\");\n\n script_name(english:\"AIX 5.3 TL 12 : ntp (IV84269) (deprecated)\");\n script_summary(english:\"Check for APAR IV84269\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"This plugin has been deprecated.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could\nallow a remote attacker to launch a replay attack. An attacker could\nexploit this vulnerability using authenticated broadcast mode packets\nto conduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by a NULL pointer\ndereference. By sending a specially crafted ntpdc reslist command, an\nattacker could exploit this vulnerability to cause a segmentation\nfault. NTP could allow a remote attacker to bypass security\nrestrictions. By sending specially crafted broadcast packets with bad\nauthentication, an attacker could exploit this vulnerability to cause\nthe target broadcast client to tear down the association with the\nbroadcast server. NTP could allow a remote attacker to obtain\nsensitive information, caused by an origin leak in ntpq and ntpdc. An\nattacker could exploit this vulnerability to obtain sensitive\ninformation. NTP could allow a remote attacker to launch a replay\nattack. An attacker could exploit this vulnerability using ntpq to\nconduct a replay attack and gain unauthorized access to the system.\nNTP is vulnerable to a denial of service, caused by the improper\nprocessing of incoming packets by ntpq. 
By sending specially crafted\ndata, an attacker could exploit this vulnerability to cause the\napplication to enter into an infinite loop.\n\nThis plugin has been deprecated due to manual logic changes and\nadvisory issues. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356)\ninstead.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"n/a\"\n );\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:5.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! 
get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"5.3\", ml:\"12\", sp:\"09\", patch:\"IV84269m9a\", package:\"bos.net.tcp.client\", minfilesetver:\"5.3.12.0\", maxfilesetver:\"5.3.12.10\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:aix_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "cisco": [{"lastseen": "2019-01-28T19:05:59", "bulletinFamily": "software", "description": "A vulnerability in the Network Time Protocol daemon (ntpd) could allow an authenticated, remote attacker to leverage any trusted key, not just the trusted key for its address.\n\nThe vulnerability exists because ntpd does not properly verify that the key being used matches the proper servers' key. An attacker could exploit this vulnerability by sending packets with any trusted key, as long as the keyid references another key the systems share and that key is used to compute the message authentication code (MAC). An exploit could allow the attacker to masquerade as another configured trusted association.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an unauthenticated, adjacent attacker to replay broadcast server packets.\n\nThe vulnerability is due to no replay protection on NTP broadcast packets. An attacker could exploit this vulnerability by capturing and retransmitting NTP broadcast packets to a targeted system. 
An exploit could allow the attacker to cause time settings on a targeted system to stop updating and maintain a particular time value.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an unauthenticated, remote attacker to modify time settings on a targeted system.\n\nThe vulnerability is due to incorrect processing of NTP update packets. An attacker could exploit this vulnerability by sending crafted updates that contain a zero-origin timestamp to the clients' peer server. An exploit could allow the attacker to modify the time values received by the client, preventing client systems from receiving further updates from its legitimately configured time server.\n\nA vulnerability in the Standard Network Time Protocol query program (ntpq) could allow an unauthenticated, remote attacker to replay a previously captured ntpq command.\n\nThe vulnerability is due to an invalid checking of the sequence number. An attacker could exploit this vulnerability by capturing an authenticated ntpq command that was executed and then replaying back the command at a later stage. An exploit could allow the attacker to replay previously captured ntpq commands.\n\nA vulnerability in the list_restrict4() and list_restrict6() routines of the Network Time Protocol daemon (ntpd) could allow an authenticated, remote attacker to cause the ntpd to crash.\n\nThe vulnerability is due to a null pointer dereference in the list_restrict4() and list_restrict6() routines. An attacker could exploit this vulnerability by performing an ntpdc reslist command against a device that has a large number of NTP restrictions in place. An exploit could allow the attacker to cause the ntpd to crash.\n\nA vulnerability in the standard Network Time Protocol query program (ntpq) could allow an unauthenticated, local attacker to execute a buffer overflow attack.\n\nThe vulnerability is due to the function nextvar() executing a memcpy() into the name buffer without a proper length check. 
An attacker could exploit this vulnerability by calling ntpq to read variable names from an untrusted source, such as a user or environment variable. An exploit could allow the attacker to trigger a buffer overflow.\n\nA vulnerability in the standard and special Network Time Protocol query program (ntpq and ntpdc) could allow an unauthenticated, remote attacker to cause the ntpq or ntpdc program to remain in a processing loop.\n\nThe vulnerability is due to a loop that is not exited under certain conditions in the ntpq and ntpdc processes. An attacker could exploit this vulnerability by sending malicious packets to an ntpq or ntpdc client from a malicious NTP server or from a privileged network position by conducting a man-in-the-middle attack between a targeted client and the NTP server. An exploit could allow the attacker to cause the ntpq or ntpdc process to enter an infinite loop, resulting in a denial of service (DoS) condition.\n\nA vulnerability in the standard and the special Network Time Protocol query program (ntpq and ntpdc) could allow an unauthenticated, remote attacker to obtain the value of the origin timestamp expected in the next peer response.\n\nThe vulnerability is due to ntpq and ntpdc providing this information without requiring authentication. An attacker could exploit this issue by querying the client with the appropriate ntpq or ntpdc commands. An exploit could allow the attacker to obtain the next peer response origin timestamp, which could be leveraged in further attacks.\n\nA vulnerability of the Network Time Protocol daemon (ntpd) could allow an authenticated, remote attacker to cause the ntpd to crash by exhausting the call stack.\n\nThe vulnerability exists because function calls to list_restrict4() or list_restrict6() can be made to exhaust space on the call stack. An attacker could exploit this vulnerability by performing an ntpdc reslist command against a device that has a large number of NTP restrictions in place. 
An exploit could allow the attacker to cause the ntpd to crash.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an unauthenticated, remote attacker to prevent clients from synchronizing to a time server.\n\nThe vulnerability is due to the improper handling of malicious packets by the broadcast server. An attacker could exploit this vulnerability by sending malicious, authenticated packets to the broadcast network. An exploit could allow the attacker to prevent the broadcast clients from synchronizing with configured time servers.\n\nAn issue in the standard Network Time Protocol query program (ntpq) could allow an authenticated, remote attacker to create files on the system with dangerous characters in the filename.\n\nThe issue is due to improper validation of characters within filenames. An attacker could exploit this issue by saving a filename with the saveconfig command. An exploit could allow the attacker to write filenames to the system that may contain potentially dangerous character sequences.\n\nMultiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server.\n\nOn January 19, 2016, NTP Consortium at Network Time Foundation released a security advisory detailing 12 issues regarding multiple DoS vulnerabilities, information disclosure vulnerabilities, and logic issues that may allow an attacker to shift a client's time. 
The vulnerabilities covered in this document are as follows:\n\n CVE-2015-7973: Network Time Protocol Replay Attack on Authenticated Broadcast Mode Vulnerability \n CVE-2015-7974: Network Time Protocol Missing Trusted Key Check\n CVE-2015-7975: Standard Network Time Protocol Query Program nextvar() Missing Length Check\n CVE-2015-7976: Standard Network Time Protocol Query Program saveconfig Command Allows Dangerous Characters in Filenames\n CVE-2015-7978: Network Time Protocol Daemon reslist NULL Pointer Dereference Denial of Service Vulnerability\n CVE-2015-7977: Network Time Protocol Stack Exhaustion Denial of Service\n CVE-2015-7979: Network Time Protocol Off-Path Broadcast Mode Denial of Service \n CVE-2015-8138: Network Time Protocol Zero Origin Timestamp Bypass\n CVE-2015-8139: Network Time Protocol Information Disclosure of Origin Timestamp\n CVE-2015-8140: Standard Network Time Protocol Query Program Replay Attack\n CVE-2015-8158: Standard and Special Network Time Protocol Query Program Infinite loop\n\nAdditional details on each of the vulnerabilities are in the official security advisory from the NTP Consortium at Network Time Foundation at the following link: Security Notice[\"http://nwtime.org/security-policy/\"]\n\nCisco has released software updates that address these vulnerabilities.\n\nWorkarounds that address some of these vulnerabilities may be available. Available workarounds will be documented in the corresponding Cisco bug for each affected product. 
\n\nThis advisory is available at the following link:\n\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd", "modified": "2016-03-07T14:02:40", "published": "2016-01-27T20:00:00", "id": "CISCO-SA-20160127-NTPD", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd", "type": "cisco", "title": "Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "freebsd": [{"lastseen": "2018-08-31T01:14:25", "bulletinFamily": "unix", "description": "\nNetwork Time Foundation reports:\n\nNTF's NTP Project has been notified of the following low-\n\t and medium-severity vulnerabilities that are fixed in\n\t ntp-4.2.8p6, released on Tuesday, 19 January 2016:\n\nBug 2948 / CVE-2015-8158: Potential Infinite Loop\n\t in ntpq. Reported by Cisco ASIG.\nBug 2945 / CVE-2015-8138: origin: Zero Origin\n\t Timestamp Bypass. Reported by Cisco ASIG.\nBug 2942 / CVE-2015-7979: Off-path Denial of\n\t Service (DoS) attack on authenticated broadcast\n\t mode. Reported by Cisco ASIG.\nBug 2940 / CVE-2015-7978: Stack exhaustion in\n\t recursive traversal of restriction list.\n\t Reported by Cisco ASIG.\nBug 2939 / CVE-2015-7977: reslist NULL pointer\n\t dereference. Reported by Cisco ASIG.\nBug 2938 / CVE-2015-7976: ntpq saveconfig command\n\t allows dangerous characters in filenames.\n\t Reported by Cisco ASIG.\nBug 2937 / CVE-2015-7975: nextvar() missing length\n\t check. Reported by Cisco ASIG.\nBug 2936 / CVE-2015-7974: Skeleton Key: Missing\n\t key check allows impersonation between authenticated\n\t peers. Reported by Cisco ASIG.\nBug 2935 / CVE-2015-7973: Deja Vu: Replay attack on\n\t authenticated broadcast mode. 
Reported by Cisco ASIG.\n\nAdditionally, mitigations are published for the following\n\t two issues:\n\nBug 2947 / CVE-2015-8140: ntpq vulnerable to replay\n\t attacks. Reported by Cisco ASIG.\nBug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc,\n\t disclose origin. Reported by Cisco ASIG.\n\n\n", "modified": "2016-08-09T00:00:00", "published": "2016-01-20T00:00:00", "id": "5237F5D7-C020-11E5-B397-D050996490D0", "href": "https://vuxml.freebsd.org/freebsd/5237f5d7-c020-11e5-b397-d050996490d0.html", "title": "ntp -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "aix": [{"lastseen": "2018-08-31T00:08:34", "bulletinFamily": "unix", "description": "ntp_advisory6.asc: Version 6\nVersion 6 Issued: Tue Aug 16 11:41:45 CDT 2016 \nVersion 6 Changes: Fix added for AIX 7.2.0.2 and is now included in the \n tar file, ntp_fix6.tar.\n AIX 7.2.0.2 iFix for NTPv3: IV83995s2b.160713.epkg.Z \n\nIBM SECURITY ADVISORY\n\nFirst Issued: Wed Jun 8 13:17:48 CDT 2016 \n|Updated: Tue Aug 16 11:41:45 CDT 2016 \n|Update: Added iFix for AIX 7.2.0.2. \n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc\nhttps://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc\nftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc\n\n\nSecurity Bulletin: Vulnerabilities in NTP affect AIX\n CVE-2015-7973 CVE-2015-7977 CVE-2015-7979 CVE-2015-8158 \n CVE-2015-8139 CVE-2015-8140\n\n===============================================================================\n\nSUMMARY:\n\n There are multiple vulnerabilities in NTP that impact AIX. 
\n\n\n===============================================================================\n\nVULNERABILITY DETAILS:\n\n CVEID: CVE-2015-7973\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 \n DESCRIPTION: NTP could allow a remote attacker to launch a replay attack.\n An attacker could exploit this vulnerability using authenticated\n broadcast mode packets to conduct a replay attack and gain\n unauthorized access to the system. \n CVSS Base Score: 5.4 \n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/110018 for more\n information.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)\n \n CVEID: CVE-2015-7977\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977\n DESCRIPTION: NTP is vulnerable to a denial of service, caused by a NULL\n pointer dereference. By sending a specially crafted ntpdc reslist\n command, an attacker could exploit this vulnerability to cause a\n segmentation fault.\n CVSS Base Score: 5.3\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/110022 for more\n information.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n CVEID: CVE-2015-7979\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979\n DESCRIPTION: NTP could allow a remote attacker to bypass security\n restrictions. 
By sending specially crafted broadcast packets with bad\n authentication, an attacker could exploit this vulnerability to cause\n the target broadcast client to tear down the association with the\n broadcast server.\n CVSS Base Score: 6.5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/110024 for more\n information.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n CVEID: CVE-2015-8139\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8139\n DESCRIPTION: NTP could allow a remote attacker to obtain sensitive\n information, caused by an origin leak in ntpq and ntpdc. An attacker\n could exploit this vulnerability to obtain sensitive information. \n CVSS Base Score: 5.3\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/110027 for more\n information.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n CVEID: CVE-2015-8140\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8140\n DESCRIPTION: NTP could allow a remote attacker to launch a replay attack.\n An attacker could exploit this vulnerability using ntpq to conduct a\n replay attack and gain unauthorized access to the system. \n CVSS Base Score: 5.3\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/110028 for more\n information.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n CVEID: CVE-2015-8158\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158\n DESCRIPTION: NTP is vulnerable to a denial of service, caused by the\n improper processing of incoming packets by ntpq. 
By sending specially\n crafted data, an attacker could exploit this vulnerability to cause\n the application to enter into an infinite loop.\n CVSS Base Score: 5.3\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/110026 for more\n information.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n \n\n AFFECTED PRODUCTS AND VERSIONS:\n \n AIX 5.3, 6.1, 7.1, 7.2\n VIOS 2.2.x\n\n The following fileset levels are vulnerable:\n \n key_fileset = aix\n \n For NTPv3:\n\n Fileset Lower Level Upper Level KEY PRODUCT(S)\n -----------------------------------------------------------------\n bos.net.tcp.client 5.3.12.0 5.3.12.10 key_w_fs NTPv3\n bos.net.tcp.client 6.1.9.0 6.1.9.102 key_w_fs NTPv3\n bos.net.tcp.client 7.1.3.0 7.1.3.47 key_w_fs NTPv3\n bos.net.tcp.client 7.1.4.0 7.1.4.1 key_w_fs NTPv3\n bos.net.tcp.ntp 7.2.0.0 7.2.0.2 key_w_fs NTPv3\n bos.net.tcp.ntpd 7.2.0.0 7.2.0.2 key_w_fs NTPv3\n\n\n For NTPv4:\n\n Fileset Lower Level Upper Level KEY PRODUCT(S)\n -----------------------------------------------------------------\n ntp.rte 6.1.6.0 6.1.6.5 key_w_fs NTPv4\n ntp.rte 7.1.0.0 7.1.0.5 key_w_fs NTPv4\n \n Note: to find out whether the affected filesets are installed \n on your systems, refer to the lslpp command found in AIX user's guide.\n\n Example: lslpp -L | grep -i ntp.rte \n\n\n REMEDIATION:\n\n A. 
APARS\n \n IBM has assigned the following APARs to this problem:\n\n For NTPv3:\n\n AIX Level APAR Availability SP KEY PRODUCT(S)\n ------------------------------------------------------------\n 5.3.12 IV84269 N/A key_w_apar NTPv3\n 6.1.9 IV83984 10/21/16 SP8 key_w_apar NTPv3\n 7.1.3 IV83993 1/27/17 SP8 key_w_apar NTPv3\n 7.1.4 IV83994 10/21/16 SP3 key_w_apar NTPv3\n 7.2.0 IV83995 1/27/17 SP3 key_w_apar NTPv3\n\n For NTPv4:\n\n AIX Level APAR Availability SP KEY PRODUCT(S)\n ------------------------------------------------------------\n 6.1.9 IV83992 10/21/16 SP8 key_w_apar NTPv4\n 7.1.3 IV83983 1/27/17 SP8 key_w_apar NTPv4\n 7.1.4 IV83983 10/21/16 SP3 key_w_apar NTPv4\n 7.2.0 IV83983 1/27/17 SP3 key_w_apar NTPv4\n\n Subscribe to the APARs here:\n\n http://www.ibm.com/support/docview.wss?uid=isg1IV83983\n http://www.ibm.com/support/docview.wss?uid=isg1IV83984\n http://www.ibm.com/support/docview.wss?uid=isg1IV83992\n http://www.ibm.com/support/docview.wss?uid=isg1IV83993\n http://www.ibm.com/support/docview.wss?uid=isg1IV83994\n http://www.ibm.com/support/docview.wss?uid=isg1IV83995\n http://www.ibm.com/support/docview.wss?uid=isg1IV84269\n\n By subscribing, you will receive periodic email alerting you\n to the status of the APAR, and a link to download the fix once\n it becomes available.\n\n B. FIXES\n\n Fixes are available.\n\n The fixes can be downloaded via ftp or http from:\n\n ftp://aix.software.ibm.com/aix/efixes/security/ntp_fix6.tar\n http://aix.software.ibm.com/aix/efixes/security/ntp_fix6.tar\n https://aix.software.ibm.com/aix/efixes/security/ntp_fix6.tar \n\n The link above is to a tar file containing this signed\n advisory, fix packages, and OpenSSL signatures for each package.\n The fixes below include prerequisite checking. 
This will\n enforce the correct mapping between the fixes and AIX\n Technology Levels.\n\n For NTPv3:\n\n AIX Level Interim Fix (*.Z) KEY PRODUCT(S)\n ----------------------------------------------------------\n 5.3.12.9 IV84269m9a.160522.epkg.Z key_w_fix NTPv3\n 6.1.9.4 IV83984m4a.160506.epkg.Z key_w_fix NTPv3\n 6.1.9.5 IV83984m5a.160510.epkg.Z key_w_fix NTPv3\n 6.1.9.6 IV83984m6a.160504.epkg.Z key_w_fix NTPv3\n 6.1.9.7 IV83984s7a.160622.epkg.Z key_w_fix NTPv3\n 7.1.3.4 IV83993m4b.160510.epkg.Z key_w_fix NTPv3\n 7.1.3.5 IV83993m5a.160510.epkg.Z key_w_fix NTPv3\n 7.1.3.6 IV83993m6a.160505.epkg.Z key_w_fix NTPv3\n 7.1.3.7 IV83993s7a.160714.epkg.Z key_w_fix NTPv3\n 7.1.4.0 IV83994m1a.160505.epkg.Z key_w_fix NTPv3\n 7.1.4.1 IV83994m1a.160505.epkg.Z key_w_fix NTPv3\n 7.1.4.2 IV83994s2a.160620.epkg.Z key_w_fix NTPv3\n 7.2.0.0 IV83995m0a.160510.epkg.Z key_w_fix NTPv3\n 7.2.0.1 IV83995m1a.160601.epkg.Z key_w_fix NTPv3\n| 7.2.0.2 IV83995s2b.160713.epkg.Z key_w_fix NTPv3\n\n VIOS Level Interim Fix (*.Z) KEY PRODUCT(S)\n -----------------------------------------------------------\n 2.2.4.0 IV83984m6a.160504.epkg.Z key_w_fix NTPv3\n 2.2.4.2x IV83984s7a.160622.epkg.Z key_w_fix NTPv3\n\n For NTPv4:\n\n AIX Level Interim Fix (*.Z) KEY PRODUCT(S)\n ----------------------------------------------------------\n 6.1.x IV83992s5a.160602.epkg.Z key_w_fix NTPv4\n 7.1.x IV83983s5a.160602.epkg.Z key_w_fix NTPv4\n 7.2.x IV83983s5a.160602.epkg.Z key_w_fix NTPv4\n \n VIOS Level Interim Fix (*.Z) KEY PRODUCT(S)\n -----------------------------------------------------------\n 2.2.x IV83992s5a.160602.epkg.Z key_w_fix NTPv4\n \n All fixes included are cumulative and address previously\n issued AIX NTP security bulletins with respect to SP and TL. 
\n\n To extract the fixes from the tar file:\n\n tar xvf ntp_fix6.tar\n cd ntp_fix6\n\n Verify you have retrieved the fixes intact:\n\n The checksums below were generated using the\n \"openssl dgst -sha256 file\" command as the following:
\n\n These sums should match exactly. The OpenSSL signatures in the tar\n file and on this advisory can also be used to verify the\n integrity of the fixes. If the sums or signatures cannot be\n confirmed, contact IBM AIX Security at\n security-alert@austin.ibm.com and describe the discrepancy.\n \n openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>\n\n openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>\n\n Published advisory OpenSSL signature file location:\n \n http://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc.sig\n https://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc.sig\n ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc.sig \n\n C. FIX AND INTERIM FIX INSTALLATION\n\n IMPORTANT: If possible, it is recommended that a mksysb backup\n of the system be created. Verify it is both bootable and\n readable before proceeding.\n\n The fix will not take effect until any running xntpd servers\n have been stopped and restarted with the following commands:\n\n stopsrc -s xntpd\n startsrc -s xntpd\n\n To preview a fix installation:\n\n installp -a -d fix_name -p all # where fix_name is the name of the\n # fix package being previewed.\n To install a fix package:\n\n installp -a -d fix_name -X all # where fix_name is the name of the\n # fix package being installed.\n\n After installation the ntp daemon must be restarted:\n\n stopsrc -s xntpd\n\n startsrc -s xntpd\n\n Interim fixes have had limited functional and regression\n testing but not the full regression testing that takes place\n for Service Packs; however, IBM does fully support them.\n\n Interim fix management documentation can be found at:\n\n http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html\n\n To preview an interim fix installation:\n\n emgr -e ipkg_name -p # where ipkg_name is the name of the\n # interim fix package being previewed.\n\n To install 
an interim fix package:\n\n emgr -e ipkg_name -X # where ipkg_name is the name of the\n # interim fix package being installed.\n\n WORKAROUNDS AND MITIGATIONS:\n\n For CVE-2015-8139 and CVE-2015-8140:\n Monitor your ntpd instances.\n If this sort of attack is an active problem for you, you have deeper\n problems to investigate. Also consider having smaller NTP broadcast \n domains. \n If you must enable mode 7: \n configure the use of a requestkey to control who can issue mode 7\n requests. \n configure restrict noquery to further limit mode 7 requests to\n trusted sources.\n Don't use broadcast mode if you cannot monitor your client servers. \n\n\n===============================================================================\n\nCONTACT US:\n\n Note: Keywords labeled as KEY in this document are used for parsing\n purposes.\n\n If you would like to receive AIX Security Advisories via email,\n please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n\n To view previously issued advisories, please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n \n Comments regarding the content of this announcement can be\n directed to:\n\n security-alert@austin.ibm.com\n\n To obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n\n To obtain the PGP public key that can be used to communicate\n securely with the AIX Security Team via security-alert@austin.ibm.com you\n can either:\n\n A. Download the key from our web page:\n\nhttp://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt\n\n B. Download the key from a PGP Public Key Server. 
The key ID is:\n\n 0x28BFAA12\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n\nREFERENCES:\n \n Complete CVSS v3 Guide: http://www.first.org/cvss/user-guide\n On-line Calculator v3:\n http://www.first.org/cvss/calculator/3.0\n\n\nACKNOWLEDGEMENTS:\n\n None \n\n\nCHANGE HISTORY:\n\n First Issued: Wed Jun 8 13:17:48 CDT 2016 \n Updated: Thu Jun 9 11:04:06 CDT 2016\n Update: CVE-2015-8139 and CVE-2015-8140 added with clarified Workarounds\n and Mitigations section.\n Updated: Mon Jun 20 10:45:48 CDT 2016\n Update: Added iFix for AIX 7.1.4.2.\n Updated: Wed Jun 22 10:25:29 CDT 2016 \n Update: Added iFix for AIX 6.1.9.7 and VIOS 2.2.4.20.\n Updated: Tue Jul 19 11:47:37 CDT 2016\n Update: Added iFix for AIX 7.1.3.7.\n| Updated: Tue Aug 16 11:41:45 CDT 2016\n| Update: Added iFix for AIX 7.2.0.2.\n\n\n===============================================================================\n\n*The CVSS Environment Score is customer environment specific and will \nultimately impact the Overall CVSS Score. Customers can evaluate the impact \nof this vulnerability in their environments by accessing the links in the \nReference section of this Security Bulletin. \n\nDisclaimer\nAccording to the Forum of Incident Response and Security Teams (FIRST), the \nCommon Vulnerability Scoring System (CVSS) is an \"industry open standard \ndesigned to convey vulnerability severity and help to determine urgency and \npriority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY \nOF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS \nFOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT \nOF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n \n\n", "modified": "2016-08-16T11:41:45", "published": "2016-06-08T13:17:48", "id": "NTP_ADVISORY6.ASC", "href": "https://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc", "title": "Vulnerabilities in NTP affect AIX", "type": "aix", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "slackware": [{"lastseen": "2018-08-31T00:36:47", "bulletinFamily": "unix", "description": "New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\nand -current to fix security issues.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/ntp-4.2.8p6-i486-1_slack14.1.txz: Upgraded.\n In addition to bug fixes and enhancements, this release fixes\n several low and medium severity vulnerabilities.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! 
:-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/ntp-4.2.8p6-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/ntp-4.2.8p6-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/ntp-4.2.8p6-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/ntp-4.2.8p6-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/ntp-4.2.8p6-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/ntp-4.2.8p6-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/ntp-4.2.8p6-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/ntp-4.2.8p6-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/ntp-4.2.8p6-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/ntp-4.2.8p6-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/ntp-4.2.8p6-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/ntp-4.2.8p6-x86_64-1.txz
\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg ntp-4.2.8p6-i486-1_slack14.1.txz\n\nThen, restart the NTP daemon:\n\n > sh /etc/rc.d/rc.ntpd restart", "modified": "2016-02-23T11:51:20", "published": "2016-02-23T11:51:20", "id": "SSA-2016-054-04", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.546478", "title": "ntp", "type": "slackware", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "cve": [{"lastseen": "2017-11-25T11:37:06", "bulletinFamily": "NVD", "description": "ntpq in NTP before 4.2.8p7 allows remote attackers to obtain origin timestamps and then impersonate peers via unspecified vectors.", "modified": "2017-11-20T21:29:01", "published": "2017-01-30T16:59:00", "href": 
"https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8139", "id": "CVE-2015-8139", "title": "CVE-2015-8139", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-11-25T11:37:06", "bulletinFamily": "NVD", "description": "The ntpq protocol in NTP before 4.2.8p7 allows remote attackers to conduct replay attacks by sniffing the network.", "modified": "2017-11-20T21:29:01", "published": "2017-01-30T16:59:00", "id": "CVE-2015-8140", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8140", "title": "CVE-2015-8140", "type": "cve", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-05-18T11:12:20", "bulletinFamily": "NVD", "description": "NTP before 4.2.8p6 and 4.3.0 before 4.3.90 allows remote attackers to cause a denial of service (stack exhaustion) via an ntpdc relist command, which triggers recursive traversal of the restriction list.", "modified": "2018-05-17T21:29:02", "published": "2017-01-30T16:59:00", "id": "CVE-2015-7978", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7978", "title": "CVE-2015-7978", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-01-05T11:51:54", "bulletinFamily": "NVD", "description": "The getresponse function in ntpq in NTP versions before 4.2.8p9 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (infinite loop) via crafted packets with incorrect values.", "modified": "2018-01-04T21:30:20", "published": "2017-01-30T16:59:00", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8158", "id": "CVE-2015-8158", "title": "CVE-2015-8158", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-05-18T11:12:20", "bulletinFamily": "NVD", "description": "ntpd in NTP before 4.2.8p6 and 4.3.x 
before 4.3.90 allows remote attackers to cause a denial of service (NULL pointer dereference) via a ntpdc reslist command.", "modified": "2018-05-17T21:29:02", "published": "2017-01-30T16:59:00", "id": "CVE-2015-7977", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7977", "title": "CVE-2015-7977", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-05-18T11:12:20", "bulletinFamily": "NVD", "description": "NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (client-server association tear down) by sending broadcast packets with invalid authentication to a broadcast client.", "modified": "2018-05-17T21:29:02", "published": "2017-01-30T16:59:00", "id": "CVE-2015-7979", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7979", "title": "CVE-2015-7979", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-11-01T05:15:06", "bulletinFamily": "NVD", "description": "The ntpq saveconfig command in NTP 4.1.2, 4.2.x before 4.2.8p6, 4.3, 4.3.25, 4.3.70, and 4.3.77 does not properly filter special characters, which allows attackers to cause unspecified impact via a crafted filename.", "modified": "2018-10-30T12:27:37", "published": "2017-01-30T16:59:00", "id": "CVE-2015-7976", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7976", "title": "CVE-2015-7976", "type": "cve", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-01-05T11:51:53", "bulletinFamily": "NVD", "description": "NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a \"skeleton key.\"", "modified": "2018-01-04T21:30:19", "published": 
"2016-01-26T14:59:00", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7974", "id": "CVE-2015-7974", "title": "CVE-2015-7974", "type": "cve", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2017-11-25T11:37:05", "bulletinFamily": "NVD", "description": "NTP before 4.2.8p6 and 4.3.x before 4.3.90, when configured in broadcast mode, allows man-in-the-middle attackers to conduct replay attacks by sniffing the network.", "modified": "2017-11-20T21:29:00", "published": "2017-01-30T16:59:00", "id": "CVE-2015-7973", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7973", "title": "CVE-2015-7973", "type": "cve", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2017-11-25T11:37:06", "bulletinFamily": "NVD", "description": "NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to bypass the origin timestamp validation via a packet with an origin timestamp set to zero.", "modified": "2017-11-20T21:29:01", "published": "2017-01-30T16:59:00", "id": "CVE-2015-8138", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8138", "title": "CVE-2015-8138", "type": "cve", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "amazon": [{"lastseen": "2018-10-02T16:55:10", "bulletinFamily": "unix", "description": "**Issue Overview:**\n\nIt was discovered that ntpd as a client did not correctly check the originate timestamp in received packets. A remote attacker could use this flaw to send a crafted packet to an ntpd client that would effectively disable synchronization with the server, or push arbitrary offset/delay measurements to modify the time on the client. 
([CVE-2015-8138](<https://access.redhat.com/security/cve/CVE-2015-8138>))\n\nA NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash the ntpd process. ([CVE-2015-7977](<https://access.redhat.com/security/cve/CVE-2015-7977>))\n\nIt was found that NTP does not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key. ([CVE-2015-7974](<https://access.redhat.com/security/cve/CVE-2015-7974>))\n\nA stack-based buffer overflow was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash the ntpd process. ([CVE-2015-7978](<https://access.redhat.com/security/cve/CVE-2015-7978>))\n\nIt was found that when NTP is configured in broadcast mode, an off-path attacker could broadcast packets with bad authentication (wrong key, mismatched key, incorrect MAC, etc) to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server. This could cause the time on affected clients to become out of sync over a longer period of time. ([CVE-2015-7979](<https://access.redhat.com/security/cve/CVE-2015-7979>))\n\nA flaw was found in the way the ntpq client processed certain incoming packets in a loop in the getresponse() function. A remote attacker could potentially use this flaw to crash an ntpq client instance. ([CVE-2015-8158](<https://access.redhat.com/security/cve/CVE-2015-8158>))\n\nA flaw was found in ntpd that allows remote attackers to cause a denial of service (ephemeral-association demobilization) by sending a spoofed crypto-NAK packet with incorrect authentication data at a certain time. 
([CVE-2016-4953](<https://access.redhat.com/security/cve/CVE-2016-4953>))\n\n(Updated 2016-10-18: [CVE-2016-4953](<https://access.redhat.com/security/cve/CVE-2016-4953>) was fixed in this release but was not previously part of this errata.)\n\n \n**Affected Packages:** \n\n\nntp\n\n \n**Issue Correction:** \nRun _yum update ntp_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n ntp-4.2.6p5-36.29.amzn1.i686 \n ntpdate-4.2.6p5-36.29.amzn1.i686 \n ntp-debuginfo-4.2.6p5-36.29.amzn1.i686 \n \n noarch: \n ntp-doc-4.2.6p5-36.29.amzn1.noarch \n ntp-perl-4.2.6p5-36.29.amzn1.noarch \n \n src: \n ntp-4.2.6p5-36.29.amzn1.src \n \n x86_64: \n ntpdate-4.2.6p5-36.29.amzn1.x86_64 \n ntp-4.2.6p5-36.29.amzn1.x86_64 \n ntp-debuginfo-4.2.6p5-36.29.amzn1.x86_64 \n \n \n", "modified": "2016-10-18T12:15:00", "published": "2016-10-18T12:15:00", "id": "ALAS-2016-649", "href": "https://alas.aws.amazon.com/ALAS-2016-649.html", "title": "Important: ntp", "type": "amazon", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "ubuntu": [{"lastseen": "2018-08-31T00:09:38", "bulletinFamily": "unix", "description": "Aanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to perform a replay attack. (CVE-2015-7973)\n\nMatt Street discovered that NTP incorrectly verified peer associations of symmetric keys. A remote attacker could use this issue to perform an impersonation attack. (CVE-2015-7974)\n\nJonathan Gardner discovered that the NTP ntpq utility incorrectly handled memory. An attacker could possibly use this issue to cause ntpq to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2015-7975)\n\nJonathan Gardner discovered that the NTP ntpq utility incorrectly handled dangerous characters in filenames. An attacker could possibly use this issue to overwrite arbitrary files. 
(CVE-2015-7976)\n\nStephen Gray discovered that NTP incorrectly handled large restrict lists. An attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7977, CVE-2015-7978)\n\nAanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7979)\n\nJonathan Gardner discovered that NTP incorrectly handled origin timestamp checks. A remote attacker could use this issue to spoof peer servers. (CVE-2015-8138)\n\nJonathan Gardner discovered that the NTP ntpq utility did not properly handle certain incorrect values. An attacker could possibly use this issue to cause ntpq to hang, resulting in a denial of service. (CVE-2015-8158)\n\nIt was discovered that the NTP cronjob incorrectly cleaned up the statistics directory. A local attacker could possibly use this to escalate privileges. (CVE-2016-0727)\n\nStephen Gray and Matthew Van Gundy discovered that NTP incorrectly validated crypto-NAKs. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1547)\n\nMiroslav Lichvar and Jonathan Gardner discovered that NTP incorrectly handled switching to interleaved symmetric mode. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1548)\n\nMatthew Van Gundy, Stephen Gray and Loganaden Velvindron discovered that NTP incorrectly handled message authentication. A remote attacker could possibly use this issue to recover the message digest key. (CVE-2016-1550)\n\nYihan Lian discovered that NTP incorrectly handled duplicate IPs on unconfig directives. An authenticated remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2516)\n\nYihan Lian discovered that NTP incorrectly handled certain peer associations. 
A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2518)\n\nJakub Prokes discovered that NTP incorrectly handled certain spoofed packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4954)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain packets when autokey is enabled. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4955)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain spoofed broadcast packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4956)\n\nIn the default installation, attackers would be isolated by the NTP AppArmor profile.", "modified": "2016-10-05T00:00:00", "published": "2016-10-05T00:00:00", "id": "USN-3096-1", "href": "https://usn.ubuntu.com/3096-1/", "title": "NTP vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2018-12-25T20:17:32", "bulletinFamily": "info", "description": "### Overview \n\nThe NTP.org reference implementation of `ntpd` contains multiple vulnerabilities.\n\n### Description \n\nNTP.org's reference implementation of NTP server, `ntpd`, contains multiple vulnerabilities.\n\n[**CWE-294**](<http://cwe.mitre.org/data/definitions/294.html>)**: Authentication Bypass by Capture-replay - **CVE-2015-7973 \n \nAn attacker on the network can record and replay authenticated broadcast mode packets. Also known as the \"Deja Vu\" attack. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-7974 \n \nA missing key check allows impersonation between authenticated peers. Also known as the \"Skeleton Key\" attack. 
\n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-7975 \n \nThe `nextvar()` function does not properly validate length. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-7976 \n \n`ntpq saveconfig` command allows dangerous characters in filenames \n \n[**CWE-476**](<http://cwe.mitre.org/data/definitions/476.html>)**: NULL Pointer Dereference - **CVE-2015-7977 \n \n`reslist` NULL pointer dereference \n \n[**CWE-400**](<http://cwe.mitre.org/data/definitions/400.html>)**: Uncontrolled Resource Consumption ('Resource Exhaustion') - **CVE-2015-7978 \n \nStack exhaustion in recursive traversal of restriction list \n \n[**CWE-821**](<http://cwe.mitre.org/data/definitions/821.html>)**: Incorrect Synchronization - **CVE-2015-7979 \n \nOff-path Denial of Service (DoS) attack on authenticated broadcast and other pre-emptable modes \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-8138 \n \nZero Origin Timestamp Bypass \n \n[**CWE-200**](<http://cwe.mitre.org/data/definitions/200.html>)**: Information Exposure - **CVE-2015-8139 \n \nNetwork Time Protocol ntpq and ntpdc Origin Timestamp Disclosure Vulnerability \n<http://support.ntp.org/bin/view/Main/NtpBug2946> \n \n[**CWE-294**](<http://cwe.mitre.org/data/definitions/294.html>)**: Authentication Bypass by Capture-replay - **CVE-2015-8140 \n \nNetwork Time Protocol ntpq Control Protocol Replay Vulnerability \n<http://support.ntp.org/bin/view/Main/NtpBug2947> \n \n[**CWE-400**](<http://cwe.mitre.org/data/definitions/400.html>)**: Uncontrolled Resource Consumption ('Resource Exhaustion') - **CVE-2015-8158 \n \nPotential Infinite Loop in ntpq \n<http://support.ntp.org/bin/view/Main/NtpBug2948> \n \n[**CWE-821**](<http://cwe.mitre.org/data/definitions/821.html>)**: Incorrect Synchronization - **CVE-2016-1547 \n \nAn off-path attacker can deny service to 
`ntpd` clients by demobilizing preemptable associations using spoofed crypto-NAK packets. This vulnerability involves different code paths than those used by CVE-2015-7979. \n \n[**CWE-290**](<http://cwe.mitre.org/data/definitions/290.html>)**: Authentication Bypass by Spoofing - **CVE-2016-1548 \n \nBy spoofing packets from a legitimate server, an attacker can change the time of an `ntpd` client or deny service to an `ntpd` client by forcing it to change from basic client/server mode to interleaved symmetric mode. \n \n[**CWE-362**](<http://cwe.mitre.org/data/definitions/362.html>)**: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') - **CVE-2016-1549 \n \nntpd does not prevent Sybil attacks from authenticated peers. A malicious authenticated peer can create any number of ephemeral associations in order to win ntpd's clock selection algorithm and modify a victim's clock. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2016-1550 \n \nntpd does not use a constant-time memory comparison function when validating the authentication digest on incoming packets. In some situations this may allow an attacker to conduct a timing attack to compute the value of the valid authentication digest causing forged packets to be accepted by `ntpd`. \n \n[**CWE-290**](<http://cwe.mitre.org/data/definitions/290.html>)**: Authentication Bypass by Spoofing - **CVE-2016-1551 \n \nntpd does not filter IPv4 bogon packets received from the network. This allows unauthenticated network attackers to spoof refclock packets to ntpd processes on systems that do not implement bogon filtering. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2016-2516, CVE-2016-2517 \n \nDuplicate IPs on `unconfig` directives will cause an assertion botch in `ntpd`. A regression caused by the patch for CVE-2016-2516 was fixed and identified as CVE-2016-2517. 
\n \n[**CWE-125**](<http://cwe.mitre.org/data/definitions/125.html>)**: Out-of-bounds Read - **CVE-2016-2518 \n \nUsing a crafted packet to create a peer association with hmode > 7 causes the MATCH_ASSOC() lookup to make an out-of-bounds reference. \n \n[**CWE-119**](<http://cwe.mitre.org/data/definitions/119.html>)**: Improper Restriction of Operations within the Bounds of a Memory Buffer - **CVE-2016-2519 \n \n`ntpq` and `ntpdc` can be used to store and retrieve information in `ntpd`. It is possible to store a data value that is larger than the size of the buffer that the `ctl_getitem()` function of `ntpd` uses to report the return value. If the length of the requested data value returned by `ctl_getitem()` is too large, the value NULL is returned instead. There are 2 cases where the return value from `ctl_getitem()` was not directly checked to make sure it's not NULL, but there are subsequent INSIST() checks that make sure the return value is not NULL. There are no data values ordinarily stored in `ntpd` that would exceed this buffer length. But if one has permission to store values and one stores a value that is \"too large\", then `ntpd` will abort if an attempt is made to read that oversized value. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-7704**, **CVE-2015-7705 \n \nAn ntpd client that honors Kiss-of-Death (KoD) responses will honor KoD messages that have been forged by an attacker, causing it to delay or stop querying its servers for time updates. Also, an attacker can forge packets that claim to be from the target and send them to servers often enough that a server that implements KoD rate limiting will send the target machine a KoD response to attempt to reduce the rate of incoming packets, or it may also trigger a firewall block at the server for packets from the target machine. For either of these attacks to succeed, the attacker must know what servers the target is communicating with. 
An attacker can be anywhere on the Internet and can frequently learn the identity of the target's time source by sending the target a time query. \n \nFor more information on these vulnerabilities, please see NTP.org's [April 2016 security advisory](<http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security>) as well as the [January 2016 security advisory](<http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit>). \n \n--- \n \n### Impact \n\nUnauthenticated remote attackers may be able to spoof packets to cause denial of service, authentication bypass on commands, or certain configuration changes. For more information on these vulnerabilities, please see NTP.org's [April 2016 security advisory](<http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security>) as well as the [January 2016 security advisory](<http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit>). \n \n--- \n \n### Solution \n\n**Apply an update** \n \nPartial patches for some of these issues were initially released in January 2016 as version 4.2.8p6. Complete patches for all of these issues are now available in version [4.2.8p7](<http://www.ntp.org/downloads.html>), released 2016-04-26. Affected users are encouraged to update as soon as possible. \n \n--- \n \n### Vendor Information\n\n718152\n\n
### __ NTP Project \n\nNotified: January 19, 2016 Updated: April 22, 2016 \n\n**Statement Date: April 19, 2016**\n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### __ ACCESS \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ AT&T \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Alcatel-Lucent \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Apple \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Arista Networks, Inc. \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Aruba Networks \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Avaya, Inc. \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Belkin, Inc. 
\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Blue Coat Systems \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ CA Technologies \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ CentOS \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Check Point Software Technologies \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Cisco \n\nNotified: January 08, 2016 Updated: January 08, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ CoreOS \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ D-Link Systems, Inc. 
\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Debian GNU/Linux \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ DesktopBSD \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ DragonFly BSD Project \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ EMC Corporation \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ EfficientIP SAS \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Enterasys Networks \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Ericsson \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Extreme Networks \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ F5 Networks, Inc. 
\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Fedora Project \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Force10 Networks \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ FreeBSD Project \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Gentoo Linux \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Google \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Hardened BSD \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Hewlett Packard Enterprise \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Hitachi \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Huawei Technologies \n\nNotified: April 25, 2016 Updated: April 25, 2016 
\n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ IBM Corporation \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ IBM eServer \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Infoblox \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Intel Corporation \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Internet Systems Consortium \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Internet Systems Consortium - DHCP \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Juniper Networks \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ McAfee \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Microsoft Corporation \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ 
Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ NEC Corporation \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ NTPsec \n\nNotified: January 19, 2016 Updated: January 19, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ NetBSD \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Nokia \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Nominum \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ OmniTI \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ OpenBSD \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ OpenDNS \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Openwall GNU/*/Linux \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding 
this vulnerability.\n\n### __ Oracle Corporation \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Peplink \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Q1 Labs \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ QNX Software Systems Inc. \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Red Hat, Inc. \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ SUSE Linux \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ SafeNet \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Secure64 Software Corporation \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Slackware Linux Inc. 
\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ SmoothWall \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Snort \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Sony Corporation \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Sourcefire \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Symantec \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ TippingPoint Technologies Inc. 
\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Turbolinux \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Ubuntu \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Unisys \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ VMware \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ Wind River \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ dnsmasq \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ m0n0wall \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### __ openSUSE project \n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\n__ Unknown\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 6.8 | AV:N/AC:M/Au:N/C:P/I:P/A:P \nTemporal | 
5.3 | E:POC/RL:OF/RC:C \nEnvironmental | 5.3 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security>\n * <http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit>\n\n### Credit\n\nThanks to Cisco TALOS for reporting many of these issues to us. The Network Time Foundation credits many researchers for these vulnerabilities; see NTP.org's January 2016 and April 2016 security advisories for the complete list. \n\nThis document was written by Garret Wassermann. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2015-7704, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7704>) [CVE-2015-7705, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7705>) [CVE-2015-7973, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7973>) [CVE-2015-7974, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7974>) [CVE-2015-7975, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7975>) [CVE-2015-7976, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7976>) [CVE-2015-7977, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7977>) [CVE-2015-7978, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7978>) [CVE-2015-7979, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7979>) [CVE-2015-8138, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8138>) [CVE-2015-8139, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8139>) [CVE-2015-8140, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8140>) [CVE-2015-8158, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8158>) [CVE-2016-1547, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1547>) [CVE-2016-1548, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1548>) [CVE-2016-1549, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1549>) [CVE-2016-1550, 
](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1550>) [CVE-2016-1551, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1551>) [CVE-2016-2516, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2516>) [CVE-2016-2517, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2517>) [CVE-2016-2518, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2518>) [CVE-2016-2519](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2519>) \n---|--- \n**Date Public:** | 2016-04-26 \n**Date First Published:** | 2016-04-27 \n**Date Last Updated: ** | 2016-04-28 15:15 UTC \n**Document Revision: ** | 48 \n", "modified": "2016-04-28T15:15:00", "published": "2016-04-27T00:00:00", "id": "VU:718152", "href": "https://www.kb.cert.org/vuls/id/718152", "type": "cert", "title": "NTP.org ntpd contains multiple vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "debian": [{"lastseen": "2019-02-16T02:11:07", "bulletinFamily": "unix", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-3629-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nJuly 25, 2016 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : ntp\nCVE ID : CVE-2015-7974 CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 \n CVE-2015-8138 CVE-2015-8158 CVE-2016-1547 CVE-2016-1548\n CVE-2016-1550 CVE-2016-2516 CVE-2016-2518\n\nSeveral vulnerabilities were discovered in the Network Time Protocol\ndaemon and utility programs:\n\nCVE-2015-7974\n\n Matt Street discovered that insufficient key validation allows\n impersonation attacks between authenticated peers.\n\nCVE-2015-7977 / CVE-2015-7978\n\n Stephen Gray discovered that a NULL pointer dereference and a\n buffer overflow in the handling of "ntpdc reslist" commands may\n result in denial of 
service.\n\nCVE-2015-7979\n\n Aanchal Malhotra discovered that if NTP is configured for broadcast\n mode, an attacker can send malformed authentication packets which\n break associations with the server for other broadcast clients.\n\nCVE-2015-8138\n\n Matthew van Gundy and Jonathan Gardner discovered that missing\n validation of origin timestamps in ntpd clients may result in denial\n of service.\n\nCVE-2015-8158\n\n Jonathan Gardner discovered that missing input sanitising in ntpq\n may result in denial of service.\n\nCVE-2016-1547\n\n Stephen Gray and Matthew van Gundy discovered that incorrect handling\n of crypto NAK packets may result in denial of service.\n\nCVE-2016-1548\n\n Jonathan Gardner and Miroslav Lichvar discovered that ntpd clients\n could be forced to change from basic client/server mode to interleaved\n symmetric mode, preventing time synchronisation.\n\nCVE-2016-1550\n\n Matthew van Gundy, Stephen Gray and Loganaden Velvindron discovered\n that timing leaks in the packet authentication code could result\n in recovery of a message digest.\n\nCVE-2016-2516\n\n Yihan Lian discovered that duplicate IPs on "unconfig" directives will\n trigger an assert.\n\nCVE-2016-2518\n\n Yihan Lian discovered that an OOB memory access could potentially\n crash ntpd.\n\nFor the stable distribution (jessie), these problems have been fixed in\nversion 1:4.2.6.p5+dfsg-7+deb8u2.\n\nFor the testing distribution (stretch), these problems have been fixed\nin version 1:4.2.8p7+dfsg-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1:4.2.8p7+dfsg-1.\n\nWe recommend that you upgrade your ntp packages.\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "modified": "2016-07-25T21:16:04", "published": "2016-07-25T21:16:04", "id": 
"DEBIAN:DSA-3629-1:3CA50", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2016/msg00207.html", "title": "[SECURITY] [DSA 3629-1] ntp security update", "type": "debian", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-10-18T13:49:02", "bulletinFamily": "unix", "description": "Package : ntp\nVersion : 1:4.2.6.p5+dfsg-2+deb7u7\nCVE ID : CVE-2015-7974 CVE-2015-7977 CVE-2015-7978 CVE-2015-7979 \n CVE-2015-8138 CVE-2015-8158 CVE-2016-1547 CVE-2016-1548\n CVE-2016-1550 CVE-2016-2516 CVE-2016-2518\n\nSeveral vulnerabilities were discovered in the Network Time Protocol\ndaemon and utility programs:\n\nCVE-2015-7974\n\n Matt Street discovered that insufficient key validation allows\n impersonation attacks between authenticated peers.\n\nCVE-2015-7977 / CVE-2015-7978\n\n Stephen Gray discovered that a NULL pointer dereference and a\n buffer overflow in the handling of "ntpdc reslist" commands may\n result in denial of service.\n\nCVE-2015-7979\n\n Aanchal Malhotra discovered that if NTP is configured for broadcast\n mode, an attacker can send malformed authentication packets which\n break associations with the server for other broadcast clients.\n\nCVE-2015-8138\n\n Matthew van Gundy and Jonathan Gardner discovered that missing\n validation of origin timestamps in ntpd clients may result in denial\n of service.\n\nCVE-2015-8158\n\n Jonathan Gardner discovered that missing input sanitising in ntpq\n may result in denial of service.\n\nCVE-2016-1547\n\n Stephen Gray and Matthew van Gundy discovered that incorrect handling\n of crypto NAK packets may result in denial of service.\n\nCVE-2016-1548\n\n Jonathan Gardner and Miroslav Lichvar discovered that ntpd clients\n could be forced to change from basic client/server mode to interleaved\n symmetric mode, preventing time synchronisation.\n\nCVE-2016-1550\n\n Matthew van Gundy, Stephen Gray and Loganaden Velvindron discovered\n that 
timing leaks in the packet authentication code could result\n in recovery of a message digest.\n\nCVE-2016-2516\n\n Yihan Lian discovered that duplicate IPs on "unconfig" directives will\n trigger an assert.\n\nCVE-2016-2518\n\n Yihan Lian discovered that an OOB memory access could potentially\n crash ntpd.\n\nFor Debian 7 "Wheezy", these problems have been fixed in version\n1:4.2.6.p5+dfsg-2+deb7u7.\n\nWe recommend that you upgrade your ntp packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "modified": "2016-07-25T21:37:31", "published": "2016-07-25T21:37:31", "id": "DEBIAN:DLA-559-1:E64BA", "href": "https://lists.debian.org/debian-lts-announce/2016/debian-lts-announce-201607/msg00021.html", "title": "[SECURITY] [DLA 559-1] ntp security update", "type": "debian", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "cloudfoundry": [{"lastseen": "2018-09-07T03:26:09", "bulletinFamily": "software", "description": "USN-3096-1 NTP vulnerabilities\n\n# \n\nMedium\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\nCanonical Ubuntu 14.04 LTS\n\n# Description\n\nAanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to perform a replay attack. (CVE-2015-7973)\n\nMatt Street discovered that NTP incorrectly verified peer associations of symmetric keys. A remote attacker could use this issue to perform an impersonation attack. (CVE-2015-7974)\n\nJonathan Gardner discovered that the NTP ntpq utility incorrectly handled dangerous characters in filenames. An attacker could possibly use this issue to overwrite arbitrary files. (CVE-2015-7976)\n\nStephen Gray discovered that NTP incorrectly handled large restrict lists. An attacker could use this issue to cause NTP to crash, resulting in a denial of service. 
(CVE-2015-7977, CVE-2015-7978)\n\nAanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7979)\n\nJonathan Gardner discovered that NTP incorrectly handled origin timestamp checks. A remote attacker could use this issue to spoof peer servers. (CVE-2015-8138)\n\nJonathan Gardner discovered that the NTP ntpq utility did not properly handle certain incorrect values. An attacker could possibly use this issue to cause ntpq to hang, resulting in a denial of service. (CVE-2015-8158)\n\nIt was discovered that the NTP cronjob incorrectly cleaned up the statistics directory. A local attacker could possibly use this to escalate privileges. (CVE-2016-0727)\n\nStephen Gray and Matthew Van Gundy discovered that NTP incorrectly validated crypto-NAKs. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1547)\n\nMiroslav Lichvar and Jonathan Gardner discovered that NTP incorrectly handled switching to interleaved symmetric mode. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1548)\n\nMatthew Van Gundy, Stephen Gray and Loganaden Velvindron discovered that NTP incorrectly handled message authentication. A remote attacker could possibly use this issue to recover the message digest key. (CVE-2016-1550)\n\nYihan Lian discovered that NTP incorrectly handled duplicate IPs on unconfig directives. An authenticated remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2516)\n\nYihan Lian discovered that NTP incorrectly handled certain peer associations. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2518)\n\nJakub Prokes discovered that NTP incorrectly handled certain spoofed packets. 
A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4954)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain packets when autokey is enabled. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4955)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain spoofed broadcast packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4956)\n\nIn the default installation, attackers would be isolated by the NTP AppArmor profile.\n\n# Affected Cloud Foundry Products and Versions\n\nSeverity is medium unless otherwise noted.\n\nCloud Foundry BOSH stemcells are vulnerable, including:\n\n * All versions prior to 3146.24\n * 3151.x versions prior to 3151.2\n * 3232.x versions prior to 3232.22\n * 3233.x versions prior to 3233.2\n * 3262.x versions prior to 3262.21\n * Other versions prior to 3263.7\n\n# Mitigation\n\nThe Cloud Foundry team recommends upgrading to the following BOSH stemcells:\n\n * Upgrade all versions prior to 3146.x to 3146.24\n * Upgrade 3151.x versions to 3151.2\n * Upgrade 3232.x versions to 3232.22\n * Upgrade 3233.x versions to 3233.2\n * Upgrade 3262.x versions to 3262.21\n * Upgrade other versions to 3263.7\n\n# Credit\n\nMatt Street, Aanchal Malhotra, Jonathan Gardner, Matthew Van Gundy, Stephen Gray, Loganaden Velvindron, Yihan Lian, Jakub Prokes, Miroslav Lichvar\n\n# References\n\n * <https://www.ubuntu.com/usn/usn-3096-1/>\n", "modified": "2016-12-21T00:00:00", "published": "2016-12-21T00:00:00", "id": "CFOUNDRY:0B67E4FF46553AC705FD601C96C1A6B6", "href": "https://www.cloudfoundry.org/blog/usn-3096-1/", "title": "USN-3096-1: NTP vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "talos": [{"lastseen": "2018-08-31T00:36:40", "bulletinFamily": "info", "description": "# Talos Vulnerability Report\n\n### 
TALOS-2016-0078\n\n## Network Time Protocol ntpq and ntpdc Origin Timestamp Disclosure Vulnerability\n\n##### January 19, 2016\n\n##### CVE Number\n\nCVE-2015-8139\n\nCERT VU#357792\n\n### Summary\n\nTo prevent off-path attackers from impersonating legitimate peers, clients require that the origin timestamp in a received response packet match the transmit timestamp from its last request to a given peer. Under assumption that only the recipient of the request packet will know the value of the transmit timestamp, this prevents an attacker from forging replies.\n\nUnfortunately, ntpq and ntpdc will disclose the value of the origin timestamp expected in the next peer response to any clients that are authorized to make ntpq (respectively ntpdc) queries.\n\nThis vulnerability appears to have been present in ntpd since, at least, 4.0.94 of May 1999. It appears in the earliest commit in the NTP project git repository.\n\n### Tested Versions\n\nntp 4.2.8p3 \nNTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92\n\n### Product URLs\n\n<http://www.ntp.org> \n<http://www.ntpsec.org/>\n\n### CVSS Score\n\nCVSSv2: 5.0 - AV:N/AC:L/Au:N/C:P/I:N/A:N \nCVSSv3: 5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N\n\n### Details\n\nHere is an example from ntpq:\n \n \n ntpq> peer\n remote refid st t when poll reach delay offset jitter\n ==============================================================================\n *server .LOCL. 
1 u 69 64 76 0.525 35.063 23.483\n ntpq> as\n \n ind assid status conf reach auth condition last_event cnt\n ===========================================================\n 1 43286 965a yes yes none sys.peer sys_peer 5\n ntpq> rv 43286 org\n org=d9c79a63.b05e631b Tue, Oct 13 2015 14:57:39.688\n \n\nHere is an example from ntpdc:\n \n \n ntpdc> showpeer 192.168.33.10\n remote 192.168.33.10, local 192.168.33.11\n ...\n reference time: d9c79a0e.1ef70a98 Tue, Oct 13 2015 14:56:14.120\n originate timestamp: d9c79a63.b05e631b Tue, Oct 13 2015 14:57:39.688\n receive timestamp: d9c79a20.b9d5ee3d Tue, Oct 13 2015 14:56:32.725\n transmit timestamp: d9c79a20.b9d5ee3d Tue, Oct 13 2015 14:56:32.725\n \n\nFor associations that do not employ authentication, response packets are only authenticated using the packet source address and the expected origin timestamp. The necessary ntpq and ntpdc commands do not require authentication. As a result, an unauthenticated off-path attacker that can spoof the source address of a remote peer can forge responses from that peer using this vulnerability.\n\nThere is an interplay between this vulnerability and the 0rigin (zero origin) vulnerability (CVE-2015-8138). Because the 0rigin vulnerability resets the expected origin timestamp from live servers to zero when a response with the correct origin timestamp is received, forging responses from live servers is trivial. 
This vulnerability gives attackers the additional power to forge responses from unreachable peers and symmetric peers.\n\n### Mitigation\n\nThe peer origin variable is read via ntpq (mode 6) packets with a non-zero association id, opcode equal to READVAR (2), and the variable name \"org\".\n\nIt can also be read with ntpdc (mode 7) packets with a request code of PEER_INFO (2).\n\nThis vulnerability can be mitigated by adding the `noquery` option to all restrict entries as in:\n \n \n restrict -4 default noquery ...\n restrict -6 default noquery ...\n restrict 127.0.0.1 noquery ...\n restrict ::1 noquery ...\n \n\nWARNING: Common configurations allow local users to send ntpq and ntpdc requests to the local ntpd using permissive restrict entries. This will allow malicious, unprivileged, local users to discover the value of the origin timestamp necessary to spoof responses from ntpd peers. Therefore, we DO NOT recommend the common practice of allowing queries from localhost.\n\nUnfortunately, despite the impression given by NTP's documentation, the `notrust` restrict option CANNOT be used to mitigate this vulnerability because it DOES NOT have any effect on ntpq and ntpdc requests.\n\n### Timeline\n\n2015-10-16 - Vendor Disclosure \n2016-01-19 - Public Release\n\n##### Credit\n\nMatthew Van Gundy\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0079\n\nPrevious Report\n\nTALOS-2016-0077\n", "modified": "2016-01-19T00:00:00", "published": "2016-01-19T00:00:00", "id": "TALOS-2016-0078", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0078", "title": "Network Time Protocol ntpq and ntpdc Origin Timestamp Disclosure Vulnerability", "type": "talos", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T00:36:32", "bulletinFamily": "info", "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0203\n\n## Network Time Protocol Control Mode Unauthenticated Trap 
Information Disclosure and DDoS Amplification Vulnerability\n\n##### November 21, 2016\n\n##### CVE Number\n\nCVE-2016-9310\n\n### Summary\n\nAn exploitable configuration modification vulnerability exists in the control mode (mode 6) functionality of ntpd. A specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, preventing legitimate monitoring. A remote, unauthenticated, network attacker can trigger this vulnerability.\n\n### Tested Versions\n\nNTP 4.2.8p3 \nNTP 4.2.8p8 \nNTPsec 0.9.1 \nNTPsec 0.9.3\n\n### Product URLs\n\nhttp://www.ntp.org \nhttp://www.ntpsec.org/\n\n### CVSS Scores\n\nCVSSv2: 6.4 - (AV:N/AC:L/Au:N/C:P/I:P/A:N) \nCVSSv3: 6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\n\n### Details\n\nntpd provides a `trap` functionality that sends asynchronous notifications to a number of `trap receivers` whenever an event of interest occurs. Example events of interest include: association mobilization and demobilization, authentication failures, reachability changes, etc.\n\nSince at least ntp-4.0.94 (July 21, 1999), ntpd has allowed traps to be configured via control (mode 6) and private (mode 7) NTP modes. Though private mode requires messages modifying trap settings to be authenticated, control mode allows unauthenticated packets to modify trap settings using the `SETTRAP` and `UNSETTRAP` control messages.\n\nThis vulnerability can be used to achieve several goals:\n\n * Time Shifting: If an attacker controls a host that is allowed to receive traps (i.e. not restricted by `restrict noquery` or `restrict notrap`), the attacker can instruct a victim ntpd instance to send traps to the attacker's host. Whenever a reportable event occurs for some peer, the victim ntpd will send a trap to the attacker leaking all the peer variables associated with that peer. 
The information leaked includes the peer's org and rec variables allowing the attacker to bypass TEST2 and impersonate said peer in a manner similar to CVE-2015-8139 and CVE-2016-1548.\n\nThe attacker can force the victim ntpd to leak the information for any peer at any time by triggering a reportable event for said peer. There are multiple methods to trigger a reportable event for a peer, among them spoofing an invalid crypto-NAK or incorrectly authenticated packet from the peer.\n\nNOTE: With ntp-4.2.8p8 and earlier the 0rigin attack (CVE-2015-8138) [1] already allows impersonation of reachable peers. In those ntpd versions, this vulnerability provides another method for impersonating unreachable peers.\n\n * DDoS Amplification: An attacker can use an ntpd instance as a DDoS amplifier to DDoS hosts that are allowed to receive traps from the ntpd instance using the following technique. The amplification factor is 12-13x.\n\nThe attacker forges a `SETTRAP` packet from the `victim` to the `amplifier`, causing the `amplifier` to set a trap for the `victim`. The attacker then repeatedly triggers reportable events causing trap messages to be sent to the victim. E.g. the attacker rapidly forges invalid crypto-NAKs and/or bad_auth packets from the `victim`'s `sys_peer`.\n\nntpd attempts to limit the number of consecutive traps sent for events of a single type. To maximize effect, the attacker can alternate between events of different types.\n\nntpd will periodically time out old traps when a new one is set. 
Therefore, for a long-term attack, the attacker may need to periodically refresh the trap on the `amplifier`.\n\n * Evading Monitoring: In an environment where dynamically configured traps are used to modify an ntpd instance, an unauthenticated attacker can remove traps set by legitimate monitoring systems by spoofing the source address of the `trap receiver` in an `UNSETTRAP` message.\n\nAuthentication should be required in order to modify trap configuration.\n\n### Mitigation\n\nSeveral mitigations can lessen the impact of this vulnerability.\n\n 1. Unauthorized hosts can be prevented from receiving traps using the `restrict default notrap` restriction. This setting is the default on many modern Linux systems.\n\nThis mitigation has no effect on the \"Evading Monitoring\" impact described above because the alleged sender of the packet is an authorized trap receiver.\n\n 2. Block NTP control mode trap configuration commands using a firewall or IPS. It does not appear that support for configuring control mode traps was ever implemented in ntpq, the reference NTP control mode client. As such, on most networks blocking control mode trap configuration commands should have no effect on legitimate traffic. 
Specifically, firewalls should block packets with the following characteristics:\n\n * UDP Destination Port: 123\n * NTP Mode: 6\n * NTP Control Operation Code: 6 (SETTRAP) or 31 (UNSETTRAP)\n\nTraps specified in ntp.conf cannot be modified using this vulnerability.\n\n[1] http://www.talosintelligence.com/reports/TALOS-2016-0077/\n\n### Timeline\n\n2016-09-20 - Vendor Disclosure \n2016-11-21 - Public Release\n\n##### Credit\n\nDiscovered by Matthew Van Gundy of Cisco ASIG.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0131\n\nPrevious Report\n\nTALOS-2016-0204\n", "modified": "2016-11-21T00:00:00", "published": "2016-11-21T00:00:00", "id": "TALOS-2016-0203", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0203", "title": "Network Time Protocol Control Mode Unauthenticated Trap Information Disclosure and DDoS Amplification Vulnerability", "type": "talos", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-08-31T00:36:22", "bulletinFamily": "info", "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0073\n\n## Network Time Protocol ntpq Special Character Filtering Vulnerability\n\n##### January 19, 2016\n\n##### CVE Number\n\nCVE-2015-7976\n\n### Summary\n\nThe ntpq saveconfig command does not do adequate filtering of special characters from the supplied filename. Only back slash and forward slash are currently filtered out. There are other special characters that are allowed in the filename which can cause issues during globbing.\n\nIn addition to special characters that are passed straight through to the filename, strftime() is called on format specifiers defined by the ntpq user. The %n and %t format specifiers insert a newline and a tab, respectively, into the filename. 
These could have unintended consequences during globbing as well.\n\nNote that the ntpq user is required to authenticate to run this command.\n\n### Tested Versions\n\nntp 4.2.8p3 \nNTPsec aa48d001683e5b791a743ec9c575aaf7d867a2b0c\n\n### Product URLs\n\n<http://www.ntp.org> \n<http://www.ntpsec.org/>\n\n### CVSS Score\n\nCVSSv2: 3.6 - AV:N/AC:H/Au:S/C:N/I:P/A:P \nCVSSv3: 4.4 - CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L\n\n### Details\n\nFor instance, dash can be the first character in a filename. So if the ntpq user saves the config to a file named \"-rf\", an admin on the ntp server could run \"rm *\" in the directory holding that file and the command would really be \"rm -rf *\" after globbing. This is an extreme and unlikely example, but there are any number of similar issues that could occur with commands an admin would likely run with wildcards from the config directory.\n\n### Recommended Fix\n\nThe save_config() function in ntp_control.c should filter out special characters with the exception of a small number that normally get used in filenames: ._- (dot, underscore, and dash). Filenames should not be allowed to start with these special characters. Also, the %n and %t format specifiers should be disallowed to avoid whitespace in a filename. 
A more conservative approach would be to completely remove the call to strftime() in case there are other vulnerabilities with strftime() that could be exploited by an ntpq user.\n\n### Timeline\n\n2015-10-07 - Vendor Disclosure \n2016-01-19 - Public Release\n\n##### Credit\n\nJonathan Gardner\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0074\n\nPrevious Report\n\nTALOS-2016-0072\n", "modified": "2016-01-19T00:00:00", "published": "2016-01-19T00:00:00", "id": "TALOS-2016-0073", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0073", "title": "Network Time Protocol ntpq Special Character Filtering Vulnerability", "type": "talos", "cvss": {"score": 4.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2018-08-31T00:36:30", "bulletinFamily": "info", "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0074\n\n## Network Time Protocol Private Mode 'reslist' NULL Pointer Dereference Vulnerability\n\n##### January 19, 2016\n\n##### CVE Number\n\nCVE-2015-7977\n\n### Summary\n\nAn unauthenticated ntpdc reslist command can cause a segmentation fault in ntpd by causing a NULL pointer dereference.\n\nThe following conditions must be met:\n\n 1. Mode 7 must be enabled. By default, mode 7 is disabled.\n 2. A large enough number of entries must exist in the restrict list to cause seqno to be equal to MAXSEQ\n\n### Expected Behavior:\n\nThe ntpdc reslist command is used to query the restrictions currently enforced by ntpd. If the number of restrictions is too large to fit into a single packet, the results will be split across a sequence of packets. 
The reslist command does not require authentication.\n\nThe functions that return the results (list_restrict4() and list_restrict6()) do not correctly handle the case where the number of packets required is greater than the maximum value of the response packet sequence number resulting in a NULL pointer dereference.\n\nIn the event that seqno is equal to MAXSEQ and more_pkt() returns NULL the return value should be checked and ntpd should fail gracefully.\n\n### Actual Behavior:\n\nThe root cause of the crash is a segmentation violation caused by a NULL pointer dereference in list_restrict4() or list_restrict6().\n\nThe IPv4 and IPv6 restriction lists are kept sorted in reverse order. To correctly display the output, the functions list_restrict4() and list_restrict6() traverse the list recursively and dump the lists in reverse.\n\nAfter recursing to the end of the list, the value pointed to by ppir is assigned the result of more_pkt(). Within more_pkt(), if databytes + itemsize > RESP_DATA_SIZE and seqno == MAXSEQ then NULL is returned and assigned to *ppir. The pointer pir is then assigned *ppir and dereferenced, resulting in a segmentation violation.\n\n### Implications of the defect:\n\nAn attacker that can increase the size of the restrict list on a server with request mode enabled can crash ntpd. The attacker might be able to increase the number of restrictions dynamically via the \"restrict source\" mechanism. Additionally, an authenticated user can add restrict lines to the configuration with mode 6 if it is enabled.\n\n### Recommendations:\n\nCheck the return value of more_pkt(), and if it is NULL, fail gracefully. 
The more_pkt() function is used in several places, and the value should be checked at each invocation.\n\n### Tested Versions\n\nntp 4.2.8p3 \nNTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92\n\n### Product URLs\n\n<http://www.ntp.org> \n<http://www.ntpsec.org/>\n\n### CVSS Score\n\nCVSSv2: 5.4 - AV:N/AC:H/Au:N/C:N/I:N/A:C \nCVSSv3: 5.9 - AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n### Timeline\n\n2015-10-07 - Vendor Disclosure \n2016-01-19 - Public Release\n\n##### Credit\n\nStephen Gray\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0075\n\nPrevious Report\n\nTALOS-2016-0073\n", "modified": "2016-01-19T00:00:00", "published": "2016-01-19T00:00:00", "id": "TALOS-2016-0074", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0074", "title": "Network Time Protocol Private Mode 'reslist' NULL Pointer Dereference Vulnerability", "type": "talos", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "oraclelinux": [{"lastseen": "2018-08-31T01:41:05", "bulletinFamily": "unix", "description": "[4.2.6p5-25.0.1]\n- add disable monitor to default ntp.conf [CVE-2013-5211]\n[4.2.6p5-25]\n- don't allow spoofed packet to enable symmetric interleaved mode\n (CVE-2016-1548)\n- check mode of new source in config command (CVE-2016-2518)\n- make MAC check resilient against timing attack (CVE-2016-1550)\n[4.2.6p5-24]\n- fix crash with invalid logconfig command (CVE-2015-5194)\n- fix crash when referencing disabled statistic type (CVE-2015-5195)\n- don't hang in sntp with crafted reply (CVE-2015-5219)\n- don't crash with crafted autokey packet (CVE-2015-7691, CVE-2015-7692,\n CVE-2015-7702)\n- fix memory leak with autokey (CVE-2015-7701)\n- don't allow setting driftfile and pidfile remotely (CVE-2015-7703)\n- don't crash in ntpq with crafted packet (CVE-2015-7852)\n- check key ID in packets authenticated with symmetric key (CVE-2015-7974)\n- fix crash with reslist command (CVE-2015-7977, CVE-2015-7978)\n- don't 
allow spoofed packets to demobilize associations (CVE-2015-7979,\n CVE-2016-1547)\n- don't accept server/peer packets with zero origin timestamp (CVE-2015-8138)\n- fix infinite loop in ntpq/ntpdc (CVE-2015-8158)\n- fix resetting of leap status (#1242553)\n- extend rawstats log (#1242877)\n- report clock state changes related to leap seconds (#1242935)\n- allow -4/-6 on restrict lines with mask (#1304492)\n- explain synchronised state in ntpstat man page (#1309594)", "modified": "2016-11-09T00:00:00", "published": "2016-11-09T00:00:00", "id": "ELSA-2016-2583", "href": "http://linux.oracle.com/errata/ELSA-2016-2583.html", "title": "ntp security and bug fix update", "type": "oraclelinux", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T12:15:06", "bulletinFamily": "exploit", "description": "### Summary\r\nAn exploitable configuration modification vulnerability exists in the control mode (mode 6) functionality of ntpd. A specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, preventing legitimate monitoring. A remote, unauthenticated, network attacker can trigger this vulnerability.\r\n\r\n### Tested Versions\r\n* NTP 4.2.8p3\r\n* NTP 4.2.8p8\r\n* NTPsec 0.9.1\r\n* NTPsec 0.9.3\r\n\r\n### Product URLs\r\n* http://www.ntp.org\r\n* http://www.ntpsec.org/\r\n\r\n### CVSS Scores\r\n* CVSSv2: 6.4 - (AV:N/AC:L/Au:N/C:P/I:P/A:N)\r\n* CVSSv3: 6.5 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N\r\n\r\n### Details\r\nntpd provides a `trap` functionality that sends asynchronous notifications to a number of `trap receivers` whenever an event of interest occurs. 
Example events of interest include: association mobilization and demobilization, authentication failures, reachability changes, etc.\r\n\r\nSince at least ntp-4.0.94 (July 21, 1999), ntpd has allowed traps to be configured via control (mode 6) and private (mode 7) NTP modes. Though private mode requires messages modifying trap settings to be authenticated, control mode allows unauthenticated packets to modify trap settings using the `SETTRAP` and `UNSETTRAP` control messages.\r\n\r\nThis vulnerability can be used to achieve several goals:\r\n\r\n* Time Shifting: If an attacker controls a host that is allowed to receive traps (i.e. not restricted by `restrict noquery` or `restrict notrap`), the attacker can instruct a victim ntpd instance to send traps to the attacker's host. Whenever a reportable event occurs for some peer, the victim ntpd will send a trap to the attacker leaking all the peer variables associated with that peer. The information leaked includes the peer's org and rec variables allowing the attacker to bypass TEST2 and impersonate said peer in a manner similar to CVE-2015-8139 and CVE-2016-1548.\r\nThe attacker can force the victim ntpd to leak the information for any peer at any time by triggering a reportable event for said peer. There are multiple methods to trigger a reportable event for a peer, among them spoofing an invalid crypto-NAK or incorrectly authenticated packet from the peer.\r\nNOTE: With ntp-4.2.8p8 and earlier the 0rigin attack (CVE-2015-8138) [1] already allows impersonation of reachable peers. In those ntpd versions, this vulnerability provides another method for impersonating unreachable peers.\r\n\r\n* DDoS Amplification: An attacker can use an ntpd instance as a DDoS amplifier to DDoS hosts that are allowed to receive traps from the ntpd instance using the following technique. 
The amplification factor is 12-13x.\r\n\r\nThe attacker forges a `SETTRAP` packet from the `victim` to the `amplifier`, causing the `amplifier` to set a trap for the `victim`. The attacker then repeatedly triggers reportable events causing trap messages to be sent to the victim. E.g. the attacker rapidly forges invalid crypto-NAKs and/or bad_auth packets from the `victim`'s `sys_peer`.\r\nntpd attempts to limit the number of consecutive traps sent for events of a single type. To maximize effect, the attacker can alternate between events of different types.\r\nntpd will periodically time out old traps when a new one is set. Therefore, for a long-term attack, the attacker may need to periodically refresh the trap on the `amplifier`.\r\n\r\n* Evading Monitoring: In an environment where dynamically configured traps are used to modify an ntpd instance, an unauthenticated attacker can remove traps set by legitimate monitoring systems by spoofing the source address of the `trap receiver` in an `UNSETTRAP` message.\r\n\r\nAuthentication should be required in order to modify trap configuration.\r\n\r\n### Mitigation\r\nSeveral mitigations can lessen the impact of this vulnerability.\r\n\r\n1. Unauthorized hosts can be prevented from receiving traps using the `restrict default notrap` restriction. This setting is the default on many modern Linux systems.\r\nThis mitigation has no effect on the \"Evading Monitoring\" impact described above because the alleged sender of the packet is an authorized trap receiver.\r\n2. Block NTP control mode trap configuration commands using a firewall or IPS. It does not appear that support for configuring control mode traps was ever implemented in ntpq, the reference NTP control mode client. As such, on most networks blocking control mode trap configuration commands should have no effect on legitimate traffic. 
Specifically, firewalls should block packets with the following characteristics:\r\n\t* UDP Destination Port: 123\r\n\t* NTP Mode: 6\r\n\t* NTP Control Operation Code: 6 (SETTRAP) or 31 (UNSETTRAP)\r\n\r\nTraps specified in ntp.conf cannot be modified using this vulnerability.\r\n[1] http://www.talosintelligence.com/reports/TALOS-2016-0077/\r\n\r\n### Timeline\r\n* 2016-09-20 - Vendor Disclosure\r\n* 2016-11-21 - Public Release", "modified": "2017-10-11T00:00:00", "published": "2017-10-11T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96647", "id": "SSV:96647", "type": "seebug", "title": "Network Time Protocol Control Mode Unauthenticated Trap Information Disclosure and DDoS Amplification Vulnerability(CVE-2016-9310)", "sourceData": "", "cvss": {"score": 6.4, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}], "centos": [{"lastseen": "2017-10-03T18:27:01", "bulletinFamily": "unix", "description": "**CentOS Errata and Security Advisory** CESA-2016:2583\n\n\nThe Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service.\n\nSecurity Fix(es):\n\n* It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\n\n* A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. 
(CVE-2015-7701)\n\n* An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852)\n\n* A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977)\n\n* A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd. (CVE-2015-7978)\n\n* It was found that when NTP was configured in broadcast mode, a remote attacker could broadcast packets with bad authentication to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server, causing them to become out of sync over a longer period of time. (CVE-2015-7979)\n\n* It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. (CVE-2015-5194)\n\n* It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command. (CVE-2015-5195)\n\n* It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). (CVE-2015-5196, CVE-2015-7703)\n\n* It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. 
(CVE-2015-5219)\n\n* A flaw was found in the way NTP verified trusted keys during symmetric key authentication. An authenticated client (A) could use this flaw to modify a packet sent between a server (B) and a client (C) using a key that is different from the one known to the client (A). (CVE-2015-7974)\n\n* A flaw was found in the way the ntpq client processed certain incoming packets in a loop in the getresponse() function. A remote attacker could potentially use this flaw to crash an ntpq client instance. (CVE-2015-8158)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichv\u00e1r (Red Hat).\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2016-November/003635.html\n\n**Affected packages:**\nntp\nntp-doc\nntp-perl\nntpdate\nsntp\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-2583.html", "modified": "2016-11-25T16:00:55", "published": "2016-11-25T16:00:55", "href": "http://lists.centos.org/pipermail/centos-cr-announce/2016-November/003635.html", "id": "CESA-2016:2583", "title": "ntp, ntpdate, sntp security update", "type": "centos", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "redhat": [{"lastseen": "2018-12-11T17:45:05", "bulletinFamily": "unix", "description": "The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. 
These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service.\n\nSecurity Fix(es):\n\n* It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\n\n* A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701)\n\n* An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852)\n\n* A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977)\n\n* A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd. (CVE-2015-7978)\n\n* It was found that when NTP was configured in broadcast mode, a remote attacker could broadcast packets with bad authentication to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server, causing them to become out of sync over a longer period of time. (CVE-2015-7979)\n\n* It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. 
(CVE-2015-5194)\n\n* It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command. (CVE-2015-5195)\n\n* It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). (CVE-2015-5196, CVE-2015-7703)\n\n* It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219)\n\n* A flaw was found in the way NTP verified trusted keys during symmetric key authentication. An authenticated client (A) could use this flaw to modify a packet sent between a server (B) and a client (C) using a key that is different from the one known to the client (A). (CVE-2015-7974)\n\n* A flaw was found in the way the ntpq client processed certain incoming packets in a loop in the getresponse() function. A remote attacker could potentially use this flaw to crash an ntpq client instance. 
(CVE-2015-8158)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichv\u00e1r (Red Hat).\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.", "modified": "2018-04-12T03:33:11", "published": "2016-11-03T10:07:15", "id": "RHSA-2016:2583", "href": "https://access.redhat.com/errata/RHSA-2016:2583", "type": "redhat", "title": "(RHSA-2016:2583) Moderate: ntp security and bug fix update", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "gentoo": [{"lastseen": "2016-09-06T19:47:00", "bulletinFamily": "unix", "description": "### Background\n\nNTP contains software for the Network Time Protocol.\n\n### Description\n\nMultiple vulnerabilities have been discovered in NTP. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly cause a Denial of Service condition.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll NTP users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/ntp-4.2.8_p8\"", "modified": "2016-07-20T00:00:00", "published": "2016-07-20T00:00:00", "id": "GLSA-201607-15", "href": "https://security.gentoo.org/glsa/201607-15", "type": "gentoo", "title": "NTP: Multiple vulnerabilities", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}]}