ID OPENVAS:1361412562310106405 Type openvas Reporter This script is Copyright (C) 2016 Greenbone Networks GmbH Modified 2019-09-24T00:00:00
Description
NTP.org
##############################################################################
# OpenVAS Vulnerability Test
#
# NTP.org 'ntp' Multiple Vulnerabilities (Nov-2016)
#
# Authors:
# Christian Kuersteiner <christian.kuersteiner@greenbone.net>
#
# Copyright:
# Copyright (c) 2016 Greenbone Networks GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################
# CPE identifier for NTP.org's ntp; the check after the metadata section passes it to
# get_app_port() / get_app_full() to look up the detected installation.
CPE = "cpe:/a:ntp:ntp";
# Metadata section: registers the script's OID, CVE list, tags and dependencies.
# It ends with exit(0), so nothing below the closing brace runs in this mode.
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.0.106405");
script_version("2019-09-24T10:41:39+0000");
script_cve_id("CVE-2016-7428", "CVE-2016-7427");
script_tag(name:"last_modification", value:"2019-09-24 10:41:39 +0000 (Tue, 24 Sep 2019)");
# NOTE(review): this creation date is earlier than the Nov-2016 advisory named in the
# file header -- presumably carried over from a template; confirm before relying on it.
script_tag(name:"creation_date", value:"2016-06-03 11:18:33 +0700 (Fri, 03 Jun 2016)");
script_tag(name:"cvss_base", value:"3.3");
# AV:A = adjacent network, A:P = partial availability impact only. This matches the
# insight text: the attacker needs access to the NTP broadcast domain.
script_tag(name:"cvss_base_vector", value:"AV:A/AC:L/Au:N/C:N/I:N/A:P");
script_name("NTP.org 'ntpd' Multiple Vulnerabilities - Nov16 - 1");
# Registered as an information-gathering check: the logic after this section only
# compares a version string obtained through get_app_full().
script_category(ACT_GATHER_INFO);
script_copyright("This script is Copyright (C) 2016 Greenbone Networks GmbH");
script_family("General");
# Scheduled after gb_ntp_detect_lin.nasl and only when the key below is present --
# presumably that detection script sets it; confirm against the detection script.
script_dependencies("gb_ntp_detect_lin.nasl");
script_mandatory_keys("ntpd/version/detected");
script_xref(name:"URL", value:"https://www.kb.cert.org/vuls/id/633847");
script_tag(name:"summary", value:"NTP.org's reference implementation of NTP server, ntpd, is prone to
multiple vulnerabilities.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable version is present on the target host.");
# Both issues are denial of service against broadcast-mode processing: crafted
# broadcast packets make ntpd reject packets from the legitimate broadcast server.
script_tag(name:"insight", value:"NTP.org's ntpd is prone to multiple vulnerabilities:
- The broadcast mode of NTP is expected to only be used in a trusted network. If the broadcast network is
accessible to an attacker, a potentially exploitable denial of service vulnerability in ntpd's broadcast mode
replay prevention functionality can be abused. An attacker with access to the NTP broadcast domain can
periodically inject specially crafted broadcast mode NTP packets into the broadcast domain which, while being
logged by ntpd, can cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers.
(CVE-2016-7427)
- The broadcast mode of NTP is expected to only be used in a trusted network. If the broadcast network is
accessible to an attacker, a potentially exploitable denial of service vulnerability in ntpd's broadcast mode
poll interval enforcement functionality can be abused. To limit abuse, ntpd restricts the rate at which each
broadcast association will process incoming packets. ntpd will reject broadcast mode packets that arrive before
the poll interval specified in the preceding broadcast packet expires. An attacker with access to the NTP
broadcast domain can send specially crafted broadcast mode NTP packets to the broadcast domain which, while
being logged by ntpd, will cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers.
(CVE-2016-7428)");
# NOTE(review): "remote" is broader than the AV:A vector and the insight text above,
# which both require access to the broadcast domain; triage with the narrower reading.
script_tag(name:"impact", value:"A remote unauthenticated attacker may be able to perform a denial of
service on ntpd.");
# These ranges correspond to the revcomp() bounds in the check after this section:
# >= 4.2.8p6 and < 4.2.8p9, >= 4.3.90 and < 4.3.94.
script_tag(name:"affected", value:"Version 4.2.8p6 up to 4.2.8p8, 4.3.90 up to 4.3.93.");
script_tag(name:"solution", value:"Upgrade to NTP.org's ntpd version 4.2.8p9, 4.3.94 or later.");
# Low-confidence result type: the finding rests on a version string alone. It does not
# show that ntpd is configured for broadcast mode, and a vendor backport may fix the
# issue without changing the reported version -- verify a hit before treating it as confirmed.
script_tag(name:"qod_type", value:"remote_banner_unreliable");
script_tag(name:"solution_type", value:"VendorFix");
exit(0);
}
include("version_func.inc");
include("revisions-lib.inc");
include("host_details.inc");
# Version-only check for CVE-2016-7427 / CVE-2016-7428.
# Looks up the detected ntpd installation for CPE, then reports it when the version
# falls in one of the two affected ranges. No broadcast-mode configuration is
# inspected here, so a report means "version is in range", not "confirmed exposed".

# No port registered for this CPE: nothing to evaluate.
port = get_app_port(cpe:CPE);
if(isnull(port))
  exit(0);

# No installation details for that port: nothing to evaluate.
infos = get_app_full(cpe:CPE, port:port);
if(!infos)
  exit(0);

# Without a version string the range comparison below is meaningless.
version = infos["version"];
if(!version)
  exit(0);

location = infos["location"];
proto = infos["proto"];

# Pick the fixed release for whichever affected branch the version belongs to.
# Lower bounds are inclusive, upper bounds (the fixed releases) are exclusive.
fix = NULL;
if(revcomp(a:version, b:"4.2.8p6") >= 0 && revcomp(a:version, b:"4.2.8p9") < 0)
  fix = "4.2.8p9";
else if(revcomp(a:version, b:"4.3.90") >= 0 && revcomp(a:version, b:"4.3.94") < 0)
  fix = "4.3.94";

# Version outside both ranges: exit code 99 marks the host as checked and not affected.
if(isnull(fix))
  exit(99);

report = report_fixed_ver(installed_version:version, fixed_version:fix, install_path:location);
security_message(port:port, data:report, proto:proto);
exit(0);
{"id": "OPENVAS:1361412562310106405", "type": "openvas", "bulletinFamily": "scanner", "title": "NTP.org 'ntpd' Multiple Vulnerabilities - Nov16 - 1", "description": "NTP.org", "published": "2016-06-03T00:00:00", "modified": "2019-09-24T00:00:00", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:P"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106405", "reporter": "This script is Copyright (C) 2016 Greenbone Networks GmbH", "references": ["https://www.kb.cert.org/vuls/id/633847"], "cvelist": ["CVE-2016-7427", "CVE-2016-7428"], "lastseen": "2019-09-25T13:22:22", "viewCount": 2, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-7427", "CVE-2016-7428"]}, {"type": "nessus", "idList": ["AIX_IV92193.NASL", "EULEROS_SA-2020-1611.NASL", "AIX_IV91951.NASL", "EULEROS_SA-2020-2225.NASL", "EULEROS_SA-2020-1547.NASL", "EULEROS_SA-2020-1723.NASL", "AIX_IV92067.NASL", "AIX_NTP_V4_ADVISORY8.NASL", "AIX_IV92192.NASL", "AIX_IV91803.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562311220201611", "OPENVAS:1361412562310843238", "OPENVAS:1361412562311220201723", "OPENVAS:1361412562311220201547", "OPENVAS:1361412562310106754"]}, {"type": "seebug", "idList": ["SSV:96650", "SSV:96648"]}, {"type": "aix", "idList": ["NTP_ADVISORY8.ASC"]}, {"type": "f5", "idList": ["F5:K80996302"]}, {"type": "freebsd", "idList": ["8DB8D62A-B08B-11E6-8EBA-D050996490D0", "FCEDCDBB-C86E-11E6-B1CF-14DAE9D210B8"]}, {"type": "talos", "idList": ["TALOS-2016-0130", "TALOS-2016-0131"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20171129-01-NTPD"]}, {"type": "archlinux", "idList": ["ASA-201611-28"]}, {"type": "ubuntu", "idList": ["USN-3349-1", "USN-3707-2"]}, {"type": "symantec", "idList": ["SMNTC-1393"]}, {"type": "cert", "idList": ["VU:633847"]}, {"type": "slackware", "idList": ["SSA-2016-326-01"]}, {"type": "cisco", "idList": ["CISCO-SA-20161123-NTPD"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:8722C197C1671303FFCA9E919368B734"]}], 
"modified": "2019-09-25T13:22:22", "rev": 2}, "score": {"value": 7.5, "vector": "NONE", "modified": "2019-09-25T13:22:22", "rev": 2}, "vulnersScore": 7.5}, "pluginID": "1361412562310106405", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# NTP.org 'ntp' Multiple Vulnerabilities (Nov-2016)\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:ntp:ntp\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106405\");\n script_version(\"2019-09-24T10:41:39+0000\");\n script_cve_id(\"CVE-2016-7428\", \"CVE-2016-7427\");\n script_tag(name:\"last_modification\", value:\"2019-09-24 10:41:39 +0000 (Tue, 24 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-06-03 11:18:33 +0700 (Fri, 03 Jun 2016)\");\n script_tag(name:\"cvss_base\", value:\"3.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"NTP.org 'ntpd' Multiple Vulnerabilities - Nov16 - 1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"This script is Copyright (C) 2016 
Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_ntp_detect_lin.nasl\");\n script_mandatory_keys(\"ntpd/version/detected\");\n\n script_xref(name:\"URL\", value:\"https://www.kb.cert.org/vuls/id/633847\");\n\n script_tag(name:\"summary\", value:\"NTP.org's reference implementation of NTP server, ntpd, is prone to\n multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"NTP.org's ntpd is prone to multiple vulnerabilities:\n\n - The broadcast mode of NTP is expected to only be used in a trusted network. If the broadcast network is\n accessible to an attacker, a potentially exploitable denial of service vulnerability in ntpd's broadcast mode\n replay prevention functionality can be abused. An attacker with access to the NTP broadcast domain can\n periodically inject specially crafted broadcast mode NTP packets into the broadcast domain which, while being\n logged by ntpd, can cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers.\n (CVE-2016-7427)\n\n - The broadcast mode of NTP is expected to only be used in a trusted network. If the broadcast network is\n accessible to an attacker, a potentially exploitable denial of service vulnerability in ntpd's broadcast mode\n poll interval enforcement functionality can be abused. To limit abuse, ntpd restricts the rate at which each\n broadcast association will process incoming packets. ntpd will reject broadcast mode packets that arrive before\n the poll interval specified in the preceding broadcast packet expires. 
An attacker with access to the NTP\n broadcast domain can send specially crafted broadcast mode NTP packets to the broadcast domain which, while\n being logged by ntpd, will cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers.\n (CVE-2016-7428)\");\n\n script_tag(name:\"impact\", value:\"A remote unauthenticated attacker may be able to perform a denial of\n service on ntpd.\");\n\n script_tag(name:\"affected\", value:\"Version 4.2.8p6 up to 4.2.8p8, 4.3.90 up to 4.3.93.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to NTP.org's ntpd version 4.2.8p9, 4.3.94 or later.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"revisions-lib.inc\");\ninclude(\"host_details.inc\");\n\nif(isnull(port = get_app_port(cpe:CPE)))\n exit(0);\n\nif(!infos = get_app_full(cpe:CPE, port:port))\n exit(0);\n\nif(!version = infos[\"version\"])\n exit(0);\n\nlocation = infos[\"location\"];\nproto = infos[\"proto\"];\n\nif((revcomp(a:version, b:\"4.2.8p6\") >= 0) && (revcomp(a:version, b:\"4.2.8p9\") < 0)) {\n report = report_fixed_ver(installed_version:version, fixed_version:\"4.2.8p9\", install_path:location);\n security_message(port:port, data:report, proto:proto);\n exit(0);\n}\n\nif((revcomp(a:version, b:\"4.3.90\") >= 0) && (revcomp(a:version, b:\"4.3.94\") < 0)) {\n report = report_fixed_ver(installed_version:version, fixed_version:\"4.3.94\", install_path:location);\n security_message(port:port, data:report, proto:proto);\n exit(0);\n}\n\nexit(99);\n", "naslFamily": "General"}
{"cve": [{"lastseen": "2020-10-03T12:10:50", "description": "ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via the poll interval in a broadcast packet.", "edition": 3, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "baseScore": 4.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 1.4}, "published": "2017-01-13T16:59:00", "title": "CVE-2016-7428", "type": "cve", "cwe": ["CWE-400"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7428"], "modified": "2019-01-24T11:29:00", "cpe": ["cpe:/a:ntp:ntp:4.2.8"], "id": "CVE-2016-7428", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7428", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:ntp:ntp:4.2.8:p8:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p7:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p6:*:*:*:*:*:*"]}, {"lastseen": "2020-10-03T12:10:50", "description": "The broadcast mode replay prevention functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via a crafted broadcast mode packet.", "edition": 3, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": 
"MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "baseScore": 4.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 1.4}, "published": "2017-01-13T16:59:00", "title": "CVE-2016-7427", "type": "cve", "cwe": ["CWE-400"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7427"], "modified": "2019-01-24T11:29:00", "cpe": ["cpe:/a:ntp:ntp:4.2.8"], "id": "CVE-2016-7427", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7427", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:ntp:ntp:4.2.8:p8:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p7:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p6:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2020-06-04T15:50:29", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7427", "CVE-2016-7428"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-06-03T00:00:00", "published": "2020-06-03T00:00:00", "id": "OPENVAS:1361412562311220201611", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201611", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2020-1611)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are 
Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1611\");\n script_version(\"2020-06-03T06:06:02+0000\");\n script_cve_id(\"CVE-2016-7427\", \"CVE-2016-7428\");\n script_tag(name:\"cvss_base\", value:\"3.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-06-03 06:06:02 +0000 (Wed, 03 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-03 06:06:02 +0000 (Wed, 03 Jun 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2020-1611)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1611\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1611\");\n\n script_tag(name:\"summary\", value:\"The remote host is 
missing an update for the Huawei EulerOS\n 'ntp' package(s) announced via the EulerOS-SA-2020-1611 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via the poll interval in a broadcast packet.(CVE-2016-7428)\n\nThe broadcast mode replay prevention functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via a crafted broadcast mode packet.(CVE-2016-7427)\");\n\n script_tag(name:\"affected\", value:\"'ntp' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~28.h15.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ntpdate\", rpm:\"ntpdate~4.2.6p5~28.h15.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"sntp\", rpm:\"sntp~4.2.6p5~28.h15.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-07-21T19:55:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5211", "CVE-2016-7427", "CVE-2016-7428"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": 
"2020-07-03T00:00:00", "published": "2020-07-03T00:00:00", "id": "OPENVAS:1361412562311220201723", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201723", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2020-1723)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1723\");\n script_version(\"2020-07-03T06:18:48+0000\");\n script_cve_id(\"CVE-2013-5211\", \"CVE-2016-7427\", \"CVE-2016-7428\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-07-03 06:18:48 +0000 (Fri, 03 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-07-03 06:18:48 +0000 (Fri, 03 Jul 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2020-1723)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n 
script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRT-3\\.0\\.6\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1723\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1723\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'ntp' package(s) announced via the EulerOS-SA-2020-1723 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.(CVE-2013-5211)\n\nThe broadcast mode replay prevention functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via a crafted broadcast mode packet.(CVE-2016-7427)\n\nntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via the poll interval in a broadcast packet.(CVE-2016-7428)\");\n\n script_tag(name:\"affected\", value:\"'ntp' package(s) on Huawei EulerOS Virtualization 3.0.6.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRT-3.0.6.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~28.h15.eulerosv2r7\", 
rls:\"EULEROSVIRT-3.0.6.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ntpdate\", rpm:\"ntpdate~4.2.6p5~28.h15.eulerosv2r7\", rls:\"EULEROSVIRT-3.0.6.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"sntp\", rpm:\"sntp~4.2.6p5~28.h15.eulerosv2r7\", rls:\"EULEROSVIRT-3.0.6.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-05-06T01:07:29", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5211", "CVE-2016-7427", "CVE-2016-7428"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-04-30T00:00:00", "published": "2020-04-30T00:00:00", "id": "OPENVAS:1361412562311220201547", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201547", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2020-1547)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1547\");\n script_version(\"2020-04-30T12:13:13+0000\");\n script_cve_id(\"CVE-2013-5211\", \"CVE-2016-7427\", \"CVE-2016-7428\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-04-30 12:13:13 +0000 (Thu, 30 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-30 12:13:13 +0000 (Thu, 30 Apr 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2020-1547)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.2\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1547\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1547\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'ntp' package(s) announced via the EulerOS-SA-2020-1547 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in 
December 2013.(CVE-2013-5211)\n\nThe broadcast mode replay prevention functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via a crafted broadcast mode packet.(CVE-2016-7427)\n\nntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via the poll interval in a broadcast packet.(CVE-2016-7428)\");\n\n script_tag(name:\"affected\", value:\"'ntp' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.2.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.2.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~28.h15\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ntpdate\", rpm:\"ntpdate~4.2.6p5~28.h15\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"sntp\", rpm:\"sntp~4.2.6p5~28.h15\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2019-05-29T18:34:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7434", "CVE-2016-9311", "CVE-2017-6460", "CVE-2016-7433", "CVE-2017-6458", "CVE-2016-7427", "CVE-2016-9042", "CVE-2017-6462", "CVE-2016-7429", "CVE-2017-6463", "CVE-2016-2519", "CVE-2016-7428", "CVE-2016-9310", "CVE-2017-6464", "CVE-2016-7426", "CVE-2016-7431"], "description": "The remote host is missing an update for the ", "modified": 
"2019-03-13T00:00:00", "published": "2017-07-14T00:00:00", "id": "OPENVAS:1361412562310843238", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843238", "type": "openvas", "title": "Ubuntu Update for ntp USN-3349-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3349_1.nasl 14140 2019-03-13 12:26:09Z cfischer $\n#\n# Ubuntu Update for ntp USN-3349-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843238\");\n script_version(\"$Revision: 14140 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-13 13:26:09 +0100 (Wed, 13 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-07-14 15:54:52 +0530 (Fri, 14 Jul 2017)\");\n script_cve_id(\"CVE-2016-2519\", \"CVE-2016-7426\", \"CVE-2016-7427\", \"CVE-2016-7428\",\n \"CVE-2016-7429\", \"CVE-2016-7431\", \"CVE-2016-7433\", \"CVE-2016-7434\", \"CVE-2016-9042\",\n \"CVE-2016-9310\", \"CVE-2016-9311\", \"CVE-2017-6458\", \"CVE-2017-6460\", \"CVE-2017-6462\",\n \"CVE-2017-6463\", \"CVE-2017-6464\");\n script_tag(name:\"cvss_base\", value:\"7.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for ntp USN-3349-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'ntp'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Yihan Lian discovered that NTP incorrectly\n handled certain large request data values. A remote attacker could possibly use\n this issue to cause NTP to crash, resulting in a denial of service. This issue\n only affected Ubuntu 16.04 LTS. 
(CVE-2016-2519) Miroslav Lichvar discovered that\n NTP incorrectly handled certain spoofed addresses when performing rate limiting.\n A remote attacker could possibly use this issue to perform a denial of service.\n This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10.\n (CVE-2016-7426) Matthew Van Gundy discovered that NTP incorrectly handled\n certain crafted broadcast mode packets. A remote attacker could possibly use\n this issue to perform a denial of service. This issue only affected Ubuntu 14.04\n LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7427, CVE-2016-7428) Miroslav\n Lichvar discovered that NTP incorrectly handled certain responses. A remote\n attacker could possibly use this issue to perform a denial of service. This\n issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10.\n (CVE-2016-7429) Sharon Goldberg and Aanchal Malhotra discovered that NTP\n incorrectly handled origin timestamps of zero. A remote attacker could possibly\n use this issue to bypass the origin timestamp protection mechanism. This issue\n only affected Ubuntu 16.10. (CVE-2016-7431) Brian Utterback, Sharon Goldberg and\n Aanchal Malhotra discovered that NTP incorrectly performed initial sync\n calculations. This issue only applied to Ubuntu 16.04 LTS and Ubuntu 16.10.\n (CVE-2016-7433) Magnus Stubman discovered that NTP incorrectly handled certain\n mrulist queries. A remote attacker could possibly use this issue to cause NTP to\n crash, resulting in a denial of service. This issue only affected Ubuntu 16.04\n LTS and Ubuntu 16.10. (CVE-2016-7434) Matthew Van Gundy discovered that NTP\n incorrectly handled origin timestamp checks. A remote attacker could possibly\n use this issue to perform a denial of service. This issue only affected Ubuntu\n 16.10, and Ubuntu 17.04. (CVE-2016-9042) Matthew Van Gundy discovered\n that NTP incorrectly handled certain control mode packets. 
A remote attacker\n could use this issue to set or unset traps. This issue only applied to Ubuntu\n 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9310) Matthew Van Gundy\n discovered that NTP incorrectly handled the trap service. A remote attacker\n could possibly use this issue to cause NTP to crash, resulting in a denial of\n service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and\n Ubuntu 16.10. (CVE-2016-9311) It was di ... Description truncated, for more\n information please check the Reference URL\");\n script_tag(name:\"affected\", value:\"ntp on Ubuntu 17.04,\n Ubuntu 16.10,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please Install the Updated Packages.\");\n\n script_xref(name:\"USN\", value:\"3349-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3349-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|17\\.04|16\\.10|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.6.p5+dfsg-3ubuntu2.14.04.11\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU17.04\")\n{\n\n if ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.8p9+dfsg-2ubuntu1.1\", rls:\"UBUNTU17.04\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.10\")\n{\n\n if ((res = 
isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.8p8+dfsg-1ubuntu2.1\", rls:\"UBUNTU16.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.8p4+dfsg-3ubuntu5.5\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:34:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9311", "CVE-2015-7973", "CVE-2015-8158", "CVE-2015-7979", "CVE-2016-7427", "CVE-2016-7429", "CVE-2016-9310", "CVE-2016-7431"], "description": "Junos OS is prone to multiple vulnerabilities in NTP.", "modified": "2018-10-26T00:00:00", "published": "2017-04-13T00:00:00", "id": "OPENVAS:1361412562310106754", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106754", "type": "openvas", "title": "Junos Multiple NTP Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_junos_jsa10776.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Junos Multiple NTP Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/o:juniper:junos';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106754\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-13 08:24:49 +0200 (Thu, 13 Apr 2017)\");\n script_tag(name:\"cvss_base\", value:\"7.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n\n script_cve_id(\"CVE-2016-9311\", \"CVE-2016-9310\", \"CVE-2015-7973\", \"CVE-2015-7979\", \"CVE-2016-7431\",\n\"CVE-2015-8158\", \"CVE-2016-7429\", \"CVE-2016-7427\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Junos Multiple NTP Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_family(\"JunOS Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_ssh_junos_get_version.nasl\", \"gb_junos_snmp_version.nasl\");\n script_mandatory_keys(\"Junos/Version\");\n\n script_tag(name:\"summary\", value:\"Junos OS is prone to multiple vulnerabilities in NTP.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable OS build is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"NTP.org and FreeBSD have published security advisories for vulnerabilities\nresolved in ntpd which impact Junos OS.\");\n\n script_tag(name:\"affected\", value:\"Junos OS 12.3X48, 14.1, 14.2, 15.1, 16.1 and 16.2\");\n\n script_tag(name:\"solution\", value:\"New builds of 
Junos OS software are available from Juniper.\");\n\n script_xref(name:\"URL\", value:\"http://kb.juniper.net/JSA10776\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"revisions-lib.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE, nofork: TRUE))\n exit(0);\n\nif (version =~ \"^12\") {\n if ((revcomp(a: version, b: \"12.3X48-D45\") < 0) &&\n (revcomp(a: version, b: \"12.3X48\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"12.3X48-D45\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^14\") {\n if (revcomp(a: version, b: \"14.1R8-S3\") < 0) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"14.1R8-S3\");\n security_message(port: 0, data: report);\n exit(0);\n }\n else if ((revcomp(a: version, b: \"14.2R7-S6\") < 0) &&\n (revcomp(a: version, b: \"14.2\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"14.2R7-S6\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^15\") {\n if ((revcomp(a: version, b: \"15.1F7\") < 0) &&\n (revcomp(a: version, b: \"15.1F\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"15.1F7\");\n security_message(port: 0, data: report);\n exit(0);\n }\n else if ((revcomp(a: version, b: \"15.1R6\") < 0) &&\n (revcomp(a: version, b: \"15.1R\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"15.1R6\");\n security_message(port: 0, data: report);\n exit(0);\n }\n else if ((revcomp(a: version, b: \"15.1X49-D80\") < 0) &&\n (revcomp(a: version, b: \"15.1X49\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"15.1X49-D80\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^16\") {\n if (revcomp(a: version, b: \"16.1R3-S3\") < 0) {\n report = report_fixed_ver(installed_version: version, fixed_version: 
\"16.1R3-S3\");\n security_message(port: 0, data: report);\n exit(0);\n }\n else if ((revcomp(a: version, b: \"16.2R1-S3\") < 0) &&\n (revcomp(a: version, b: \"16.2\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"16.2R1-S3\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}], "nessus": [{"lastseen": "2021-01-07T09:04:34", "description": "According to the versions of the ntp packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via the poll interval in a broadcast\n packet.(CVE-2016-7428)\n\n - The broadcast mode replay prevention functionality in\n ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via a crafted broadcast mode\n packet.(CVE-2016-7427)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 4, "cvss3": {"score": 4.3, "vector": "AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "published": "2020-06-02T00:00:00", "title": "EulerOS 2.0 SP5 : ntp (EulerOS-SA-2020-1611)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7427", "CVE-2016-7428"], "modified": "2020-06-02T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:ntpdate", "p-cpe:/a:huawei:euleros:ntp", "p-cpe:/a:huawei:euleros:sntp", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2020-1611.NASL", "href": "https://www.tenable.com/plugins/nessus/137029", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137029);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2016-7427\",\n \"CVE-2016-7428\"\n );\n\n script_name(english:\"EulerOS 2.0 SP5 : ntp (EulerOS-SA-2020-1611)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the ntp packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via the poll interval in a broadcast\n packet.(CVE-2016-7428)\n\n - The broadcast mode replay prevention functionality in\n ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via a crafted broadcast mode\n packet.(CVE-2016-7427)\n\nNote that Tenable Network Security has extracted the 
preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1611\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3fdb0465\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected ntp packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ntpdate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:sntp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"ntp-4.2.6p5-28.h15.eulerosv2r7\",\n \"ntpdate-4.2.6p5-28.h15.eulerosv2r7\",\n \"sntp-4.2.6p5-28.h15.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp\");\n}\n", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T09:04:16", "description": "According to the versions of 
the ntp packages installed, the EulerOS\nVirtualization for ARM 64 installation on the remote host is affected\nby the following vulnerabilities :\n\n - The monlist feature in ntp_request.c in ntpd in NTP\n before 4.2.7p26 allows remote attackers to cause a\n denial of service (traffic amplification) via forged\n (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests,\n as exploited in the wild in December\n 2013.(CVE-2013-5211)\n\n - The broadcast mode replay prevention functionality in\n ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via a crafted broadcast mode\n packet.(CVE-2016-7427)\n\n - ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via the poll interval in a broadcast\n packet.(CVE-2016-7428)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 5, "cvss3": {"score": 4.3, "vector": "AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "published": "2020-05-01T00:00:00", "title": "EulerOS Virtualization for ARM 64 3.0.2.0 : ntp (EulerOS-SA-2020-1547)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5211", "CVE-2016-7427", "CVE-2016-7428"], "modified": "2020-05-01T00:00:00", "cpe": ["cpe:/o:huawei:euleros:uvp:3.0.2.0", "p-cpe:/a:huawei:euleros:ntpdate", "p-cpe:/a:huawei:euleros:ntp", "p-cpe:/a:huawei:euleros:sntp"], "id": "EULEROS_SA-2020-1547.NASL", "href": "https://www.tenable.com/plugins/nessus/136250", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136250);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n 
script_cve_id(\n \"CVE-2013-5211\",\n \"CVE-2016-7427\",\n \"CVE-2016-7428\"\n );\n script_bugtraq_id(\n 64692\n );\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.2.0 : ntp (EulerOS-SA-2020-1547)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the ntp packages installed, the EulerOS\nVirtualization for ARM 64 installation on the remote host is affected\nby the following vulnerabilities :\n\n - The monlist feature in ntp_request.c in ntpd in NTP\n before 4.2.7p26 allows remote attackers to cause a\n denial of service (traffic amplification) via forged\n (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests,\n as exploited in the wild in December\n 2013.(CVE-2013-5211)\n\n - The broadcast mode replay prevention functionality in\n ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via a crafted broadcast mode\n packet.(CVE-2016-7427)\n\n - ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via the poll interval in a broadcast\n packet.(CVE-2016-7428)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1547\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bfe5fbf2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected ntp packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ntpdate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:sntp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.2.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.2.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"ntp-4.2.6p5-28.h15\",\n \"ntpdate-4.2.6p5-28.h15\",\n \"sntp-4.2.6p5-28.h15\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T09:05:07", "description": "According to the versions of the ntp packages installed, the EulerOS\nVirtualization installation on the remote host is affected by the\nfollowing vulnerabilities :\n\n - The monlist feature in ntp_request.c in ntpd in NTP\n before 4.2.7p26 allows remote attackers to cause a\n denial of service (traffic amplification) via forged\n (1) REQ_MON_GETLIST or 
(2) REQ_MON_GETLIST_1 requests,\n as exploited in the wild in December\n 2013.(CVE-2013-5211)\n\n - The broadcast mode replay prevention functionality in\n ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via a crafted broadcast mode\n packet.(CVE-2016-7427)\n\n - ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via the poll interval in a broadcast\n packet.(CVE-2016-7428)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 7, "cvss3": {"score": 4.3, "vector": "AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "published": "2020-07-01T00:00:00", "title": "EulerOS Virtualization 3.0.6.0 : ntp (EulerOS-SA-2020-1723)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5211", "CVE-2016-7427", "CVE-2016-7428"], "modified": "2020-07-01T00:00:00", "cpe": ["cpe:/o:huawei:euleros:uvp:3.0.6.0", "p-cpe:/a:huawei:euleros:ntpdate", "p-cpe:/a:huawei:euleros:ntp", "p-cpe:/a:huawei:euleros:sntp"], "id": "EULEROS_SA-2020-1723.NASL", "href": "https://www.tenable.com/plugins/nessus/137942", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137942);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2013-5211\",\n \"CVE-2016-7427\",\n \"CVE-2016-7428\"\n );\n script_bugtraq_id(\n 64692\n );\n\n script_name(english:\"EulerOS Virtualization 3.0.6.0 : ntp (EulerOS-SA-2020-1723)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The 
remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the ntp packages installed, the EulerOS\nVirtualization installation on the remote host is affected by the\nfollowing vulnerabilities :\n\n - The monlist feature in ntp_request.c in ntpd in NTP\n before 4.2.7p26 allows remote attackers to cause a\n denial of service (traffic amplification) via forged\n (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests,\n as exploited in the wild in December\n 2013.(CVE-2013-5211)\n\n - The broadcast mode replay prevention functionality in\n ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via a crafted broadcast mode\n packet.(CVE-2016-7427)\n\n - ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via the poll interval in a broadcast\n packet.(CVE-2016-7428)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1723\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fb360c82\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected ntp packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-5211\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ntpdate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:sntp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.6.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.6.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.6.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"ntp-4.2.6p5-28.h15.eulerosv2r7\",\n \"ntpdate-4.2.6p5-28.h15.eulerosv2r7\",\n \"sntp-4.2.6p5-28.h15.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T09:06:40", "description": "According to the versions of the ntp packages installed, the EulerOS\nVirtualization installation on the remote host is affected by the\nfollowing vulnerabilities :\n\n - The monlist feature in ntp_request.c in ntpd in NTP\n before 4.2.7p26 allows remote attackers to cause a\n denial of 
service (traffic amplification) via forged\n (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests,\n as exploited in the wild in December\n 2013.(CVE-2013-5211)\n\n - The broadcast mode replay prevention functionality in\n ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via a crafted broadcast mode\n packet.(CVE-2016-7427)\n\n - ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via the poll interval in a broadcast\n packet.(CVE-2016-7428)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 6, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2020-10-21T00:00:00", "title": "EulerOS Virtualization 3.0.2.2 : ntp (EulerOS-SA-2020-2225)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5211", "CVE-2016-7427", "CVE-2016-7428"], "modified": "2020-10-21T00:00:00", "cpe": ["cpe:/o:huawei:euleros:uvp:3.0.2.2", "p-cpe:/a:huawei:euleros:ntpdate", "p-cpe:/a:huawei:euleros:ntp"], "id": "EULEROS_SA-2020-2225.NASL", "href": "https://www.tenable.com/plugins/nessus/141678", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141678);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2013-5211\",\n \"CVE-2016-7427\",\n \"CVE-2016-7428\"\n );\n script_bugtraq_id(\n 64692\n );\n\n script_name(english:\"EulerOS Virtualization 3.0.2.2 : ntp (EulerOS-SA-2020-2225)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the ntp packages installed, the EulerOS\nVirtualization installation on the remote host is affected by the\nfollowing vulnerabilities :\n\n - The monlist feature in ntp_request.c in ntpd in NTP\n before 4.2.7p26 allows remote attackers to cause a\n denial of service (traffic amplification) via forged\n (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests,\n as exploited in the wild in December\n 2013.(CVE-2013-5211)\n\n - The broadcast mode replay prevention functionality in\n ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via a crafted broadcast mode\n packet.(CVE-2016-7427)\n\n - ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via the poll interval in a broadcast\n packet.(CVE-2016-7428)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-2225\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b45ced1b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected ntp packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-5211\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ntpdate\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.2.2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.2.2\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.2.2\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"ntp-4.2.6p5-28.h15.eulerosv2r7\",\n \"ntpdate-4.2.6p5-28.h15.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2017-10-29T13:44:18", "edition": 11, "description": "NTPv3 and NTPv4 are vulnerable to :\n\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427 NTP is vulnerable to a denial of service, caused by an error in broadcast mode replay prevention functionality. 
By sending specially crafted NTP packets, a local attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by an error in broadcast mode poll interval enforcement functionality. By sending specially crafted NTP packets, a remote attacker from within the local network could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by an error in the control mode (mode 6) functionality. By sending specially crafted control mode packets, a remote attacker could exploit this vulnerability to obtain sensitive information and cause the application to crash. NTP is vulnerable to a denial of service, caused by a NULL pointer dereference when trap service has been enabled. By sending specially crafted packets, a remote attacker could exploit this vulnerability to cause the application to crash.\n\nThis plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory8.nasl (plugin id 102129).", "published": "2017-02-14T00:00:00", "title": "AIX 7.2 TL 0 : ntp (IV92192) (deprecated)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9311", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-9310"], "modified": "2017-08-03T00:00:00", "cpe": ["cpe:/o:ibm:aix:7.2"], "id": "AIX_IV92192.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=97133", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory ntp_advisory8.asc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2017/07/20. 
Deprecated by aix_ntp_v3_advisory8.nasl.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97133);\n script_version(\"$Revision: 3.7 $\");\n script_cvs_date(\"$Date: 2017/08/03 16:49:17 $\");\n\n script_cve_id(\"CVE-2016-7427\", \"CVE-2016-7428\", \"CVE-2016-9310\", \"CVE-2016-9311\");\n\n script_name(english:\"AIX 7.2 TL 0 : ntp (IV92192) (deprecated)\");\n script_summary(english:\"Check for APAR IV92192\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"This plugin has been deprecated.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"NTPv3 and NTPv4 are vulnerable to :\n\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427 NTP is\nvulnerable to a denial of service, caused by an error in broadcast\nmode replay prevention functionality. By sending specially crafted NTP\npackets, a local attacker could exploit this vulnerability to cause a\ndenial of service. NTP is vulnerable to a denial of service, caused by\nan error in broadcast mode poll interval enforcement functionality. By\nsending specially crafted NTP packets, a remote attacker from within\nthe local network could exploit this vulnerability to cause a denial\nof service. NTP is vulnerable to a denial of service, caused by an\nerror in the control mode (mode 6) functionality. By sending specially\ncrafted control mode packets, a remote attacker could exploit this\nvulnerability to obtain sensitive information and cause the\napplication to crash. NTP is vulnerable to a denial of service, caused\nby a NULL pointer dereference when trap service has been enabled. 
By\nsending specially crafted packets, a remote attacker could exploit\nthis vulnerability to cause the application to crash.\n\nThis plugin has been deprecated to better accommodate iFix\nsupersedence with replacement plugin aix_ntp_v3_advisory8.nasl (plugin\nid 102129).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"n/a\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:7.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/02/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated. Use aix_ntp_v3_advisory8.nasl (plugin ID 102129) instead.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! 
get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"7.2\", ml:\"00\", sp:\"00\", patch:\"IV92192m2a\", package:\"bos.net.tcp.ntp\", minfilesetver:\"7.2.0.0\", maxfilesetver:\"7.2.0.2\") < 0) flag++;\nif (aix_check_ifix(release:\"7.2\", ml:\"00\", sp:\"00\", patch:\"IV92192m2a\", package:\"bos.net.tcp.ntpd\", minfilesetver:\"7.2.0.0\", maxfilesetver:\"7.2.0.2\") < 0) flag++;\nif (aix_check_ifix(release:\"7.2\", ml:\"00\", sp:\"01\", patch:\"IV92192m2a\", package:\"bos.net.tcp.ntp\", minfilesetver:\"7.2.0.0\", maxfilesetver:\"7.2.0.2\") < 0) flag++;\nif (aix_check_ifix(release:\"7.2\", ml:\"00\", sp:\"01\", patch:\"IV92192m2a\", package:\"bos.net.tcp.ntpd\", minfilesetver:\"7.2.0.0\", maxfilesetver:\"7.2.0.2\") < 0) flag++;\nif (aix_check_ifix(release:\"7.2\", ml:\"00\", sp:\"02\", patch:\"IV92192m2a\", package:\"bos.net.tcp.ntp\", minfilesetver:\"7.2.0.0\", maxfilesetver:\"7.2.0.2\") < 0) flag++;\nif (aix_check_ifix(release:\"7.2\", ml:\"00\", sp:\"02\", patch:\"IV92192m2a\", package:\"bos.net.tcp.ntpd\", minfilesetver:\"7.2.0.0\", maxfilesetver:\"7.2.0.2\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:aix_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-10-29T13:45:03", "edition": 9, "description": "NTPv3 and NTPv4 are vulnerable to :\n\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427 NTP is vulnerable to a denial of service, caused by an error in broadcast mode replay prevention functionality. By sending specially crafted NTP packets, a local attacker could exploit this vulnerability to cause a denial of service. 
NTP is vulnerable to a denial of service, caused by an error in broadcast mode poll interval enforcement functionality. By sending specially crafted NTP packets, a remote attacker from within the local network could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by an error in the control mode (mode 6) functionality. By sending specially crafted control mode packets, a remote attacker could exploit this vulnerability to obtain sensitive information and cause the application to crash. NTP is vulnerable to a denial of service, caused by a NULL pointer dereference when trap service has been enabled. By sending specially crafted packets, a remote attacker could exploit this vulnerability to cause the application to crash.\n\nThis plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory8.nasl (plugin id 102129).", "published": "2017-02-21T00:00:00", "type": "nessus", "title": "AIX 5.3 TL 12 : ntp (IV92194) (deprecated)", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9311", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-9310"], "cpe": ["cpe:/o:ibm:aix:5.3"], "modified": "2017-08-03T00:00:00", "href": "https://www.tenable.com/plugins/index.php?view=single&id=97230", "id": "AIX_IV92194.NASL", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory ntp_advisory8.asc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2017/07/20. 
Deprecated by aix_ntp_v3_advisory8.nasl.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97230);\n script_version(\"$Revision: 3.5 $\");\n script_cvs_date(\"$Date: 2017/08/03 16:49:17 $\");\n\n script_cve_id(\"CVE-2016-7427\", \"CVE-2016-7428\", \"CVE-2016-9310\", \"CVE-2016-9311\");\n\n script_name(english:\"AIX 5.3 TL 12 : ntp (IV92194) (deprecated)\");\n script_summary(english:\"Check for APAR IV92194\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"This plugin has been deprecated.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"NTPv3 and NTPv4 are vulnerable to :\n\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427 NTP is\nvulnerable to a denial of service, caused by an error in broadcast\nmode replay prevention functionality. By sending specially crafted NTP\npackets, a local attacker could exploit this vulnerability to cause a\ndenial of service. NTP is vulnerable to a denial of service, caused by\nan error in broadcast mode poll interval enforcement functionality. By\nsending specially crafted NTP packets, a remote attacker from within\nthe local network could exploit this vulnerability to cause a denial\nof service. NTP is vulnerable to a denial of service, caused by an\nerror in the control mode (mode 6) functionality. By sending specially\ncrafted control mode packets, a remote attacker could exploit this\nvulnerability to obtain sensitive information and cause the\napplication to crash. NTP is vulnerable to a denial of service, caused\nby a NULL pointer dereference when trap service has been enabled. 
By\nsending specially crafted packets, a remote attacker could exploit\nthis vulnerability to cause the application to crash.\n\nThis plugin has been deprecated to better accommodate iFix\nsupersedence with replacement plugin aix_ntp_v3_advisory8.nasl (plugin\nid 102129).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"n/a\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:5.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/02/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated. Use aix_ntp_v3_advisory8.nasl (plugin ID 102129) instead.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! 
get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"5.3\", ml:\"12\", sp:\"09\", patch:\"IV92194m9a\", package:\"bos.net.tcp.client\", minfilesetver:\"5.3.12.0\", maxfilesetver:\"5.3.12.10\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:aix_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-10-29T13:42:40", "edition": 11, "description": "NTPv3 and NTPv4 are vulnerable to :\n\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427 NTP is vulnerable to a denial of service, caused by an error in broadcast mode replay prevention functionality. By sending specially crafted NTP packets, a local attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by an error in broadcast mode poll interval enforcement functionality. By sending specially crafted NTP packets, a remote attacker from within the local network could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by an error in the control mode (mode 6) functionality. By sending specially crafted control mode packets, a remote attacker could exploit this vulnerability to obtain sensitive information and cause the application to crash. NTP is vulnerable to a denial of service, caused by a NULL pointer dereference when trap service has been enabled. 
By sending specially crafted packets, a remote attacker could exploit this vulnerability to cause the application to crash.\n\nThis plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory8.nasl (plugin id 102129).", "published": "2017-02-14T00:00:00", "title": "AIX 6.1 TL 9 : ntp (IV91803) (deprecated)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9311", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-9310"], "modified": "2017-08-03T00:00:00", "cpe": ["cpe:/o:ibm:aix:6.1"], "href": "https://www.tenable.com/plugins/index.php?view=single&id=97131", "id": "AIX_IV91803.NASL", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory ntp_advisory8.asc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2017/07/20. Deprecated by aix_ntp_v3_advisory8.nasl.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97131);\n script_version(\"$Revision: 3.7 $\");\n script_cvs_date(\"$Date: 2017/08/03 16:49:17 $\");\n\n script_cve_id(\"CVE-2016-7427\", \"CVE-2016-7428\", \"CVE-2016-9310\", \"CVE-2016-9311\");\n\n script_name(english:\"AIX 6.1 TL 9 : ntp (IV91803) (deprecated)\");\n script_summary(english:\"Check for APAR IV91803\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"This plugin has been deprecated.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"NTPv3 and NTPv4 are vulnerable to :\n\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427 NTP is\nvulnerable to a denial of service, caused by an error in broadcast\nmode replay prevention functionality. By sending specially crafted NTP\npackets, a local attacker could exploit this vulnerability to cause a\ndenial of service. NTP is vulnerable to a denial of service, caused by\nan error in broadcast mode poll interval enforcement functionality. 
By\nsending specially crafted NTP packets, a remote attacker from within\nthe local network could exploit this vulnerability to cause a denial\nof service. NTP is vulnerable to a denial of service, caused by an\nerror in the control mode (mode 6) functionality. By sending specially\ncrafted control mode packets, a remote attacker could exploit this\nvulnerability to obtain sensitive information and cause the\napplication to crash. NTP is vulnerable to a denial of service, caused\nby a NULL pointer dereference when trap service has been enabled. By\nsending specially crafted packets, a remote attacker could exploit\nthis vulnerability to cause the application to crash.\n\nThis plugin has been deprecated to better accommodate iFix\nsupersedence with replacement plugin aix_ntp_v3_advisory8.nasl (plugin\nid 102129).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"n/a\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:6.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/02/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been 
deprecated. Use aix_ntp_v3_advisory8.nasl (plugin ID 102129) instead.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"6.1\", ml:\"09\", sp:\"06\", patch:\"IV91803m6a\", package:\"bos.net.tcp.client\", minfilesetver:\"6.1.9.0\", maxfilesetver:\"6.1.9.200\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"09\", sp:\"07\", patch:\"IV91803m6a\", package:\"bos.net.tcp.client\", minfilesetver:\"6.1.9.0\", maxfilesetver:\"6.1.9.200\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"09\", sp:\"08\", patch:\"IV91803m6a\", package:\"bos.net.tcp.client\", minfilesetver:\"6.1.9.0\", maxfilesetver:\"6.1.9.200\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:aix_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2021-01-06T09:18:34", "description": "The version of NTP installed on the remote AIX host is affected by\nthe following vulnerabilities :\n\n - A denial of service vulnerability exists in the\n broadcast mode replay prevention functionality. An\n unauthenticated, adjacent attacker can exploit this, via\n specially crafted broadcast mode NTP packets\n periodically injected into the broadcast domain, to\n cause ntpd to reject broadcast mode packets from\n legitimate NTP broadcast servers. 
(CVE-2016-7427)\n\n - A denial of service vulnerability exists in the\n broadcast mode poll interval functionality. An\n unauthenticated, adjacent attacker can exploit this, via\n specially crafted broadcast mode NTP packets, to cause\n ntpd to reject packets from a legitimate NTP broadcast\n server. (CVE-2016-7428)\n\n - A flaw exists in the control mode (mode 6) functionality\n when handling specially crafted control mode packets. An\n unauthenticated, adjacent attacker can exploit this to\n set or disable ntpd traps, resulting in the disclosure\n of potentially sensitive information, disabling of\n legitimate monitoring, or DDoS amplification.\n (CVE-2016-9310)\n\n - A NULL pointer dereference flaw exists in the\n report_event() function within file ntpd/ntp_control.c\n when the trap service handles certain peer events. An\n unauthenticated, remote attacker can exploit this, via\n a specially crafted packet, to cause a denial of service\n condition. (CVE-2016-9311)", "edition": 35, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-04-04T00:00:00", "title": "AIX NTP v4 Advisory : ntp_advisory8.asc (IV92126) (IV92287)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9311", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-9310"], "modified": "2017-04-04T00:00:00", "cpe": ["cpe:/a:ntp:ntp", "cpe:/o:ibm:aix"], "id": "AIX_NTP_V4_ADVISORY8.NASL", "href": "https://www.tenable.com/plugins/nessus/99184", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99184);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\n \"CVE-2016-7427\",\n \"CVE-2016-7428\",\n \"CVE-2016-9310\",\n \"CVE-2016-9311\"\n );\n script_bugtraq_id(\n 94444,\n 94446,\n 94447,\n 94452\n );\n script_xref(name:\"CERT\", 
value:\"633847\");\n\n script_name(english:\"AIX NTP v4 Advisory : ntp_advisory8.asc (IV92126) (IV92287)\");\n script_summary(english:\"Checks the version of the ntp packages for appropriate iFixes.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote AIX host has a version of NTP installed that is affected\nby multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of NTP installed on the remote AIX host is affected by\nthe following vulnerabilities :\n\n - A denial of service vulnerability exists in the\n broadcast mode replay prevention functionality. An\n unauthenticated, adjacent attacker can exploit this, via\n specially crafted broadcast mode NTP packets\n periodically injected into the broadcast domain, to\n cause ntpd to reject broadcast mode packets from\n legitimate NTP broadcast servers. (CVE-2016-7427)\n\n - A denial of service vulnerability exists in the\n broadcast mode poll interval functionality. An\n unauthenticated, adjacent attacker can exploit this, via\n specially crafted broadcast mode NTP packets, to cause\n ntpd to reject packets from a legitimate NTP broadcast\n server. (CVE-2016-7428)\n\n - A flaw exists in the control mode (mode 6) functionality\n when handling specially crafted control mode packets. An\n unauthenticated, adjacent attacker can exploit this to\n set or disable ntpd traps, resulting in the disclosure\n of potentially sensitive information, disabling of\n legitimate monitoring, or DDoS amplification.\n (CVE-2016-9310)\n\n - A NULL pointer dereference flaw exists in the\n report_event() function within file ntpd/ntp_control.c\n when the trap service handles certain peer events. An\n unauthenticated, remote attacker can exploit this, via\n a specially crafted packet, to cause a denial of service\n condition. 
(CVE-2016-9311)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc\");\n script_set_attribute(attribute:\"solution\", value:\n\"A fix is available and can be downloaded from the IBM AIX website.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/09/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ntp:ntp\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"AIX Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\ninclude(\"aix.inc\");\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\noslevel = get_kb_item(\"Host/AIX/version\");\nif (isnull(oslevel)) audit(AUDIT_UNKNOWN_APP_VER, \"AIX\");\noslevel = oslevel - \"AIX-\";\n\nif ( ! 
get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This AIX package check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\naix_ntp_vulns = {\n \"6.1\": {\n \"minfilesetver\":\"6.1.6.0\",\n \"maxfilesetver\":\"6.1.6.7\",\n \"patch\":\"(IV92287m5a|IV96311m5a)\"\n },\n \"7.1\": {\n \"minfilesetver\":\"7.1.0.0\",\n \"maxfilesetver\":\"7.1.0.7\",\n \"patch\":\"(IV92287m5a|IV96312m5a)\"\n },\n \"7.2\": {\n \"minfilesetver\":\"7.1.0.0\",\n \"maxfilesetver\":\"7.1.0.7\",\n \"patch\":\"(IV92126m3a|IV96312m5a)\"\n }\n};\n\nversion_report = \"AIX \" + oslevel;\nif ( empty_or_null(aix_ntp_vulns[oslevel]) ) {\n os_options = join( sort( keys(aix_ntp_vulns) ), sep:' / ' );\n audit(AUDIT_OS_NOT, os_options, version_report);\n}\n\nforeach oslevel ( keys(aix_ntp_vulns) ) {\n package_info = aix_ntp_vulns[oslevel];\n minfilesetver = package_info[\"minfilesetver\"];\n maxfilesetver = package_info[\"maxfilesetver\"];\n patch = package_info[\"patch\"];\n if (aix_check_ifix(release:oslevel, patch:patch, package:\"ntp.rte\", minfilesetver:minfilesetver, maxfilesetver:maxfilesetver) < 0) flag++;\n}\n\nif (flag)\n{\n aix_report_extra = ereg_replace(string:aix_report_get(), pattern:\"[()]\", replace:\"\");\n aix_report_extra = ereg_replace(string:aix_report_extra, pattern:\"[|]\", replace:\" or \");\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : aix_report_extra\n );\n}\nelse\n{\n tested = aix_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp.rte\");\n}\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2017-10-29T13:36:56", "edition": 9, "description": "NTPv3 and NTPv4 are vulnerable to :\n\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427 NTP is vulnerable to a denial of service, caused by an error in broadcast mode replay prevention 
functionality. By sending specially crafted NTP packets, a local attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by an error in broadcast mode poll interval enforcement functionality. By sending specially crafted NTP packets, a remote attacker from within the local network could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by an error in the control mode (mode 6) functionality. By sending specially crafted control mode packets, a remote attacker could exploit this vulnerability to obtain sensitive information and cause the application to crash. NTP is vulnerable to a denial of service, caused by a NULL pointer dereference when trap service has been enabled. By sending specially crafted packets, a remote attacker could exploit this vulnerability to cause the application to crash.\n\nThis plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory8.nasl (plugin id 102129).", "published": "2017-02-21T00:00:00", "type": "nessus", "title": "AIX 7.1 TL 3 : ntp (IV92193) (deprecated)", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9311", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-9310"], "cpe": ["cpe:/o:ibm:aix:7.1"], "modified": "2017-08-03T00:00:00", "href": "https://www.tenable.com/plugins/index.php?view=single&id=97229", "id": "AIX_IV92193.NASL", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory ntp_advisory8.asc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2017/07/20. 
Deprecated by aix_ntp_v3_advisory8.nasl.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97229);\n script_version(\"$Revision: 3.5 $\");\n script_cvs_date(\"$Date: 2017/08/03 16:49:17 $\");\n\n script_cve_id(\"CVE-2016-7427\", \"CVE-2016-7428\", \"CVE-2016-9310\", \"CVE-2016-9311\");\n\n script_name(english:\"AIX 7.1 TL 3 : ntp (IV92193) (deprecated)\");\n script_summary(english:\"Check for APAR IV92193\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"This plugin has been deprecated.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"NTPv3 and NTPv4 are vulnerable to :\n\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427 NTP is\nvulnerable to a denial of service, caused by an error in broadcast\nmode replay prevention functionality. By sending specially crafted NTP\npackets, a local attacker could exploit this vulnerability to cause a\ndenial of service. NTP is vulnerable to a denial of service, caused by\nan error in broadcast mode poll interval enforcement functionality. By\nsending specially crafted NTP packets, a remote attacker from within\nthe local network could exploit this vulnerability to cause a denial\nof service. NTP is vulnerable to a denial of service, caused by an\nerror in the control mode (mode 6) functionality. By sending specially\ncrafted control mode packets, a remote attacker could exploit this\nvulnerability to obtain sensitive information and cause the\napplication to crash. NTP is vulnerable to a denial of service, caused\nby a NULL pointer dereference when trap service has been enabled. 
By\nsending specially crafted packets, a remote attacker could exploit\nthis vulnerability to cause the application to crash.\n\nThis plugin has been deprecated to better accommodate iFix\nsupersedence with replacement plugin aix_ntp_v3_advisory8.nasl (plugin\nid 102129).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"n/a\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:7.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/02/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated. Use aix_ntp_v3_advisory8.nasl (plugin ID 102129) instead.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! 
get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"7.1\", ml:\"03\", sp:\"05\", patch:\"IV92193m5a\", package:\"bos.net.tcp.client\", minfilesetver:\"7.1.3.0\", maxfilesetver:\"7.1.3.48\") < 0) flag++;\nif (aix_check_ifix(release:\"7.1\", ml:\"03\", sp:\"06\", patch:\"IV92193m5a\", package:\"bos.net.tcp.client\", minfilesetver:\"7.1.3.0\", maxfilesetver:\"7.1.3.48\") < 0) flag++;\nif (aix_check_ifix(release:\"7.1\", ml:\"03\", sp:\"07\", patch:\"IV92193m5a\", package:\"bos.net.tcp.client\", minfilesetver:\"7.1.3.0\", maxfilesetver:\"7.1.3.48\") < 0) flag++;\nif (aix_check_ifix(release:\"7.1\", ml:\"03\", sp:\"08\", patch:\"IV92193m5a\", package:\"bos.net.tcp.client\", minfilesetver:\"7.1.3.0\", maxfilesetver:\"7.1.3.48\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:aix_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2021-01-06T09:18:33", "description": "The version of NTP installed on the remote AIX host is affected by\nthe following vulnerabilities :\n\n - A denial of service vulnerability exists in the\n broadcast mode replay prevention functionality. An\n unauthenticated, adjacent attacker can exploit this, via\n specially crafted broadcast mode NTP packets\n periodically injected into the broadcast domain, to\n cause ntpd to reject broadcast mode packets from\n legitimate NTP broadcast servers. (CVE-2016-7427)\n\n - A denial of service vulnerability exists in the\n broadcast mode poll interval functionality. 
An\n unauthenticated, adjacent attacker can exploit this, via\n specially crafted broadcast mode NTP packets, to cause\n ntpd to reject packets from a legitimate NTP broadcast\n server. (CVE-2016-7428)\n\n - A flaw exists in the control mode (mode 6) functionality\n when handling specially crafted control mode packets. An\n unauthenticated, adjacent attacker can exploit this to\n set or disable ntpd traps, resulting in the disclosure\n of potentially sensitive information, disabling of\n legitimate monitoring, or DDoS amplification.\n (CVE-2016-9310)\n\n - A NULL pointer dereference flaw exists in the\n report_event() function within file ntpd/ntp_control.c\n when the trap service handles certain peer events. An\n unauthenticated, remote attacker can exploit this, via\n a specially crafted packet, to cause a denial of service\n condition. (CVE-2016-9311)", "edition": 30, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-08-03T00:00:00", "title": "AIX NTP v3 Advisory : ntp_advisory8.asc (IV92194) (IV91803) (IV92193) (IV91951) (IV92192) (IV92067)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9311", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-9310"], "modified": "2017-08-03T00:00:00", "cpe": ["cpe:/a:ntp:ntp", "cpe:/o:ibm:aix"], "id": "AIX_NTP_V3_ADVISORY8.NASL", "href": "https://www.tenable.com/plugins/nessus/102129", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102129);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\n \"CVE-2016-7427\",\n \"CVE-2016-7428\",\n \"CVE-2016-9310\",\n \"CVE-2016-9311\"\n );\n script_bugtraq_id(\n 94444,\n 94446,\n 94447,\n 94452\n );\n script_xref(name:\"CERT\", value:\"633847\");\n\n script_name(english:\"AIX NTP v3 Advisory : ntp_advisory8.asc 
(IV92194) (IV91803) (IV92193) (IV91951) (IV92192) (IV92067)\");\n script_summary(english:\"Checks the version of the ntp packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote AIX host has a version of NTP installed that is affected\nby multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of NTP installed on the remote AIX host is affected by\nthe following vulnerabilities :\n\n - A denial of service vulnerability exists in the\n broadcast mode replay prevention functionality. An\n unauthenticated, adjacent attacker can exploit this, via\n specially crafted broadcast mode NTP packets\n periodically injected into the broadcast domain, to\n cause ntpd to reject broadcast mode packets from\n legitimate NTP broadcast servers. (CVE-2016-7427)\n\n - A denial of service vulnerability exists in the\n broadcast mode poll interval functionality. An\n unauthenticated, adjacent attacker can exploit this, via\n specially crafted broadcast mode NTP packets, to cause\n ntpd to reject packets from a legitimate NTP broadcast\n server. (CVE-2016-7428)\n\n - A flaw exists in the control mode (mode 6) functionality\n when handling specially crafted control mode packets. An\n unauthenticated, adjacent attacker can exploit this to\n set or disable ntpd traps, resulting in the disclosure\n of potentially sensitive information, disabling of\n legitimate monitoring, or DDoS amplification.\n (CVE-2016-9310)\n\n - A NULL pointer dereference flaw exists in the\n report_event() function within file ntpd/ntp_control.c\n when the trap service handles certain peer events. An\n unauthenticated, remote attacker can exploit this, via\n a specially crafted packet, to cause a denial of service\n condition. 
(CVE-2016-9311)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc\");\n script_set_attribute(attribute:\"solution\", value:\n\"A fix is available and can be downloaded from the IBM AIX website.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/09/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ntp:ntp\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"AIX Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\ninclude(\"aix.inc\");\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! 
get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\noslevel = get_kb_item(\"Host/AIX/version\");\nif (isnull(oslevel)) audit(AUDIT_UNKNOWN_APP_VER, \"AIX\");\noslevel = oslevel - \"AIX-\";\n\noslevelcomplete = chomp(get_kb_item(\"Host/AIX/oslevelsp\"));\nif (isnull(oslevelcomplete)) audit(AUDIT_UNKNOWN_APP_VER, \"AIX\");\noslevelparts = split(oslevelcomplete, sep:'-', keep:0);\nif ( max_index(oslevelparts) != 4 ) audit(AUDIT_UNKNOWN_APP_VER, \"AIX\");\nml = oslevelparts[1];\nsp = oslevelparts[2];\n\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This AIX package check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\naix_ntp_vulns = {\n \"5.3\": {\n \"12\": {\n \"09\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"5.3.12.0\",\n \"maxfilesetver\":\"5.3.12.10\",\n \"patch\":\"(IV92194m9a|IV96305m9a)\"\n }\n }\n }\n },\n \"6.1\": {\n \"09\": {\n \"06\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"6.1.9.0\",\n \"maxfilesetver\":\"6.1.9.200\",\n \"patch\":\"(IV91803m6a)\"\n }\n },\n \"07\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"6.1.9.0\",\n \"maxfilesetver\":\"6.1.9.200\",\n \"patch\":\"(IV91803m6a|IV96306m9a)\"\n }\n },\n \"08\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"6.1.9.0\",\n \"maxfilesetver\":\"6.1.9.200\",\n \"patch\":\"(IV91803m6a|IV96306m9a)\"\n }\n }\n }\n },\n \"7.1\": {\n \"03\": {\n \"05\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"7.1.3.0\",\n \"maxfilesetver\":\"7.1.3.45\",\n \"patch\":\"(IV92193m5a)\"\n }\n },\n \"06\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"7.1.3.0\",\n \"maxfilesetver\":\"7.1.3.46\",\n \"patch\":\"(IV92193m5a)\"\n }\n },\n \"07\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"7.1.3.0\",\n \"maxfilesetver\":\"7.1.3.47\",\n \"patch\":\"(IV92193m5a|IV96307m9a)\"\n }\n },\n \"08\": {\n \"bos.net.tcp.client\": {\n 
\"minfilesetver\":\"7.1.3.0\",\n \"maxfilesetver\":\"7.1.3.48\",\n \"patch\":\"(IV92193m5a|IV96307m9a)\"\n }\n }\n },\n \"04\": {\n \"01\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"7.1.4.0\",\n \"maxfilesetver\":\"7.1.4.30\",\n \"patch\":\"(IV91951m3a)\"\n }\n },\n \"02\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"7.1.4.0\",\n \"maxfilesetver\":\"7.1.4.30\",\n \"patch\":\"(IV91951m3a|IV96308m4a)\"\n }\n },\n \"03\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"7.1.4.0\",\n \"maxfilesetver\":\"7.1.4.30\",\n \"patch\":\"(IV91951m3a|IV96308m4a)\"\n }\n }\n }\n },\n \"7.2\": {\n \"00\": {\n \"00\": {\n \"bos.net.tcp.ntp\": {\n \"minfilesetver\":\"7.2.0.0\",\n \"maxfilesetver\":\"7.2.0.2\",\n \"patch\":\"(IV92192m2a)\"\n },\n \"bos.net.tcp.ntpd\": {\n \"minfilesetver\":\"7.2.0.0\",\n \"maxfilesetver\":\"7.2.0.2\",\n \"patch\":\"(IV92192m2a)\"\n }\n },\n \"01\": {\n \"bos.net.tcp.ntp\": {\n \"minfilesetver\":\"7.2.0.0\",\n \"maxfilesetver\":\"7.2.0.2\",\n \"patch\":\"(IV92192m2a)\"\n },\n \"bos.net.tcp.ntpd\": {\n \"minfilesetver\":\"7.2.0.0\",\n \"maxfilesetver\":\"7.2.0.2\",\n \"patch\":\"(IV92192m2a)\"\n }\n },\n \"02\": {\n \"bos.net.tcp.ntp\": {\n \"minfilesetver\":\"7.2.0.0\",\n \"maxfilesetver\":\"7.2.0.2\",\n \"patch\":\"(IV92192m2a|IV96309m4a)\"\n },\n \"bos.net.tcp.ntpd\": {\n \"minfilesetver\":\"7.2.0.0\",\n \"maxfilesetver\":\"7.2.0.2\",\n \"patch\":\"(IV92192m2a|IV96309m4a)\"\n }\n }\n },\n \"01\": {\n \"00\": {\n \"bos.net.tcp.ntp\": {\n \"minfilesetver\":\"7.2.1.0\",\n \"maxfilesetver\":\"7.2.1.0\",\n \"patch\":\"(IV92067s1a|IV96310m2a)\"\n },\n \"bos.net.tcp.ntpd\": {\n \"minfilesetver\":\"7.2.1.0\",\n \"maxfilesetver\":\"7.2.1.0\",\n \"patch\":\"(IV92067s1a|IV96310m2a)\"\n }\n },\n \"01\": {\n \"bos.net.tcp.ntp\": {\n \"minfilesetver\":\"7.2.1.0\",\n \"maxfilesetver\":\"7.2.1.0\",\n \"patch\":\"(IV92067s1a|IV96310m2a)\"\n },\n \"bos.net.tcp.ntpd\": {\n \"minfilesetver\":\"7.2.1.0\",\n \"maxfilesetver\":\"7.2.1.0\",\n 
\"patch\":\"(IV92067s1a|IV96310m2a)\"\n }\n }\n }\n }\n};\n\nversion_report = \"AIX \" + oslevel;\nif ( empty_or_null(aix_ntp_vulns[oslevel]) ) {\n os_options = join( sort( keys(aix_ntp_vulns) ), sep:' / ' );\n audit(AUDIT_OS_NOT, os_options, version_report);\n}\n\nversion_report = version_report + \" ML \" + ml;\nif ( empty_or_null(aix_ntp_vulns[oslevel][ml]) ) {\n ml_options = join( sort( keys(aix_ntp_vulns[oslevel]) ), sep:' / ' );\n audit(AUDIT_OS_NOT, \"ML \" + ml_options, version_report);\n}\n\nversion_report = version_report + \" SP \" + sp;\nif ( empty_or_null(aix_ntp_vulns[oslevel][ml][sp]) ) {\n sp_options = join( sort( keys(aix_ntp_vulns[oslevel][ml]) ), sep:' / ' );\n audit(AUDIT_OS_NOT, \"SP \" + sp_options, version_report);\n}\n\nforeach package ( keys(aix_ntp_vulns[oslevel][ml][sp]) ) {\n package_info = aix_ntp_vulns[oslevel][ml][sp][package];\n minfilesetver = package_info[\"minfilesetver\"];\n maxfilesetver = package_info[\"maxfilesetver\"];\n patch = package_info[\"patch\"];\n if (aix_check_ifix(release:oslevel, ml:ml, sp:sp, patch:patch, package:package, minfilesetver:minfilesetver, maxfilesetver:maxfilesetver) < 0) flag++;\n}\n\nif (flag)\n{\n aix_report_extra = ereg_replace(string:aix_report_get(), pattern:\"[()]\", replace:\"\");\n aix_report_extra = ereg_replace(string:aix_report_extra, pattern:\"[|]\", replace:\" or \");\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : aix_report_extra\n );\n}\nelse\n{\n tested = aix_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bos.net.tcp.ntp / bos.net.tcp.ntpd / bos.net.tcp.client\");\n}\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}], "seebug": [{"lastseen": "2017-11-19T12:01:01", "description": "### Summary\r\nAn exploitable denial of service vulnerability exists in the broadcast mode replay prevention functionality of ntpd. 
To prevent replay of broadcast mode packets, ntpd rejects broadcast mode packets with non-monotonically increasing transmit timestamps. Remote unauthenticated attackers can send specially crafted broadcast mode NTP packets to cause ntpd to reject all broadcast mode packets from legitimate NTP broadcast servers.\r\n\r\n### Tested Versions\r\nNTP 4.2.8p6\r\n\r\n### Product URLs\r\nhttp://www.ntp.org/\r\n\r\n### CVSS Scores\r\nCVSSv2: 5.0 - (AV:N/AC:L/Au:N/C:N/I:N/A:P)\r\nCVSSv3: 5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\r\n\r\n### Details\r\nIn response to the NTP Deja Vu vulnerability (CVE-2015-7973), ntp-4.2.8p6 introduced several new integrity checks on incoming broadcast mode packets. Upon receipt of a broadcast mode packet, before authentication is enforced, ntpd will reject the packet if any of the following conditions hold:\r\n\r\n1. The packet poll value is out of bounds for the broadcast association, i.e.\r\n```\r\n pkt->ppoll < peer->minpoll || pkt->ppoll > peer->maxpoll\r\n```\r\n2. The packet was received before a full poll interval has elapsed since the last broadcast packet was received from the packet's sender. i.e. A server cannot ingress packets more frequently than `peer->minpoll`.\r\n\r\n3. The packet transmit timestamp is less than the last seen broadcast packet transmit timestamp from the packet's sender. i.e. 
Broadcast packet transmit timestamps must be monotonically increasing.\r\n\r\nThe following logic is used to ensure that packet transmit timestamps are monotonically increasing:\r\n```\r\n/* ntp-4.2.8p6 ntpd/ntp_proto.c */\r\n1305 if (MODE_BROADCAST == hismode) {\r\n...\r\n1351 tdiff = p_xmt;\r\n1352 L_SUB(&tdiff, &peer->bxmt);\r\n1353 if (tdiff.l_i < 0) {\r\n1354 msyslog(LOG_INFO, \"receive: broadcast packet from %s contains non-monotonic timestamp: %#010x.%08x -> %#010x.%08x\",\r\n1355 stoa(&rbufp->recv_srcadr),\r\n1356 peer->bxmt.l_ui, peer->bxmt.l_uf,\r\n1357 p_xmt.l_ui, p_xmt.l_uf\r\n1358 );\r\n1359 ++bail;\r\n1360 }\r\n1361\r\n1362 peer->bxmt = p_xmt;\r\n1363\r\n1364 if (bail) {\r\n1365 peer->timelastrec = current_time;\r\n1366 sys_declined++;\r\n1367 return;\r\n1368 }\r\n1369 }\r\n```\r\n\r\nIf the packet transmit timestamp is less than the transmit timestamp on the last received broadcast packet from this association (`p_xmt - peer->bxmt < 0`), the packet will be discarded.\r\n\r\nUnfortunately, line 1362 updates the saved transmit timestamp for the alleged sender of the packet (`peer->bxmt`) before the packet is discarded. The update takes place even if the packet is unauthenticated and fails the previous integrity checks.\r\n\r\nThis leads to a trivial denial of service attack. The attacker:\r\n\r\n1. Discovers the IP address of the victim's broadcast server. e.g. Send the victim a client mode NTP packet and discover the broadcast server from the refid field of the victim's reply.\r\n2. Every poll period, send the victim a spoofed broadcast mode packet from the broadcast server with a transmit timestamp in the future. This will move `peer->bxmt` forward so that any legitimate packet will be rejected by the non-monotonic timestamp check.\r\n\t* The attacker does not need to be on the same subnet as the victim. 
The attacker can address the spoofed broadcast NTP packet directly to the victim's IP address.\r\n\t* The attacker can choose any reasonably small estimate for the poll period. Because the `peer->bxmt` update happens even when a packet fails the poll period checks, there is no penalty for sending packets too frequently.\r\n\r\nTo prevent this vulnerability, `peer->bxmt` should only be updated when a packet authenticates correctly. This is the approach taken in the patch below.\r\n\r\n### Mitigation\r\nThere is no workaround for this issue. Because the vulnerable logic is executed before authentication is enforced, authentication and the `restrict notrust` ntpd.conf directive have no effect. An attacker can bypass `notrust` restrictions by sending incorrectly authenticated packets.\r\n\r\nIn order to succeed in an attack, the attacker must send at least one spoofed packet per poll period. Therefore observing more than one NTP broadcast packet from the same sender address per poll period indicates a possible attack.\r\n\r\nThe following patch can be used to fix this vulnerability:\r\n```\r\nFrom 097fd4dae9ac4927d7cfa8011fd42f704bd02c45 Mon Sep 17 00:00:00 2001\r\nFrom: Matthew Van Gundy <mvangund@cisco.com>\r\nDate: Tue, 26 Jan 2016 15:00:28 -0500\r\nSubject: [PATCH] Fix unauthenticated broadcast mode denial of service (peer->bxmt)\r\n\r\n---\r\n include/ntp_fp.h | 1 +\r\n ntpd/ntp_proto.c | 22 ++++++++++++++++------\r\n 2 files changed, 17 insertions(+), 6 deletions(-)\r\n\r\ndiff --git a/include/ntp_fp.h b/include/ntp_fp.h\r\nindex 7806932..ad7a01d 100644\r\n--- a/include/ntp_fp.h\r\n+++ b/include/ntp_fp.h\r\n@@ -242,6 +242,7 @@ typedef u_int32 u_fp;\r\n #define L_ISGTU(a, b) M_ISGTU((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf)\r\n #define L_ISHIS(a, b) M_ISHIS((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf)\r\n #define L_ISGEQ(a, b) M_ISGEQ((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf)\r\n+#define L_ISGEQU(a, b) L_ISHIS(a, b)\r\n #define L_ISEQU(a, b) M_ISEQU((a)->l_ui, 
(a)->l_uf, (b)->l_ui, (b)->l_uf)\r\n\r\n /*\r\ndiff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c\r\nindex ad45409..ac469ce 100644\r\n--- a/ntpd/ntp_proto.c\r\n+++ b/ntpd/ntp_proto.c\r\n@@ -1305,7 +1305,6 @@ receive(\r\n if (MODE_BROADCAST == hismode) {\r\n u_char poll;\r\n int bail = 0;\r\n- l_fp tdiff;\r\n\r\n DPRINTF(2, (\"receive: PROCPKT/BROADCAST: prev pkt %ld seconds ago, ppoll: %d, %d secs\\n\",\r\n (current_time - peer->timelastrec),\r\n@@ -1348,9 +1347,8 @@ receive(\r\n ++bail;\r\n }\r\n\r\n- tdiff = p_xmt;\r\n- L_SUB(&tdiff, &peer->bxmt);\r\n- if (tdiff.l_i < 0) {\r\n+ /* Use L_ISGEQU() to ensure unsigned comparison */\r\n+ if (!L_ISGEQU(&p_xmt, &peer->bxmt)) {\r\n msyslog(LOG_INFO, \"receive: broadcast packet from %s contains non-monotonic timestamp: %#010x.%08x -> %#010x.%08x\",\r\n stoa(&rbufp->recv_srcadr),\r\n peer->bxmt.l_ui, peer->bxmt.l_uf,\r\n@@ -1359,8 +1357,6 @@ receive(\r\n ++bail;\r\n }\r\n\r\n- peer->bxmt = p_xmt;\r\n-\r\n if (bail) {\r\n peer->timelastrec = current_time;\r\n sys_declined++;\r\n@@ -1563,6 +1559,14 @@ receive(\r\n peer->xmt = p_xmt;\r\n\r\n /*\r\n+ * Now that we know the packet is correctly authenticated,\r\n+ * update peer->bxmt if needed\r\n+ */\r\n+ if (MODE_BROADCAST == hismode) {\r\n+ peer->bxmt = p_xmt;\r\n+ }\r\n+\r\n+ /*\r\n * Set the peer ppoll to the maximum of the packet ppoll and the\r\n * peer minpoll. 
If a kiss-o'-death, set the peer minpoll to\r\n * this maximum and advance the headway to give the sender some\r\n@@ -2400,6 +2404,7 @@ peer_clear(\r\n )\r\n {\r\n u_char u;\r\n+ l_fp bxmt = peer->bxmt;\r\n\r\n #ifdef AUTOKEY\r\n /*\r\n@@ -2436,6 +2441,11 @@ peer_clear(\r\n peer->flash = peer_unfit(peer);\r\n peer->jitter = LOGTOD(sys_precision);\r\n\r\n+ /* Don't throw away our broadcast replay protection */\r\n+ if (peer->hmode == MODE_BCLIENT) {\r\n+ peer->bxmt = bxmt;\r\n+ }\r\n+\r\n /*\r\n * If interleave mode, initialize the alternate origin switch.\r\n */\r\n```\r\n\r\n### Timeline\r\n* 2016-09-12 - Vendor Disclosure\r\n* 2016-11-21 - Public Release", "published": "2017-10-11T00:00:00", "type": "seebug", "title": "Network Time Protocol Broadcast Mode Replay Prevention Denial of Service Vulnerability(CVE-2016-7427)", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7973", "CVE-2016-7427"], "modified": "2017-10-11T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96650", "id": "SSV:96650", "sourceData": "", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}, {"lastseen": "2017-11-19T12:15:04", "description": "### Summary\r\nAn exploitable denial of service vulnerability exists in the broadcast mode poll interval enforcement functionality of ntpd. To limit abuse, ntpd restricts the rate at which each broadcast association will process incoming packets. ntpd will reject broadcast mode packets that arrive before the poll interval specified in the preceding broadcast packet expires. 
A vulnerability exists which allows remote unauthenticated attackers to send specially crafted broadcast mode NTP packets which will cause ntpd to reject all broadcast mode packets from legitimate NTP broadcast servers.\r\n\r\n### Tested Versions\r\nNTP 4.2.8p6\r\n\r\n### Product URLs\r\nhttp://www.ntp.org/\r\n\r\n### CVSS Scores\r\n* CVSSv2: 5.0 - (AV:N/AC:L/Au:N/C:N/I:N/A:P)\r\n* CVSSv3: 5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\r\n\r\n### Details\r\nIn response to the NTP Deja Vu vulnerability (CVE-2015-7973), ntp-4.2.8p6 introduced several new integrity checks on incoming broadcast mode packets. Upon receipt of a broadcast mode packet, before authentication is enforced, ntpd will reject the packet if any of the following conditions hold:\r\n\r\n1. The packet poll value is out of bounds for the broadcast association, i.e.\r\n```\r\n pkt->ppoll < peer->minpoll || pkt->ppoll > peer->maxpoll\r\n```\r\n \r\n2. The packet was received before a full poll interval has elapsed since the last broadcast packet was received from the packet's sender. i.e. A server cannot ingress packets more frequently than `peer->minpoll`.\r\n3. The packet transmit timestamp is less than the last seen broadcast packet transmit timestamp from the packet's sender. i.e. 
Broadcast packet transmit timestamps must be monotonically increasing.\r\n\r\nThe following logic is used to ensure constraint 2, which ensures that broadcast associations will process only one incoming packet per poll interval:\r\n```\r\n/* ntp-4.2.8p6 ntpd/ntp_proto.c */\r\n1305 if (MODE_BROADCAST == hismode) {\r\n...\r\n1341 if ( (current_time - peer->timelastrec)\r\n1342 < (1 << pkt->ppoll)) {\r\n1343 msyslog(LOG_INFO, \"receive: broadcast packet from %s arrived after %ld, not %d seconds!\",\r\n1344 stoa(&rbufp->recv_srcadr),\r\n1345 (current_time - peer->timelastrec),\r\n1346 (1 << pkt->ppoll)\r\n1347 );\r\n1348 ++bail;\r\n1349 }\r\n...\r\n1361\r\n1362 peer->bxmt = p_xmt;\r\n1363\r\n1364 if (bail) {\r\n1365 peer->timelastrec = current_time;\r\n1366 sys_declined++;\r\n1367 return;\r\n1368 }\r\n1369 }\r\n```\r\n\r\nIf the time elapsed since the last broadcast packet was received from this peer is less than the poll interval declared by the sender (`(current_time - peer->timelastrec) < (1 << pkt->ppoll)`), the packet will be discarded. (A previous check ensures that `pkt->ppoll` is within acceptable bounds.)\r\n\r\nUnfortunately, line 1341 compares the current time against the last time any broadcast mode packet was received with a source IP address of the peer (`peer->timelastrec`). In contrast to `peer->timereceived`, which is updated only when a clean (correctly authenticated and passing integrity checks) packet is received, `peer->timelastrec` is updated by all incoming broadcast packets including spoofed and replayed packets.\r\n\r\nThis leads to a trivial denial of service attack. The attacker:\r\n1. Discovers the IP address of the victim's broadcast server. e.g. Send the victim a client mode NTP packet and discover the broadcast server from the refid field of the victim's reply.\r\n2. At least once per poll period, send the victim a spoofed broadcast mode packet from the broadcast server. 
This will set `peer->timelastrec = current_time` such that, when a legitimate packet is received, it will appear to have been received too early (`(current_time - peer->timelastrec) < (1 << pkt->ppoll)`) and will be discarded.\r\n\t* The attacker does not need to be on the same subnet as the victim. The attacker can address the spoofed broadcast NTP packet directly to the victim's IP address.\r\n\t* The attacker can choose any reasonably small estimate for the poll period. Because the `peer->timelastrec` update happens even when a packet fails the poll period check, there is no penalty for sending packets too frequently.\r\n\r\n\r\nTo prevent this vulnerability, ntpd should only discard broadcast packets when less than one poll interval has elapsed since the last legitimate packet was received (`peer->timereceived`).\r\n\r\n### Mitigation\r\nThere is no workaround for this issue. Because the vulnerable logic is executed before authentication is enforced, authentication and the `restrict notrust` ntpd.conf directive have no effect. An attacker can bypass `notrust` restrictions by sending incorrectly authenticated packets.\r\n\r\nIn order to succeed in an attack, the attacker must send at least one spoofed packet per poll period. Therefore observing more than one NTP broadcast packet from the same sender address per poll period indicates a possible attack.\r\n\r\nThe following patch can be used to fix this vulnerability:\r\n```\r\nFrom 8522882496d3df2bd764de6d8f7afac4a8d84006 Mon Sep 17 00:00:00 2001\r\nFrom: Matthew Van Gundy <mvangund@cisco.com>\r\nDate: Fri, 5 Feb 2016 17:38:32 -0500\r\nSubject: [PATCH] Fix unauthenticated broadcast mode denial of service (peer->timelastrec)\r\n\r\nDrop packets if they arrive less than one poll interval since the last\r\n**clean** packet received on an association. 
If we compare against the\r\nlast time that *any* packet was received, even one that will be dropped\r\nfor failing integrity checks, an attacker can DoS the association by\r\nsending incorrectly authenticated packets or replaying old packets to\r\nkeep bumping the peer->timelastrec timer forward.\r\n---\r\n include/ntp.h | 4 +++-\r\n ntpd/ntp_proto.c | 13 +++++++++++--\r\n 2 files changed, 14 insertions(+), 3 deletions(-)\r\n\r\ndiff --git a/include/ntp.h b/include/ntp.h\r\nindex 6a4e9aa..cbf6cec 100644\r\n--- a/include/ntp.h\r\n+++ b/include/ntp.h\r\n@@ -383,7 +383,9 @@ struct peer {\r\n * Statistic counters\r\n */\r\n u_long timereset; /* time stat counters were reset */\r\n- u_long timelastrec; /* last packet received time */\r\n+ u_long timelastrec; /* last packet received time (may\r\n+ * include spoofed, replayed, or other\r\n+ * invalid packets) */\r\n u_long timereceived; /* last (clean) packet received time */\r\n u_long timereachable; /* last reachable/unreachable time */\r\n\r\ndiff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c\r\nindex ad45409..1ea5cee 100644\r\n--- a/ntpd/ntp_proto.c\r\n+++ b/ntpd/ntp_proto.c\r\n@@ -1338,11 +1338,20 @@ receive(\r\n ++bail;\r\n }\r\n\r\n- if ( (current_time - peer->timelastrec)\r\n+ /*\r\n+ * Ensure that at least one poll interval has\r\n+ * elapsed since the last **clean** packet was\r\n+ * received. 
We limit the check to **clean**\r\n+ * packets to prevent replayed packets and\r\n+ * incorrectly authenticated packets, which\r\n+ * we'll discard, from being used to create a\r\n+ * denial of service condition.\r\n+ */\r\n+ if ( (current_time - peer->timereceived)\r\n < (1 << pkt->ppoll)) {\r\n msyslog(LOG_INFO, \"receive: broadcast packet from %s arrived after %ld, not %d seconds!\",\r\n stoa(&rbufp->recv_srcadr),\r\n- (current_time - peer->timelastrec),\r\n+ (current_time - peer->timereceived),\r\n (1 << pkt->ppoll)\r\n );\r\n ++bail;\r\n--\r\n2.5.2\r\n```\r\n\r\n### Timeline\r\n* 2016-09-12 - Vendor Disclosure\r\n* 2016-11-21 - Public Release", "published": "2017-10-11T00:00:00", "type": "seebug", "title": "Network Time Protocol Broadcast Mode Poll Interval Enforcement Denial of Service Vulnerability(CVE-2016-7428)", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7973", "CVE-2016-7428"], "modified": "2017-10-11T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96648", "id": "SSV:96648", "sourceData": "", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}], "aix": [{"lastseen": "2020-04-22T00:52:14", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9311", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-9310"], "description": "IBM SECURITY ADVISORY\n\nFirst Issued: Mon Feb 13 15:32:47 CST 2017\n|Updated: Mon Oct 2 10:47:12 CDT 2017 \n|Update 2: Removed bos.net.tcp.ntp from the impacted fileset list for\n| AIX 7200-01-02. 
Fileset bos.net.tcp.ntpd is still listed as impacted\n| for AIX 7200-01-02.\n\n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc\nhttps://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc\nftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc\n\n\nSecurity Bulletin: Vulnerabilities in NTP affect AIX\n CVE-2016-7427 CVE-2016-7428 CVE-2016-9310 CVE-2016-9311 \n\n===============================================================================\n\nSUMMARY:\n\n There are multiple vulnerabilities in NTPv3 and NTPv4 that impact AIX. \n\n\n===============================================================================\n\nVULNERABILITY DETAILS:\n\n NTPv3 and NTPv4 are vulnerable to:\n\n CVEID: CVE-2016-7427\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427 \n DESCRIPTION: NTP is vulnerable to a denial of service, caused by an error\n in broadcast mode replay prevention functionality. By sending specially \n crafted NTP packets, a local attacker could exploit this vulnerability to \n cause a denial of service.\n CVSS Base Score: 4\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/119088 for more\n information.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n \n CVEID: CVE-2016-7428 \n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7428\n DESCRIPTION: NTP is vulnerable to a denial of service, caused by an error \n in broadcast mode poll interval enforcement functionality. 
By sending \n specially crafted NTP packets, a remote attacker from within the local \n network could exploit this vulnerability to cause a denial of service.\n CVSS Base Score: 4.3 \n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/119089 for more\n information.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n CVEID: CVE-2016-9310\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9310\n DESCRIPTION: NTP is vulnerable to a denial of service, caused by an error \n in the control mode (mode 6) functionality. By sending specially crafted \n control mode packets, a remote attacker could exploit this vulnerability \n to obtain sensitive information and cause the application to crash.\n CVSS Base Score: 6.5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/119087 for more\n information.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)\n\n CVEID: CVE-2016-9311\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9311\n DESCRIPTION: NTP is vulnerable to a denial of service, caused by a NULL \n pointer dereference when trap service has been enabled. By sending specially \n crafted packets, a remote attacker could exploit this vulnerability to cause\n the application to crash. 
\n CVSS Base Score: 4.4\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/119086 for more\n information.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)\n\n \n AFFECTED PRODUCTS AND VERSIONS:\n \n AIX 5.3, 6.1, 7.1, 7.2\n VIOS 2.2\n\n The following fileset levels are vulnerable:\n \n key_fileset = aix\n \n For NTPv3:\n\n Fileset Lower Level Upper Level KEY PRODUCT(S)\n ------------------------------------------------------------------\n bos.net.tcp.client 5.3.12.0 5.3.12.10 key_w_fs NTPv3\n bos.net.tcp.client 6.1.9.0 6.1.9.200 key_w_fs NTPv3\n bos.net.tcp.client 7.1.3.0 7.1.3.48 key_w_fs NTPv3\n bos.net.tcp.client 7.1.4.0 7.1.4.30 key_w_fs NTPv3\n bos.net.tcp.ntp 7.2.0.0 7.2.0.2 key_w_fs NTPv3\n bos.net.tcp.ntpd 7.2.0.0 7.2.0.2 key_w_fs NTPv3\n bos.net.tcp.ntpd 7.2.1.0 7.2.1.0 key_w_fs NTPv3\n\n \n For NTPv4:\n\n Fileset Lower Level Upper Level KEY PRODUCT(S) \n -----------------------------------------------------------------\n ntp.rte 6.1.6.0 6.1.6.7 key_w_fs NTPv4\n ntp.rte 7.1.0.0 7.1.0.7 key_w_fs NTPv4 \n \n Note: To find out whether the affected filesets are installed \n on your systems, refer to the lslpp command found in AIX user's\n guide.\n\n Example: lslpp -L | grep -i ntp.rte \n\n\n REMEDIATION:\n\n A. 
APARS\n \n IBM has assigned the following APARs to this problem:\n\n For NTPv3:\n\n AIX Level APAR Availability SP KEY PRODUCT(S)\n ------------------------------------------------------------\n 5.3.12 IV92194 NA key_w_apar NTPv3\n 6.1.9 IV91803 ** SP9 key_w_apar NTPv3\n 7.1.3 IV92193 ** SP9 key_w_apar NTPv3\n 7.1.4 IV91951 ** SP4 key_w_apar NTPv3\n 7.2.0 IV92192 ** SP4 key_w_apar NTPv3\n 7.2.1 IV92067 ** SP2 key_w_apar NTPv3\n\n For NTPv4:\n\n AIX Level APAR Availability SP KEY PRODUCT(S)\n ------------------------------------------------------------\n 6.1.9 IV92287 ** SP9 key_w_apar NTPv4\n 7.1.3 IV92126 ** SP9 key_w_apar NTPv4\n 7.1.4 IV92126 ** SP4 key_w_apar NTPv4\n 7.2.0 IV92126 ** SP4 key_w_apar NTPv4\n 7.2.1 IV92126 ** SP2 key_w_apar NTPv4\n\n ** Please refer to AIX support lifecycle information page for availability\n of Service Packs:\n http://www-01.ibm.com/support/docview.wss?uid=isg3T1012517\n\n Subscribe to the APARs here:\n\n http://www.ibm.com/support/docview.wss?uid=isg1IV91803\n http://www.ibm.com/support/docview.wss?uid=isg1IV91951\n http://www.ibm.com/support/docview.wss?uid=isg1IV92192\n http://www.ibm.com/support/docview.wss?uid=isg1IV92287\n http://www.ibm.com/support/docview.wss?uid=isg1IV92126\n http://www.ibm.com/support/docview.wss?uid=isg1IV92194\n http://www.ibm.com/support/docview.wss?uid=isg1IV92193\n http://www.ibm.com/support/docview.wss?uid=isg1IV92067\n \n https://www.ibm.com/support/docview.wss?uid=isg1IV91803\n https://www.ibm.com/support/docview.wss?uid=isg1IV91951\n https://www.ibm.com/support/docview.wss?uid=isg1IV92192\n https://www.ibm.com/support/docview.wss?uid=isg1IV92287\n https://www.ibm.com/support/docview.wss?uid=isg1IV92126\n https://www.ibm.com/support/docview.wss?uid=isg1IV92194\n https://www.ibm.com/support/docview.wss?uid=isg1IV92193\n https://www.ibm.com/support/docview.wss?uid=isg1IV92067\n \n By subscribing, you will receive periodic email alerting you\n to the status of the APAR, and a link to download the 
fix once\n it becomes available.\n\n B. FIXES\n\n Fixes are available.\n\n The fixes can be downloaded via ftp or http from:\n\n ftp://aix.software.ibm.com/aix/efixes/security/ntp_fix8.tar\n http://aix.software.ibm.com/aix/efixes/security/ntp_fix8.tar\n https://aix.software.ibm.com/aix/efixes/security/ntp_fix8.tar \n\n The links above are to a tar file containing this signed\n advisory, interim fixes, and OpenSSL signatures for each interim fix.\n The fixes below include prerequisite checking. This will\n enforce the correct mapping between the fixes and AIX\n Technology Levels.\n\n For NTPv3:\n\n AIX Level Interim Fix (*.Z) KEY PRODUCT(S)\n ----------------------------------------------------------\n 5.3.12.9 IV92194m9a.170113.epkg.Z key_w_fix NTPv3\n 6.1.9.6 IV91803m6a.170112.epkg.Z key_w_fix NTPv3\n 6.1.9.7 IV91803m6a.170112.epkg.Z key_w_fix NTPv3\n 6.1.9.8 IV91803m6a.170112.epkg.Z key_w_fix NTPv3\n 7.1.3.5 IV92193m5a.170112.epkg.Z key_w_fix NTPv3\n 7.1.3.6 IV92193m5a.170112.epkg.Z key_w_fix NTPv3\n 7.1.3.7 IV92193m5a.170112.epkg.Z key_w_fix NTPv3\n 7.1.3.8 IV92193m5a.170112.epkg.Z key_w_fix NTPv3\n 7.1.4.1 IV91951m3a.170113.epkg.Z key_w_fix NTPv3\n 7.1.4.2 IV91951m3a.170113.epkg.Z key_w_fix NTPv3\n 7.1.4.3 IV91951m3a.170113.epkg.Z key_w_fix NTPv3\n 7.2.0.0 IV92192m2a.170112.epkg.Z key_w_fix NTPv3\n 7.2.0.1 IV92192m2a.170112.epkg.Z key_w_fix NTPv3\n 7.2.0.2 IV92192m2a.170112.epkg.Z key_w_fix NTPv3\n 7.2.1.0 IV92067s1a.170112.epkg.Z key_w_fix NTPv3\n 7.2.1.1 IV92067s1a.170112.epkg.Z key_w_fix NTPv3\n\n\n VIOS Level Interim Fix (*.Z) KEY PRODUCT(S)\n -----------------------------------------------------------\n 2.2.4.2x IV91803m6a.170112.epkg.Z key_w_fix NTPv3\n\n \n For NTPv4:\n\n AIX Level Interim Fix (*.Z) KEY PRODUCT(S)\n ----------------------------------------------------------\n 6.1.x IV92287m5a.170113.epkg.Z key_w_fix NTPv4\n 7.1.x IV92126m3a.170106.epkg.Z key_w_fix NTPv4\n 7.2.x IV92126m3a.170106.epkg.Z key_w_fix NTPv4\n \n \n All fixes included are 
cumulative and address previously\n issued AIX NTP security bulletins with respect to SP and TL. \n\n To extract the fixes from the tar file:\n\n tar xvf ntp_fix8.tar\n cd ntp_fix8\n\n Verify you have retrieved the fixes intact:\n\n The checksums below were generated using the\n \"openssl dgst -sha256 <filename>\" command as the following:\n\n openssl dgst -sha256 filename KEY\n -----------------------------------------------------------------------------------------------------\n 70044311eab50e798b1a0756b8f7fef368b65ae79c03496c1fbcf5ba8da7b176 IV91803m6a.170112.epkg.Z key_w_csum\n 8ef346dbd1d7f3d8e9c03b21fa6e2cd1dca88de9d0951675a4787f34bf892f30 IV91951m3a.170113.epkg.Z key_w_csum\n f6105a97e957651e8a464cfd6edd0ad50a74ba9dffb974925612f68d21fa7857 IV92192m2a.170112.epkg.Z key_w_csum\n f1ab705600cc8b08dd11a6e12d1b32a2ec89b988557502ffffd6c06dd53936b9 IV92287m5a.170113.epkg.Z key_w_csum\n 57c9db9c53098f21e837a407e2b2dead1c1c754d44812eb0392d050e697ae2bd IV92126m3a.170106.epkg.Z key_w_csum\n f8d9c43a2ae724a7a1e69caab5973aed0bb4b6ddc72bc57d038fad6faa680fa1 IV92194m9a.170113.epkg.Z key_w_csum\n 558db7a325e5d6733bac66f9b01a9dee4a93826163a50992ee99c1cb9f7dfe70 IV92193m5a.170112.epkg.Z key_w_csum\n eee9aec25443fa496168f7c4cfb289dbfaeed96c8be0fc3cb57b888733e4f9d4 IV92067s1a.170112.epkg.Z key_w_csum\n\n \n These sums should match exactly. The OpenSSL signatures in the tar\n file and on this advisory can also be used to verify the\n integrity of the fixes. 
If the sums or signatures cannot be\n confirmed, contact IBM AIX Security at\n security-alert@austin.ibm.com and describe the discrepancy.\n \n openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>\n\n openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>\n\n Published advisory OpenSSL signature file location:\n \n http://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc.sig\n https://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc.sig\n ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc.sig \n\n C. FIX AND INTERIM FIX INSTALLATION\n\n IMPORTANT: If possible, it is recommended that a mksysb backup\n of the system be created. Verify it is both bootable and\n readable before proceeding.\n\n The fix will not take effect until any running xntpd servers\n have been stopped and restarted with the following commands:\n\n stopsrc -s xntpd\n startsrc -s xntpd\n\n To preview a fix installation:\n\n installp -a -d fix_name -p all # where fix_name is the name of the\n # fix package being previewed.\n To install a fix package:\n\n installp -a -d fix_name -X all # where fix_name is the name of the\n # fix package being installed.\n\n After installation the ntp daemon must be restarted:\n\n stopsrc -s xntpd\n startsrc -s xntpd\n\n Interim fixes have had limited functional and regression\n testing but not the full regression testing that takes place\n for Service Packs; however, IBM does fully support them.\n\n Interim fix management documentation can be found at:\n\n http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html\n\n To preview an interim fix installation:\n\n emgr -e ipkg_name -p # where ipkg_name is the name of the\n # interim fix package being previewed.\n\n To install an interim fix package:\n\n emgr -e ipkg_name -X # where ipkg_name is the name of the\n # interim fix package being installed.\n\n WORKAROUNDS AND MITIGATIONS:\n\n 
None.\n\n\n===============================================================================\n\nCONTACT US:\n\n Note: Keywords labeled as KEY in this document are used for parsing\n purposes.\n\n If you would like to receive AIX Security Advisories via email,\n please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n https://www.ibm.com/support/mynotifications\n\n To view previously issued advisories, please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n https://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n \n Comments regarding the content of this announcement can be\n directed to:\n\n security-alert@austin.ibm.com\n\n To obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n https://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n\n To obtain the PGP public key that can be used to communicate\n securely with the AIX Security Team via security-alert@austin.ibm.com you\n can either:\n\n A. Download the key from our web page:\n\nhttp://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt\nhttps://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt\n\n\n B. Download the key from a PGP Public Key Server. 
The key ID is:\n\n 0x28BFAA12\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n\nREFERENCES:\n \n Complete CVSS v3 Guide: http://www.first.org/cvss/user-guide\n https://www.first.org/cvss/user-guide\n On-line Calculator v3:\n http://www.first.org/cvss/calculator/3.0\n https://www.first.org/cvss/calculator/3.0\n\n\n\nACKNOWLEDGEMENTS:\n\n None \n\n\nCHANGE HISTORY:\n\n First Issued: Mon Feb 13 15:32:47 CST 2017\n Updated:Fri Feb 17 18:40:29 CST 2017\n Update: New iFixes provided for NTPv3 in AIX 5.3.12.9,6.1.9.6,\n 6.1.9.8,7.1.3.5,7.1.3.6,7.1.3.7,7.1.3.8,7.1.4.3,7.2.0.0,7.2.0.2\n 7.2.1.0,7.2.1.1 and VIOS 2.2.4.x.\n| Updated: Mon Oct 2 10:47:12 CDT 2017\n| Update 2: Removed bos.net.tcp.ntp from the impacted fileset list for\n| AIX 7200-01-02. Fileset bos.net.tcp.ntpd is still listed as impacted\n| for AIX 7200-01-02.\n\n===============================================================================\n\n*The CVSS Environment Score is customer environment specific and will \nultimately impact the Overall CVSS Score. Customers can evaluate the impact \nof this vulnerability in their environments by accessing the links in the \nReference section of this Security Bulletin. \n\nDisclaimer\nAccording to the Forum of Incident Response and Security Teams (FIRST), the \nCommon Vulnerability Scoring System (CVSS) is an \"industry open standard \ndesigned to convey vulnerability severity and help to determine urgency and \npriority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY \nOF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS \nFOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT \nOF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n \n\n\n\n\n\n\n", "edition": 25, "modified": "2017-10-02T10:47:12", "published": "2017-02-13T15:32:47", "id": "NTP_ADVISORY8.ASC", "href": "https://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc", "title": "There are multiple vulnerabilities in NTPv3 and NTPv4 that impact AIX.", "type": "aix", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}], "f5": [{"lastseen": "2017-06-08T00:16:02", "bulletinFamily": "software", "cvelist": ["CVE-2016-9312", "CVE-2015-8138", "CVE-2016-7433", "CVE-2016-7427", "CVE-2016-7429", "CVE-2016-7428", "CVE-2016-7431"], "edition": 1, "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 
12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebSafe| None| 12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.1.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.0.2| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "modified": "2017-03-14T19:23:00", "published": "2016-12-17T02:37:00", "href": "https://support.f5.com/csp/article/K80996302", "id": "F5:K80996302", "type": "f5", "title": "Multiple NTP vulnerabilities", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:24", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7434", "CVE-2016-9311", "CVE-2016-7433", "CVE-2016-7427", "CVE-2016-7428", 
"CVE-2016-9310", "CVE-2016-7426", "CVE-2016-7431"], "description": "\nProblem Description:\nMultiple vulnerabilities have been discovered in the NTP\n\tsuite:\nCVE-2016-9311: Trap crash, Reported by Matthew Van Gundy\n\tof Cisco ASIG.\nCVE-2016-9310: Mode 6 unauthenticated trap information\n\tdisclosure and DDoS vector. Reported by Matthew Van Gundy\n\tof Cisco ASIG.\nCVE-2016-7427: Broadcast Mode Replay Prevention DoS.\n\tReported by Matthew Van Gundy of Cisco ASIG.\nCVE-2016-7428: Broadcast Mode Poll Interval Enforcement\n\tDoS. Reported by Matthew Van Gundy of Cisco ASIG.\nCVE-2016-7431: Regression: 010-origin: Zero Origin\n\tTimestamp Bypass. Reported by Sharon Goldberg and Aanchal\n\tMalhotra of Boston University.\nCVE-2016-7434: Null pointer dereference in\n\t_IO_str_init_static_internal(). Reported by Magnus Stubman.\nCVE-2016-7426: Client rate limiting and server responses.\n\tReported by Miroslav Lichvar of Red Hat.\nCVE-2016-7433: Reboot sync calculation problem. Reported\n\tindependently by Brian Utterback of Oracle, and by Sharon\n\tGoldberg and Aanchal Malhotra of Boston University.\nImpact:\nA remote attacker who can send a specially crafted packet\n\tto cause a NULL pointer dereference that will crash ntpd,\n\tresulting in a Denial of Service. 
[CVE-2016-9311]\nAn exploitable configuration modification vulnerability\n\texists in the control mode (mode 6) functionality of ntpd.\n\tIf, against long-standing BCP recommendations, \"restrict\n\tdefault noquery ...\" is not specified, a specially crafted\n\tcontrol mode packet can set ntpd traps, providing information\n\tdisclosure and DDoS amplification, and unset ntpd traps,\n\tdisabling legitimate monitoring by an attacker from remote.\n\t[CVE-2016-9310]\nAn attacker with access to the NTP broadcast domain can\n\tperiodically inject specially crafted broadcast mode NTP\n\tpackets into the broadcast domain which, while being logged\n\tby ntpd, can cause ntpd to reject broadcast mode packets\n\tfrom legitimate NTP broadcast servers. [CVE-2016-7427]\nAn attacker with access to the NTP broadcast domain can\n\tsend specially crafted broadcast mode NTP packets to the\n\tbroadcast domain which, while being logged by ntpd, will\n\tcause ntpd to reject broadcast mode packets from legitimate\n\tNTP broadcast servers. [CVE-2016-7428]\nOrigin timestamp problems were fixed in ntp 4.2.8p6.\n\tHowever, subsequent timestamp validation checks introduced\n\ta regression in the handling of some Zero origin timestamp\n\tchecks. [CVE-2016-7431]\nIf ntpd is configured to allow mrulist query requests\n\tfrom a server that sends a crafted malicious packet, ntpd\n\twill crash on receipt of that crafted malicious mrulist\n\tquery packet. [CVE-2016-7434]\nAn attacker who knows the sources (e.g., from an IPv4\n\trefid in server response) and knows the system is (mis)configured\n\tin this way can periodically send packets with spoofed\n\tsource address to keep the rate limiting activated and\n\tprevent ntpd from accepting valid responses from its sources.\n\t[CVE-2016-7426]\nNtp Bug 2085 described a condition where the root delay\n\twas included twice, causing the jitter value to be higher\n\tthan expected. 
Due to a misinterpretation of a small-print\n\tvariable in The Book, the fix for this problem was incorrect,\n\tresulting in a root distance that did not include the peer\n\tdispersion. The calculations and formulas have been reviewed\n\tand reconciled, and the code has been updated accordingly.\n\t[CVE-2016-7433]\n", "edition": 5, "modified": "2016-12-22T00:00:00", "published": "2016-12-22T00:00:00", "id": "FCEDCDBB-C86E-11E6-B1CF-14DAE9D210B8", "href": "https://vuxml.freebsd.org/freebsd/fcedcdbb-c86e-11e6-b1cf-14dae9d210b8.html", "title": "FreeBSD -- Multiple vulnerabilities of ntp", "type": "freebsd", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:32:28", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9312", "CVE-2016-7434", "CVE-2016-9311", "CVE-2016-7433", "CVE-2016-7427", "CVE-2016-7429", "CVE-2016-7428", "CVE-2016-9310", "CVE-2016-7426", "CVE-2016-7431"], "description": "\nNetwork Time Foundation reports:\n\nNTF's NTP Project is releasing ntp-4.2.8p9, which addresses:\n\n1 HIGH severity vulnerability that only affects Windows\n2 MEDIUM severity vulnerabilities\n2 MEDIUM/LOW severity vulnerabilities\n5 LOW severity vulnerabilities\n28 other non-security fixes and improvements\n\nAll of the security issues in this release are listed in\n\t VU#633847.\n\n", "edition": 5, "modified": "2016-11-21T00:00:00", "published": "2016-11-21T00:00:00", "id": "8DB8D62A-B08B-11E6-8EBA-D050996490D0", "href": "https://vuxml.freebsd.org/freebsd/8db8d62a-b08b-11e6-8eba-d050996490d0.html", "title": "ntp -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}], "talos": [{"lastseen": "2020-07-01T21:25:07", "bulletinFamily": "info", "cvelist": ["CVE-2015-7973", "CVE-2016-7428"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0130\n\n## Network Time Protocol Broadcast Mode Poll Interval Enforcement Denial of Service Vulnerability\n\n##### November 21, 2016\n\n##### 
CVE Number\n\nCVE-2016-7428\n\n### Summary\n\nAn exploitable denial of service vulnerability exists in the broadcast mode poll interval enforcement functionality of ntpd. To limit abuse, ntpd restricts the rate at which each broadcast association will process incoming packets. ntpd will reject broadcast mode packets that arrive before the poll interval specified in the preceding broadcast packet expires. A vulnerability exists which allows remote unauthenticated attackers to send specially crafted broadcast mode NTP packets which will cause ntpd to reject all broadcast mode packets from legitimate NTP broadcast servers.\n\n### Tested Versions\n\nNTP 4.2.8p6\n\n### Product URLs\n\nhttp://www.ntp.org/\n\n### CVSS Scores\n\nCVSSv2: 5.0 - (AV:N/AC:L/Au:N/C:N/I:N/A:P) \nCVSSv3: 5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\n\n### Details\n\nIn response to the NTP Deja Vu vulnerability (CVE-2015-7973), ntp-4.2.8p6 introduced several new integrity checks on incoming broadcast mode packets. Upon receipt of a broadcast mode packet, before authentication is enforced, ntpd will reject the packet if any of the following conditions hold:\n\n 1. The packet poll value is out of bounds for the broadcast association, i.e.\n \n pkt->ppoll < peer->minpoll || pkt->ppoll > peer->maxpoll\n \n\n 2. The packet was received before a full poll interval has elapsed since the last broadcast packet was received from the packet\u2019s sender. i.e. A server cannot ingress packets more frequently than `peer->minpoll`.\n\n 3. The packet transmit timestamp is less than the last seen broadcast packet transmit timestamp from the packet\u2019s sender. i.e. 
Broadcast packet transmit timestamps must be monotonically increasing.\n\nThe following logic is used to ensure constraint 2, which ensures that broadcast associations will process only one incoming packet per poll interval:\n \n \n /* ntp-4.2.8p6 ntpd/ntp_proto.c */\n 1305 if (MODE_BROADCAST == hismode) {\n ...\n 1341 if ( (current_time - peer->timelastrec)\n 1342 < (1 << pkt->ppoll)) {\n 1343 msyslog(LOG_INFO, \"receive: broadcast packet from %s arrived after %ld, not %d seconds!\",\n 1344 stoa(&rbufp->recv_srcadr),\n 1345 (current_time - peer->timelastrec),\n 1346 (1 << pkt->ppoll)\n 1347 );\n 1348 ++bail;\n 1349 }\n ...\n 1361\n 1362 peer->bxmt = p_xmt;\n 1363\n 1364 if (bail) {\n 1365 peer->timelastrec = current_time;\n 1366 sys_declined++;\n 1367 return;\n 1368 }\n 1369 }\n \n\nIf the time elapsed since the last broadcast packet was received from this peer is less than the poll interval declared by the sender (`(current_time - peer->timelastrec) < (1 << pkt->ppoll)`), the packet will be discarded. (A previous check ensures that `pkt->ppoll` is within acceptable bounds.)\n\nUnfortunately, line 1341 compares the current time against the last time any broadcast mode packet was received with a source IP address of the peer (`peer->timelastrec`). In contrast to `peer->timereceived`, which is updated only when a _clean_ (correctly authenticated and passing integrity checks) packet is received, `peer->timelastrec` is updated by all incoming broadcast packets including spoofed and replayed packets.\n\nThis leads to a trivial denial of service attack. The attacker:\n\n 1. Discovers the IP address of the victim\u2019s broadcast server. e.g. Send the victim a client mode NTP packet and discover the broadcast server from the refid field of the victim\u2019s reply.\n\n 2. At least once per poll period, send the victim a spoofed broadcast mode packet from the broadcast server. 
This will set `peer->timelastrec = current_time` such that, when a legitimate packet is received, it will appear to have been received too early (`(current_time - peer->timelastrec) < (1 << pkt->ppoll)`) and will be discarded.\n\n * The attacker does not need to be on the same subnet as the victim. The attacker can address the spoofed broadcast NTP packet directly to the victim\u2019s IP address.\n\n * The attacker can choose any reasonably small estimate for the poll period. Because the `peer->timelastrec` update happens even when a packet fails the poll period check, there is no penalty for sending packets too frequently.\n\nTo prevent this vulnerability, ntpd should only discard broadcast packets when less than one poll interval has elapsed since the last legitimate packet was received (`peer->timereceived`).\n\n### Mitigation\n\nThere is no workaround for this issue. Because the vulnerable logic is executed before authentication is enforced, authentication and the `restrict notrust` ntpd.conf directive have no effect. An attacker can bypass `notrust` restrictions by sending incorrectly authenticated packets.\n\nIn order to succeed in an attack, the attacker must send at least one spoofed packet per poll period. Therefore, observing more than one NTP broadcast packet from the same sender address per poll period indicates a possible attack.\n\nThe following patch can be used to fix this vulnerability:\n \n \n From 8522882496d3df2bd764de6d8f7afac4a8d84006 Mon Sep 17 00:00:00 2001\n 
From: Matthew Van Gundy <mvangund@cisco.com>\n Date: Fri, 5 Feb 2016 17:38:32 -0500\n Subject: [PATCH] Fix unauthenticated broadcast mode denial of service (peer->timelastrec)\n \n Drop packets if they arrive less than one poll interval since the last\n **clean** packet received on an association. If we compare against the\n last time that *any* packet was received, even one that will be dropped\n for failing integrity checks, an attacker can DoS the association by\n sending incorrectly authenticated packets or replaying old packets to\n keep bumping the peer->timelastrec timer forward.\n ---\n include/ntp.h | 4 +++-\n ntpd/ntp_proto.c | 13 +++++++++++--\n 2 files changed, 14 insertions(+), 3 deletions(-)\n \n diff --git a/include/ntp.h b/include/ntp.h\n index 6a4e9aa..cbf6cec 100644\n --- a/include/ntp.h\n +++ b/include/ntp.h\n @@ -383,7 +383,9 @@ struct peer {\n * Statistic counters\n */\n u_long timereset; /* time stat counters were reset */\n - u_long timelastrec; /* last packet received time */\n + u_long timelastrec; /* last packet received time (may\n + * include spoofed, replayed, or other\n + * invalid packets) */\n u_long timereceived; /* last (clean) packet received time */\n u_long timereachable; /* last reachable/unreachable time */\n \n diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c\n index ad45409..1ea5cee 100644\n --- a/ntpd/ntp_proto.c\n +++ b/ntpd/ntp_proto.c\n 
@@ -1338,11 +1338,20 @@ receive(\n ++bail;\n }\n \n - if ( (current_time - peer->timelastrec)\n + /*\n + * Ensure that at least one poll interval has\n + * elapsed since the last **clean** packet was\n + * received. We limit the check to **clean**\n + * packets to prevent replayed packets and\n + * incorrectly authenticated packets, which\n + * we'll discard, from being used to create a\n + * denial of service condition.\n + */\n + if ( (current_time - peer->timereceived)\n < (1 << pkt->ppoll)) {\n msyslog(LOG_INFO, \"receive: broadcast packet from %s arrived after %ld, not %d seconds!\",\n stoa(&rbufp->recv_srcadr),\n - (current_time - peer->timelastrec),\n + (current_time - peer->timereceived),\n (1 << pkt->ppoll)\n );\n ++bail;\n --\n 2.5.2\n \n\n### Timeline\n\n2016-09-12 - Vendor Disclosure \n2016-11-21 - Public Release\n\n##### Credit\n\nDiscovered by Matthew Van Gundy of Cisco ASIG.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0260\n\nPrevious Report\n\nTALOS-2016-0131\n", "edition": 14, "modified": "2016-11-21T00:00:00", "published": "2016-11-21T00:00:00", "id": "TALOS-2016-0130", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0130", "title": "Network Time Protocol Broadcast Mode Poll Interval Enforcement Denial of Service Vulnerability", "type": "talos", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2020-07-01T21:25:30", "bulletinFamily": "info", "cvelist": ["CVE-2015-7973", "CVE-2016-7427"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0131\n\n## Network Time Protocol Broadcast Mode Replay Prevention Denial of Service Vulnerability\n\n##### November 21, 2016\n\n##### CVE Number\n\nCVE-2016-7427\n\n### Summary\n\nAn exploitable denial of service vulnerability exists in the broadcast mode replay prevention functionality of ntpd. To prevent replay of broadcast mode packets, ntpd rejects broadcast mode packets with non-monotonically increasing transmit timestamps. 
Remote unauthenticated attackers can send specially crafted broadcast mode NTP packets to cause ntpd to reject all broadcast mode packets from legitimate NTP broadcast servers.\n\n### Tested Versions\n\nNTP 4.2.8p6\n\n### Product URLs\n\nhttp://www.ntp.org/\n\n### CVSS Scores\n\nCVSSv2: 5.0 - (AV:N/AC:L/Au:N/C:N/I:N/A:P) \nCVSSv3: 5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\n\n### Details\n\nIn response to the NTP Deja Vu vulnerability (CVE-2015-7973), ntp-4.2.8p6 introduced several new integrity checks on incoming broadcast mode packets. Upon receipt of a broadcast mode packet, before authentication is enforced, ntpd will reject the packet if any of the following conditions hold:\n\n 1. The packet poll value is out of bounds for the broadcast association, i.e.\n \n pkt->ppoll < peer->minpoll || pkt->ppoll > peer->maxpoll\n \n\n 2. The packet was received before a full poll interval has elapsed since the last broadcast packet was received from the packet\u2019s sender. i.e. A server cannot ingress packets more frequently than `peer->minpoll`.\n\n 3. The packet transmit timestamp is less than the last seen broadcast packet transmit timestamp from the packet\u2019s sender. i.e. 
Broadcast packet transmit timestamps must be monotonically increasing.\n\nThe following logic is used to ensure that packet transmit timestamps are monotonically increasing:\n \n \n /* ntp-4.2.8p6 ntpd/ntp_proto.c */\n 1305 if (MODE_BROADCAST == hismode) {\n ...\n 1351 tdiff = p_xmt;\n 1352 L_SUB(&tdiff, &peer->bxmt);\n 1353 if (tdiff.l_i < 0) {\n 1354 msyslog(LOG_INFO, \"receive: broadcast packet from %s contains non-monotonic timestamp: %#010x.%08x -> %#010x.%08x\",\n 1355 stoa(&rbufp->recv_srcadr),\n 1356 peer->bxmt.l_ui, peer->bxmt.l_uf,\n 1357 p_xmt.l_ui, p_xmt.l_uf\n 1358 );\n 1359 ++bail;\n 1360 }\n 1361\n 1362 peer->bxmt = p_xmt;\n 1363\n 1364 if (bail) {\n 1365 peer->timelastrec = current_time;\n 1366 sys_declined++;\n 1367 return;\n 1368 }\n 1369 }\n \n\nIf the packet transmit timestamp is less than the transmit timestamp on the last received broadcast packet from this association (`p_xmt - peer->bxmt < 0`), the packet will be discarded.\n\nUnfortunately, line 1362 updates the saved transmit timestamp for alleged sender of the packet (`peer->bxmt`) before the packet is discarded. The update takes place even if the packet is unauthenticated and fails the previous integrity checks.\n\nThis leads to a trivial denial of service attack. The attacker:\n\n 1. Discovers the IP address of the victim\u2019s broadcast server. e.g. Send the victim a client mode NTP packet and discover the broadcast server from the refid field of the victim\u2019s reply.\n\n 2. Every poll period, send the victim a spoofed broadcast mode packet from the broadcast server with a transmit timestamp in the future. This will move `peer->bxmt` forward so that any legitimate packet will be rejected by the non-monotonic timestamp check.\n\n * The attacker does not need to be on the same subnet as the victim. The attacker can address the spoofed broadcast NTP packet directly to the victim\u2019s IP address.\n\n * The attacker can choose any reasonably small estimate for the poll period. 
Because the `peer->bxmt` update happens even when a packet fails the poll period checks, there is no penalty for sending packets too frequently.\n\nTo prevent this vulnerability, `peer->bxmt` should only be updated when a packet authenticates correctly. This is the approach taken in the patch below.\n\n### Mitigation\n\nThere is no workaround for this issue. Because the vulnerable logic is executed before authentication is enforced, authentication and the `restrict notrust` ntpd.conf directive have no effect. An attacker can bypass `notrust` restrictions by sending incorrectly authenticated packets.\n\nIn order to succeed in an attack, the attacker must send at least one spoofed packet per poll period. Therefore observing more than one NTP broadcast packet from the same sender address per poll period indicates a possible attack.\n\nThe following patch can be used to fix this vulnerability:\n \n \n From 097fd4dae9ac4927d7cfa8011fd42f704bd02c45 Mon Sep 17 00:00:00 2001\n From: Matthew Van Gundy <mvangund@cisco.com>\n Date: Tue, 26 Jan 2016 15:00:28 -0500\n Subject: [PATCH] Fix unauthenticated broadcast mode denial of service (peer->bxmt)\n \n ---\n include/ntp_fp.h | 1 +\n ntpd/ntp_proto.c | 22 ++++++++++++++++------\n 2 files changed, 17 insertions(+), 6 deletions(-)\n \n diff --git a/include/ntp_fp.h b/include/ntp_fp.h\n index 7806932..ad7a01d 100644\n --- a/include/ntp_fp.h\n +++ b/include/ntp_fp.h\n @@ -242,6 +242,7 @@ typedef u_int32 u_fp;\n #define L_ISGTU(a, b) M_ISGTU((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf)\n #define L_ISHIS(a, b) M_ISHIS((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf)\n #define L_ISGEQ(a, b) M_ISGEQ((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf)\n +#define L_ISGEQU(a, b) L_ISHIS(a, b)\n #define L_ISEQU(a, b) M_ISEQU((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf)\n \n /*\n diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c\n index ad45409..ac469ce 100644\n --- a/ntpd/ntp_proto.c\n +++ b/ntpd/ntp_proto.c\n 
@@ -1305,7 +1305,6 @@ receive(\n if (MODE_BROADCAST == hismode) {\n u_char poll;\n int bail = 0;\n - l_fp tdiff;\n \n DPRINTF(2, (\"receive: PROCPKT/BROADCAST: prev pkt %ld seconds ago, ppoll: %d, %d secs\\n\",\n (current_time - peer->timelastrec),\n @@ -1348,9 +1347,8 @@ receive(\n ++bail;\n }\n \n - tdiff = p_xmt;\n - L_SUB(&tdiff, &peer->bxmt);\n - if (tdiff.l_i < 0) {\n + /* Use L_ISGEQU() to ensure unsigned comparison */\n + if (!L_ISGEQU(&p_xmt, &peer->bxmt)) {\n msyslog(LOG_INFO, \"receive: broadcast packet from %s contains non-monotonic timestamp: %#010x.%08x -> %#010x.%08x\",\n stoa(&rbufp->recv_srcadr),\n peer->bxmt.l_ui, peer->bxmt.l_uf,\n @@ -1359,8 +1357,6 @@ receive(\n ++bail;\n }\n \n - peer->bxmt = p_xmt;\n -\n if (bail) {\n peer->timelastrec = current_time;\n sys_declined++;\n @@ -1563,6 +1559,14 @@ receive(\n peer->xmt = p_xmt;\n \n /*\n + * Now that we know the packet is correctly authenticated,\n + * update peer->bxmt if needed\n + */\n + if (MODE_BROADCAST == hismode) {\n + peer->bxmt = p_xmt;\n + }\n +\n + /*\n * Set the peer ppoll to the maximum of the packet ppoll and the\n * peer minpoll. If a kiss-o'-death, set the peer minpoll to\n * this maximum and advance the headway to give the sender some\n @@ -2400,6 +2404,7 @@ peer_clear(\n )\n {\n u_char u;\n + l_fp bxmt = peer->bxmt;\n \n #ifdef AUTOKEY\n /*\n 
@@ -2436,6 +2441,11 @@ peer_clear(\n peer->flash = peer_unfit(peer);\n peer->jitter = LOGTOD(sys_precision);\n \n + /* Don't throw away our broadcast replay protection */\n + if (peer->hmode == MODE_BCLIENT) {\n + peer->bxmt = bxmt;\n + }\n +\n /*\n * If interleave mode, initialize the alternate origin switch.\n */\n \n\n### Timeline\n\n2016-09-12 - Vendor Disclosure \n2016-11-21 - Public Release\n\n##### Credit\n\nDiscovered by Matthew Van Gundy of Cisco ASIG.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0130\n\nPrevious Report\n\nTALOS-2016-0203\n", "edition": 13, "modified": "2016-11-21T00:00:00", "published": "2016-11-21T00:00:00", "id": "TALOS-2016-0131", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0131", "title": "Network Time Protocol Broadcast Mode Replay Prevention Denial of Service Vulnerability", "type": "talos", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "huawei": [{"lastseen": "2019-02-01T18:02:17", "bulletinFamily": "software", "cvelist": ["CVE-2016-7434", "CVE-2016-9311", "CVE-2016-7433", "CVE-2016-7427", "CVE-2016-7429", "CVE-2016-7428", "CVE-2016-9310", "CVE-2016-7426", "CVE-2016-7431"], "description": "Products\n\nSwitches\nRouters\nWLAN\nServers\nSee All\n\n\n\nSolutions\n\nCloud Data Center\nEnterprise Networking\nWireless Private Network\nSolutions by Industry\nSee All\n\n\n\nServices\n\nTraining and Certification\nICT Lifecycle Services\nTechnology Services\nIndustry Solution Services\nSee All\n\n\n\nSee all offerings at e.huawei.com\n\n\n\nNeed Support ?\n\nProduct Support\nSoftware Download\nCommunity\nTools\n\nGo to Full Support", "edition": 1, "modified": "2017-11-29T00:00:00", "published": "2017-11-29T00:00:00", "id": "HUAWEI-SA-20171129-01-NTPD", "href": "https://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171129-01-ntpd-en", "title": "Security Advisory - Multiple NTPd Vulnerabilities in Huawei Products", "type": "huawei", "cvss": {"score": 7.1, 
"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "archlinux": [{"lastseen": "2020-09-22T18:36:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7426", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-7429", "CVE-2016-7431", "CVE-2016-7433", "CVE-2016-7434", "CVE-2016-9310", "CVE-2016-9311"], "description": "Arch Linux Security Advisory ASA-201611-28\n==========================================\n\nSeverity: High\nDate : 2016-11-26\nCVE-ID : CVE-2016-7426 CVE-2016-7427 CVE-2016-7428 CVE-2016-7429\nCVE-2016-7431 CVE-2016-7433 CVE-2016-7434 CVE-2016-9310\nCVE-2016-9311\nPackage : ntp\nType : multiple issues\nRemote : Yes\nLink : https://wiki.archlinux.org/index.php/CVE\n\nSummary\n=======\n\nThe package ntp before version 4.2.8.p9-1 is vulnerable to multiple\nissues including denial of service, insufficient validation and\nincorrect calculation.\n\nResolution\n==========\n\nUpgrade to 4.2.8.p9-1.\n\n# pacman -Syu \"ntp>=4.2.8.p9-1\"\n\nThe problems have been fixed upstream in version 4.2.8.p9.\n\nWorkaround\n==========\n\nA partial fix to some of the issues is to implement BCP-38, use\n\"restrict default noquery ...\" in your ntp.conf file and only allow\nmode 6 queries from trusted networks and hosts.\n\nDescription\n===========\n\n- CVE-2016-7426 (denial of service)\n\nWhen ntpd is configured with rate limiting for all associations\n(restrict default limited in ntp.conf), the limits are applied also to\nresponses received from its configured sources. An attacker who knows\nthe sources (e.g., from an IPv4 refid in server response) and knows the\nsystem is (mis)configured in this way can periodically send packets\nwith spoofed source address to keep the rate limiting activated and\nprevent ntpd from accepting valid responses from its sources.\n\n- CVE-2016-7427 (denial of service)\n\nThe broadcast mode of NTP is expected to only be used in a trusted\nnetwork. 
If the broadcast network is accessible to an attacker, a\npotentially exploitable denial of service vulnerability in ntpd's\nbroadcast mode replay prevention functionality can be abused. An\nattacker with access to the NTP broadcast domain can periodically\ninject specially crafted broadcast mode NTP packets into the broadcast\ndomain which, while being logged by ntpd, can cause ntpd to reject\nbroadcast mode packets from legitimate NTP broadcast servers.\n\n- CVE-2016-7428 (denial of service)\n\nThe broadcast mode of NTP is expected to only be used in a trusted\nnetwork. If the broadcast network is accessible to an attacker, a\npotentially exploitable denial of service vulnerability in ntpd's\nbroadcast mode poll interval enforcement functionality can be abused.\nTo limit abuse, ntpd restricts the rate at which each broadcast\nassociation will process incoming packets. ntpd will reject broadcast\nmode packets that arrive before the poll interval specified in the\npreceding broadcast packet expires. An attacker with access to the NTP\nbroadcast domain can send specially crafted broadcast mode NTP packets\nto the broadcast domain which, while being logged by ntpd, will cause\nntpd to reject broadcast mode packets from legitimate NTP broadcast\nservers.\n\n- CVE-2016-7429 (denial of service)\n\nWhen ntpd receives a server response on a socket that corresponds to a\ndifferent interface than was used for the request, the peer structure\nis updated to use the interface for new requests. If ntpd is running on\na host with multiple interfaces in separate networks and the operating\nsystem doesn't check source address in received packets (e.g. 
rp_filter\non Linux is set to 0), an attacker that knows the address of the source\ncan send a packet with spoofed source address which will cause ntpd to\nselect wrong interface for the source and prevent it from sending new\nrequests until the list of interfaces is refreshed, which happens on\nrouting changes or every 5 minutes by default. If the attack is\nrepeated often enough (once per second), ntpd will not be able to\nsynchronize with the source.\n\n- CVE-2016-7431 (insufficient validation)\n\nZero Origin timestamp problems were fixed by Bug 2945 in ntp-4.2.8p6.\nHowever, subsequent timestamp validation checks introduced a regression\nin the handling of some Zero origin timestamp checks.\n\n- CVE-2016-7433 (incorrect calculation)\n\nntpd Bug 2085 described a condition where the root delay was included\ntwice, causing the jitter value to be higher than expected. Due to a\nmisinterpretation of a small-print variable in The Book, the fix for\nthis problem was incorrect, resulting in a root distance that did not\ninclude the peer dispersion. The calculations and formula have been\nreviewed and reconciled, and the code has been updated accordingly.\n\n- CVE-2016-7434 (denial of service)\n\nIf ntpd is configured to allow mrulist query requests from a server\nthat sends a crafted malicious packet, ntpd will crash on receipt of\nthat crafted malicious mrulist query packet.\n\n- CVE-2016-9310 (denial of service)\n\nAn exploitable configuration modification vulnerability exists in the\ncontrol mode (mode 6) functionality of ntpd. If, against long-standing\nBCP recommendations, \"restrict default noquery ...\" is not specified, a\nspecially crafted control mode packet can set ntpd traps, providing\ninformation disclosure and DDoS amplification, and unset ntpd traps,\ndisabling legitimate monitoring. A remote, unauthenticated, network\nattacker can trigger this vulnerability.\n\n- CVE-2016-9311 (denial of service)\n\nntpd does not enable trap service by default. 
If trap service has been\nexplicitly enabled, an attacker can send a specially crafted packet to\ncause a null pointer dereference that will crash ntpd, resulting in a\ndenial of service.\n\nImpact\n======\n\nA remote unauthenticated attacker may be able to perform a denial of\nservice attack on ntpd via multiple vectors.\n\nReferences\n==========\n\nhttp://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se\nhttp://www.kb.cert.org/vuls/id/633847\nhttp://support.ntp.org/bin/view/Main/NtpBug3071\nhttp://support.ntp.org/bin/view/Main/NtpBug3114\nhttp://support.ntp.org/bin/view/Main/NtpBug3113\nhttp://support.ntp.org/bin/view/Main/NtpBug3072\nhttp://support.ntp.org/bin/view/Main/NtpBug3102\nhttp://support.ntp.org/bin/view/Main/NtpBug3067\nhttp://bugs.ntp.org/show_bug.cgi?id=2085\nhttp://support.ntp.org/bin/view/Main/NtpBug3082\nhttp://support.ntp.org/bin/view/Main/NtpBug3118\nhttp://support.ntp.org/bin/view/Main/NtpBug3119\nhttps://access.redhat.com/security/cve/CVE-2016-7426\nhttps://access.redhat.com/security/cve/CVE-2016-7427\nhttps://access.redhat.com/security/cve/CVE-2016-7428\nhttps://access.redhat.com/security/cve/CVE-2016-7429\nhttps://access.redhat.com/security/cve/CVE-2016-7431\nhttps://access.redhat.com/security/cve/CVE-2016-7433\nhttps://access.redhat.com/security/cve/CVE-2016-7434\nhttps://access.redhat.com/security/cve/CVE-2016-9310\nhttps://access.redhat.com/security/cve/CVE-2016-9311", "modified": "2016-11-26T00:00:00", "published": "2016-11-26T00:00:00", "id": "ASA-201611-28", "href": "https://security.archlinux.org/ASA-201611-28", "type": "archlinux", "title": "[ASA-201611-28] ntp: multiple issues", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}], "ubuntu": [{"lastseen": "2020-07-02T11:38:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9311", "CVE-2018-7185", "CVE-2018-7183", "CVE-2016-7427", "CVE-2017-6462", "CVE-2017-6463", "CVE-2016-7428", "CVE-2016-9310", "CVE-2016-7426"], "description": "USN-3707-1 
and USN-3349-1 fixed several vulnerabilities in NTP. This update \nprovides the corresponding update for Ubuntu 12.04 ESM.\n\nOriginal advisory details:\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain spoofed \naddresses when performing rate limiting. A remote attacker could possibly \nuse this issue to perform a denial of service. (CVE-2016-7426)\n\nMatthew Van Gundy discovered that NTP incorrectly handled certain crafted \nbroadcast mode packets. A remote attacker could possibly use this issue to \nperform a denial of service. (CVE-2016-7427, CVE-2016-7428)\n\nMatthew Van Gundy discovered that NTP incorrectly handled certain control \nmode packets. A remote attacker could use this issue to set or unset traps. \n(CVE-2016-9310)\n\nMatthew Van Gundy discovered that NTP incorrectly handled the trap service. \nA remote attacker could possibly use this issue to cause NTP to crash, resulting \nin a denial of service. (CVE-2016-9311)\n\nIt was discovered that the NTP legacy DPTS refclock driver incorrectly handled \nthe /dev/datum device. A local attacker could possibly use this issue to cause \na denial of service. (CVE-2017-6462)\n\nIt was discovered that NTP incorrectly handled certain invalid settings in a \n:config directive. A remote authenticated user could possibly use this issue \nto cause NTP to crash, resulting in a denial of service. (CVE-2017-6463)\n\nMichael Macnair discovered that NTP incorrectly handled certain responses. \nA remote attacker could possibly use this issue to execute arbitrary code. \n(CVE-2018-7183)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain \nzero-origin timestamps. A remote attacker could possibly use this issue to \ncause a denial of service. 
(CVE-2018-7185)", "edition": 4, "modified": "2019-01-23T00:00:00", "published": "2019-01-23T00:00:00", "id": "USN-3707-2", "href": "https://ubuntu.com/security/notices/USN-3707-2", "title": "NTP vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-02T11:34:29", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7434", "CVE-2016-9311", "CVE-2017-6460", "CVE-2016-7433", "CVE-2017-6458", "CVE-2016-7427", "CVE-2016-9042", "CVE-2017-6462", "CVE-2016-7429", "CVE-2017-6463", "CVE-2016-2519", "CVE-2016-7428", "CVE-2016-9310", "CVE-2017-6464", "CVE-2016-7426", "CVE-2016-7431"], "description": "Yihan Lian discovered that NTP incorrectly handled certain large request \ndata values. A remote attacker could possibly use this issue to cause NTP \nto crash, resulting in a denial of service. This issue only affected \nUbuntu 16.04 LTS. (CVE-2016-2519)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain spoofed \naddresses when performing rate limiting. A remote attacker could possibly \nuse this issue to perform a denial of service. This issue only affected \nUbuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7426)\n\nMatthew Van Gundy discovered that NTP incorrectly handled certain crafted \nbroadcast mode packets. A remote attacker could possibly use this issue to \nperform a denial of service. This issue only affected Ubuntu 14.04 LTS, \nUbuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7427, CVE-2016-7428)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain responses. \nA remote attacker could possibly use this issue to perform a denial of \nservice. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and \nUbuntu 16.10. (CVE-2016-7429)\n\nSharon Goldberg and Aanchal Malhotra discovered that NTP incorrectly \nhandled origin timestamps of zero. A remote attacker could possibly use \nthis issue to bypass the origin timestamp protection mechanism. 
This issue \nonly affected Ubuntu 16.10. (CVE-2016-7431)\n\nBrian Utterback, Sharon Goldberg and Aanchal Malhotra discovered that NTP \nincorrectly performed initial sync calculations. This issue only applied \nto Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7433)\n\nMagnus Stubman discovered that NTP incorrectly handled certain mrulist \nqueries. A remote attacker could possibly use this issue to cause NTP to \ncrash, resulting in a denial of service. This issue only affected Ubuntu \n16.04 LTS and Ubuntu 16.10. (CVE-2016-7434)\n\nMatthew Van Gundy discovered that NTP incorrectly handled origin timestamp \nchecks. A remote attacker could possibly use this issue to perform a denial \nof service. This issue only affected Ubuntu 16.10 and Ubuntu 17.04. \n(CVE-2016-9042)\n\nMatthew Van Gundy discovered that NTP incorrectly handled certain control \nmode packets. A remote attacker could use this issue to set or unset traps. \nThis issue only applied to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu \n16.10. (CVE-2016-9310)\n\nMatthew Van Gundy discovered that NTP incorrectly handled the trap service. \nA remote attacker could possibly use this issue to cause NTP to crash, \nresulting in a denial of service. This issue only applied to Ubuntu 14.04 \nLTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9311)\n\nIt was discovered that NTP incorrectly handled memory when processing long \nvariables. A remote authenticated user could possibly use this issue to \ncause NTP to crash, resulting in a denial of service. (CVE-2017-6458)\n\nIt was discovered that NTP incorrectly handled memory when processing long \nvariables. A remote authenticated user could possibly use this issue to \ncause NTP to crash, resulting in a denial of service. This issue only \napplied to Ubuntu 16.04 LTS, Ubuntu 16.10 and Ubuntu 17.04. (CVE-2017-6460)\n\nIt was discovered that the NTP legacy DPTS refclock driver incorrectly \nhandled the /dev/datum device. 
A local attacker could possibly use this \nissue to cause a denial of service. (CVE-2017-6462)\n\nIt was discovered that NTP incorrectly handled certain invalid settings \nin a :config directive. A remote authenticated user could possibly use \nthis issue to cause NTP to crash, resulting in a denial of service. \n(CVE-2017-6463)\n\nIt was discovered that NTP incorrectly handled certain invalid mode \nconfiguration directives. A remote authenticated user could possibly use \nthis issue to cause NTP to crash, resulting in a denial of service. \n(CVE-2017-6464)", "edition": 5, "modified": "2017-07-05T00:00:00", "published": "2017-07-05T00:00:00", "id": "USN-3349-1", "href": "https://ubuntu.com/security/notices/USN-3349-1", "title": "NTP vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}], "symantec": [{"lastseen": "2020-12-24T10:41:07", "bulletinFamily": "software", "cvelist": ["CVE-2016-7426", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-7429", "CVE-2016-7431", "CVE-2016-7433", "CVE-2016-7434", "CVE-2016-9310", "CVE-2016-9311", "CVE-2016-9312"], "description": "### SUMMARY\n\nSymantec Network Protection products using affected versions of the NTP reference implementation from ntp.org are susceptible to multiple vulnerabilities. A remote attacker can modify the target's system time, prevent the target from synchronizing its time, cause denial of service through NTP daemon crashes, perform DDoS attack amplification, and evade security monitoring in the NTP daemon. \n \n\n\n### AFFECTED PRODUCTS \n\nThe following products are vulnerable:\n\n**Content Analysis (CA)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 2.2 and later | Not vulnerable, fixed in 2.2.1.1 \nCVE-2016-7429, CVE-2016-7433 | 2.1 | Upgrade to later release with fixes. \n1.3 | Upgrade to later release with fixes. \nCVE-2016-7431 | 2.1 | Upgrade to later release with fixes. \n1.3.7.3, 1.3.7.4 | Upgrade to later release with fixes. 
\n \n \n\n**Director** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs except CVE-2016-7429 | 6.1 | Upgrade to 6.1.23.1. \n \n \n\n**Mail Threat Defense (MTD)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-7429, CVE-2016-7433 | 1.1 | Not available at this time \n \n \n\n**Management Center (MC)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-7431, CVE-2016-7433 | 1.11 and later | Not vulnerable, fixed in 1.11.1.1. \n1.10 | Upgrade to later release with fixes. \n1.9 | Upgrade to later release with fixes. \n1.8 | Upgrade to later release with fixes. \n \n \n\n**Reporter** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-7429, CVE-2016-7431, \nCVE-2016-7433 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1. \n10.1 | Upgrade to 10.1.5.5. \nAll CVEs | 9.5 | Not vulnerable \nAll CVEs | 9.4 | Not vulnerable \n \n \n\n**Security Analytics** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 7.3 and later | Not vulnerable, fixed in 7.3.1. \nCVE-2016-7426, CVE-2016-7429, \nCVE-2016-7433, CVE-2016-9310, \nCVE-2016-9311 | 7.2 | Upgrade to 7.2.3. \n7.1 | Upgrade to later release with fixes. \n6.6 | Upgrade to later release with fixes. \nCVE-2016-7427, CVE-2016-7428, CVE-2016-7431, CVE-2016-7434 | 7.2.2 | Not available at this time \n7.1 with ntp-4.2.8p8 RPM patch | Upgrade to later release with fixes. \n6.6 with ntp-4.2.8p8 RPM patch | Upgrade to later release with fixes. \n \n \n\n**SSL Visibility (SSLV)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-7431, CVE-2016-7433 | 4.1 and later | Not vulnerable, fixed in 4.1.1.1. \n4.0 | Upgrade to later release with fixes. \n3.8, 3.8.4FC, 3.9, 3.10, 3.12 | Not vulnerable to known vectors of attack. 
\n \n \n\n**X-Series XOS** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-7426, CVE-2016-7429, \nCVE-2016-7433, CVE-2016-9310, \nCVE-2016-9311 | 11.0 | Not available at this time \n10.0 | Not available at this time \n9.7 | Upgrade to later release with fixes. \n \n \n\nThe following products contain a vulnerable version of the ntp.org NTP reference implementation, but are not vulnerable to known vectors of attack:\n\n**Advanced Secure Gateway (ASG)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 7.1 | Not vulnerable, fixed in 7.1.1.1 \n6.7 | Upgrade to 6.7.3.1. \n6.6 | Upgrade to later release with fixes. \n \n \n\n### ADDITIONAL PRODUCT INFORMATION\n\nSymantec Network Protection products do not enable or use all functionality within the ntp.org NTP reference implementation. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided.\n\n * **ASG:** all CVEs\n * **CA:** CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7434, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312\n * **Director:** CVE-2016-7429\n * **MTD:** CVE-2016-7426, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312\n * **MC:** CVE-2016-7426, CVE-2016-7429, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312\n * **Reporter 10.1:** CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7434, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312\n * **Security Analytics:** CVE-2016-9312\n * **SSLV 3.x and 4.x:** CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7429 (4.0 only), CVE-2016-7434, CVE-2016-9310, CVE-2016-9311\n\nThe following products are not vulnerable: \n**Android Mobile Agent \nAuthConnector \nBCAAA \nSymantec HSM Agent for the Luna SP \nCacheFlow \nClient Connector \nCloud Data Protection for Salesforce \nCloud Data Protection for Salesforce Analytics \nCloud Data Protection for ServiceNow 
\nCloud Data Protection for Oracle CRM On Demand \nCloud Data Protection for Oracle Field Service Cloud \nCloud Data Protection for Oracle Sales Cloud \nCloud Data Protection Integration Server \nCloud Data Protection Communication Server \nCloud Data Protection Policy Builder \nGeneral Auth Connector Login Application \nIntelligenceCenter \nIntelligenceCenter Data Collector \nK9 \nMalware Analysis \nNorman Shark Industrial Control System Protection \nNorman Shark Network Protection \nNorman Shark SCADA Protection \nPacketShaper \nPacketShaper S-Series \nPolicyCenter \nPolicyCenter S-Series \nProxyClient \nProxyAV \nProxyAV ConLog and ConLogXP \nProxySG \nUnified Agent \nWeb Isolation**\n\nSymantec no longer provides vulnerability information for the following products:\n\n**DLP** \nPlease contact Digital Guardian technical support regarding vulnerability information for DLP. \n \n\n\n### ISSUES \n\n**CVE-2016-7426** \n--- \n**Severity / CVSSv2** | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n**References** | SecurityFocus: [BID 94451](<https://www.securityfocus.com/bid/94451>) / NVD: [CVE-2016-7426](<https://nvd.nist.gov/vuln/detail/CVE-2016-7426>) \n**Impact** | Denial of service \n**Description** | A flaw in rate limiting allows a remote attacker to send NTP packets with spoofed source IP addresses and cause the target to reject legitimate packets from configured NTP servers. The attacker can thus prevent the target from synchronizing its system time. 
\n \n \n\n**CVE-2016-7427** \n--- \n**Severity / CVSSv2** | Low / 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P) \n**References** | SecurityFocus: [BID 94447](<https://www.securityfocus.com/bid/94447>) / NVD: [CVE-2016-7427](<https://nvd.nist.gov/vuln/detail/CVE-2016-7427>) \n**Impact** | Denial of service \n**Description** | A flaw in NTP broadcast packet replay prevention allows a remote attacker with access to the NTP broadcast domain to send crafted broadcast packets and cause the target to reject legitimate packets from NTP broadcast servers. The attacker can thus prevent the target from synchronizing its system time. \n \n \n\n**CVE-2016-7428** \n--- \n**Severity / CVSSv2** | Low / 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P) \n**References** | SecurityFocus: [BID 94446](<https://www.securityfocus.com/bid/94446>) / NVD: [CVE-2016-7428](<https://nvd.nist.gov/vuln/detail/CVE-2016-7428>) \n**Impact** | Denial of service \n**Description** | A flaw in NTP broadcast packet poll interval enforcement allows a remote attacker with access to the NTP broadcast domain to send crafted broadcast packets and cause the target to reject legitimate packets from NTP broadcast servers. The attacker can thus prevent the target from synchronizing its system time. \n \n \n\n**CVE-2016-7429** \n--- \n**Severity / CVSSv2** | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n**References** | SecurityFocus: [BID 94453](<https://www.securityfocus.com/bid/94453>) / NVD: [CVE-2016-7429](<https://nvd.nist.gov/vuln/detail/CVE-2016-7429>) \n**Impact** | Denial of service \n**Description** | There is a flaw in the NTP daemon when it listens on multiple network interfaces and the operating system does not validate the source address of received packets. A remote attacker can send an NTP packet with a spoofed source IP address on an unexpected network interface to corrupt the NTP daemon's internal state and prevent it from synchronizing the system time. 
\n \n \n\n**CVE-2016-7431** \n--- \n**Severity / CVSSv2** | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n**References** | SecurityFocus: [BID 94454](<https://www.securityfocus.com/bid/94454>) / NVD: [CVE-2016-7431](<https://nvd.nist.gov/vuln/detail/CVE-2016-7431>) \n**Impact** | Denial of service, unauthorized modification of time \n**Description** | A flaw in NTP packet origin timestamp validation allows a remote attacker to send crafted NTP packets and either modify the target's system time or prevent it from synchronizing its time. \n \n \n\n**CVE-2016-7433** \n--- \n**Severity / CVSSv2** | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n**References** | SecurityFocus: [BID 94455](<https://www.securityfocus.com/bid/94455>) / NVD: [CVE-2016-7433](<https://nvd.nist.gov/vuln/detail/CVE-2016-7433>) \n**Impact** | Unauthorized modification of time \n**Description** | A flaw in initial time synchronization allows a remote attacker to send a spoofed NTP response and modify the target's system time. \n \n \n\n**CVE-2016-7434** \n--- \n**Severity / CVSSv2** | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n**References** | SecurityFocus: [BID 94448](<https://www.securityfocus.com/bid/94448>) / NVD: [CVE-2016-7434](<https://nvd.nist.gov/vuln/detail/CVE-2016-7434>) \n**Impact** | Denial of service \n**Description** | A flaw in mrulist query handling allows a remote attacker to send crafted query requests to the NTP daemon and cause it to crash, resulting in denial of service. 
\n \n \n\n**CVE-2016-9310** \n--- \n**Severity / CVSSv2** | Medium / 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P) \n**References** | SecurityFocus: [BID 94452](<https://www.securityfocus.com/bid/94452>) / NVD: [CVE-2016-9310](<https://nvd.nist.gov/vuln/detail/CVE-2016-9310>) \n**Impact** | Information disclosure, DDoS amplification, security control bypass \n**Description** | A missing authorization flaw allows a remote attacker to send query requests and obtain sensitive information, perform DDoS attack amplification, and evade security monitoring in the target's NTP daemon. \n \n \n\n**CVE-2016-9311** \n--- \n**Severity / CVSSv2** | High / 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C) \n**References** | SecurityFocus: [BID 94444](<https://www.securityfocus.com/bid/94444>) / NVD: [CVE-2016-9311](<https://nvd.nist.gov/vuln/detail/CVE-2016-9311>) \n**Impact** | Denial of service \n**Description** | A flaw in remote query handling allows a remote attacker to send crafted query requests to the NTP daemon and cause it to crash, resulting in denial of service. \n \n \n\n**CVE-2016-9312** \n--- \n**Severity / CVSSv2** | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n**References** | SecurityFocus: [BID 94450](<https://www.securityfocus.com/bid/94450>) / NVD: [CVE-2016-9312](<https://nvd.nist.gov/vuln/detail/CVE-2016-9312>) \n**Impact** | Denial of service \n**Description** | A flaw in oversized packet handling on Windows platforms allows a remote attacker to send crafted NTP packets to the NTP daemon and cause it to crash, resulting in denial of service. \n \n \n\n### MITIGATION\n\nThese vulnerabilities can be exploited only through the management network port for CA, Director, MTD, MC, Security Analytics, SSLV, and XOS. 
Allowing only machines, IP addresses and subnets from a trusted network to access the management network port reduces the threat of exploiting the vulnerabilities.\n\nBy default, Director does not enable unrestricted rate limiting, NTP broadcast mode, and remote querying in the NTP daemon. Customers who leave these NTP features disabled prevent attacks against Director using CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7434, CVE-2016-9310, and CVE-2016-9311.\n\nBy default, Security Analytics does not enable unrestricted rate limiting, NTP broadcast mode, and remote querying in the NTP daemon. The Security Analytics NTP daemon also does not listen by default on multiple network interfaces. Customers who leave these NTP features disabled prevent attacks against Security Analytics using CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7429, CVE-2016-7434, CVE-2016-9310, and CVE-2016-9311.\n\nBy default, XOS does not enable unrestricted rate limiting and remote querying in the NTP daemon. Customers who leave this behavior unchanged prevent attacks against XOS using CVE-2016-7426, CVE-2016-9310, and CVE-2016-9311. \n \n\n\n### REFERENCES\n\nNTP.org Security Notice - <https://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se> \nVulnerability Note VU#633847 - [http://www.kb.cert.org/vuls/id/633847](<https://www.kb.cert.org/vuls/id/633847>) \n \n\n\n### REVISION \n\n2020-04-26 Advanced Secure Gateway (ASG) 7.1 and later versions are not vulnerable because a fix is available in 7.1.1.1. Advisory status changed to Closed. \n2019-10-02 Web Isolation is not vulnerable. \n2019-08-10 SSLV 3.x has a vulnerable version of the NTP reference implementation, but is not vulnerable to known vectors of attack. \n2019-08-07 A fix for ASG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2019-01-21 Security Analytics 8.0 is not vulnerable because a fix is available in SA 8.0.1. 
\n2019-01-12 A fix for Security Analytics 7.1 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2019-01-11 A fix for CA 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2018-08-07 A fix for CA 1.3 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2018-06-25 A fix for SSLV 3.11 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2018-04-26 A fix for SSLV 4.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2018-04-22 CAS 2.3 is not vulnerable. Reporter 10.1 prior to 10.1.5.5 is vulnerable to CVE-2016-7429, CVE-2016-7431, and CVE-2016-7433. Reporter 10.2 is not vulnerable because a fix is available in 10.2.1.1. \n2018-01-31 A fix for ASG 6.7 is available in 6.7.3.1. \n2017-11-16 A fix for SSLV 3.9 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2017-11-09 MC 1.11 is not vulnerable because a fix is available in 1.11.1.1. A fix for MC 1.10 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2017-11-08 CA 2.2 is not vulnerable because a fix is available in 2.2.1.1. \n2017-11-06 ASG 6.7 has a vulnerable version of the NTP reference implementation, but is not vulnerable to known vectors of attack. \n2017-08-03 SSLV 4.1 is not vulnerable because a fix is available in 4.1.1.1. \n2017-03-30 MC 1.10 is vulnerable to CVE-2016-7431 and CVE-2016-7433. It also has a vulnerable version of the NTP reference implementation for CVE-2016-7426, CVE-2016-7429, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312 but is not vulnerable to known vectors of attack. A fix for MC 1.9 will not be provided. Please upgrade to a later version with the vulnerability fixes. 
\n2017-06-22 Security Analytics 7.3 is not vulnerable. \n2016-06-10 Corrected advisory to say that SSLV 3.9, 3.10, and 3.11 are not vulnerable to CVE-2016-7431. Also, CA, MC, and SSLV are not vulnerable to known vectors of attack for CVE-2016-9312. SSLV 3.8.4FC is vulnerable to CVE-2016-7433. SSLV 3.8.4FC also has a vulnerable version of the ntp.org NTP reference implementation for CVE-2016-7426, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312, but is not vulnerable to known vectors of attack. \n2017-05-29 A fix for Security Analytics 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2017-05-18 CAS 2.1 is vulnerable to CVE-2016-7429, CVE-2016-7431, CVE-2016-7433, and CVE-2016-9312. \n2017-04-30 A fix for Director 6.1 is available in 6.1.23.1. \n2017-03-30 MC 1.9 is vulnerable to CVE-2016-7431, CVE-2016-7433, and CVE-2016-9312. \n2017-03-09 A fix for Security Analytics 7.2 is available in 7.2.3. \n2017-03-08 SSLV 4.0 is vulnerable to CVE-2016-7431, CVE-2016-7433, and CVE-2016-9312. 
\n2017-01-12 initial public release \n2016-01-23 Added CVSS v2 base scores from National Vulnerability Database (NVD)\n", "modified": "2020-04-26T14:52:52", "published": "2017-01-12T08:00:00", "id": "SMNTC-1393", "href": "", "type": "symantec", "title": "SA139 : November 2016 NTP Security Vulnerabilities", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}], "cert": [{"lastseen": "2020-09-18T20:41:19", "bulletinFamily": "info", "cvelist": ["CVE-2016-7426", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-7429", "CVE-2016-7431", "CVE-2016-7433", "CVE-2016-7434", "CVE-2016-9310", "CVE-2016-9311", "CVE-2016-9312"], "description": "### Overview \n\nNTP.org ntpd versions ntp-4.2.7p385 up to but not including ntp-4.2.8p9 and ntp-4.3.0 up to but not including ntp-4.3.94 contain multiple denial of service vulnerabilities.\n\n### Description \n\nNTP.org's ntpd, versions ntp-4.2.7p385 up to but not including ntp-4.2.8p9 and ntp-4.3.0 up to but not including ntp-4.3.94, contain multiple denial of service vulnerabilities.\n\n[**CWE-476**](<http://cwe.mitre.org/data/definitions/476.html>)**: NULL Pointer Dereference - **CVE-2016-9311 \n \nAccording to NTP.org, \"ntpd does not enable trap service by default. If trap service has been explicitly enabled, an attacker can send a specially crafted packet to cause a null pointer dereference that will crash ntpd, resulting in a denial of service. Affects Windows only.\" \n \n[**CWE-400**](<http://cwe.mitre.org/data/definitions/400.html>)**: Uncontrolled Resource Consumption ('Resource Exhaustion') - **CVE-2016-9310 \n \nAccording to NTP.org, \"An exploitable configuration modification vulnerability exists in the control mode (mode 6) functionality of ntpd. If, against long-standing BCP recommendations, \"restrict default noquery ...\" is not specified, a specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, disabling legitimate monitoring. 
A remote, unauthenticated, network attacker can trigger this vulnerability.\" \n \n[**CWE-400**](<http://cwe.mitre.org/data/definitions/400.html>)**: Uncontrolled Resource Consumption ('Resource Exhaustion') - **CVE-2016-7427 \n \nAccording to NTP.org, \"The broadcast mode of NTP is expected to only be used in a trusted network. If the broadcast network is accessible to an attacker, a potentially exploitable denial of service vulnerability in ntpd's broadcast mode replay prevention functionality can be abused. An attacker with access to the NTP broadcast domain can periodically inject specially crafted broadcast mode NTP packets into the broadcast domain which, while being logged by ntpd, can cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers.\" \n \n \n[**CWE-400**](<http://cwe.mitre.org/data/definitions/400.html>)**: Uncontrolled Resource Consumption ('Resource Exhaustion') - **CVE-2016-7428 \n \nAccording to NTP.org, \"The broadcast mode of NTP is expected to only be used in a trusted network. If the broadcast network is accessible to an attacker, a potentially exploitable denial of service vulnerability in ntpd's broadcast mode poll interval enforcement functionality can be abused. To limit abuse, ntpd restricts the rate at which each broadcast association will process incoming packets. ntpd will reject broadcast mode packets that arrive before the poll interval specified in the preceding broadcast packet expires. 
An attacker with access to the NTP broadcast domain can send specially crafted broadcast mode NTP packets to the broadcast domain which, while being logged by ntpd, will cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers.\" \n \n[**CWE-410**](<http://cwe.mitre.org/data/definitions/410.html>)**: Insufficient Resource Pool - **CVE-2016-9312 \n \nAccording to NTP.org, \"If a vulnerable instance of ntpd on Windows receives a crafted malicious packet that is \"too big\", ntpd will stop working.\" \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2016-7431 \n \nAccording to NTP.org, \"Zero Origin timestamp problems were fixed by Bug 2945 in ntp-4.2.8p6. However, subsequent timestamp validation checks introduced a regression in the handling of some Zero origin timestamp checks.\" \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2016-7434 \n \nAccording to NTP.org, \"If ntpd is configured to allow mrulist query requests from a server that sends a crafted malicious packet, ntpd will crash on receipt of that crafted malicious mrulist query packet.\" \n \n[**CWE-605**](<http://cwe.mitre.org/data/definitions/605.html>)**: Multiple Binds to the Same Port -** CVE-2016-7429 \n \nAccording to NTP.org, \"When ntpd receives a server response on a socket that corresponds to a different interface than was used for the request, the peer structure is updated to use the interface for new requests. If ntpd is running on a host with multiple interfaces in separate networks and the operating system doesn't check source address in received packets (e.g. 
rp_filter on Linux is set to 0), an attacker that knows the address of the source can send a packet with spoofed source address which will cause ntpd to select wrong interface for the source and prevent it from sending new requests until the list of interfaces is refreshed, which happens on routing changes or every 5 minutes by default. If the attack is repeated often enough (once per second), ntpd will not be able to synchronize with the source.\" \n \n[**CWE-410**](<http://cwe.mitre.org/data/definitions/410.html>)**: Insufficient Resource Pool - **CVE-2016-7426 \n \nAccording to NTP.org, \"When ntpd is configured with rate limiting for all associations (restrict default limited in ntp.conf), the limits are applied also to responses received from its configured sources. An attacker who knows the sources (e.g., from an IPv4 refid in server response) and knows the system is (mis)configured in this way can periodically send packets with spoofed source address to keep the rate limiting activated and prevent ntpd from accepting valid responses from its sources.\" \n \n[**CWE-682**](<http://cwe.mitre.org/data/definitions/682.html>)**: Incorrect Calculation - **CVE-2016-7433 \n \nAccording to NTP.org, \"Bug 2085 described a condition where the root delay was included twice, causing the jitter value to be higher than expected. Due to a misinterpretation of a small-print variable in The Book, the fix for this problem was incorrect, resulting in a root distance that did not include the peer dispersion. The calculations and formulae have been reviewed and reconciled, and the code has been updated accordingly.\" \n \nFor more information, please see NTP.org's [security advisory](<http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se>).[](<http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NT>)[](<nwtime.org/ntp428p9_release>) \n \nThe CVSS score below is based on CVE-2016-9312. 
\n \n--- \n \n### Impact \n\nA remote unauthenticated attacker may be able to perform a denial of service on ntpd. \n \n--- \n \n### Solution \n\n**Implement BCP-38.** \n \nUse \"`restrict default noquery ...`\" in your `ntp.conf` file. Only allow mode 6 queries from trusted networks and hosts. \n \n**Apply an update** \n \nUpgrade to [4.2.8p9](<nwtime.org/ntp428p9_release>), or later, from the NTP Project Download Page or the NTP Public Services Project Download Page. \n \n**Monitor ntpd** \n \nProperly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running. \n \n--- \n \n### Vendor Information\n\n633847\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### NTP Project Affected\n\nUpdated: November 18, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### CoreOS __ Not Affected\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n**Statement Date: November 21, 2016**\n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\n`CoreOS Container Linux, by default, is not affected by this since ntpd is disabled.`\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### ACCESS Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### AT&T Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Alcatel-Lucent Unknown\n\nNotified: November 21, 2016 Updated: 
November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Apple Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Arch Linux Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Arista Networks, Inc. Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Aruba Networks Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Avaya, Inc. Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Barracuda Networks Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Belkin, Inc. 
Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Blue Coat Systems Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Brocade Communication Systems Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### CA Technologies Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### CMX Systems Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### CentOS Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Check Point Software Technologies Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Cisco Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Contiki OS Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### D-Link Systems, Inc. 
Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Debian GNU/Linux Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### DesktopBSD Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### DragonFly BSD Project Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### EMC Corporation Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### EfficientIP SAS Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Enterasys Networks Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Ericsson Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### European Registry for Internet Domains Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Extreme Networks Unknown\n\nNotified: 
November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### F5 Networks, Inc. Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Fedora Project Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Force10 Networks Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Fortinet, Inc. Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Foundry Brocade Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### FreeBSD Project Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### GNU adns Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### GNU glibc Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Gentoo Linux Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### 
Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Google Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Hardened BSD Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Hewlett Packard Enterprise Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Hitachi Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Huawei Technologies Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### IBM Corporation Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Infoblox Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Intel Corporation Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Internet Systems Consortium Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor 
Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Internet Systems Consortium - DHCP Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### JH Software Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Juniper Networks Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Lenovo Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Lynx Software Technologies Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### McAfee Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Microchip Technology Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Microsoft Corporation Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### NEC Corporation Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not 
received a statement from the vendor.\n\n### Vendor References\n\n### NLnet Labs Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### NetBSD Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Nokia Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Nominum Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### OmniTI Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### OpenBSD Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### OpenDNS Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Openwall GNU/*/Linux Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Oracle Corporation Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Oryx Embedded 
Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Peplink Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### PowerDNS Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Q1 Labs Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### QNX Software Systems Inc. Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Quadros Systems Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Red Hat, Inc. 
Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Rocket RTOS Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### SUSE Linux Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### SafeNet Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Secure64 Software Corporation Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Slackware Linux Inc. 
Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### SmoothWall Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Snort Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Sony Corporation Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Sourcefire Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Symantec Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### TCPWave Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### TippingPoint Technologies Inc. 
Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Tizen Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### TrueOS Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Turbolinux Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Ubuntu Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Unisys Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### VMware Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Wind River Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### WizNET Technology Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Xilinx Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor 
Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Zephyr Project Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### ZyXEL Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### dnsmasq Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### gdnsd Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### m0n0wall Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### openSUSE project Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\nView all 100 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 7.8 | AV:N/AC:L/Au:N/C:N/I:N/A:C \nTemporal | 6.1 | E:POC/RL:OF/RC:C \nEnvironmental | 6.1 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se>\n * [nwtime.org/ntp428p9_release](<nwtime.org/ntp428p9_release>)\n\n### Acknowledgements\n\nNTP.org thanks Matthew Van Gundy of Cisco, Robert Pajak, Sharon Goldberg and Aanchal Malhotra of Boston University, Magnus Stubman, Miroslav Lichvar of Red Hat, and Brian Utterback of 
Oracle for reporting these vulnerabilities.\n\nThis document was written by Garret Wassermann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2016-7426](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-7426>), [CVE-2016-7427](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-7427>), [CVE-2016-7428](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-7428>), [CVE-2016-7429](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-7429>), [CVE-2016-7431](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-7431>), [CVE-2016-7433](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-7433>), [CVE-2016-7434](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-7434>), [CVE-2016-9310](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-9310>), [CVE-2016-9312](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-9312>) \n---|--- \n**Date Public:** | 2016-11-21 \n**Date First Published:** | 2016-11-21 \n**Date Last Updated:** | 2017-11-20 15:38 UTC \n**Document Revision:** | 26 \n", "modified": "2017-11-20T15:38:00", "published": "2016-11-21T00:00:00", "id": "VU:633847", "href": "https://www.kb.cert.org/vuls/id/633847", "type": "cert", "title": "NTP.org ntpd contains multiple denial of service vulnerabilities", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}], "slackware": [{"lastseen": "2020-10-25T16:36:06", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7426", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-7429", "CVE-2016-7431", "CVE-2016-7433", "CVE-2016-7434", "CVE-2016-9310", "CVE-2016-9311", "CVE-2016-9312"], "description": "New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\n14.2, and -current to fix security issues.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/ntp-4.2.8p9-i586-1_slack14.2.txz: Upgraded.\n In addition to bug fixes and enhancements, this release fixes the\n following 1 high- (Windows only :-), 2 medium-, 2 medium-/low, and\n 5 low-severity vulnerabilities, and provides 28 other non-security\n fixes and improvements.\n 
CVE-2016-9311: Trap crash\n CVE-2016-9310: Mode 6 unauthenticated trap info disclosure and DDoS vector\n CVE-2016-7427: Broadcast Mode Replay Prevention DoS\n CVE-2016-7428: Broadcast Mode Poll Interval Enforcement DoS\n CVE-2016-9312: Windows: ntpd DoS by oversized UDP packet\n CVE-2016-7431: Regression: 010-origin: Zero Origin Timestamp Bypass\n CVE-2016-7434: Null pointer dereference in _IO_str_init_static_internal()\n CVE-2016-7429: Interface selection attack\n CVE-2016-7426: Client rate limiting and server responses\n CVE-2016-7433: Reboot sync calculation problem\n For more information, see:\n https://www.kb.cert.org/vuls/id/633847\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9311\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9310\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7428\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9312\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7431\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7434\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7429\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7426\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7433\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! 
:-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/ntp-4.2.8p9-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/ntp-4.2.8p9-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/ntp-4.2.8p9-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/ntp-4.2.8p9-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/ntp-4.2.8p9-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/ntp-4.2.8p9-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/ntp-4.2.8p9-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/ntp-4.2.8p9-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/ntp-4.2.8p9-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/ntp-4.2.8p9-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/ntp-4.2.8p9-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/ntp-4.2.8p9-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware 
-current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/ntp-4.2.8p9-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/ntp-4.2.8p9-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 13.0 package:\nde30f660b0bdcf5d395d58fe95baebaf ntp-4.2.8p9-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\ncf19e17e609553bdac6bed7a5463a652 ntp-4.2.8p9-x86_64-1_slack13.0.txz\n\nSlackware 13.1 package:\n366967036495ace2e4ee27c28737fb39 ntp-4.2.8p9-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 package:\n70535cbef8c11188ad965c8c6890c7a5 ntp-4.2.8p9-x86_64-1_slack13.1.txz\n\nSlackware 13.37 package:\nea3caede15d6879d83e9727bb706eb4b ntp-4.2.8p9-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 package:\n08921ff8cf9f68539e12d586765adb5b ntp-4.2.8p9-x86_64-1_slack13.37.txz\n\nSlackware 14.0 package:\nc787e7e9c2b813af7d1d1260a5572f71 ntp-4.2.8p9-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\nd2b1608fc009dac1c68dc710004f26f3 ntp-4.2.8p9-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\n4329419d697ce523da2bf24c060c650f ntp-4.2.8p9-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\nacdb54929957393f6957c28716867bbf ntp-4.2.8p9-x86_64-1_slack14.1.txz\n\nSlackware 14.2 package:\n1118e86610a5ceea6f86901e4306dc1a ntp-4.2.8p9-i586-1_slack14.2.txz\n\nSlackware x86_64 14.2 package:\n9a6db91e52972e7e6ea902acefef1198 ntp-4.2.8p9-x86_64-1_slack14.2.txz\n\nSlackware -current package:\nb098a4bafbb0d07ace6e976624d54a7a n/ntp-4.2.8p9-i586-1.txz\n\nSlackware x86_64 -current package:\n2a08f8963d13804c467cec22603d69e4 n/ntp-4.2.8p9-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg ntp-4.2.8p9-i586-1_slack14.2.txz\n\nThen, restart the NTP daemon:\n\n > sh /etc/rc.d/rc.ntpd restart", "modified": "2016-11-21T19:25:10", "published": "2016-11-21T19:25:10", "id": "SSA-2016-326-01", "href": 
"http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.641761", "type": "slackware", "title": "[slackware-security] ntp", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}], "cisco": [{"lastseen": "2020-12-24T11:41:14", "bulletinFamily": "software", "cvelist": ["CVE-2015-8138", "CVE-2016-7426", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-7429", "CVE-2016-7431", "CVE-2016-7433", "CVE-2016-7434", "CVE-2016-9310", "CVE-2016-9311", "CVE-2016-9312"], "description": "A vulnerability in Network Time Protocol (NTP) could allow an unauthenticated, remote attacker to modify the system clock on a targeted system.\n\nThe vulnerability is due to insufficient checks of user-supplied data by the affected software. An attacker could exploit this vulnerability by sending a crafted packet to a targeted NTP client. A successful exploit could disable server synchronization, resulting in the ability to modify the system clock on the targeted client system.\n\nA vulnerability in the Network Time Protocol (NTP) service could allow a local attacker to cause a denial of service (DoS) condition.\n\nThe vulnerability is due to improper initial sync calculations that are performed by the affected software. The vulnerability was introduced as the result of an attempt to fix NTP Bug 2085, involving a condition where the root delay was included twice, causing a higher than expected jitter value. Because of a misinterpretation of a small-print variable, a root distance would not include the peer dispersion. An attacker could exploit this vulnerability to cause a partial DoS condition on an affected system.\n\nA vulnerability in the Network Time Protocol (NTP) service could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.\n\nThe vulnerability is due to improper handling of crafted packets by the affected software when the trap service is enabled. 
An attacker could exploit this vulnerability by sending crafted packets to a targeted system. An exploit could cause a NULL pointer dereference that could cause the ntpd service to crash, resulting in a DoS condition.\n\nA vulnerability in the Network Time Protocol (NTP) service could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.\n\nThe vulnerability is due to insufficient resource pooling when rate limiting for all associations is configured within the affected software. An attacker could exploit this vulnerability by sending crafted packets with a spoofed source address to the targeted system. An exploit could prevent the affected software from accepting valid responses from its configured sources, resulting in a DoS condition.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow a local attacker to cause a denial of service (DoS) condition on a targeted system.\n\nThe vulnerability is due to improper validation of user-supplied data by the affected software. An attacker could exploit the vulnerability by sending a malicious packet to a targeted system. A successful exploit could cause the ntpd to stop functioning, resulting in a DoS condition.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.\n\nThe vulnerability is due to improper validation of user-supplied data by the affected software. An unauthenticated, remote attacker could exploit the vulnerability by sending a malicious packet to a targeted system. 
A successful exploit could cause the ntpd to stop functioning, resulting in a DoS condition.\n\nA vulnerability in the broadcast-mode, poll-interval enforcement functionality of the Network Time Protocol (NTP) service could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.\n\nThe vulnerability is due to improper resource management by the affected software. An attacker who has access to the broadcast domain of a targeted system could exploit this vulnerability by injecting crafted, broadcast-mode NTP packets into the broadcast domain in which the targeted system resides. A successful exploit could cause the NTP daemon to reject broadcast-mode packets from legitimate broadcast servers, resulting in a DoS condition.\n\nA vulnerability in the broadcast-mode, replay prevention functionality of the Network Time Protocol (NTP) service could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.\n\nThe vulnerability is due to improper resource management by the affected software. An attacker who has access to the broadcast domain of a targeted system could exploit this vulnerability by injecting crafted, broadcast-mode NTP packets into the broadcast domain in which the targeted system resides. A successful exploit could cause the NTP daemon to reject broadcast-mode packets from legitimate broadcast servers, resulting in a DoS condition.\n\nA vulnerability in the control mode (mode 6) functionality of the Network Time Protocol (NTP) service could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.\n\nThe vulnerability is due to improper security restrictions that could lead to configuration modification. If the `restrict default noquery` setting recommended by NTP best current practices is not configured, an attacker could exploit this vulnerability by sending a crafted control mode packet to an affected system. 
An exploit could allow the attacker to modify the affected software. The attacker could set ntpd traps, which could be leveraged to disclose sensitive information or aid in DDoS amplification. In addition, an attacker could unset ntpd traps, which could disable monitoring, resulting in a DoS condition.\n\nMultiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server.\n\nOn November 21, 2016, the NTP Consortium of the Network Time Foundation released a security notice that details ten issues regarding DoS vulnerabilities and logic issues that may allow an attacker to shift a system's time.\n\nThe new vulnerabilities disclosed in this document are as follows:\n\nNetwork Time Protocol Trap Service Denial of Service Vulnerability\nNetwork Time Protocol Broadcast Mode Denial of Service Vulnerability\nNetwork Time Protocol Broadcast Mode Denial of Service Vulnerability\nNetwork Time Protocol Insufficient Resource Pool Denial of Service Vulnerability\nNetwork Time Protocol Configuration Modification Denial of Service Vulnerability\nNetwork Time Protocol mrulist Query Requests Denial of Service Vulnerability\nNetwork Time Protocol Multiple Binds to the Same Port Vulnerability\nNetwork Time Protocol Rate Limiting Denial of Service Vulnerability\n\nAs well as:\n\nRegression of CVE-2015-8138\nNetwork Time Protocol Reboot sync calculation problem\n Additional details about each vulnerability are in the NTP Consortium Security Notice [\"http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se\"].\n\nWorkarounds that address one or more of these vulnerabilities may be available and are documented in the Cisco bug for each affected product.\n\nThis advisory is 
available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161123-ntpd [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161123-ntpd\"]", "modified": "2017-01-23T14:51:48", "published": "2016-11-23T16:00:00", "id": "CISCO-SA-20161123-NTPD", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161123-ntpd", "type": "cisco", "title": "Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: November 2016", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:33:04", "bulletinFamily": "software", "cvelist": ["CVE-2016-7434", "CVE-2016-9311", "CVE-2017-6460", "CVE-2016-7433", "CVE-2017-6458", "CVE-2016-7427", "CVE-2016-9042", "CVE-2017-6462", "CVE-2016-7429", "CVE-2017-6463", "CVE-2016-2519", "CVE-2016-7428", "CVE-2016-9310", "CVE-2017-6464", "CVE-2016-7426", "CVE-2016-7431"], "description": "# \n\n# Severity\n\nMedium\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n\n# Description\n\nYihan Lian discovered that NTP incorrectly handled certain large request data values. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. ([CVE-2016-2519](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2519>))\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain spoofed addresses when performing rate limiting. A remote attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. ([CVE-2016-7426](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7426>))\n\nMatthew Van Gundy discovered that NTP incorrectly handled certain crafted broadcast mode packets. A remote attacker could possibly use this issue to perform a denial of service. 
This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. ([CVE-2016-7427](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7427>), [CVE-2016-7428](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7428>))\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain responses. A remote attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. ([CVE-2016-7429](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7429>))\n\nSharon Goldberg and Aanchal Malhotra discovered that NTP incorrectly handled origin timestamps of zero. A remote attacker could possibly use this issue to bypass the origin timestamp protection mechanism. This issue only affected Ubuntu 16.10. ([CVE-2016-7431](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7431>))\n\nBrian Utterback, Sharon Goldberg and Aanchal Malhotra discovered that NTP incorrectly performed initial sync calculations. This issue only applied to Ubuntu 16.04 LTS and Ubuntu 16.10. ([CVE-2016-7433](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7433>))\n\nMagnus Stubman discovered that NTP incorrectly handled certain mrulist queries. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. ([CVE-2016-7434](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7434>))\n\nMatthew Van Gundy discovered that NTP incorrectly handled origin timestamp checks. A remote attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu 16.10, and Ubuntu 17.04. ([CVE-2016-9042](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9042>))\n\nMatthew Van Gundy discovered that NTP incorrectly handled certain control mode packets. A remote attacker could use this issue to set or unset traps. 
This issue only applied to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. ([CVE-2016-9310](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9310>))\n\nMatthew Van Gundy discovered that NTP incorrectly handled the trap service. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. ([CVE-2016-9311](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9311>))\n\nIt was discovered that NTP incorrectly handled memory when processing long variables. A remote authenticated user could possibly use this issue to cause NTP to crash, resulting in a denial of service. ([CVE-2017-6458](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6458>))\n\nIt was discovered that NTP incorrectly handled memory when processing long variables. A remote authenticated user could possibly use this issue to cause NTP to crash, resulting in a denial of service. This issue only applied to Ubuntu 16.04 LTS, Ubuntu 16.10 and Ubuntu 17.04. ([CVE-2017-6460](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6460>))\n\nIt was discovered that the NTP legacy DPTS refclock driver incorrectly handled the /dev/datum device. A local attacker could possibly use this issue to cause a denial of service. ([CVE-2017-6462](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6462>))\n\nIt was discovered that NTP incorrectly handled certain invalid settings in a :config directive. A remote authenticated user could possibly use this issue to cause NTP to crash, resulting in a denial of service. ([CVE-2017-6463](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6463>))\n\nIt was discovered that NTP incorrectly handled certain invalid mode configuration directives. A remote authenticated user could possibly use this issue to cause NTP to crash, resulting in a denial of service. 
([CVE-2017-6464](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6464>))\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is medium unless otherwise noted._\n\n * Cloud Foundry BOSH stemcells are vulnerable, including: \n * 3312.x versions prior to 3312.32\n * 3363.x versions prior to 3363.29\n * 3421.x versions prior to 3421.18\n * All other stemcells not listed.\n * All versions of Cloud Foundry cflinuxfs2 prior to 1.137.0\n\n# Mitigation\n\nOSS users are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH stemcells: \n * Upgrade 3312.x versions prior to 3312.32\n * Upgrade 3363.x versions prior to 3363.29\n * Upgrade 3421.x versions prior to 3421.18\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io>).\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 version 1.137.0 or later.\n\n# References\n\n * [USN-3349-1](<http://www.ubuntu.com/usn/usn-3349-1/>)\n * [CVE-2016-2519](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2519>)\n * [CVE-2016-7426](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7426>)\n * [CVE-2016-7427](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7427>)\n * [CVE-2016-7428](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7428>)\n * [CVE-2016-7429](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7429>)\n * [CVE-2016-7431](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7431>)\n * [CVE-2016-7433](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7433>)\n * [CVE-2016-7434](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7434>)\n * [CVE-2016-9042](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9042>)\n * [CVE-2016-9310](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9310>)\n * [CVE-2016-9311](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9311>)\n * 
[CVE-2017-6458](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6458>)\n * [CVE-2017-6460](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6460>)\n * [CVE-2017-6462](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6462>)\n * [CVE-2017-6463](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6463>)\n * [CVE-2017-6464](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6464>)\n", "edition": 5, "modified": "2017-08-04T00:00:00", "published": "2017-08-04T00:00:00", "id": "CFOUNDRY:8722C197C1671303FFCA9E919368B734", "href": "https://www.cloudfoundry.org/blog/usn-3349-1/", "title": "USN-3349-1: NTP vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}]}