Search...

Network Time Protocol Broadcast Mode Replay Prevention Denial of Service Vulnerability(CVE-2016-7427)

2017-10-11T00:00:00

ID SSV:96650
Type seebug
Reporter Root
Modified 2017-10-11T00:00:00

Description

Summary

An exploitable denial of service vulnerability exists in the broadcast mode replay prevention functionality of ntpd. To prevent replay of broadcast mode packets, ntpd rejects broadcast mode packets with non-monotonically increasing transmit timestamps. Remote unauthenticated attackers can send specially crafted broadcast mode NTP packets to cause ntpd to reject all broadcast mode packets from legitimate NTP broadcast servers.

Tested Versions

NTP 4.2.8p6

Product URLs

http://www.ntp.org/

CVSS Scores

CVSSv2: 5.0 - (AV:N/AC:L/Au:N/C:N/I:N/A:P) CVSSv3: 5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Details

In response to the NTP Deja Vu vulnerability (CVE-2015-7973), ntp-4.2.8p6 introduced several new integrity checks on incoming broadcast mode packets. Upon receipt of a broadcast mode packet, before authentication is enforced, ntpd will reject the packet if any of the following conditions hold:

The packet poll value is out of bounds for the broadcast association, i.e. pkt->ppoll < peer->minpoll || pkt->ppoll > peer->maxpoll
The packet was received before a full poll interval has elapsed since the last broadcast packet was received from the packet's sender. i.e. A server cannot ingress packets more frequently than peer->minpoll.
The packet transmit timestamp is less than the last seen broadcast packet transmit timestamp from the packet's sender. i.e. Broadcast packet transmit timestamps must be monotonically increasing.

The following logic is used to ensure that packet transmit timestamps are monotonically increasing: /* ntp-4.2.8p6 ntpd/ntp_proto.c */ 1305 if (MODE_BROADCAST == hismode) { ... 1351 tdiff = p_xmt; 1352 L_SUB(&tdiff, &peer->bxmt); 1353 if (tdiff.l_i < 0) { 1354 msyslog(LOG_INFO, "receive: broadcast packet from %s contains non-monotonic timestamp: %#010x.%08x -> %#010x.%08x", 1355 stoa(&rbufp->recv_srcadr), 1356 peer->bxmt.l_ui, peer->bxmt.l_uf, 1357 p_xmt.l_ui, p_xmt.l_uf 1358 ); 1359 ++bail; 1360 } 1361 1362 peer->bxmt = p_xmt; 1363 1364 if (bail) { 1365 peer->timelastrec = current_time; 1366 sys_declined++; 1367 return; 1368 } 1369 }

If the packet transmit timestamp is less than the transmit timestamp on the last received broadcast packet from this association (p_xmt - peer->bxmt < 0), the packet will be discarded.

Unfortunately, line 1362 updates the saved transmit timestamp for alleged sender of the packet (peer->bxmt) before the packet is discarded. The update takes place even if the packet is unauthenticated and fails the previous integrity checks.

This leads to a trivial denial of service attack. The attacker:

Discovers the IP address of the victim's broadcast server. e.g. Send the victim a client mode NTP packet and discover the broadcast server from the refid field of the victim's reply.
Every poll period, send the victim a spoofed broadcast mode packet from the broadcast server with a transmit timestamp in the future. This will move peer->bxmt forward so that any legitimate packet will be rejected by the non-monotonic timestamp check.
- The attacker does not need to be on the same subnet as the victim. The attacker can address the spoofed broadcast NTP packet directly to the victim's IP address.
- The attacker can choose any reasonably small estimate for the poll period. Because the peer->bxmt update happens even when a packet fails the poll period checks, there is no penalty for sending packets too frequently.

To prevent this vulnerability, peer->bxmt should only be updated when a packet authenticates correctly. This is the approach taken in the patch below.

Mitigation

There is no workaround for this issue. Because the vulnerable logic is executed before authentication is enforced, authentication and the restrict notrust ntpd.conf directive have no effect. An attacker can bypass notrust restrictions by sending incorrectly authenticated packets.

In order to succeed in an attack, the attacker must send at least one spoofed packet per poll period. Therefore observing more than one NTP broadcast packet from the same sender address per poll period indicates a possible attack.

The following patch can be used to fix this vulnerability: ``` From 097fd4dae9ac4927d7cfa8011fd42f704bd02c45 Mon Sep 17 00:00:00 2001 From: Matthew Van Gundy <mvangund@cisco.com> Date: Tue, 26 Jan 2016 15:00:28 -0500 Subject: [PATCH] Fix unauthenticated broadcast mode denial of service (peer->bxmt)

include/ntp_fp.h | 1 + ntpd/ntp_proto.c | 22 ++++++++++++++++------ 2 files changed, 17 insertions(+), 6 deletions(-)

diff --git a/include/ntp_fp.h b/include/ntp_fp.h index 7806932..ad7a01d 100644 --- a/include/ntp_fp.h +++ b/include/ntp_fp.h @@ -242,6 +242,7 @@ typedef u_int32 u_fp; #define L_ISGTU(a, b) M_ISGTU((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf) #define L_ISHIS(a, b) M_ISHIS((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf) #define L_ISGEQ(a, b) M_ISGEQ((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf) +#define L_ISGEQU(a, b) L_ISHIS(a, b) #define L_ISEQU(a, b) M_ISEQU((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf)

/* diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c index ad45409..ac469ce 100644 --- a/ntpd/ntp_proto.c +++ b/ntpd/ntp_proto.c @@ -1305,7 +1305,6 @@ receive( if (MODE_BROADCAST == hismode) { u_char poll; int bail = 0; - l_fp tdiff;

  DPRINTF(2, ("receive: PROCPKT/BROADCAST: prev pkt %ld seconds ago, ppoll: %d, %d secs\n",
        (current_time - peer-&gt;timelastrec),

@@ -1348,9 +1347,8 @@ receive( ++bail; }

tdiff = p_xmt;
L_SUB(&tdiff, &peer->bxmt);
if (tdiff.l_i < 0) {
/ Use L_ISGEQU() to ensure unsigned comparison /
if (!L_ISGEQU(&p_xmt, &peer->bxmt)) { msyslog(LOG_INFO, "receive: broadcast packet from %s contains non-monotonic timestamp: %#010x.%08x -> %#010x.%08x", stoa(&rbufp->recv_srcadr), peer->bxmt.l_ui, peer->bxmt.l_uf, @@ -1359,8 +1357,6 @@ receive( ++bail; }

- peer->bxmt = p_xmt;

  if (bail) {
    peer-&gt;timelastrec = current_time;
    sys_declined++;

@@ -1563,6 +1559,14 @@ receive( peer->xmt = p_xmt;

/ + * Now that we know the packet is correctly authenticated, + * update peer->bxmt if needed + / + if (MODE_BROADCAST == hismode) { + peer->bxmt = p_xmt; + } + + /* * Set the peer ppoll to the maximum of the packet ppoll and the * peer minpoll. If a kiss-o'-death, set the peer minpoll to * this maximum and advance the headway to give the sender some @@ -2400,6 +2404,7 @@ peer_clear( ) { u_char u; + l_fp bxmt = peer->bxmt;

#ifdef AUTOKEY /* @@ -2436,6 +2441,11 @@ peer_clear( peer->flash = peer_unfit(peer); peer->jitter = LOGTOD(sys_precision);

/ Don't throw away our broadcast replay protection /
if (peer->hmode == MODE_BCLIENT) {
peer->bxmt = bxmt;
} + /*
If interleave mode, initialize the alternate origin switch. */ ```

Timeline

2016-09-12 - Vendor Disclosure
2016-11-21 - Public Release

JSON Vulners Source

Initial Source

{"type": "seebug", "lastseen": "2017-11-19T12:01:01", "href": "https://www.seebug.org/vuldb/ssvid-96650", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "modified": "2017-10-11T00:00:00", "reporter": "Root", "description": "### Summary\r\nAn exploitable denial of service vulnerability exists in the broadcast mode replay prevention functionality of ntpd. To prevent replay of broadcast mode packets, ntpd rejects broadcast mode packets with non-monotonically increasing transmit timestamps. Remote unauthenticated attackers can send specially crafted broadcast mode NTP packets to cause ntpd to reject all broadcast mode packets from legitimate NTP broadcast servers.\r\n\r\n### Tested Versions\r\nNTP 4.2.8p6\r\n\r\n### Product URLs\r\nhttp://www.ntp.org/\r\n\r\n### CVSS Scores\r\nCVSSv2: 5.0 - (AV:N/AC:L/Au:N/C:N/I:N/A:P)\r\nCVSSv3: 5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\r\n\r\n### Details\r\nIn response to the NTP Deja Vu vulnerability (CVE-2015-7973), ntp-4.2.8p6 introduced several new integrity checks on incoming broadcast mode packets. Upon receipt of a broadcast mode packet, before authentication is enforced, ntpd will reject the packet if any of the following conditions hold:\r\n\r\n1. The packet poll value is out of bounds for the broadcast association, i.e.\r\n```\r\n pkt->ppoll < peer->minpoll || pkt->ppoll > peer->maxpoll\r\n```\r\n2. The packet was received before a full poll interval has elapsed since the last broadcast packet was received from the packet's sender. i.e. A server cannot ingress packets more frequently than `peer->minpoll`.\r\n\r\n3. The packet transmit timestamp is less than the last seen broadcast packet transmit timestamp from the packet's sender. i.e. Broadcast packet transmit timestamps must be monotonically increasing.\r\n\r\nThe following logic is used to ensure that packet transmit timestamps are monotonically increasing:\r\n```\r\n/* ntp-4.2.8p6 ntpd/ntp_proto.c */\r\n1305 if (MODE_BROADCAST == hismode) {\r\n...\r\n1351 tdiff = p_xmt;\r\n1352 L_SUB(&tdiff, &peer->bxmt);\r\n1353 if (tdiff.l_i < 0) {\r\n1354 msyslog(LOG_INFO, \"receive: broadcast packet from %s contains non-monotonic timestamp: %#010x.%08x -> %#010x.%08x\",\r\n1355 stoa(&rbufp->recv_srcadr),\r\n1356 peer->bxmt.l_ui, peer->bxmt.l_uf,\r\n1357 p_xmt.l_ui, p_xmt.l_uf\r\n1358 );\r\n1359 ++bail;\r\n1360 }\r\n1361\r\n1362 peer->bxmt = p_xmt;\r\n1363\r\n1364 if (bail) {\r\n1365 peer->timelastrec = current_time;\r\n1366 sys_declined++;\r\n1367 return;\r\n1368 }\r\n1369 }\r\n```\r\n\r\nIf the packet transmit timestamp is less than the transmit timestamp on the last received broadcast packet from this association (`p_xmt - peer->bxmt < 0`), the packet will be discarded.\r\n\r\nUnfortunately, line 1362 updates the saved transmit timestamp for alleged sender of the packet (`peer->bxmt`) before the packet is discarded. The update takes place even if the packet is unauthenticated and fails the previous integrity checks.\r\n\r\nThis leads to a trivial denial of service attack. The attacker:\r\n\r\n1. Discovers the IP address of the victim's broadcast server. e.g. Send the victim a client mode NTP packet and discover the broadcast server from the refid field of the victim's reply.\r\n2. Every poll period, send the victim a spoofed broadcast mode packet from the broadcast server with a transmit timestamp in the future. This will move `peer->bxmt` forward so that any legitimate packet will be rejected by the non-monotonic timestamp check.\r\n\t* The attacker does not need to be on the same subnet as the victim. The attacker can address the spoofed broadcast NTP packet directly to the victim's IP address.\r\n\t* The attacker can choose any reasonably small estimate for the poll period. Because the `peer->bxmt` update happens even when a packet fails the poll period checks, there is no penalty for sending packets too frequently.\r\n\r\nTo prevent this vulnerability, `peer->bxmt` should only be updated when a packet authenticates correctly. This is the approach taken in the patch below.\r\n\r\n### Mitigation\r\nThere is no workaround for this issue. Because the vulnerable logic is executed before authentication is enforced, authentication and the `restrict notrust` ntpd.conf directive have no effect. An attacker can bypass `notrust` restrictions by sending incorrectly authenticated packets.\r\n\r\nIn order to succeed in an attack, the attacker must send at least one spoofed packet per poll period. Therefore observing more than one NTP broadcast packet from the same sender address per poll period indicates a possible attack.\r\n\r\nThe following patch can be used to fix this vulnerability:\r\n```\r\nFrom 097fd4dae9ac4927d7cfa8011fd42f704bd02c45 Mon Sep 17 00:00:00 2001\r\nFrom: Matthew Van Gundy <mvangund@cisco.com>\r\nDate: Tue, 26 Jan 2016 15:00:28 -0500\r\nSubject: [PATCH] Fix unauthenticated broadcast mode denial of service (peer->bxmt)\r\n\r\n---\r\n include/ntp_fp.h | 1 +\r\n ntpd/ntp_proto.c | 22 ++++++++++++++++------\r\n 2 files changed, 17 insertions(+), 6 deletions(-)\r\n\r\ndiff --git a/include/ntp_fp.h b/include/ntp_fp.h\r\nindex 7806932..ad7a01d 100644\r\n--- a/include/ntp_fp.h\r\n+++ b/include/ntp_fp.h\r\n@@ -242,6 +242,7 @@ typedef u_int32 u_fp;\r\n #define L_ISGTU(a, b) M_ISGTU((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf)\r\n #define L_ISHIS(a, b) M_ISHIS((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf)\r\n #define L_ISGEQ(a, b) M_ISGEQ((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf)\r\n+#define L_ISGEQU(a, b) L_ISHIS(a, b)\r\n #define L_ISEQU(a, b) M_ISEQU((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf)\r\n\r\n /*\r\ndiff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c\r\nindex ad45409..ac469ce 100644\r\n--- a/ntpd/ntp_proto.c\r\n+++ b/ntpd/ntp_proto.c\r\n@@ -1305,7 +1305,6 @@ receive(\r\n if (MODE_BROADCAST == hismode) {\r\n u_char poll;\r\n int bail = 0;\r\n- l_fp tdiff;\r\n\r\n DPRINTF(2, (\"receive: PROCPKT/BROADCAST: prev pkt %ld seconds ago, ppoll: %d, %d secs\\n\",\r\n (current_time - peer->timelastrec),\r\n@@ -1348,9 +1347,8 @@ receive(\r\n ++bail;\r\n }\r\n\r\n- tdiff = p_xmt;\r\n- L_SUB(&tdiff, &peer->bxmt);\r\n- if (tdiff.l_i < 0) {\r\n+ /* Use L_ISGEQU() to ensure unsigned comparison */\r\n+ if (!L_ISGEQU(&p_xmt, &peer->bxmt)) {\r\n msyslog(LOG_INFO, \"receive: broadcast packet from %s contains non-monotonic timestamp: %#010x.%08x -> %#010x.%08x\",\r\n stoa(&rbufp->recv_srcadr),\r\n peer->bxmt.l_ui, peer->bxmt.l_uf,\r\n@@ -1359,8 +1357,6 @@ receive(\r\n ++bail;\r\n }\r\n\r\n- peer->bxmt = p_xmt;\r\n-\r\n if (bail) {\r\n peer->timelastrec = current_time;\r\n sys_declined++;\r\n@@ -1563,6 +1559,14 @@ receive(\r\n peer->xmt = p_xmt;\r\n\r\n /*\r\n+ * Now that we know the packet is correctly authenticated,\r\n+ * update peer->bxmt if needed\r\n+ */\r\n+ if (MODE_BROADCAST == hismode) {\r\n+ peer->bxmt = p_xmt;\r\n+ }\r\n+\r\n+ /*\r\n * Set the peer ppoll to the maximum of the packet ppoll and the\r\n * peer minpoll. If a kiss-o'-death, set the peer minpoll to\r\n * this maximum and advance the headway to give the sender some\r\n@@ -2400,6 +2404,7 @@ peer_clear(\r\n )\r\n {\r\n u_char u;\r\n+ l_fp bxmt = peer->bxmt;\r\n\r\n #ifdef AUTOKEY\r\n /*\r\n@@ -2436,6 +2441,11 @@ peer_clear(\r\n peer->flash = peer_unfit(peer);\r\n peer->jitter = LOGTOD(sys_precision);\r\n\r\n+ /* Don't throw away our broadcast replay protection */\r\n+ if (peer->hmode == MODE_BCLIENT) {\r\n+ peer->bxmt = bxmt;\r\n+ }\r\n+\r\n /*\r\n * If interleave mode, initialize the alternate origin switch.\r\n */\r\n```\r\n\r\n### Timeline\r\n* 2016-09-12 - Vendor Disclosure\r\n* 2016-11-21 - Public Release", "bulletinFamily": "exploit", "references": [], "viewCount": 17, "status": "cve,details", "sourceHref": "", "cvelist": ["CVE-2015-7973", "CVE-2016-7427"], "enchantments_done": [], "title": "Network Time Protocol Broadcast Mode Replay Prevention Denial of Service Vulnerability(CVE-2016-7427)", "id": "SSV:96650", "sourceData": "", "published": "2017-10-11T00:00:00", "enchantments": {"score": {"value": 5.3, "vector": "NONE", "modified": "2017-11-19T12:01:01", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-7427", "CVE-2015-7973"]}, {"type": "f5", "idList": ["F5:K80996302", "F5:K32790144", "SOL32790144"]}, {"type": "talos", "idList": ["TALOS-2016-0070", "TALOS-2016-0131", "TALOS-2016-0130"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562311220201547", "OPENVAS:1361412562311220201723", "OPENVAS:1361412562311220201611", "OPENVAS:1361412562310106405", "OPENVAS:1361412562310106754", "OPENVAS:1361412562311220192446", "OPENVAS:1361412562311220192215", "OPENVAS:1361412562311220201457", "OPENVAS:1361412562311220201210", "OPENVAS:1361412562311220192637"]}, {"type": "nessus", "idList": ["AIX_IV92194.NASL", "AIX_IV92067.NASL", "AIX_NTP_V3_ADVISORY8.NASL", "EULEROS_SA-2020-2225.NASL", "AIX_IV92192.NASL", "AIX_IV92193.NASL", "AIX_NTP_V4_ADVISORY8.NASL", "EULEROS_SA-2020-1611.NASL", "EULEROS_SA-2020-1547.NASL", "EULEROS_SA-2020-1723.NASL"]}, {"type": "seebug", "idList": ["SSV:96648"]}, {"type": "aix", "idList": ["NTP_ADVISORY6.ASC", "NTP_ADVISORY8.ASC"]}, {"type": "freebsd", "idList": ["5237F5D7-C020-11E5-B397-D050996490D0", "FCEDCDBB-C86E-11E6-B1CF-14DAE9D210B8", "8DB8D62A-B08B-11E6-8EBA-D050996490D0"]}, {"type": "ubuntu", "idList": ["USN-3707-2", "USN-3096-1", "USN-3349-1"]}, {"type": "huawei", "idList": ["HUAWEI-SA-20171129-01-NTPD"]}, {"type": "archlinux", "idList": ["ASA-201611-28"]}, {"type": "paloalto", "idList": ["PAN-SA-2016-0019"]}, {"type": "slackware", "idList": ["SSA-2016-326-01", "SSA-2016-054-04"]}, {"type": "cert", "idList": ["VU:633847", "VU:718152"]}, {"type": "symantec", "idList": ["SMNTC-1393", "SMNTC-1350"]}, {"type": "cisco", "idList": ["CISCO-SA-20161123-NTPD", "CISCO-SA-20160127-NTPD"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2016:1292-1", "SUSE-SU-2016:1177-1", "SUSE-SU-2016:1247-1", "SUSE-SU-2016:1175-1"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:0B67E4FF46553AC705FD601C96C1A6B6", "CFOUNDRY:8722C197C1671303FFCA9E919368B734"]}], "modified": "2017-11-19T12:01:01", "rev": 2}, "vulnersScore": 5.3}}

{"cve": [{"lastseen": "2020-10-03T12:10:50", "description": "The broadcast mode replay prevention functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via a crafted broadcast mode packet.", "edition": 3, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "LOW", "integrityImpact": "NONE", "baseScore": 4.3, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 1.4}, "published": "2017-01-13T16:59:00", "title": "CVE-2016-7427", "type": "cve", "cwe": ["CWE-400"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.5, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 3.3, "vectorString": "AV:A/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "ADJACENT_NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7427"], "modified": "2019-01-24T11:29:00", "cpe": ["cpe:/a:ntp:ntp:4.2.8"], "id": "CVE-2016-7427", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7427", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:P"}, "cpe23": ["cpe:2.3:a:ntp:ntp:4.2.8:p8:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p7:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p6:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T20:03:08", "description": "NTP before 4.2.8p6 and 4.3.x before 4.3.90, when configured in broadcast mode, allows man-in-the-middle attackers to conduct replay attacks by sniffing the network.", "edition": 5, "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "baseScore": 6.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 4.2}, "published": "2017-01-30T21:59:00", "title": "CVE-2015-7973", "type": "cve", "cwe": ["CWE-254"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 5.8, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7973"], "modified": "2017-11-21T02:29:00", "cpe": ["cpe:/a:ntp:ntp:4.3.18", "cpe:/a:ntp:ntp:4.3.45", "cpe:/a:ntp:ntp:4.3.72", "cpe:/a:ntp:ntp:4.3.0", "cpe:/a:ntp:ntp:4.3.25", "cpe:/a:ntp:ntp:4.3.74", "cpe:/a:ntp:ntp:4.3.28", "cpe:/a:ntp:ntp:4.3.61", "cpe:/a:ntp:ntp:4.3.22", "cpe:/a:ntp:ntp:4.3.51", "cpe:/a:ntp:ntp:4.3.54", "cpe:/a:ntp:ntp:4.3.3", "cpe:/a:ntp:ntp:4.3.81", "cpe:/a:ntp:ntp:4.3.67", "cpe:/a:ntp:ntp:4.3.79", "cpe:/a:ntp:ntp:4.3.76", "cpe:/a:ntp:ntp:4.3.29", "cpe:/a:ntp:ntp:4.3.33", "cpe:/a:ntp:ntp:4.3.20", "cpe:/a:ntp:ntp:4.3.37", "cpe:/a:ntp:ntp:4.3.24", "cpe:/a:ntp:ntp:4.3.49", "cpe:/a:ntp:ntp:4.3.11", "cpe:/a:ntp:ntp:4.3.17", "cpe:/a:ntp:ntp:4.3.19", "cpe:/a:ntp:ntp:4.3.4", "cpe:/a:ntp:ntp:4.3.13", "cpe:/a:ntp:ntp:4.3.78", "cpe:/a:ntp:ntp:4.3.31", "cpe:/a:ntp:ntp:4.3.44", "cpe:/a:ntp:ntp:4.3.69", "cpe:/a:ntp:ntp:4.3.1", "cpe:/a:ntp:ntp:4.3.55", "cpe:/a:ntp:ntp:4.3.34", "cpe:/a:ntp:ntp:4.2.8", "cpe:/a:ntp:ntp:4.3.23", "cpe:/a:ntp:ntp:4.3.41", "cpe:/a:ntp:ntp:4.3.84", "cpe:/a:ntp:ntp:4.3.75", "cpe:/a:ntp:ntp:4.3.52", "cpe:/a:ntp:ntp:4.3.40", "cpe:/a:ntp:ntp:4.3.10", "cpe:/a:ntp:ntp:4.3.36", "cpe:/a:ntp:ntp:4.3.83", "cpe:/a:ntp:ntp:4.3.65", "cpe:/a:ntp:ntp:4.3.77", "cpe:/a:ntp:ntp:4.3.60", "cpe:/a:ntp:ntp:4.3.38", "cpe:/a:ntp:ntp:4.3.30", "cpe:/a:ntp:ntp:4.3.56", "cpe:/a:ntp:ntp:4.3.53", "cpe:/a:ntp:ntp:4.3.64", "cpe:/a:ntp:ntp:4.3.15", "cpe:/a:ntp:ntp:4.3.46", "cpe:/a:ntp:ntp:4.3.57", "cpe:/a:ntp:ntp:4.3.59", "cpe:/a:ntp:ntp:4.3.58", "cpe:/a:ntp:ntp:4.3.87", "cpe:/a:ntp:ntp:4.3.12", "cpe:/a:ntp:ntp:4.3.62", "cpe:/a:ntp:ntp:4.3.6", "cpe:/a:ntp:ntp:4.3.66", "cpe:/a:ntp:ntp:4.3.32", "cpe:/a:ntp:ntp:4.3.86", "cpe:/a:ntp:ntp:4.3.2", "cpe:/a:ntp:ntp:4.3.80", "cpe:/a:ntp:ntp:4.3.63", "cpe:/a:ntp:ntp:4.3.21", "cpe:/a:ntp:ntp:4.3.82", "cpe:/a:ntp:ntp:4.3.5", "cpe:/a:ntp:ntp:4.3.89", "cpe:/a:ntp:ntp:4.3.14", "cpe:/a:ntp:ntp:4.3.8", "cpe:/a:ntp:ntp:4.3.7", "cpe:/a:ntp:ntp:4.3.43", "cpe:/a:ntp:ntp:4.3.47", "cpe:/a:ntp:ntp:4.3.48", "cpe:/a:ntp:ntp:4.3.73", "cpe:/a:ntp:ntp:4.3.16", "cpe:/a:ntp:ntp:4.3.70", "cpe:/a:ntp:ntp:4.3.26", "cpe:/a:ntp:ntp:4.3.50", "cpe:/a:ntp:ntp:4.3.27", "cpe:/a:ntp:ntp:4.3.39", "cpe:/a:ntp:ntp:4.3.42", "cpe:/a:ntp:ntp:4.3.85", "cpe:/a:ntp:ntp:4.3.68", "cpe:/a:ntp:ntp:4.3.88", "cpe:/a:ntp:ntp:4.3.71", "cpe:/a:ntp:ntp:4.3.35"], "id": "CVE-2015-7973", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7973", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}, "cpe23": ["cpe:2.3:a:ntp:ntp:4.3.24:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.38:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.32:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.84:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.50:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.36:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.52:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.39:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.17:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.67:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.12:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.15:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.89:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.25:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.62:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.87:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.73:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.83:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.47:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.69:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.37:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.80:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.21:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.10:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.70:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.23:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.35:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.46:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.79:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.51:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.56:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.68:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.77:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.65:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.20:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.31:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.76:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.48:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.75:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.59:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.2.8:p5:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.26:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.57:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.29:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.33:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.30:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.44:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.28:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.72:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.11:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.22:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.27:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.55:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.53:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.42:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.34:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.58:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.45:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.43:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.16:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.66:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.64:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.40:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.74:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.86:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.85:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.61:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.8:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.19:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.13:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.18:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.60:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.71:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.54:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.78:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.41:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.81:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.14:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.82:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.7:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.49:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.63:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.2:*:*:*:*:*:*:*", "cpe:2.3:a:ntp:ntp:4.3.88:*:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2017-06-08T00:16:30", "bulletinFamily": "software", "cvelist": ["CVE-2015-7973"], "edition": 1, "description": "\nF5 Product Development has assigned ID 572824 (BIG-IP), ID 573413 (Enterprise Manager), ID 573411 (BIG-IQ), and ID 507785 (ARX) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| None| Low| ntpq and ntpd \nBIG-IP AAM| 12.0.0 \n11.4.0 - 11.6.0| None| Low| ntpq and ntpd \nBIG-IP AFM| 12.0.0 \n11.3.0 - 11.6.0| None| Low| ntpq and ntpd \nBIG-IP Analytics| 12.0.0 \n11.0.0 - 11.6.0| None| Low| ntpq and ntpd \nBIG-IP APM| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| None| Low| ntpq and ntpd \nBIG-IP ASM| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| None| Low| ntpq and ntpd \nBIG-IP DNS| 12.0.0| None| Low| ntpq and ntpd \nBIG-IP Edge Gateway| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| ntpq and ntpd \nBIG-IP GTM| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| None| Low| ntpq and ntpd \nBIG-IP Link Controller| 12.0.0 \n11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| None| Low| ntpq and ntpd \nBIG-IP PEM| 12.0.0 \n11.3.0 - 11.6.0| None| Low| ntpq and ntpd \nBIG-IP PSM| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| None| Low| ntpq and ntpd \nBIG-IP WebAccelerator| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| ntpq and ntpd \nBIG-IP WOM| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| ntpq and ntpd \nARX| 6.0.0 - 6.4.0| None| Low| ntpq and ntpd \nEnterprise Manager| 3.0.0 - 3.1.1| None| Low| ntpq and ntpd \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| 4.0.0 - 4.5.0| None| Low| ntpq and ntpd \nBIG-IQ Device| 4.2.0 - 4.5.0| None| Low| ntpq and ntpd \nBIG-IQ Security| 4.0.0 - 4.5.0| None| Low| ntpq and ntpd \nBIG-IQ ADC| 4.5.0| None| Low| ntpq and ntpd \nBIG-IQ Centralized Management| 4.6.0| None| Low| ntpq and ntpd \nBIG-IQ Cloud and Orchestration| 1.0.0| None| Low| ntpq and ntpd \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| Not vulnerable| None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the** Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nBIG-IP, BIG-IQ, and Enterprise Manager\n\nTo mitigate this vulnerability for the BIG-IP system, do not configure NTP to accept broadcast packets by enabling any \"broadcast\" or \"broadcastclient\" directives in the **/etc/ntp.conf** file. By default, the BIG-IP system is not configured to accept NTP broadcast packets.\n\nARX\n\nTo mitigate this vulnerability, you can disable NTP functionality on the ARX system.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 12.x)](<https://support.f5.com/csp/article/K13123>)\n * [K10025: Managing BIG-IP product hotfixes (10.x)](<https://support.f5.com/csp/article/K10025>)\n * [K9502: BIG-IP hotfix matrix](<https://support.f5.com/csp/article/K9502>)\n * [K15106: Managing BIG-IQ product hotfixes](<https://support.f5.com/csp/article/K15106>)\n * [K15113: BIG-IQ hotfix matrix](<https://support.f5.com/csp/article/K15113>)\n * [K12766: ARX hotfix matrix](<https://support.f5.com/csp/article/K12766>)\n", "modified": "2017-03-14T19:23:00", "published": "2016-02-22T21:36:00", "href": "https://support.f5.com/csp/article/K32790144", "id": "F5:K32790144", "title": "NTP vulnerability CVE-2015-7973", "type": "f5", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-26T17:22:57", "bulletinFamily": "software", "cvelist": ["CVE-2015-7973"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the** Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nF5 responds to vulnerabilities in accordance with the **Severity **values published in the previous table. The **Severity** values and other security vulnerability parameters are defined in SOL4602: Overview of the F5 security vulnerability response policy.\n\n**BIG-IP, BIG-IQ and Enterprise Manager**\n\nTo mitigate this vulnerability for the BIG-IP system, do not configure NTP to accept broadcast packets by enabling any \"broadcast\" or \"broadcastclient\" directives in the **/etc/ntp.conf** file. By default, the BIG-IP system is not configured to accept NTP broadcast packets.\n\n**ARX**\n\nTo mitigate this vulnerability, you can disable NTP functionality on the ARX system.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)\n * SOL10025: Managing BIG-IP product hotfixes (10.x)\n * SOL9502: BIG-IP hotfix matrix\n * SOL15106: Managing BIG-IQ product hotfixes\n * SOL15113: BIG-IQ hotfix matrix\n * SOL12766: ARX hotfix matrix\n", "modified": "2016-02-22T00:00:00", "published": "2016-02-22T00:00:00", "id": "SOL32790144", "href": "http://support.f5.com/kb/en-us/solutions/public/k/32/sol32790144.html", "type": "f5", "title": "SOL32790144 - NTP vulnerability CVE-2015-7973", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2017-06-08T00:16:02", "bulletinFamily": "software", "cvelist": ["CVE-2016-9312", "CVE-2015-8138", "CVE-2016-7433", "CVE-2016-7427", "CVE-2016-7429", "CVE-2016-7428", "CVE-2016-7431"], "edition": 1, "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.2| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.2 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebSafe| None| 12.0.0 - 12.1.2 \n11.6.0 - 11.6.1| Not vulnerable| None \nARX| None| 6.2.0 - 6.4.0| Not vulnerable| None \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.1.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.0.2| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nTraffix SDC| None| 5.0.0 - 5.1.0 \n4.0.0 - 4.4.0| Not vulnerable| None\n\nNone\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "modified": "2017-03-14T19:23:00", "published": "2016-12-17T02:37:00", "href": "https://support.f5.com/csp/article/K80996302", "id": "F5:K80996302", "type": "f5", "title": "Multiple NTP vulnerabilities", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "talos": [{"lastseen": "2020-07-01T21:25:30", "bulletinFamily": "info", "cvelist": ["CVE-2015-7973", "CVE-2016-7427"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0131\n\n## Network Time Protocol Broadcast Mode Replay Prevention Denial of Service Vulnerability\n\n##### November 21, 2016\n\n##### CVE Number\n\nCVE-2016-7427\n\n### Summary\n\nAn exploitable denial of service vulnerability exists in the broadcast mode replay prevention functionality of ntpd. To prevent replay of broadcast mode packets, ntpd rejects broadcast mode packets with non-monotonically increasing transmit timestamps. Remote unauthenticated attackers can send specially crafted broadcast mode NTP packets to cause ntpd to reject all broadcast mode packets from legitimate NTP broadcast servers.\n\n### Tested Versions\n\nNTP 4.2.8p6\n\n### Product URLs\n\nhttp://www.ntp.org/\n\n### CVSS Scores\n\nCVSSv2: 5.0 - (AV:N/AC:L/Au:N/C:N/I:N/A:P) \nCVSSv3: 5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\n\n### Details\n\nIn response to the NTP Deja Vu vulnerability (CVE-2015-7973), ntp-4.2.8p6 introduced several new integrity checks on incoming broadcast mode packets. Upon receipt of a broadcast mode packet, before authentication is enforced, ntpd will reject the packet if any of the following conditions hold:\n\n 1. The packet poll value is out of bounds for the broadcast association, i.e.\n \n pkt->ppoll < peer->minpoll || pkt->ppoll > peer->maxpoll\n \n\n 2. The packet was received before a full poll interval has elapsed since the last broadcast packet was received from the packet\u2019s sender. i.e. A server cannot ingress packets more frequently than `peer->minpoll`.\n\n 3. The packet transmit timestamp is less than the last seen broadcast packet transmit timestamp from the packet\u2019s sender. i.e. Broadcast packet transmit timestamps must be monotonically increasing.\n\nThe following logic is used to ensure that packet transmit timestamps are monotonically increasing:\n \n \n /* ntp-4.2.8p6 ntpd/ntp_proto.c */\n 1305 if (MODE_BROADCAST == hismode) {\n ...\n 1351 tdiff = p_xmt;\n 1352 L_SUB(&tdiff, &peer->bxmt);\n 1353 if (tdiff.l_i < 0) {\n 1354 msyslog(LOG_INFO, \"receive: broadcast packet from %s contains non-monotonic timestamp: %#010x.%08x -> %#010x.%08x\",\n 1355 stoa(&rbufp->recv_srcadr),\n 1356 peer->bxmt.l_ui, peer->bxmt.l_uf,\n 1357 p_xmt.l_ui, p_xmt.l_uf\n 1358 );\n 1359 ++bail;\n 1360 }\n 1361\n 1362 peer->bxmt = p_xmt;\n 1363\n 1364 if (bail) {\n 1365 peer->timelastrec = current_time;\n 1366 sys_declined++;\n 1367 return;\n 1368 }\n 1369 }\n \n\nIf the packet transmit timestamp is less than the transmit timestamp on the last received broadcast packet from this association (`p_xmt - peer->bxmt < 0`), the packet will be discarded.\n\nUnfortunately, line 1362 updates the saved transmit timestamp for alleged sender of the packet (`peer->bxmt`) before the packet is discarded. The update takes place even if the packet is unauthenticated and fails the previous integrity checks.\n\nThis leads to a trivial denial of service attack. The attacker:\n\n 1. Discovers the IP address of the victim\u2019s broadcast server. e.g. Send the victim a client mode NTP packet and discover the broadcast server from the refid field of the victim\u2019s reply.\n\n 2. Every poll period, send the victim a spoofed broadcast mode packet from the broadcast server with a transmit timestamp in the future. This will move `peer->bxmt` forward so that any legitimate packet will be rejected by the non-monotonic timestamp check.\n\n * The attacker does not need to be on the same subnet as the victim. The attacker can address the spoofed broadcast NTP packet directly to the victim\u2019s IP address.\n\n * The attacker can choose any reasonably small estimate for the poll period. Because the `peer->bxmt` update happens even when a packet fails the poll period checks, there is no penalty for sending packets too frequently.\n\nTo prevent this vulnerability, `peer->bxmt` should only be updated when a packet authenticates correctly. This is the approach taken in the patch below.\n\n### Mitigation\n\nThere is no workaround for this issue. Because the vulnerable logic is executed before authentication is enforced, authentication and the `restrict notrust` ntpd.conf directive have no effect. An attacker can bypass `notrust` restrictions by sending incorrectly authenticated packets.\n\nIn order to succeed in an attack, the attacker must send at least one spoofed packet per poll period. Therefore observing more than one NTP broadcast packet from the same sender address per poll period indicates a possible attack.\n\nThe following patch can be used to fix this vulnerability:\n \n \n From 097fd4dae9ac4927d7cfa8011fd42f704bd02c45 Mon Sep 17 00:00:00 2001\n From: Matthew Van Gundy <mvangund@cisco.com>\n Date: Tue, 26 Jan 2016 15:00:28 -0500\n Subject: [PATCH] Fix unauthenticated broadcast mode denial of service (peer->bxmt)\n \n ---\n include/ntp_fp.h | 1 +\n ntpd/ntp_proto.c | 22 ++++++++++++++++------\n 2 files changed, 17 insertions(+), 6 deletions(-)\n \n diff --git a/include/ntp_fp.h b/include/ntp_fp.h\n index 7806932..ad7a01d 100644\n --- a/include/ntp_fp.h\n +++ b/include/ntp_fp.h\n @@ -242,6 +242,7 @@ typedef u_int32 u_fp;\n #define L_ISGTU(a, b) M_ISGTU((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf)\n #define L_ISHIS(a, b) M_ISHIS((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf)\n #define L_ISGEQ(a, b) M_ISGEQ((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf)\n +#define L_ISGEQU(a, b) L_ISHIS(a, b)\n #define L_ISEQU(a, b) M_ISEQU((a)->l_ui, (a)->l_uf, (b)->l_ui, (b)->l_uf)\n \n /*\n diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c\n index ad45409..ac469ce 100644\n --- a/ntpd/ntp_proto.c\n +++ b/ntpd/ntp_proto.c\n @@ -1305,7 +1305,6 @@ receive(\n if (MODE_BROADCAST == hismode) {\n u_char poll;\n int bail = 0;\n - l_fp tdiff;\n \n DPRINTF(2, (\"receive: PROCPKT/BROADCAST: prev pkt %ld seconds ago, ppoll: %d, %d secs\\n\",\n (current_time - peer->timelastrec),\n @@ -1348,9 +1347,8 @@ receive(\n ++bail;\n }\n \n - tdiff = p_xmt;\n - L_SUB(&tdiff, &peer->bxmt);\n - if (tdiff.l_i < 0) {\n + /* Use L_ISGEQU() to ensure unsigned comparison */\n + if (!L_ISGEQU(&p_xmt, &peer->bxmt)) {\n msyslog(LOG_INFO, \"receive: broadcast packet from %s contains non-monotonic timestamp: %#010x.%08x -> %#010x.%08x\",\n stoa(&rbufp->recv_srcadr),\n peer->bxmt.l_ui, peer->bxmt.l_uf,\n @@ -1359,8 +1357,6 @@ receive(\n ++bail;\n }\n \n - peer->bxmt = p_xmt;\n -\n if (bail) {\n peer->timelastrec = current_time;\n sys_declined++;\n @@ -1563,6 +1559,14 @@ receive(\n peer->xmt = p_xmt;\n \n /*\n + * Now that we know the packet is correctly authenticated,\n + * update peer->bxmt if needed\n + */\n + if (MODE_BROADCAST == hismode) {\n + peer->bxmt = p_xmt;\n + }\n +\n + /*\n * Set the peer ppoll to the maximum of the packet ppoll and the\n * peer minpoll. If a kiss-o'-death, set the peer minpoll to\n * this maximum and advance the headway to give the sender some\n @@ -2400,6 +2404,7 @@ peer_clear(\n )\n {\n u_char u;\n + l_fp bxmt = peer->bxmt;\n \n #ifdef AUTOKEY\n /*\n @@ -2436,6 +2441,11 @@ peer_clear(\n peer->flash = peer_unfit(peer);\n peer->jitter = LOGTOD(sys_precision);\n \n + /* Don't throw away our broadcast replay protection */\n + if (peer->hmode == MODE_BCLIENT) {\n + peer->bxmt = bxmt;\n + }\n +\n /*\n * If interleave mode, initialize the alternate origin switch.\n */\n \n\n### Timeline\n\n2016-09-12 - Vendor Disclosure \n2016-11-21 - Public Release\n\n##### Credit\n\nDiscovered by Matthew Van Gundy of Cisco ASIG.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0130\n\nPrevious Report\n\nTALOS-2016-0203\n", "edition": 13, "modified": "2016-11-21T00:00:00", "published": "2016-11-21T00:00:00", "id": "TALOS-2016-0131", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0131", "title": "Network Time Protocol Broadcast Mode Replay Prevention Denial of Service Vulnerability", "type": "talos", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2019-05-29T19:20:09", "bulletinFamily": "info", "cvelist": ["CVE-2015-7973"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0070\n\n## Network Time Protocol Deja Vu: Broadcast Mode Replay Vulnerability\n\n##### January 19, 2016\n\n##### CVE Number\n\nCVE-2015-7973\n\n### Summary\n\nExpected Behavior: RFC 5905 page 29 Section 8 states that the on-wire protocol resists replay of server response packet in broadcast mode. Also on page 55 section 15, the RFC claims security in authenticated mode against on-path attackers where an attacker can:\n\na) Intercept and archive packets forever\n\nb) In a wiretap attack, intercept, modify and replay a packet.\n\nc) In a middleman attack or masquerade attack, intercept, modify and replay a packet and prevent onward transmission of the original packet.\n\nThe expected behavior in authenticated broadcast mode MUST then at the least prevent against an on-path replay attack.\n\nActual Behavior:\n\na) In a middleman attack, where the intruder is positioned between the server and the client and can intercept, and replay a packet and prevent onward transmission of the original packet, the protocol does not resist the replay attack.\n\nb) Also if the attacker is one of the machines on the network or adjacent network who also gets broadcast packets from the same NTP server and has the same trusted keys as the victim, then he can simply replay the packets that he receives from the broadcast server.\n\nImplications of the attack: Man-in-the-middle or a malicious client on the same/adjacent subnet can replay broadcast server packets and make the victim client\u2019s machine be stuck at a particular time value forever. Having time back in the past has severe implications on various applications.\n\nNote: Be aware that this issue could affect other ntpd modes of operation such as multicast.\n\n### Tested Versions\n\nntp 4.2.8p3 \nNTPSec aa48d001683e5b791a743ec9c575aaf7d867a2b0c\n\n### Product URLs\n\n(http://www.ntp.org)[http://www.ntp.org] \n(http://www.ntpsec.org/)[http://www.ntpsec.org/]\n\n### CVSS Score\n\nCVSSv2: 4.3 - AV:A/AC:M/Au:N/C:N/I:P/A:P \nCVSSv3: 4.2 - CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\n\n### Details\n\nTestbed Configuration for NTP:\n\na) We have a broadcast server and broadcast client.\n\nb) The broadcast server is a stratum 1 server. Its refid is .LOCL. The following lines are added to the ntp.conf file for broadcast server.\n \n \n broadcast subnetaddress key keyid1\n trustedkey keyid1 keyid2\n keys /etc/ntp/ntp_key # Path to the key file\n \n\nWe also create a key file ntp_key where all the keys are listed in /etc/ntp directory:\n \n \n keyid1 MD5 password1\n keyid2 MD5 password2\n \n\nc) The broadcast client is configured only as a broadcast client and does not have any other associations. Following lines are added to the ntp.conf on the client:\n \n \n broadcastclient subnetaddress\n trustedkey keyid1 keyid2\n keys /etc/ntp/ntp_key # Path to the key file\n \n\nWe also create a key file ntp_key where all the keys are listed in /etc/ntp directory:\n \n \n keyid1 MD5 password1\n keyid2 MD5 password2\n \n\nTestbed Configuration for NTPSec:\n\na) We have a broadcast server and broadcast client.\n\nb) The broadcast server is a stratum 4 server. Its refid is 192.168.33.9. The following lines are added to the ntp.conf file for broadcast server.\n \n \n server 192.168.33.9\n broadcast subnetaddress key keyid1\n trustedkey keyid1 keyid2\n keys /etc/ntp/ntp_key # Path to the key file\n \n\nWe also create a key file ntp_key where all the keys are listed in /etc/ntp directory:\n \n \n keyid1 MD5 password1\n keyid2 MD5 password2\n \n\nc) The broadcast client is configured only as a broadcast client and does not have any other associations. Following lines are added to the ntp.conf on the client:\n \n \n broadcastclient subnetaddress\n trustedkey keyid1 keyid2\n keys /etc/ntp/ntp_key # Path to the key file\n \n\nWe also create a key file ntp_key where all the keys are listed in /etc/ntp directory:\n \n \n keyid1 MD5 password1\n keyid2 MD5 password2\n \n\n### Recommended Fix\n\nThe major problem here is that there is no origin timestamp check on the broadcast packets as origin timestamp is set to null in the broadcast server packets. There are a couple of recommendations that might be effective:\n\na) The broadcast server packet may include an incrementing counter value in the extensions field. The client should maintain state for this value in the previous packet and check if this counter value in the current packet is greater than that of the previous packet. This simple check can prevent the replay of the old packets.\n\nb) There could be some way for NTP to see if it is stuck at the same timestamp for a considerable amount of time and should log an error or do something to warn the admin.\n\n### Timeline\n\n2015-10-07 - Vendor Disclosure \n2016-01-19 - Public Release\n\n##### Credit\n\nAanchal Malhotra\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0071\n\nPrevious Report\n\nTALOS-2016-0023\n", "edition": 10, "modified": "2016-01-19T00:00:00", "published": "2016-01-19T00:00:00", "id": "TALOS-2016-0070", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0070", "title": "Network Time Protocol Deja Vu: Broadcast Mode Replay Vulnerability", "type": "talos", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2020-07-01T21:25:07", "bulletinFamily": "info", "cvelist": ["CVE-2015-7973", "CVE-2016-7428"], "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0130\n\n## Network Time Protocol Broadcast Mode Poll Interval Enforcement Denial of Service Vulnerability\n\n##### November 21, 2016\n\n##### CVE Number\n\nCVE-2016-7428\n\n### Summary\n\nAn exploitable denial of service vulnerability exists in the broadcast mode poll interval enforcement functionality of ntpd. To limit abuse, ntpd restricts the rate at which each broadcast association will process incoming packets. ntpd will reject broadcast mode packets that arrive before the poll interval specified in the preceding broadcast packet expires. A vulnerability exists which allows remote unauthenticated attackers to send specially crafted broadcast mode NTP packets which will cause ntpd to reject all broadcast mode packets from legitimate NTP broadcast servers.\n\n### Tested Versions\n\nNTP 4.2.8p6\n\n### Product URLs\n\nhttp://www.ntp.org/\n\n### CVSS Scores\n\nCVSSv2: 5.0 - (AV:N/AC:L/Au:N/C:N/I:N/A:P) \nCVSSv3: 5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\n\n### Details\n\nIn response to the NTP Deja Vu vulnerability (CVE-2015-7973), ntp-4.2.8p6 introduced several new integrity checks on incoming broadcast mode packets. Upon receipt of a broadcast mode packet, before authentication is enforced, ntpd will reject the packet if any of the following conditions hold:\n\n 1. The packet poll value is out of bounds for the broadcast association, i.e.\n \n pkt->ppoll < peer->minpoll || pkt->ppoll > peer->maxpoll\n \n\n 2. The packet was received before a full poll interval has elapsed since the last broadcast packet was received from the packet\u2019s sender. i.e. A server cannot ingress packets more frequently than `peer->minpoll`.\n\n 3. The packet transmit timestamp is less than the last seen broadcast packet transmit timestamp from the packet\u2019s sender. i.e. Broadcast packet transmit timestamps must be monotonically increasing.\n\nThe following logic is used to ensure constraint 2, which ensures that broadcast associations will process only one incoming packet per poll interval:\n \n \n /* ntp-4.2.8p6 ntpd/ntp_proto.c */\n 1305 if (MODE_BROADCAST == hismode) {\n ...\n 1341 if ( (current_time - peer->timelastrec)\n 1342 < (1 << pkt->ppoll)) {\n 1343 msyslog(LOG_INFO, \"receive: broadcast packet from %s arrived after %ld, not %d seconds!\",\n 1344 stoa(&rbufp->recv_srcadr),\n 1345 (current_time - peer->timelastrec),\n 1346 (1 << pkt->ppoll)\n 1347 );\n 1348 ++bail;\n 1349 }\n ...\n 1361\n 1362 peer->bxmt = p_xmt;\n 1363\n 1364 if (bail) {\n 1365 peer->timelastrec = current_time;\n 1366 sys_declined++;\n 1367 return;\n 1368 }\n 1369 }\n \n\nIf the time elapsed since the last broadcast packet was received from this peer is less than the poll interval declared by the sender (`(current_time - peer->timelastrec) < (1 << pkt->ppoll)`), the packet will be discarded. (A previous check ensures that `pkt->ppoll` is within acceptable bounds.)\n\nUnfortunately, line 1341 compares the current time against the last time any broadcast mode packet was received with a source IP address of the peer (`peer->timelastrec`). In contrast to `peer->timereceived`, which is updated only when a _clean_ (correctly authenticated and passing integrity checks) packet is received, `peer->timelastrec` is updated by all incoming broadcast packets including spoofed and replayed packets.\n\nThis leads to a trivial denial of service attack. The attacker:\n\n 1. Discovers the IP address of the victim\u2019s broadcast server. e.g. Send the victim a client mode NTP packet and discover the broadcast server from the refid field of the victim\u2019s reply.\n\n 2. At least once per poll period, send the victim a spoofed broadcast mode packet from the broadcast server. This will set `peer->timelastrec = current_time` such that, when a legitimate packet is received, it will appear to have been received too early (`(current_time - peer->timelastrec) < (1 << pkt->ppoll)`) and will be discarded.\n\n * The attacker does not need to be on the same subnet as the victim. The attacker can address the spoofed broadcast NTP packet directly to the victim\u2019s IP address.\n\n * The attacker can choose any reasonably small estimate for the poll period. Because the `peer->timelastrec` update happens even when a packet fails the poll period check, there is no penalty for sending packets too frequently.\n\nTo prevent this vulnerability, ntpd should only discard packets broadcast packets when less than one poll interval has elapsed since the last legitimate packet has been received (`peer->timereceived`).\n\n### Mitigation\n\nThere is no workaround for this issue. Because the vulnerable logic is executed before authentication is enforced, authentication and the `restrict notrust` ntpd.conf directive have no effect. An attacker can bypass `notrust` restrictions by sending incorrectly authenticated packets.\n\nIn order to succeed in an attack, the attacker must send at least one spoofed packet per poll period. Therefore observing more than one NTP broadcast packet from the same sender address per poll period indicates a possible attack.\n\nThe following patch can be used to fix this vulnerability:\n \n \n From 8522882496d3df2bd764de6d8f7afac4a8d84006 Mon Sep 17 00:00:00 2001\n From: Matthew Van Gundy <mvangund@cisco.com>\n Date: Fri, 5 Feb 2016 17:38:32 -0500\n Subject: [PATCH] Fix unauthenticated broadcast mode denial of service (peer->timelastrec)\n \n Drop packets if they arrive less than one poll interval since the last\n **clean** packet received on an association. If we compare against the\n last time that *any* packet was received, even one that will be dropped\n for failing integrity checks, an attacker can DoS the association by\n sending incorrectly authenticated packets or replaying old packets to\n keep bumping the peer->timelastrec timer forward.\n ---\n include/ntp.h | 4 +++-\n ntpd/ntp_proto.c | 13 +++++++++++--\n 2 files changed, 14 insertions(+), 3 deletions(-)\n \n diff --git a/include/ntp.h b/include/ntp.h\n index 6a4e9aa..cbf6cec 100644\n --- a/include/ntp.h\n +++ b/include/ntp.h\n @@ -383,7 +383,9 @@ struct peer {\n * Statistic counters\n */\n u_long timereset; /* time stat counters were reset */\n - u_long timelastrec; /* last packet received time */\n + u_long timelastrec; /* last packet received time (may\n + * include spoofed, replayed, or other\n + * invalid packets) */\n u_long timereceived; /* last (clean) packet received time */\n u_long timereachable; /* last reachable/unreachable time */\n \n diff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c\n index ad45409..1ea5cee 100644\n --- a/ntpd/ntp_proto.c\n +++ b/ntpd/ntp_proto.c\n @@ -1338,11 +1338,20 @@ receive(\n ++bail;\n }\n \n - if ( (current_time - peer->timelastrec)\n + /*\n + * Ensure that at least one poll interval has\n + * elapsed since the last **clean** packet was\n + * received. We limit the check to **clean**\n + * packets to prevent replayed packets and\n + * incorrectly authenticated packets, which\n + * we'll discard, from being used to create a\n + * denial of service condition.\n + */\n + if ( (current_time - peer->timereceived)\n < (1 << pkt->ppoll)) {\n msyslog(LOG_INFO, \"receive: broadcast packet from %s arrived after %ld, not %d seconds!\",\n stoa(&rbufp->recv_srcadr),\n - (current_time - peer->timelastrec),\n + (current_time - peer->timereceived),\n (1 << pkt->ppoll)\n );\n ++bail;\n --\n 2.5.2\n \n\n### Timeline\n\n2016-09-12 - Vendor Disclosure \n2016-11-21 - Public Release\n\n##### Credit\n\nDiscovered by Matthew Van Gundy of Cisco ASIG.\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0260\n\nPrevious Report\n\nTALOS-2016-0131\n", "edition": 14, "modified": "2016-11-21T00:00:00", "published": "2016-11-21T00:00:00", "id": "TALOS-2016-0130", "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0130", "title": "Network Time Protocol Broadcast Mode Poll Interval Enforcement Denial of Service Vulnerability", "type": "talos", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:34:20", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9311", "CVE-2015-7973", "CVE-2015-8158", "CVE-2015-7979", "CVE-2016-7427", "CVE-2016-7429", "CVE-2016-9310", "CVE-2016-7431"], "description": "Junos OS is prone to multiple vulnerabilities in NTP.", "modified": "2018-10-26T00:00:00", "published": "2017-04-13T00:00:00", "id": "OPENVAS:1361412562310106754", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106754", "type": "openvas", "title": "Junos Multiple NTP Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_junos_jsa10776.nasl 12106 2018-10-26 06:33:36Z cfischer $\n#\n# Junos Multiple NTP Vulnerabilities\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2017 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = 'cpe:/o:juniper:junos';\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106754\");\n script_version(\"$Revision: 12106 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-26 08:33:36 +0200 (Fri, 26 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2017-04-13 08:24:49 +0200 (Thu, 13 Apr 2017)\");\n script_tag(name:\"cvss_base\", value:\"7.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n\n script_cve_id(\"CVE-2016-9311\", \"CVE-2016-9310\", \"CVE-2015-7973\", \"CVE-2015-7979\", \"CVE-2016-7431\",\n\"CVE-2015-8158\", \"CVE-2016-7429\", \"CVE-2016-7427\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Junos Multiple NTP Vulnerabilities\");\n\n script_category(ACT_GATHER_INFO);\n\n script_family(\"JunOS Local Security Checks\");\n script_copyright(\"This script is Copyright (C) 2017 Greenbone Networks GmbH\");\n script_dependencies(\"gb_ssh_junos_get_version.nasl\", \"gb_junos_snmp_version.nasl\");\n script_mandatory_keys(\"Junos/Version\");\n\n script_tag(name:\"summary\", value:\"Junos OS is prone to multiple vulnerabilities in NTP.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable OS build is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"NTP.org and FreeBSD have published security advisories for vulnerabilities\nresolved in ntpd which impact Junos OS.\");\n\n script_tag(name:\"affected\", value:\"Junos OS 12.3X48, 14.1, 14.2, 15.1, 16.1 and 16.2\");\n\n script_tag(name:\"solution\", value:\"New builds of Junos OS software are available from Juniper.\");\n\n script_xref(name:\"URL\", value:\"http://kb.juniper.net/JSA10776\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"revisions-lib.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE, nofork: TRUE))\n exit(0);\n\nif (version =~ \"^12\") {\n if ((revcomp(a: version, b: \"12.3X48-D45\") < 0) &&\n (revcomp(a: version, b: \"12.3X48\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"12.3X48-D45\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^14\") {\n if (revcomp(a: version, b: \"14.1R8-S3\") < 0) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"14.1R8-S3\");\n security_message(port: 0, data: report);\n exit(0);\n }\n else if ((revcomp(a: version, b: \"14.2R7-S6\") < 0) &&\n (revcomp(a: version, b: \"14.2\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"14.2R7-S6\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^15\") {\n if ((revcomp(a: version, b: \"15.1F7\") < 0) &&\n (revcomp(a: version, b: \"15.1F\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"15.1F7\");\n security_message(port: 0, data: report);\n exit(0);\n }\n else if ((revcomp(a: version, b: \"15.1R6\") < 0) &&\n (revcomp(a: version, b: \"15.1R\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"15.1R6\");\n security_message(port: 0, data: report);\n exit(0);\n }\n else if ((revcomp(a: version, b: \"15.1X49-D80\") < 0) &&\n (revcomp(a: version, b: \"15.1X49\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"15.1X49-D80\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nif (version =~ \"^16\") {\n if (revcomp(a: version, b: \"16.1R3-S3\") < 0) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"16.1R3-S3\");\n security_message(port: 0, data: report);\n exit(0);\n }\n else if ((revcomp(a: version, b: \"16.2R1-S3\") < 0) &&\n (revcomp(a: version, b: \"16.2\") >= 0)) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"16.2R1-S3\");\n security_message(port: 0, data: report);\n exit(0);\n }\n}\n\nexit(99);\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-09-25T13:22:22", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7427", "CVE-2016-7428"], "description": "NTP.org", "modified": "2019-09-24T00:00:00", "published": "2016-06-03T00:00:00", "id": "OPENVAS:1361412562310106405", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310106405", "type": "openvas", "title": "NTP.org 'ntpd' Multiple Vulnerabilities - Nov16 - 1", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# NTP.org 'ntp' Multiple Vulnerabilities (Nov-2016)\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:ntp:ntp\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.106405\");\n script_version(\"2019-09-24T10:41:39+0000\");\n script_cve_id(\"CVE-2016-7428\", \"CVE-2016-7427\");\n script_tag(name:\"last_modification\", value:\"2019-09-24 10:41:39 +0000 (Tue, 24 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2016-06-03 11:18:33 +0700 (Fri, 03 Jun 2016)\");\n script_tag(name:\"cvss_base\", value:\"3.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:L/Au:N/C:N/I:N/A:P\");\n script_name(\"NTP.org 'ntpd' Multiple Vulnerabilities - Nov16 - 1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_ntp_detect_lin.nasl\");\n script_mandatory_keys(\"ntpd/version/detected\");\n\n script_xref(name:\"URL\", value:\"https://www.kb.cert.org/vuls/id/633847\");\n\n script_tag(name:\"summary\", value:\"NTP.org's reference implementation of NTP server, ntpd, is prone to\n multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"NTP.org's ntpd is prone to multiple vulnerabilities:\n\n - The broadcast mode of NTP is expected to only be used in a trusted network. If the broadcast network is\n accessible to an attacker, a potentially exploitable denial of service vulnerability in ntpd's broadcast mode\n replay prevention functionality can be abused. An attacker with access to the NTP broadcast domain can\n periodically inject specially crafted broadcast mode NTP packets into the broadcast domain which, while being\n logged by ntpd, can cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers.\n (CVE-2016-7427)\n\n - The broadcast mode of NTP is expected to only be used in a trusted network. If the broadcast network is\n accessible to an attacker, a potentially exploitable denial of service vulnerability in ntpd's broadcast mode\n poll interval enforcement functionality can be abused. To limit abuse, ntpd restricts the rate at which each\n broadcast association will process incoming packets. ntpd will reject broadcast mode packets that arrive before\n the poll interval specified in the preceding broadcast packet expires. An attacker with access to the NTP\n broadcast domain can send specially crafted broadcast mode NTP packets to the broadcast domain which, while\n being logged by ntpd, will cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers.\n (CVE-2016-7428)\");\n\n script_tag(name:\"impact\", value:\"A remote unauthenticated attacker may be able to perform a denial of\n service on ntpd.\");\n\n script_tag(name:\"affected\", value:\"Version 4.2.8p6 up to 4.2.8p8, 4.3.90 up to 4.3.93.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to NTP.org's ntpd version 4.2.8p9, 4.3.94 or later.\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"revisions-lib.inc\");\ninclude(\"host_details.inc\");\n\nif(isnull(port = get_app_port(cpe:CPE)))\n exit(0);\n\nif(!infos = get_app_full(cpe:CPE, port:port))\n exit(0);\n\nif(!version = infos[\"version\"])\n exit(0);\n\nlocation = infos[\"location\"];\nproto = infos[\"proto\"];\n\nif((revcomp(a:version, b:\"4.2.8p6\") >= 0) && (revcomp(a:version, b:\"4.2.8p9\") < 0)) {\n report = report_fixed_ver(installed_version:version, fixed_version:\"4.2.8p9\", install_path:location);\n security_message(port:port, data:report, proto:proto);\n exit(0);\n}\n\nif((revcomp(a:version, b:\"4.3.90\") >= 0) && (revcomp(a:version, b:\"4.3.94\") < 0)) {\n report = report_fixed_ver(installed_version:version, fixed_version:\"4.3.94\", install_path:location);\n security_message(port:port, data:report, proto:proto);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-06-04T15:50:29", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7427", "CVE-2016-7428"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-06-03T00:00:00", "published": "2020-06-03T00:00:00", "id": "OPENVAS:1361412562311220201611", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201611", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2020-1611)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1611\");\n script_version(\"2020-06-03T06:06:02+0000\");\n script_cve_id(\"CVE-2016-7427\", \"CVE-2016-7428\");\n script_tag(name:\"cvss_base\", value:\"3.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:A/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-06-03 06:06:02 +0000 (Wed, 03 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-03 06:06:02 +0000 (Wed, 03 Jun 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2020-1611)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1611\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1611\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'ntp' package(s) announced via the EulerOS-SA-2020-1611 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via the poll interval in a broadcast packet.(CVE-2016-7428)\n\nThe broadcast mode replay prevention functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via a crafted broadcast mode packet.(CVE-2016-7427)\");\n\n script_tag(name:\"affected\", value:\"'ntp' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~28.h15.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ntpdate\", rpm:\"ntpdate~4.2.6p5~28.h15.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"sntp\", rpm:\"sntp~4.2.6p5~28.h15.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-07-21T19:55:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5211", "CVE-2016-7427", "CVE-2016-7428"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-07-03T00:00:00", "published": "2020-07-03T00:00:00", "id": "OPENVAS:1361412562311220201723", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201723", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2020-1723)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1723\");\n script_version(\"2020-07-03T06:18:48+0000\");\n script_cve_id(\"CVE-2013-5211\", \"CVE-2016-7427\", \"CVE-2016-7428\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-07-03 06:18:48 +0000 (Fri, 03 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-07-03 06:18:48 +0000 (Fri, 03 Jul 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2020-1723)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRT-3\\.0\\.6\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1723\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1723\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'ntp' package(s) announced via the EulerOS-SA-2020-1723 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.(CVE-2013-5211)\n\nThe broadcast mode replay prevention functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via a crafted broadcast mode packet.(CVE-2016-7427)\n\nntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via the poll interval in a broadcast packet.(CVE-2016-7428)\");\n\n script_tag(name:\"affected\", value:\"'ntp' package(s) on Huawei EulerOS Virtualization 3.0.6.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRT-3.0.6.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~28.h15.eulerosv2r7\", rls:\"EULEROSVIRT-3.0.6.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ntpdate\", rpm:\"ntpdate~4.2.6p5~28.h15.eulerosv2r7\", rls:\"EULEROSVIRT-3.0.6.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"sntp\", rpm:\"sntp~4.2.6p5~28.h15.eulerosv2r7\", rls:\"EULEROSVIRT-3.0.6.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-05-06T01:07:29", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5211", "CVE-2016-7427", "CVE-2016-7428"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-04-30T00:00:00", "published": "2020-04-30T00:00:00", "id": "OPENVAS:1361412562311220201547", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201547", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2020-1547)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1547\");\n script_version(\"2020-04-30T12:13:13+0000\");\n script_cve_id(\"CVE-2013-5211\", \"CVE-2016-7427\", \"CVE-2016-7428\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-04-30 12:13:13 +0000 (Thu, 30 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-30 12:13:13 +0000 (Thu, 30 Apr 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2020-1547)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.2\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1547\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1547\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'ntp' package(s) announced via the EulerOS-SA-2020-1547 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013.(CVE-2013-5211)\n\nThe broadcast mode replay prevention functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via a crafted broadcast mode packet.(CVE-2016-7427)\n\nntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via the poll interval in a broadcast packet.(CVE-2016-7428)\");\n\n script_tag(name:\"affected\", value:\"'ntp' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.2.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.2.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~28.h15\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ntpdate\", rpm:\"ntpdate~4.2.6p5~28.h15\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"sntp\", rpm:\"sntp~4.2.6p5~28.h15\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2020-01-27T18:33:25", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5146", "CVE-2015-7973", "CVE-2016-2516", "CVE-2016-2517"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220192446", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192446", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2019-2446)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2446\");\n script_version(\"2020-01-23T12:58:04+0000\");\n script_cve_id(\"CVE-2015-5146\", \"CVE-2015-7973\", \"CVE-2016-2517\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:58:04 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:58:04 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2019-2446)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2446\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2446\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'ntp' package(s) announced via the EulerOS-SA-2019-2446 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"NTP before 4.2.8p7 and 4.3.x before 4.3.92 allows remote attackers to cause a denial of service (prevent subsequent authentication) by leveraging knowledge of the controlkey or requestkey and sending a crafted packet to ntpd, which changes the value of trustedkey, controlkey, or requestkey. NOTE: this vulnerability exists because of a CVE-2016-2516 regression.(CVE-2016-2517)\n\nNTP before 4.2.8p6 and 4.3.x before 4.3.90, when configured in broadcast mode, allows man-in-the-middle attackers to conduct replay attacks by sniffing the network.(CVE-2015-7973)\n\nntpd in ntp before 4.2.8p3 with remote configuration enabled allows remote authenticated users with knowledge of the configuration password and access to a computer entrusted to perform remote configuration to cause a denial of service (service crash) via a NULL byte in a crafted configuration directive packet.(CVE-2015-5146)\");\n\n script_tag(name:\"affected\", value:\"'ntp' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~25.1.h21\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ntpdate\", rpm:\"ntpdate~4.2.6p5~25.1.h21\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-01-27T18:37:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-5146", "CVE-2015-7973", "CVE-2016-2516", "CVE-2016-2517"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220192637", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192637", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2019-2637)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2637\");\n script_version(\"2020-01-23T13:10:36+0000\");\n script_cve_id(\"CVE-2015-5146\", \"CVE-2015-7973\", \"CVE-2016-2517\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 13:10:36 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 13:10:36 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2019-2637)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP3\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2637\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2637\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'ntp' package(s) announced via the EulerOS-SA-2019-2637 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"NTP before 4.2.8p6 and 4.3.x before 4.3.90, when configured in broadcast mode, allows man-in-the-middle attackers to conduct replay attacks by sniffing the network.(CVE-2015-7973)\n\nNTP before 4.2.8p7 and 4.3.x before 4.3.92 allows remote attackers to cause a denial of service (prevent subsequent authentication) by leveraging knowledge of the controlkey or requestkey and sending a crafted packet to ntpd, which changes the value of trustedkey, controlkey, or requestkey. NOTE: this vulnerability exists because of a CVE-2016-2516 regression.(CVE-2016-2517)\n\nntpd in ntp before 4.2.8p3 with remote configuration enabled allows remote authenticated users with knowledge of the configuration password and access to a computer entrusted to perform remote configuration to cause a denial of service (service crash) via a NULL byte in a crafted configuration directive packet.(CVE-2015-5146)\");\n\n script_tag(name:\"affected\", value:\"'ntp' package(s) on Huawei EulerOS V2.0SP3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~25.0.1.h20\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ntpdate\", rpm:\"ntpdate~4.2.6p5~25.0.1.h20\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"sntp\", rpm:\"sntp~4.2.6p5~25.0.1.h20\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-03-14T16:53:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7184", "CVE-2015-5146", "CVE-2015-7973", "CVE-2015-7704", "CVE-2018-7183"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-03-13T00:00:00", "published": "2020-03-13T00:00:00", "id": "OPENVAS:1361412562311220201210", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201210", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2020-1210)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1210\");\n script_version(\"2020-03-13T07:14:54+0000\");\n script_cve_id(\"CVE-2015-5146\", \"CVE-2015-7973\", \"CVE-2018-7183\", \"CVE-2018-7184\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-03-13 07:14:54 +0000 (Fri, 13 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-03-13 07:14:54 +0000 (Fri, 13 Mar 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2020-1210)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRTARM64-3\\.0\\.2\\.0\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1210\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1210\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'ntp' package(s) announced via the EulerOS-SA-2020-1210 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the 'received' timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-2015-7704.(CVE-2018-7184)\n\nBuffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array.(CVE-2018-7183)\n\nNTP before 4.2.8p6 and 4.3.x before 4.3.90, when configured in broadcast mode, allows man-in-the-middle attackers to conduct replay attacks by sniffing the network.(CVE-2015-7973)\n\nntpd in ntp before 4.2.8p3 with remote configuration enabled allows remote authenticated users with knowledge of the configuration password and access to a computer entrusted to perform remote configuration to cause a denial of service (service crash) via a NULL byte in a crafted configuration directive packet.(CVE-2015-5146)\");\n\n script_tag(name:\"affected\", value:\"'ntp' package(s) on Huawei EulerOS Virtualization for ARM 64 3.0.2.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRTARM64-3.0.2.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~28.h12\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ntpdate\", rpm:\"ntpdate~4.2.6p5~28.h12\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"sntp\", rpm:\"sntp~4.2.6p5~28.h12\", rls:\"EULEROSVIRTARM64-3.0.2.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-27T18:34:18", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-7184", "CVE-2015-5146", "CVE-2015-7973", "CVE-2015-7704", "CVE-2018-7183"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-01-23T00:00:00", "published": "2020-01-23T00:00:00", "id": "OPENVAS:1361412562311220192215", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220192215", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2019-2215)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2019.2215\");\n script_version(\"2020-01-23T12:40:10+0000\");\n script_cve_id(\"CVE-2015-5146\", \"CVE-2015-7973\", \"CVE-2018-7183\", \"CVE-2018-7184\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-23 12:40:10 +0000 (Thu, 23 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 12:40:10 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2019-2215)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP5\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2019-2215\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-2215\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'ntp' package(s) announced via the EulerOS-SA-2019-2215 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"NTP before 4.2.8p6 and 4.3.x before 4.3.90, when configured in broadcast mode, allows man-in-the-middle attackers to conduct replay attacks by sniffing the network.(CVE-2015-7973)\n\nntpd in ntp before 4.2.8p3 with remote configuration enabled allows remote authenticated users with knowledge of the configuration password and access to a computer entrusted to perform remote configuration to cause a denial of service (service crash) via a NULL byte in a crafted configuration directive packet.(CVE-2015-5146)\n\nBuffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array.(CVE-2018-7183)\n\nntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the 'received' timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-2015-7704.(CVE-2018-7184)\");\n\n script_tag(name:\"affected\", value:\"'ntp' package(s) on Huawei EulerOS V2.0SP5.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP5\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~28.h12.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ntpdate\", rpm:\"ntpdate~4.2.6p5~28.h12.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"sntp\", rpm:\"sntp~4.2.6p5~28.h12.eulerosv2r7\", rls:\"EULEROS-2.0SP5\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-17T16:58:26", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-8936", "CVE-2018-7184", "CVE-2015-5146", "CVE-2015-7973", "CVE-2015-7704", "CVE-2018-7183"], "description": "The remote host is missing an update for the Huawei EulerOS\n ", "modified": "2020-04-16T00:00:00", "published": "2020-04-16T00:00:00", "id": "OPENVAS:1361412562311220201457", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220201457", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2020-1457)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from the referenced\n# advisories, and are Copyright (C) by the respective right holder(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2020.1457\");\n script_version(\"2020-04-16T05:55:39+0000\");\n script_cve_id(\"CVE-2015-5146\", \"CVE-2015-7973\", \"CVE-2018-7183\", \"CVE-2018-7184\", \"CVE-2019-8936\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-04-16 05:55:39 +0000 (Thu, 16 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-04-16 05:55:39 +0000 (Thu, 16 Apr 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for ntp (EulerOS-SA-2020-1457)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROSVIRT-3\\.0\\.2\\.2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2020-1457\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1457\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'ntp' package(s) announced via the EulerOS-SA-2020-1457 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"NTP through 4.2.8p12 has a NULL Pointer Dereference.(CVE-2019-8936)\n\nntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the 'received' timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-2015-7704.(CVE-2018-7184)\n\nBuffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array.(CVE-2018-7183)\n\nNTP before 4.2.8p6 and 4.3.x before 4.3.90, when configured in broadcast mode, allows man-in-the-middle attackers to conduct replay attacks by sniffing the network.(CVE-2015-7973)\n\nntpd in ntp before 4.2.8p3 with remote configuration enabled allows remote authenticated users with knowledge of the configuration password and access to a computer entrusted to perform remote configuration to cause a denial of service (service crash) via a NULL byte in a crafted configuration directive packet.(CVE-2015-5146)\");\n\n script_tag(name:\"affected\", value:\"'ntp' package(s) on Huawei EulerOS Virtualization 3.0.2.2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROSVIRT-3.0.2.2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~28.h12.eulerosv2r7\", rls:\"EULEROSVIRT-3.0.2.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"ntpdate\", rpm:\"ntpdate~4.2.6p5~28.h12.eulerosv2r7\", rls:\"EULEROSVIRT-3.0.2.2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"sntp\", rpm:\"sntp~4.2.6p5~28.h12.eulerosv2r7\", rls:\"EULEROSVIRT-3.0.2.2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-01-07T09:04:34", "description": "According to the versions of the ntp packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via the poll interval in a broadcast\n packet.(CVE-2016-7428)\n\n - The broadcast mode replay prevention functionality in\n ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via a crafted broadcast mode\n packet.(CVE-2016-7427)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 4, "cvss3": {"score": 4.3, "vector": "AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "published": "2020-06-02T00:00:00", "title": "EulerOS 2.0 SP5 : ntp (EulerOS-SA-2020-1611)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-7427", "CVE-2016-7428"], "modified": "2020-06-02T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:ntpdate", "p-cpe:/a:huawei:euleros:ntp", "p-cpe:/a:huawei:euleros:sntp", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2020-1611.NASL", "href": "https://www.tenable.com/plugins/nessus/137029", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137029);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2016-7427\",\n \"CVE-2016-7428\"\n );\n\n script_name(english:\"EulerOS 2.0 SP5 : ntp (EulerOS-SA-2020-1611)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the ntp packages installed, the EulerOS\ninstallation on the remote host is affected by the following\nvulnerabilities :\n\n - ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via the poll interval in a broadcast\n packet.(CVE-2016-7428)\n\n - The broadcast mode replay prevention functionality in\n ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via a crafted broadcast mode\n packet.(CVE-2016-7427)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1611\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3fdb0465\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected ntp packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:A/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ntpdate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:sntp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"ntp-4.2.6p5-28.h15.eulerosv2r7\",\n \"ntpdate-4.2.6p5-28.h15.eulerosv2r7\",\n \"sntp-4.2.6p5-28.h15.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp\");\n}\n", "cvss": {"score": 3.3, "vector": "AV:A/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T09:04:16", "description": "According to the versions of the ntp packages installed, the EulerOS\nVirtualization for ARM 64 installation on the remote host is affected\nby the following vulnerabilities :\n\n - The monlist feature in ntp_request.c in ntpd in NTP\n before 4.2.7p26 allows remote attackers to cause a\n denial of service (traffic amplification) via forged\n (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests,\n as exploited in the wild in December\n 2013.(CVE-2013-5211)\n\n - The broadcast mode replay prevention functionality in\n ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via a crafted broadcast mode\n packet.(CVE-2016-7427)\n\n - ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via the poll interval in a broadcast\n packet.(CVE-2016-7428)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 5, "cvss3": {"score": 4.3, "vector": "AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "published": "2020-05-01T00:00:00", "title": "EulerOS Virtualization for ARM 64 3.0.2.0 : ntp (EulerOS-SA-2020-1547)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5211", "CVE-2016-7427", "CVE-2016-7428"], "modified": "2020-05-01T00:00:00", "cpe": ["cpe:/o:huawei:euleros:uvp:3.0.2.0", "p-cpe:/a:huawei:euleros:ntpdate", "p-cpe:/a:huawei:euleros:ntp", "p-cpe:/a:huawei:euleros:sntp"], "id": "EULEROS_SA-2020-1547.NASL", "href": "https://www.tenable.com/plugins/nessus/136250", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(136250);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2013-5211\",\n \"CVE-2016-7427\",\n \"CVE-2016-7428\"\n );\n script_bugtraq_id(\n 64692\n );\n\n script_name(english:\"EulerOS Virtualization for ARM 64 3.0.2.0 : ntp (EulerOS-SA-2020-1547)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization for ARM 64 host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the ntp packages installed, the EulerOS\nVirtualization for ARM 64 installation on the remote host is affected\nby the following vulnerabilities :\n\n - The monlist feature in ntp_request.c in ntpd in NTP\n before 4.2.7p26 allows remote attackers to cause a\n denial of service (traffic amplification) via forged\n (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests,\n as exploited in the wild in December\n 2013.(CVE-2013-5211)\n\n - The broadcast mode replay prevention functionality in\n ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via a crafted broadcast mode\n packet.(CVE-2016-7427)\n\n - ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via the poll interval in a broadcast\n packet.(CVE-2016-7428)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1547\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?bfe5fbf2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected ntp packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/04/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ntpdate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:sntp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.2.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.2.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"ntp-4.2.6p5-28.h15\",\n \"ntpdate-4.2.6p5-28.h15\",\n \"sntp-4.2.6p5-28.h15\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T09:05:07", "description": "According to the versions of the ntp packages installed, the EulerOS\nVirtualization installation on the remote host is affected by the\nfollowing vulnerabilities :\n\n - The monlist feature in ntp_request.c in ntpd in NTP\n before 4.2.7p26 allows remote attackers to cause a\n denial of service (traffic amplification) via forged\n (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests,\n as exploited in the wild in December\n 2013.(CVE-2013-5211)\n\n - The broadcast mode replay prevention functionality in\n ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via a crafted broadcast mode\n packet.(CVE-2016-7427)\n\n - ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via the poll interval in a broadcast\n packet.(CVE-2016-7428)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 7, "cvss3": {"score": 4.3, "vector": "AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "published": "2020-07-01T00:00:00", "title": "EulerOS Virtualization 3.0.6.0 : ntp (EulerOS-SA-2020-1723)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5211", "CVE-2016-7427", "CVE-2016-7428"], "modified": "2020-07-01T00:00:00", "cpe": ["cpe:/o:huawei:euleros:uvp:3.0.6.0", "p-cpe:/a:huawei:euleros:ntpdate", "p-cpe:/a:huawei:euleros:ntp", "p-cpe:/a:huawei:euleros:sntp"], "id": "EULEROS_SA-2020-1723.NASL", "href": "https://www.tenable.com/plugins/nessus/137942", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137942);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2013-5211\",\n \"CVE-2016-7427\",\n \"CVE-2016-7428\"\n );\n script_bugtraq_id(\n 64692\n );\n\n script_name(english:\"EulerOS Virtualization 3.0.6.0 : ntp (EulerOS-SA-2020-1723)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the ntp packages installed, the EulerOS\nVirtualization installation on the remote host is affected by the\nfollowing vulnerabilities :\n\n - The monlist feature in ntp_request.c in ntpd in NTP\n before 4.2.7p26 allows remote attackers to cause a\n denial of service (traffic amplification) via forged\n (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests,\n as exploited in the wild in December\n 2013.(CVE-2013-5211)\n\n - The broadcast mode replay prevention functionality in\n ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via a crafted broadcast mode\n packet.(CVE-2016-7427)\n\n - ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via the poll interval in a broadcast\n packet.(CVE-2016-7428)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1723\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fb360c82\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected ntp packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-5211\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ntpdate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:sntp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.6.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.6.0\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.6.0\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"ntp-4.2.6p5-28.h15.eulerosv2r7\",\n \"ntpdate-4.2.6p5-28.h15.eulerosv2r7\",\n \"sntp-4.2.6p5-28.h15.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2021-01-07T09:06:40", "description": "According to the versions of the ntp packages installed, the EulerOS\nVirtualization installation on the remote host is affected by the\nfollowing vulnerabilities :\n\n - The monlist feature in ntp_request.c in ntpd in NTP\n before 4.2.7p26 allows remote attackers to cause a\n denial of service (traffic amplification) via forged\n (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests,\n as exploited in the wild in December\n 2013.(CVE-2013-5211)\n\n - The broadcast mode replay prevention functionality in\n ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via a crafted broadcast mode\n packet.(CVE-2016-7427)\n\n - ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via the poll interval in a broadcast\n packet.(CVE-2016-7428)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 6, "cvss3": {"score": 6.5, "vector": "AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"}, "published": "2020-10-21T00:00:00", "title": "EulerOS Virtualization 3.0.2.2 : ntp (EulerOS-SA-2020-2225)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-5211", "CVE-2016-7427", "CVE-2016-7428"], "modified": "2020-10-21T00:00:00", "cpe": ["cpe:/o:huawei:euleros:uvp:3.0.2.2", "p-cpe:/a:huawei:euleros:ntpdate", "p-cpe:/a:huawei:euleros:ntp"], "id": "EULEROS_SA-2020-2225.NASL", "href": "https://www.tenable.com/plugins/nessus/141678", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141678);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2013-5211\",\n \"CVE-2016-7427\",\n \"CVE-2016-7428\"\n );\n script_bugtraq_id(\n 64692\n );\n\n script_name(english:\"EulerOS Virtualization 3.0.2.2 : ntp (EulerOS-SA-2020-2225)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS Virtualization host is missing multiple security\nupdates.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the versions of the ntp packages installed, the EulerOS\nVirtualization installation on the remote host is affected by the\nfollowing vulnerabilities :\n\n - The monlist feature in ntp_request.c in ntpd in NTP\n before 4.2.7p26 allows remote attackers to cause a\n denial of service (traffic amplification) via forged\n (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests,\n as exploited in the wild in December\n 2013.(CVE-2013-5211)\n\n - The broadcast mode replay prevention functionality in\n ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via a crafted broadcast mode\n packet.(CVE-2016-7427)\n\n - ntpd in NTP before 4.2.8p9 allows remote attackers to\n cause a denial of service (reject broadcast mode\n packets) via the poll interval in a broadcast\n packet.(CVE-2016-7428)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-2225\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b45ced1b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected ntp packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2013-5211\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:ntpdate\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:uvp:3.0.2.2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (uvp != \"3.0.2.2\") audit(AUDIT_OS_NOT, \"EulerOS Virtualization 3.0.2.2\");\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"ntp-4.2.6p5-28.h15.eulerosv2r7\",\n \"ntpdate-4.2.6p5-28.h15.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2017-10-29T13:44:18", "edition": 11, "description": "NTPv3 and NTPv4 are vulnerable to :\n\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427 NTP is vulnerable to a denial of service, caused by an error in broadcast mode replay prevention functionality. By sending specially crafted NTP packets, a local attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by an error in broadcast mode poll interval enforcement functionality. By sending specially crafted NTP packets, a remote attacker from within the local network could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by an error in the control mode (mode 6) functionality. By sending specially crafted control mode packets, a remote attacker could exploit this vulnerability to obtain sensitive information and cause the application to crash. NTP is vulnerable to a denial of service, caused by a NULL pointer dereference when trap service has been enabled. By sending specially crafted packets, a remote attacker could exploit this vulnerability to cause the application to crash.\n\nThis plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory8.nasl (plugin id 102129).", "published": "2017-02-14T00:00:00", "title": "AIX 7.2 TL 0 : ntp (IV92192) (deprecated)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9311", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-9310"], "modified": "2017-08-03T00:00:00", "cpe": ["cpe:/o:ibm:aix:7.2"], "id": "AIX_IV92192.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=97133", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory ntp_advisory8.asc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2017/07/20. Deprecated by aix_ntp_v3_advisory8.nasl.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97133);\n script_version(\"$Revision: 3.7 $\");\n script_cvs_date(\"$Date: 2017/08/03 16:49:17 $\");\n\n script_cve_id(\"CVE-2016-7427\", \"CVE-2016-7428\", \"CVE-2016-9310\", \"CVE-2016-9311\");\n\n script_name(english:\"AIX 7.2 TL 0 : ntp (IV92192) (deprecated)\");\n script_summary(english:\"Check for APAR IV92192\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"This plugin has been deprecated.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"NTPv3 and NTPv4 are vulnerable to :\n\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427 NTP is\nvulnerable to a denial of service, caused by an error in broadcast\nmode replay prevention functionality. By sending specially crafted NTP\npackets, a local attacker could exploit this vulnerability to cause a\ndenial of service. NTP is vulnerable to a denial of service, caused by\nan error in broadcast mode poll interval enforcement functionality. By\nsending specially crafted NTP packets, a remote attacker from within\nthe local network could exploit this vulnerability to cause a denial\nof service. NTP is vulnerable to a denial of service, caused by an\nerror in the control mode (mode 6) functionality. By sending specially\ncrafted control mode packets, a remote attacker could exploit this\nvulnerability to obtain sensitive information and cause the\napplication to crash. NTP is vulnerable to a denial of service, caused\nby a NULL pointer dereference when trap service has been enabled. By\nsending specially crafted packets, a remote attacker could exploit\nthis vulnerability to cause the application to crash.\n\nThis plugin has been deprecated to better accommodate iFix\nsupersedence with replacement plugin aix_ntp_v3_advisory8.nasl (plugin\nid 102129).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"n/a\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:7.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/02/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated. Use aix_ntp_v3_advisory8.nasl (plugin ID 102129) instead.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"7.2\", ml:\"00\", sp:\"00\", patch:\"IV92192m2a\", package:\"bos.net.tcp.ntp\", minfilesetver:\"7.2.0.0\", maxfilesetver:\"7.2.0.2\") < 0) flag++;\nif (aix_check_ifix(release:\"7.2\", ml:\"00\", sp:\"00\", patch:\"IV92192m2a\", package:\"bos.net.tcp.ntpd\", minfilesetver:\"7.2.0.0\", maxfilesetver:\"7.2.0.2\") < 0) flag++;\nif (aix_check_ifix(release:\"7.2\", ml:\"00\", sp:\"01\", patch:\"IV92192m2a\", package:\"bos.net.tcp.ntp\", minfilesetver:\"7.2.0.0\", maxfilesetver:\"7.2.0.2\") < 0) flag++;\nif (aix_check_ifix(release:\"7.2\", ml:\"00\", sp:\"01\", patch:\"IV92192m2a\", package:\"bos.net.tcp.ntpd\", minfilesetver:\"7.2.0.0\", maxfilesetver:\"7.2.0.2\") < 0) flag++;\nif (aix_check_ifix(release:\"7.2\", ml:\"00\", sp:\"02\", patch:\"IV92192m2a\", package:\"bos.net.tcp.ntp\", minfilesetver:\"7.2.0.0\", maxfilesetver:\"7.2.0.2\") < 0) flag++;\nif (aix_check_ifix(release:\"7.2\", ml:\"00\", sp:\"02\", patch:\"IV92192m2a\", package:\"bos.net.tcp.ntpd\", minfilesetver:\"7.2.0.0\", maxfilesetver:\"7.2.0.2\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:aix_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-10-29T13:45:03", "edition": 9, "description": "NTPv3 and NTPv4 are vulnerable to :\n\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427 NTP is vulnerable to a denial of service, caused by an error in broadcast mode replay prevention functionality. By sending specially crafted NTP packets, a local attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by an error in broadcast mode poll interval enforcement functionality. By sending specially crafted NTP packets, a remote attacker from within the local network could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by an error in the control mode (mode 6) functionality. By sending specially crafted control mode packets, a remote attacker could exploit this vulnerability to obtain sensitive information and cause the application to crash. NTP is vulnerable to a denial of service, caused by a NULL pointer dereference when trap service has been enabled. By sending specially crafted packets, a remote attacker could exploit this vulnerability to cause the application to crash.\n\nThis plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory8.nasl (plugin id 102129).", "published": "2017-02-21T00:00:00", "type": "nessus", "title": "AIX 5.3 TL 12 : ntp (IV92194) (deprecated)", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9311", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-9310"], "cpe": ["cpe:/o:ibm:aix:5.3"], "modified": "2017-08-03T00:00:00", "href": "https://www.tenable.com/plugins/index.php?view=single&id=97230", "id": "AIX_IV92194.NASL", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory ntp_advisory8.asc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2017/07/20. Deprecated by aix_ntp_v3_advisory8.nasl.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97230);\n script_version(\"$Revision: 3.5 $\");\n script_cvs_date(\"$Date: 2017/08/03 16:49:17 $\");\n\n script_cve_id(\"CVE-2016-7427\", \"CVE-2016-7428\", \"CVE-2016-9310\", \"CVE-2016-9311\");\n\n script_name(english:\"AIX 5.3 TL 12 : ntp (IV92194) (deprecated)\");\n script_summary(english:\"Check for APAR IV92194\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"This plugin has been deprecated.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"NTPv3 and NTPv4 are vulnerable to :\n\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427 NTP is\nvulnerable to a denial of service, caused by an error in broadcast\nmode replay prevention functionality. By sending specially crafted NTP\npackets, a local attacker could exploit this vulnerability to cause a\ndenial of service. NTP is vulnerable to a denial of service, caused by\nan error in broadcast mode poll interval enforcement functionality. By\nsending specially crafted NTP packets, a remote attacker from within\nthe local network could exploit this vulnerability to cause a denial\nof service. NTP is vulnerable to a denial of service, caused by an\nerror in the control mode (mode 6) functionality. By sending specially\ncrafted control mode packets, a remote attacker could exploit this\nvulnerability to obtain sensitive information and cause the\napplication to crash. NTP is vulnerable to a denial of service, caused\nby a NULL pointer dereference when trap service has been enabled. By\nsending specially crafted packets, a remote attacker could exploit\nthis vulnerability to cause the application to crash.\n\nThis plugin has been deprecated to better accommodate iFix\nsupersedence with replacement plugin aix_ntp_v3_advisory8.nasl (plugin\nid 102129).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"n/a\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:5.3\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/02/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated. Use aix_ntp_v3_advisory8.nasl (plugin ID 102129) instead.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"5.3\", ml:\"12\", sp:\"09\", patch:\"IV92194m9a\", package:\"bos.net.tcp.client\", minfilesetver:\"5.3.12.0\", maxfilesetver:\"5.3.12.10\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:aix_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-10-29T13:42:40", "edition": 11, "description": "NTPv3 and NTPv4 are vulnerable to :\n\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427 NTP is vulnerable to a denial of service, caused by an error in broadcast mode replay prevention functionality. By sending specially crafted NTP packets, a local attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by an error in broadcast mode poll interval enforcement functionality. By sending specially crafted NTP packets, a remote attacker from within the local network could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by an error in the control mode (mode 6) functionality. By sending specially crafted control mode packets, a remote attacker could exploit this vulnerability to obtain sensitive information and cause the application to crash. NTP is vulnerable to a denial of service, caused by a NULL pointer dereference when trap service has been enabled. By sending specially crafted packets, a remote attacker could exploit this vulnerability to cause the application to crash.\n\nThis plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory8.nasl (plugin id 102129).", "published": "2017-02-14T00:00:00", "title": "AIX 6.1 TL 9 : ntp (IV91803) (deprecated)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9311", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-9310"], "modified": "2017-08-03T00:00:00", "cpe": ["cpe:/o:ibm:aix:6.1"], "href": "https://www.tenable.com/plugins/index.php?view=single&id=97131", "id": "AIX_IV91803.NASL", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory ntp_advisory8.asc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2017/07/20. Deprecated by aix_ntp_v3_advisory8.nasl.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97131);\n script_version(\"$Revision: 3.7 $\");\n script_cvs_date(\"$Date: 2017/08/03 16:49:17 $\");\n\n script_cve_id(\"CVE-2016-7427\", \"CVE-2016-7428\", \"CVE-2016-9310\", \"CVE-2016-9311\");\n\n script_name(english:\"AIX 6.1 TL 9 : ntp (IV91803) (deprecated)\");\n script_summary(english:\"Check for APAR IV91803\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"This plugin has been deprecated.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"NTPv3 and NTPv4 are vulnerable to :\n\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427 NTP is\nvulnerable to a denial of service, caused by an error in broadcast\nmode replay prevention functionality. By sending specially crafted NTP\npackets, a local attacker could exploit this vulnerability to cause a\ndenial of service. NTP is vulnerable to a denial of service, caused by\nan error in broadcast mode poll interval enforcement functionality. By\nsending specially crafted NTP packets, a remote attacker from within\nthe local network could exploit this vulnerability to cause a denial\nof service. NTP is vulnerable to a denial of service, caused by an\nerror in the control mode (mode 6) functionality. By sending specially\ncrafted control mode packets, a remote attacker could exploit this\nvulnerability to obtain sensitive information and cause the\napplication to crash. NTP is vulnerable to a denial of service, caused\nby a NULL pointer dereference when trap service has been enabled. By\nsending specially crafted packets, a remote attacker could exploit\nthis vulnerability to cause the application to crash.\n\nThis plugin has been deprecated to better accommodate iFix\nsupersedence with replacement plugin aix_ntp_v3_advisory8.nasl (plugin\nid 102129).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"n/a\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:6.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/02/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated. Use aix_ntp_v3_advisory8.nasl (plugin ID 102129) instead.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"6.1\", ml:\"09\", sp:\"06\", patch:\"IV91803m6a\", package:\"bos.net.tcp.client\", minfilesetver:\"6.1.9.0\", maxfilesetver:\"6.1.9.200\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"09\", sp:\"07\", patch:\"IV91803m6a\", package:\"bos.net.tcp.client\", minfilesetver:\"6.1.9.0\", maxfilesetver:\"6.1.9.200\") < 0) flag++;\nif (aix_check_ifix(release:\"6.1\", ml:\"09\", sp:\"08\", patch:\"IV91803m6a\", package:\"bos.net.tcp.client\", minfilesetver:\"6.1.9.0\", maxfilesetver:\"6.1.9.200\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:aix_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2021-01-06T09:18:34", "description": "The version of NTP installed on the remote AIX host is affected by\nthe following vulnerabilities :\n\n - A denial of service vulnerability exists in the\n broadcast mode replay prevention functionality. An\n unauthenticated, adjacent attacker can exploit this, via\n specially crafted broadcast mode NTP packets\n periodically injected into the broadcast domain, to\n cause ntpd to reject broadcast mode packets from\n legitimate NTP broadcast servers. (CVE-2016-7427)\n\n - A denial of service vulnerability exists in the\n broadcast mode poll interval functionality. An\n unauthenticated, adjacent attacker can exploit this, via\n specially crafted broadcast mode NTP packets, to cause\n ntpd to reject packets from a legitimate NTP broadcast\n server. (CVE-2016-7428)\n\n - A flaw exists in the control mode (mode 6) functionality\n when handling specially crafted control mode packets. An\n unauthenticated, adjacent attacker can exploit this to\n set or disable ntpd traps, resulting in the disclosure\n of potentially sensitive information, disabling of\n legitimate monitoring, or DDoS amplification.\n (CVE-2016-9310)\n\n - A NULL pointer dereference flaw exists in the\n report_event() function within file ntpd/ntp_control.c\n when the trap service handles certain peer events. An\n unauthenticated, remote attacker can exploit this, via\n a specially crafted packet, to cause a denial of service\n condition. (CVE-2016-9311)", "edition": 35, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-04-04T00:00:00", "title": "AIX NTP v4 Advisory : ntp_advisory8.asc (IV92126) (IV92287)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9311", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-9310"], "modified": "2017-04-04T00:00:00", "cpe": ["cpe:/a:ntp:ntp", "cpe:/o:ibm:aix"], "id": "AIX_NTP_V4_ADVISORY8.NASL", "href": "https://www.tenable.com/plugins/nessus/99184", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(99184);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\n \"CVE-2016-7427\",\n \"CVE-2016-7428\",\n \"CVE-2016-9310\",\n \"CVE-2016-9311\"\n );\n script_bugtraq_id(\n 94444,\n 94446,\n 94447,\n 94452\n );\n script_xref(name:\"CERT\", value:\"633847\");\n\n script_name(english:\"AIX NTP v4 Advisory : ntp_advisory8.asc (IV92126) (IV92287)\");\n script_summary(english:\"Checks the version of the ntp packages for appropriate iFixes.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote AIX host has a version of NTP installed that is affected\nby multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of NTP installed on the remote AIX host is affected by\nthe following vulnerabilities :\n\n - A denial of service vulnerability exists in the\n broadcast mode replay prevention functionality. An\n unauthenticated, adjacent attacker can exploit this, via\n specially crafted broadcast mode NTP packets\n periodically injected into the broadcast domain, to\n cause ntpd to reject broadcast mode packets from\n legitimate NTP broadcast servers. (CVE-2016-7427)\n\n - A denial of service vulnerability exists in the\n broadcast mode poll interval functionality. An\n unauthenticated, adjacent attacker can exploit this, via\n specially crafted broadcast mode NTP packets, to cause\n ntpd to reject packets from a legitimate NTP broadcast\n server. (CVE-2016-7428)\n\n - A flaw exists in the control mode (mode 6) functionality\n when handling specially crafted control mode packets. An\n unauthenticated, adjacent attacker can exploit this to\n set or disable ntpd traps, resulting in the disclosure\n of potentially sensitive information, disabling of\n legitimate monitoring, or DDoS amplification.\n (CVE-2016-9310)\n\n - A NULL pointer dereference flaw exists in the\n report_event() function within file ntpd/ntp_control.c\n when the trap service handles certain peer events. An\n unauthenticated, remote attacker can exploit this, via\n a specially crafted packet, to cause a denial of service\n condition. (CVE-2016-9311)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc\");\n script_set_attribute(attribute:\"solution\", value:\n\"A fix is available and can be downloaded from the IBM AIX website.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/09/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/04/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ntp:ntp\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"AIX Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\ninclude(\"aix.inc\");\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\noslevel = get_kb_item(\"Host/AIX/version\");\nif (isnull(oslevel)) audit(AUDIT_UNKNOWN_APP_VER, \"AIX\");\noslevel = oslevel - \"AIX-\";\n\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This AIX package check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\naix_ntp_vulns = {\n \"6.1\": {\n \"minfilesetver\":\"6.1.6.0\",\n \"maxfilesetver\":\"6.1.6.7\",\n \"patch\":\"(IV92287m5a|IV96311m5a)\"\n },\n \"7.1\": {\n \"minfilesetver\":\"7.1.0.0\",\n \"maxfilesetver\":\"7.1.0.7\",\n \"patch\":\"(IV92287m5a|IV96312m5a)\"\n },\n \"7.2\": {\n \"minfilesetver\":\"7.1.0.0\",\n \"maxfilesetver\":\"7.1.0.7\",\n \"patch\":\"(IV92126m3a|IV96312m5a)\"\n }\n};\n\nversion_report = \"AIX \" + oslevel;\nif ( empty_or_null(aix_ntp_vulns[oslevel]) ) {\n os_options = join( sort( keys(aix_ntp_vulns) ), sep:' / ' );\n audit(AUDIT_OS_NOT, os_options, version_report);\n}\n\nforeach oslevel ( keys(aix_ntp_vulns) ) {\n package_info = aix_ntp_vulns[oslevel];\n minfilesetver = package_info[\"minfilesetver\"];\n maxfilesetver = package_info[\"maxfilesetver\"];\n patch = package_info[\"patch\"];\n if (aix_check_ifix(release:oslevel, patch:patch, package:\"ntp.rte\", minfilesetver:minfilesetver, maxfilesetver:maxfilesetver) < 0) flag++;\n}\n\nif (flag)\n{\n aix_report_extra = ereg_replace(string:aix_report_get(), pattern:\"[()]\", replace:\"\");\n aix_report_extra = ereg_replace(string:aix_report_extra, pattern:\"[|]\", replace:\" or \");\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : aix_report_extra\n );\n}\nelse\n{\n tested = aix_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp.rte\");\n}\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-01-06T09:18:33", "description": "The version of NTP installed on the remote AIX host is affected by\nthe following vulnerabilities :\n\n - A denial of service vulnerability exists in the\n broadcast mode replay prevention functionality. An\n unauthenticated, adjacent attacker can exploit this, via\n specially crafted broadcast mode NTP packets\n periodically injected into the broadcast domain, to\n cause ntpd to reject broadcast mode packets from\n legitimate NTP broadcast servers. (CVE-2016-7427)\n\n - A denial of service vulnerability exists in the\n broadcast mode poll interval functionality. An\n unauthenticated, adjacent attacker can exploit this, via\n specially crafted broadcast mode NTP packets, to cause\n ntpd to reject packets from a legitimate NTP broadcast\n server. (CVE-2016-7428)\n\n - A flaw exists in the control mode (mode 6) functionality\n when handling specially crafted control mode packets. An\n unauthenticated, adjacent attacker can exploit this to\n set or disable ntpd traps, resulting in the disclosure\n of potentially sensitive information, disabling of\n legitimate monitoring, or DDoS amplification.\n (CVE-2016-9310)\n\n - A NULL pointer dereference flaw exists in the\n report_event() function within file ntpd/ntp_control.c\n when the trap service handles certain peer events. An\n unauthenticated, remote attacker can exploit this, via\n a specially crafted packet, to cause a denial of service\n condition. (CVE-2016-9311)", "edition": 30, "cvss3": {"score": 5.9, "vector": "AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}, "published": "2017-08-03T00:00:00", "title": "AIX NTP v3 Advisory : ntp_advisory8.asc (IV92194) (IV91803) (IV92193) (IV91951) (IV92192) (IV92067)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9311", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-9310"], "modified": "2017-08-03T00:00:00", "cpe": ["cpe:/a:ntp:ntp", "cpe:/o:ibm:aix"], "id": "AIX_NTP_V3_ADVISORY8.NASL", "href": "https://www.tenable.com/plugins/nessus/102129", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(102129);\n script_version(\"3.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\n \"CVE-2016-7427\",\n \"CVE-2016-7428\",\n \"CVE-2016-9310\",\n \"CVE-2016-9311\"\n );\n script_bugtraq_id(\n 94444,\n 94446,\n 94447,\n 94452\n );\n script_xref(name:\"CERT\", value:\"633847\");\n\n script_name(english:\"AIX NTP v3 Advisory : ntp_advisory8.asc (IV92194) (IV91803) (IV92193) (IV91951) (IV92192) (IV92067)\");\n script_summary(english:\"Checks the version of the ntp packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote AIX host has a version of NTP installed that is affected\nby multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of NTP installed on the remote AIX host is affected by\nthe following vulnerabilities :\n\n - A denial of service vulnerability exists in the\n broadcast mode replay prevention functionality. An\n unauthenticated, adjacent attacker can exploit this, via\n specially crafted broadcast mode NTP packets\n periodically injected into the broadcast domain, to\n cause ntpd to reject broadcast mode packets from\n legitimate NTP broadcast servers. (CVE-2016-7427)\n\n - A denial of service vulnerability exists in the\n broadcast mode poll interval functionality. An\n unauthenticated, adjacent attacker can exploit this, via\n specially crafted broadcast mode NTP packets, to cause\n ntpd to reject packets from a legitimate NTP broadcast\n server. (CVE-2016-7428)\n\n - A flaw exists in the control mode (mode 6) functionality\n when handling specially crafted control mode packets. An\n unauthenticated, adjacent attacker can exploit this to\n set or disable ntpd traps, resulting in the disclosure\n of potentially sensitive information, disabling of\n legitimate monitoring, or DDoS amplification.\n (CVE-2016-9310)\n\n - A NULL pointer dereference flaw exists in the\n report_event() function within file ntpd/ntp_control.c\n when the trap service handles certain peer events. An\n unauthenticated, remote attacker can exploit this, via\n a specially crafted packet, to cause a denial of service\n condition. (CVE-2016-9311)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc\");\n script_set_attribute(attribute:\"solution\", value:\n\"A fix is available and can be downloaded from the IBM AIX website.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/09/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/08/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ntp:ntp\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"AIX Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\ninclude(\"aix.inc\");\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\noslevel = get_kb_item(\"Host/AIX/version\");\nif (isnull(oslevel)) audit(AUDIT_UNKNOWN_APP_VER, \"AIX\");\noslevel = oslevel - \"AIX-\";\n\noslevelcomplete = chomp(get_kb_item(\"Host/AIX/oslevelsp\"));\nif (isnull(oslevelcomplete)) audit(AUDIT_UNKNOWN_APP_VER, \"AIX\");\noslevelparts = split(oslevelcomplete, sep:'-', keep:0);\nif ( max_index(oslevelparts) != 4 ) audit(AUDIT_UNKNOWN_APP_VER, \"AIX\");\nml = oslevelparts[1];\nsp = oslevelparts[2];\n\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This AIX package check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\naix_ntp_vulns = {\n \"5.3\": {\n \"12\": {\n \"09\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"5.3.12.0\",\n \"maxfilesetver\":\"5.3.12.10\",\n \"patch\":\"(IV92194m9a|IV96305m9a)\"\n }\n }\n }\n },\n \"6.1\": {\n \"09\": {\n \"06\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"6.1.9.0\",\n \"maxfilesetver\":\"6.1.9.200\",\n \"patch\":\"(IV91803m6a)\"\n }\n },\n \"07\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"6.1.9.0\",\n \"maxfilesetver\":\"6.1.9.200\",\n \"patch\":\"(IV91803m6a|IV96306m9a)\"\n }\n },\n \"08\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"6.1.9.0\",\n \"maxfilesetver\":\"6.1.9.200\",\n \"patch\":\"(IV91803m6a|IV96306m9a)\"\n }\n }\n }\n },\n \"7.1\": {\n \"03\": {\n \"05\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"7.1.3.0\",\n \"maxfilesetver\":\"7.1.3.45\",\n \"patch\":\"(IV92193m5a)\"\n }\n },\n \"06\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"7.1.3.0\",\n \"maxfilesetver\":\"7.1.3.46\",\n \"patch\":\"(IV92193m5a)\"\n }\n },\n \"07\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"7.1.3.0\",\n \"maxfilesetver\":\"7.1.3.47\",\n \"patch\":\"(IV92193m5a|IV96307m9a)\"\n }\n },\n \"08\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"7.1.3.0\",\n \"maxfilesetver\":\"7.1.3.48\",\n \"patch\":\"(IV92193m5a|IV96307m9a)\"\n }\n }\n },\n \"04\": {\n \"01\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"7.1.4.0\",\n \"maxfilesetver\":\"7.1.4.30\",\n \"patch\":\"(IV91951m3a)\"\n }\n },\n \"02\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"7.1.4.0\",\n \"maxfilesetver\":\"7.1.4.30\",\n \"patch\":\"(IV91951m3a|IV96308m4a)\"\n }\n },\n \"03\": {\n \"bos.net.tcp.client\": {\n \"minfilesetver\":\"7.1.4.0\",\n \"maxfilesetver\":\"7.1.4.30\",\n \"patch\":\"(IV91951m3a|IV96308m4a)\"\n }\n }\n }\n },\n \"7.2\": {\n \"00\": {\n \"00\": {\n \"bos.net.tcp.ntp\": {\n \"minfilesetver\":\"7.2.0.0\",\n \"maxfilesetver\":\"7.2.0.2\",\n \"patch\":\"(IV92192m2a)\"\n },\n \"bos.net.tcp.ntpd\": {\n \"minfilesetver\":\"7.2.0.0\",\n \"maxfilesetver\":\"7.2.0.2\",\n \"patch\":\"(IV92192m2a)\"\n }\n },\n \"01\": {\n \"bos.net.tcp.ntp\": {\n \"minfilesetver\":\"7.2.0.0\",\n \"maxfilesetver\":\"7.2.0.2\",\n \"patch\":\"(IV92192m2a)\"\n },\n \"bos.net.tcp.ntpd\": {\n \"minfilesetver\":\"7.2.0.0\",\n \"maxfilesetver\":\"7.2.0.2\",\n \"patch\":\"(IV92192m2a)\"\n }\n },\n \"02\": {\n \"bos.net.tcp.ntp\": {\n \"minfilesetver\":\"7.2.0.0\",\n \"maxfilesetver\":\"7.2.0.2\",\n \"patch\":\"(IV92192m2a|IV96309m4a)\"\n },\n \"bos.net.tcp.ntpd\": {\n \"minfilesetver\":\"7.2.0.0\",\n \"maxfilesetver\":\"7.2.0.2\",\n \"patch\":\"(IV92192m2a|IV96309m4a)\"\n }\n }\n },\n \"01\": {\n \"00\": {\n \"bos.net.tcp.ntp\": {\n \"minfilesetver\":\"7.2.1.0\",\n \"maxfilesetver\":\"7.2.1.0\",\n \"patch\":\"(IV92067s1a|IV96310m2a)\"\n },\n \"bos.net.tcp.ntpd\": {\n \"minfilesetver\":\"7.2.1.0\",\n \"maxfilesetver\":\"7.2.1.0\",\n \"patch\":\"(IV92067s1a|IV96310m2a)\"\n }\n },\n \"01\": {\n \"bos.net.tcp.ntp\": {\n \"minfilesetver\":\"7.2.1.0\",\n \"maxfilesetver\":\"7.2.1.0\",\n \"patch\":\"(IV92067s1a|IV96310m2a)\"\n },\n \"bos.net.tcp.ntpd\": {\n \"minfilesetver\":\"7.2.1.0\",\n \"maxfilesetver\":\"7.2.1.0\",\n \"patch\":\"(IV92067s1a|IV96310m2a)\"\n }\n }\n }\n }\n};\n\nversion_report = \"AIX \" + oslevel;\nif ( empty_or_null(aix_ntp_vulns[oslevel]) ) {\n os_options = join( sort( keys(aix_ntp_vulns) ), sep:' / ' );\n audit(AUDIT_OS_NOT, os_options, version_report);\n}\n\nversion_report = version_report + \" ML \" + ml;\nif ( empty_or_null(aix_ntp_vulns[oslevel][ml]) ) {\n ml_options = join( sort( keys(aix_ntp_vulns[oslevel]) ), sep:' / ' );\n audit(AUDIT_OS_NOT, \"ML \" + ml_options, version_report);\n}\n\nversion_report = version_report + \" SP \" + sp;\nif ( empty_or_null(aix_ntp_vulns[oslevel][ml][sp]) ) {\n sp_options = join( sort( keys(aix_ntp_vulns[oslevel][ml]) ), sep:' / ' );\n audit(AUDIT_OS_NOT, \"SP \" + sp_options, version_report);\n}\n\nforeach package ( keys(aix_ntp_vulns[oslevel][ml][sp]) ) {\n package_info = aix_ntp_vulns[oslevel][ml][sp][package];\n minfilesetver = package_info[\"minfilesetver\"];\n maxfilesetver = package_info[\"maxfilesetver\"];\n patch = package_info[\"patch\"];\n if (aix_check_ifix(release:oslevel, ml:ml, sp:sp, patch:patch, package:package, minfilesetver:minfilesetver, maxfilesetver:maxfilesetver) < 0) flag++;\n}\n\nif (flag)\n{\n aix_report_extra = ereg_replace(string:aix_report_get(), pattern:\"[()]\", replace:\"\");\n aix_report_extra = ereg_replace(string:aix_report_extra, pattern:\"[|]\", replace:\" or \");\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : aix_report_extra\n );\n}\nelse\n{\n tested = aix_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"bos.net.tcp.ntp / bos.net.tcp.ntpd / bos.net.tcp.client\");\n}\n", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2017-10-29T13:38:58", "edition": 11, "description": "NTPv3 and NTPv4 are vulnerable to :\n\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427 NTP is vulnerable to a denial of service, caused by an error in broadcast mode replay prevention functionality. By sending specially crafted NTP packets, a local attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by an error in broadcast mode poll interval enforcement functionality. By sending specially crafted NTP packets, a remote attacker from within the local network could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by an error in the control mode (mode 6) functionality. By sending specially crafted control mode packets, a remote attacker could exploit this vulnerability to obtain sensitive information and cause the application to crash. NTP is vulnerable to a denial of service, caused by a NULL pointer dereference when trap service has been enabled. By sending specially crafted packets, a remote attacker could exploit this vulnerability to cause the application to crash.\n\nThis plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory8.nasl (plugin id 102129).", "published": "2017-02-14T00:00:00", "title": "AIX 7.1 TL 4 : ntp (IV91951) (deprecated)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-9311", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-9310"], "modified": "2017-08-03T00:00:00", "cpe": ["cpe:/o:ibm:aix:7.1"], "href": "https://www.tenable.com/plugins/index.php?view=single&id=97132", "id": "AIX_IV91951.NASL", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The text in the description was extracted from AIX Security\n# Advisory ntp_advisory8.asc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2017/07/20. Deprecated by aix_ntp_v3_advisory8.nasl.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97132);\n script_version(\"$Revision: 3.7 $\");\n script_cvs_date(\"$Date: 2017/08/03 16:49:17 $\");\n\n script_cve_id(\"CVE-2016-7427\", \"CVE-2016-7428\", \"CVE-2016-9310\", \"CVE-2016-9311\");\n\n script_name(english:\"AIX 7.1 TL 4 : ntp (IV91951) (deprecated)\");\n script_summary(english:\"Check for APAR IV91951\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"This plugin has been deprecated.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"NTPv3 and NTPv4 are vulnerable to :\n\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427 NTP is\nvulnerable to a denial of service, caused by an error in broadcast\nmode replay prevention functionality. By sending specially crafted NTP\npackets, a local attacker could exploit this vulnerability to cause a\ndenial of service. NTP is vulnerable to a denial of service, caused by\nan error in broadcast mode poll interval enforcement functionality. By\nsending specially crafted NTP packets, a remote attacker from within\nthe local network could exploit this vulnerability to cause a denial\nof service. NTP is vulnerable to a denial of service, caused by an\nerror in the control mode (mode 6) functionality. By sending specially\ncrafted control mode packets, a remote attacker could exploit this\nvulnerability to obtain sensitive information and cause the\napplication to crash. NTP is vulnerable to a denial of service, caused\nby a NULL pointer dereference when trap service has been enabled. By\nsending specially crafted packets, a remote attacker could exploit\nthis vulnerability to cause the application to crash.\n\nThis plugin has been deprecated to better accommodate iFix\nsupersedence with replacement plugin aix_ntp_v3_advisory8.nasl (plugin\nid 102129).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"n/a\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:ibm:aix:7.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/02/14\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2017 Tenable Network Security, Inc.\");\n script_family(english:\"AIX Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/AIX/lslpp\", \"Host/local_checks_enabled\", \"Host/AIX/version\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated. Use aix_ntp_v3_advisory8.nasl (plugin ID 102129) instead.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"aix.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif ( ! get_kb_item(\"Host/AIX/version\") ) audit(AUDIT_OS_NOT, \"AIX\");\nif ( ! get_kb_item(\"Host/AIX/lslpp\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nif ( get_kb_item(\"Host/AIX/emgr_failure\" ) ) exit(0, \"This iFix check is disabled because : \"+get_kb_item(\"Host/AIX/emgr_failure\") );\n\nflag = 0;\n\nif (aix_check_ifix(release:\"7.1\", ml:\"04\", sp:\"01\", patch:\"IV91951m3a\", package:\"bos.net.tcp.client\", minfilesetver:\"7.1.4.0\", maxfilesetver:\"7.1.4.30\") < 0) flag++;\nif (aix_check_ifix(release:\"7.1\", ml:\"04\", sp:\"02\", patch:\"IV91951m3a\", package:\"bos.net.tcp.client\", minfilesetver:\"7.1.4.0\", maxfilesetver:\"7.1.4.30\") < 0) flag++;\nif (aix_check_ifix(release:\"7.1\", ml:\"04\", sp:\"03\", patch:\"IV91951m3a\", package:\"bos.net.tcp.client\", minfilesetver:\"7.1.4.0\", maxfilesetver:\"7.1.4.30\") < 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:aix_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T12:15:04", "description": "### Summary\r\nAn exploitable denial of service vulnerability exists in the broadcast mode poll interval enforcement functionality of ntpd. To limit abuse, ntpd restricts the rate at which each broadcast association will process incoming packets. ntpd will reject broadcast mode packets that arrive before the poll interval specified in the preceding broadcast packet expires. A vulnerability exists which allows remote unauthenticated attackers to send specially crafted broadcast mode NTP packets which will cause ntpd to reject all broadcast mode packets from legitimate NTP broadcast servers.\r\n\r\n### Tested Versions\r\nNTP 4.2.8p6\r\n\r\n### Product URLs\r\nhttp://www.ntp.org/\r\n\r\n### CVSS Scores\r\n* CVSSv2: 5.0 - (AV:N/AC:L/Au:N/C:N/I:N/A:P)\r\n* CVSSv3: 5.3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L\r\n\r\n### Details\r\nIn response to the NTP Deja Vu vulnerability (CVE-2015-7973), ntp-4.2.8p6 introduced several new integrity checks on incoming broadcast mode packets. Upon receipt of a broadcast mode packet, before authentication is enforced, ntpd will reject the packet if any of the following conditions hold:\r\n\r\n1. The packet poll value is out of bounds for the broadcast association, i.e.\r\n```\r\n pkt->ppoll < peer->minpoll || pkt->ppoll > peer->maxpoll\r\n```\r\n \r\n2. The packet was received before a full poll interval has elapsed since the last broadcast packet was received from the packet's sender. i.e. A server cannot ingress packets more frequently than `peer->minpoll`.\r\n3. The packet transmit timestamp is less than the last seen broadcast packet transmit timestamp from the packet's sender. i.e. Broadcast packet transmit timestamps must be monotonically increasing.\r\n\r\nThe following logic is used to ensure constraint 2, which ensures that broadcast associations will process only one incoming packet per poll interval:\r\n```\r\n/* ntp-4.2.8p6 ntpd/ntp_proto.c */\r\n1305 if (MODE_BROADCAST == hismode) {\r\n...\r\n1341 if ( (current_time - peer->timelastrec)\r\n1342 < (1 << pkt->ppoll)) {\r\n1343 msyslog(LOG_INFO, \"receive: broadcast packet from %s arrived after %ld, not %d seconds!\",\r\n1344 stoa(&rbufp->recv_srcadr),\r\n1345 (current_time - peer->timelastrec),\r\n1346 (1 << pkt->ppoll)\r\n1347 );\r\n1348 ++bail;\r\n1349 }\r\n...\r\n1361\r\n1362 peer->bxmt = p_xmt;\r\n1363\r\n1364 if (bail) {\r\n1365 peer->timelastrec = current_time;\r\n1366 sys_declined++;\r\n1367 return;\r\n1368 }\r\n1369 }\r\n```\r\n\r\nIf the time elapsed since the last broadcast packet was received from this peer is less than the poll interval declared by the sender (`(current_time - peer->timelastrec) < (1 << pkt->ppoll)`), the packet will be discarded. (A previous check ensures that `pkt->ppoll` is within acceptable bounds.)\r\n\r\nUnfortunately, line 1341 compares the current time against the last time any broadcast mode packet was received with a source IP address of the peer (`peer->timelastrec`). In contrast to `peer->timereceived`, which is updated only when a clean (correctly authenticated and passing integrity checks) packet is received, `peer->timelastrec` is updated by all incoming broadcast packets including spoofed and replayed packets.\r\n\r\nThis leads to a trivial denial of service attack. The attacker:\r\n1. Discovers the IP address of the victim's broadcast server. e.g. Send the victim a client mode NTP packet and discover the broadcast server from the refid field of the victim's reply.\r\n2. At least once per poll period, send the victim a spoofed broadcast mode packet from the broadcast server. This will set `peer->timelastrec = current_time` such that, when a legitimate packet is received, it will appear to have been received too early (`(current_time - peer->timelastrec) < (1 << pkt->ppoll)`) and will be discarded.\r\n\t* The attacker does not need to be on the same subnet as the victim. The attacker can address the spoofed broadcast NTP packet directly to the victim's IP address.\r\n\t* The attacker can choose any reasonably small estimate for the poll period. Because the `peer->timelastrec` update happens even when a packet fails the poll period check, there is no penalty for sending packets too frequently.\r\n\r\n\r\nTo prevent this vulnerability, ntpd should only discard packets broadcast packets when less than one poll interval has elapsed since the last legitimate packet has been received (`peer->timereceived`).\r\n\r\n### Mitigation\r\nThere is no workaround for this issue. Because the vulnerable logic is executed before authentication is enforced, authentication and the `restrict notrust` ntpd.conf directive have no effect. An attacker can bypass `notrust` restrictions by sending incorrectly authenticated packets.\r\n\r\nIn order to succeed in an attack, the attacker must send at least one spoofed packet per poll period. Therefore observing more than one NTP broadcast packet from the same sender address per poll period indicates a possible attack.\r\n\r\nThe following patch can be used to fix this vulnerability:\r\n```\r\nFrom 8522882496d3df2bd764de6d8f7afac4a8d84006 Mon Sep 17 00:00:00 2001\r\nFrom: Matthew Van Gundy <mvangund@cisco.com>\r\nDate: Fri, 5 Feb 2016 17:38:32 -0500\r\nSubject: [PATCH] Fix unauthenticated broadcast mode denial of service (peer->timelastrec)\r\n\r\nDrop packets if they arrive less than one poll interval since the last\r\n**clean** packet received on an association. If we compare against the\r\nlast time that *any* packet was received, even one that will be dropped\r\nfor failing integrity checks, an attacker can DoS the association by\r\nsending incorrectly authenticated packets or replaying old packets to\r\nkeep bumping the peer->timelastrec timer forward.\r\n---\r\n include/ntp.h | 4 +++-\r\n ntpd/ntp_proto.c | 13 +++++++++++--\r\n 2 files changed, 14 insertions(+), 3 deletions(-)\r\n\r\ndiff --git a/include/ntp.h b/include/ntp.h\r\nindex 6a4e9aa..cbf6cec 100644\r\n--- a/include/ntp.h\r\n+++ b/include/ntp.h\r\n@@ -383,7 +383,9 @@ struct peer {\r\n * Statistic counters\r\n */\r\n u_long timereset; /* time stat counters were reset */\r\n- u_long timelastrec; /* last packet received time */\r\n+ u_long timelastrec; /* last packet received time (may\r\n+ * include spoofed, replayed, or other\r\n+ * invalid packets) */\r\n u_long timereceived; /* last (clean) packet received time */\r\n u_long timereachable; /* last reachable/unreachable time */\r\n\r\ndiff --git a/ntpd/ntp_proto.c b/ntpd/ntp_proto.c\r\nindex ad45409..1ea5cee 100644\r\n--- a/ntpd/ntp_proto.c\r\n+++ b/ntpd/ntp_proto.c\r\n@@ -1338,11 +1338,20 @@ receive(\r\n ++bail;\r\n }\r\n\r\n- if ( (current_time - peer->timelastrec)\r\n+ /*\r\n+ * Ensure that at least one poll interval has\r\n+ * elapsed since the last **clean** packet was\r\n+ * received. We limit the check to **clean**\r\n+ * packets to prevent replayed packets and\r\n+ * incorrectly authenticated packets, which\r\n+ * we'll discard, from being used to create a\r\n+ * denial of service condition.\r\n+ */\r\n+ if ( (current_time - peer->timereceived)\r\n < (1 << pkt->ppoll)) {\r\n msyslog(LOG_INFO, \"receive: broadcast packet from %s arrived after %ld, not %d seconds!\",\r\n stoa(&rbufp->recv_srcadr),\r\n- (current_time - peer->timelastrec),\r\n+ (current_time - peer->timereceived),\r\n (1 << pkt->ppoll)\r\n );\r\n ++bail;\r\n--\r\n2.5.2\r\n```\r\n\r\n### Timeline\r\n* 2016-09-12 - Vendor Disclosure\r\n* 2016-11-21 - Public Release", "published": "2017-10-11T00:00:00", "type": "seebug", "title": "Network Time Protocol Broadcast Mode Poll Interval Enforcement Denial of Service Vulnerability(CVE-2016-7428)", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-7973", "CVE-2016-7428"], "modified": "2017-10-11T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-96648", "id": "SSV:96648", "sourceData": "", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "sourceHref": ""}], "aix": [{"lastseen": "2020-04-22T00:52:14", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9311", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-9310"], "description": "IBM SECURITY ADVISORY\n\nFirst Issued: Mon Feb 13 15:32:47 CST 2017\n|Updated: Mon Oct 2 10:47:12 CDT 2017 \n|Update 2: Removed bos.net.tcp.ntp from the impacted fileset list for\n| AIX 7200-01-02. Fileset bos.net.tcp.ntpd is still listed as impacted\n| for AIX 7200-01-02.\n\n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc\nhttps://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc\nftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc\n\n\nSecurity Bulletin: Vulnerabilities in NTP affect AIX\n CVE-2016-7427 CVE-2016-7428 CVE-2016-9310 CVE-2016-9311 \n\n===============================================================================\n\nSUMMARY:\n\n There are multiple vulnerabilities in NTPv3 and NTPv4 that impact AIX. \n\n\n===============================================================================\n\nVULNERABILITY DETAILS:\n\n NTPv3 and NTPv4 are vulnerable to:\n\n CVEID: CVE-2016-7427\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427 \n DESCRIPTION: NTP is vulnerable to a denial of service, caused by an error\n in broadcast mode replay prevention functionality. By sending specially \n crafted NTP packets, a local attacker could exploit this vulnerability to \n cause a denial of service.\n CVSS Base Score: 4\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/119088 for more\n information.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n \n CVEID: CVE-2016-7428 \n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7428\n DESCRIPTION: NTP is vulnerable to a denial of service, caused by an error \n in broadcast mode poll interval enforcement functionality. By sending \n specially crafted NTP packets, a remote attacker from within the local \n network could exploit this vulnerability to cause a denial of service.\n CVSS Base Score: 4.3 \n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/119089 for more\n information.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n CVEID: CVE-2016-9310\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9310\n DESCRIPTION: NTP is vulnerable to a denial of service, caused by an error \n in the control mode (mode 6) functionality. By sending specially crafted \n control mode packets, a remote attacker could exploit this vulnerability \n to obtain sensitive information and cause the application to crash.\n CVSS Base Score: 6.5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/119087 for more\n information.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)\n\n CVEID: CVE-2016-9311\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9311\n DESCRIPTION: NTP is vulnerable to a denial of service, caused by a NULL \n pointer dereference when trap service has been enabled. By sending specially \n crafted packets, a remote attacker could exploit this vulnerability to cause\n the application to crash. \n CVSS Base Score: 4.4\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/119086 for more\n information.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H)\n\n \n AFFECTED PRODUCTS AND VERSIONS:\n \n AIX 5.3, 6.1, 7.1, 7.2\n VIOS 2.2\n\n The following fileset levels are vulnerable:\n \n key_fileset = aix\n \n For NTPv3:\n\n Fileset Lower Level Upper Level KEY PRODUCT(S)\n ------------------------------------------------------------------\n bos.net.tcp.client 5.3.12.0 5.3.12.10 key_w_fs NTPv3\n bos.net.tcp.client 6.1.9.0 6.1.9.200 key_w_fs NTPv3\n bos.net.tcp.client 7.1.3.0 7.1.3.48 key_w_fs NTPv3\n bos.net.tcp.client 7.1.4.0 7.1.4.30 key_w_fs NTPv3\n bos.net.tcp.ntp 7.2.0.0 7.2.0.2 key_w_fs NTPv3\n bos.net.tcp.ntpd 7.2.0.0 7.2.0.2 key_w_fs NTPv3\n bos.net.tcp.ntpd 7.2.1.0 7.2.1.0 key_w_fs NTPv3\n\n \n For NTPv4:\n\n Fileset Lower Level Upper Level KEY PRODUCT(S) \n -----------------------------------------------------------------\n ntp.rte 6.1.6.0 6.1.6.7 key_w_fs NTPv4\n ntp.rte 7.1.0.0 7.1.0.7 key_w_fs NTPv4 \n \n Note: To find out whether the affected filesets are installed \n on your systems, refer to the lslpp command found in AIX user's\n guide.\n\n Example: lslpp -L | grep -i ntp.rte \n\n\n REMEDIATION:\n\n A. APARS\n \n IBM has assigned the following APARs to this problem:\n\n For NTPv3:\n\n AIX Level APAR Availability SP KEY PRODUCT(S)\n ------------------------------------------------------------\n 5.3.12 IV92194 NA key_w_apar NTPv3\n 6.1.9 IV91803 ** SP9 key_w_apar NTPv3\n 7.1.3 IV92193 ** SP9 key_w_apar NTPv3\n 7.1.4 IV91951 ** SP4 key_w_apar NTPv3\n 7.2.0 IV92192 ** SP4 key_w_apar NTPv3\n 7.2.1 IV92067 ** SP2 key_w_apar NTPv3\n\n For NTPv4:\n\n AIX Level APAR Availability SP KEY PRODUCT(S)\n ------------------------------------------------------------\n 6.1.9 IV92287 ** SP9 key_w_apar NTPv4\n 7.1.3 IV92126 ** SP9 key_w_apar NTPv4\n 7.1.4 IV92126 ** SP4 key_w_apar NTPv4\n 7.2.0 IV92126 ** SP4 key_w_apar NTPv4\n 7.2.1 IV92126 ** SP2 key_w_apar NTPv4\n\n ** Please refer to AIX support lifecycle information page for availability\n of Service Packs:\n http://www-01.ibm.com/support/docview.wss?uid=isg3T1012517\n\n Subscribe to the APARs here:\n\n http://www.ibm.com/support/docview.wss?uid=isg1IV91803\n http://www.ibm.com/support/docview.wss?uid=isg1IV91951\n http://www.ibm.com/support/docview.wss?uid=isg1IV92192\n http://www.ibm.com/support/docview.wss?uid=isg1IV92287\n http://www.ibm.com/support/docview.wss?uid=isg1IV92126\n http://www.ibm.com/support/docview.wss?uid=isg1IV92194\n http://www.ibm.com/support/docview.wss?uid=isg1IV92193\n http://www.ibm.com/support/docview.wss?uid=isg1IV92067\n \n https://www.ibm.com/support/docview.wss?uid=isg1IV91803\n https://www.ibm.com/support/docview.wss?uid=isg1IV91951\n https://www.ibm.com/support/docview.wss?uid=isg1IV92192\n https://www.ibm.com/support/docview.wss?uid=isg1IV92287\n https://www.ibm.com/support/docview.wss?uid=isg1IV92126\n https://www.ibm.com/support/docview.wss?uid=isg1IV92194\n https://www.ibm.com/support/docview.wss?uid=isg1IV92193\n https://www.ibm.com/support/docview.wss?uid=isg1IV92067\n \n By subscribing, you will receive periodic email alerting you\n to the status of the APAR, and a link to download the fix once\n it becomes available.\n\n B. FIXES\n\n Fixes are available.\n\n The fixes can be downloaded via ftp or http from:\n\n ftp://aix.software.ibm.com/aix/efixes/security/ntp_fix8.tar\n http://aix.software.ibm.com/aix/efixes/security/ntp_fix8.tar\n https://aix.software.ibm.com/aix/efixes/security/ntp_fix8.tar \n\n The links above are to a tar file containing this signed\n advisory, interim fixes, and OpenSSL signatures for each interim fix.\n The fixes below include prerequisite checking. This will\n enforce the correct mapping between the fixes and AIX\n Technology Levels.\n\n For NTPv3:\n\n AIX Level Interim Fix (*.Z) KEY PRODUCT(S)\n ----------------------------------------------------------\n 5.3.12.9 IV92194m9a.170113.epkg.Z key_w_fix NTPv3\n 6.1.9.6 IV91803m6a.170112.epkg.Z key_w_fix NTPv3\n 6.1.9.7 IV91803m6a.170112.epkg.Z key_w_fix NTPv3\n 6.1.9.8 IV91803m6a.170112.epkg.Z key_w_fix NTPv3\n 7.1.3.5 IV92193m5a.170112.epkg.Z key_w_fix NTPv3\n 7.1.3.6 IV92193m5a.170112.epkg.Z key_w_fix NTPv3\n 7.1.3.7 IV92193m5a.170112.epkg.Z key_w_fix NTPv3\n 7.1.3.8 IV92193m5a.170112.epkg.Z key_w_fix NTPv3\n 7.1.4.1 IV91951m3a.170113.epkg.Z key_w_fix NTPv3\n 7.1.4.2 IV91951m3a.170113.epkg.Z key_w_fix NTPv3\n 7.1.4.3 IV91951m3a.170113.epkg.Z key_w_fix NTPv3\n 7.2.0.0 IV92192m2a.170112.epkg.Z key_w_fix NTPv3\n 7.2.0.1 IV92192m2a.170112.epkg.Z key_w_fix NTPv3\n 7.2.0.2 IV92192m2a.170112.epkg.Z key_w_fix NTPv3\n 7.2.1.0 IV92067s1a.170112.epkg.Z key_w_fix NTPv3\n 7.2.1.1 IV92067s1a.170112.epkg.Z key_w_fix NTPv3\n\n\n VIOS Level Interim Fix (*.Z) KEY PRODUCT(S)\n -----------------------------------------------------------\n 2.2.4.2x IV91803m6a.170112.epkg.Z key_w_fix NTPv3\n\n \n For NTPv4:\n\n AIX Level Interim Fix (*.Z) KEY PRODUCT(S)\n ----------------------------------------------------------\n 6.1.x IV92287m5a.170113.epkg.Z key_w_fix NTPv4\n 7.1.x IV92126m3a.170106.epkg.Z key_w_fix NTPv4\n 7.2.x IV92126m3a.170106.epkg.Z key_w_fix NTPv4\n \n \n All fixes included are cumulative and address previously\n issued AIX NTP security bulletins with respect to SP and TL. \n\n To extract the fixes from the tar file:\n\n tar xvf ntp_fix8.tar\n cd ntp_fix8\n\n Verify you have retrieved the fixes intact:\n\n The checksums below were generated using the\n \"openssl dgst -sha256 <filename>\" command as the following:\n\n openssl dgst -sha256 filename KEY\n -----------------------------------------------------------------------------------------------------\n 70044311eab50e798b1a0756b8f7fef368b65ae79c03496c1fbcf5ba8da7b176 IV91803m6a.170112.epkg.Z key_w_csum\n 8ef346dbd1d7f3d8e9c03b21fa6e2cd1dca88de9d0951675a4787f34bf892f30 IV91951m3a.170113.epkg.Z key_w_csum\n f6105a97e957651e8a464cfd6edd0ad50a74ba9dffb974925612f68d21fa7857 IV92192m2a.170112.epkg.Z key_w_csum\n f1ab705600cc8b08dd11a6e12d1b32a2ec89b988557502ffffd6c06dd53936b9 IV92287m5a.170113.epkg.Z key_w_csum\n 57c9db9c53098f21e837a407e2b2dead1c1c754d44812eb0392d050e697ae2bd IV92126m3a.170106.epkg.Z key_w_csum\n f8d9c43a2ae724a7a1e69caab5973aed0bb4b6ddc72bc57d038fad6faa680fa1 IV92194m9a.170113.epkg.Z key_w_csum\n 558db7a325e5d6733bac66f9b01a9dee4a93826163a50992ee99c1cb9f7dfe70 IV92193m5a.170112.epkg.Z key_w_csum\n eee9aec25443fa496168f7c4cfb289dbfaeed96c8be0fc3cb57b888733e4f9d4 IV92067s1a.170112.epkg.Z key_w_csum\n\n \n These sums should match exactly. The OpenSSL signatures in the tar\n file and on this advisory can also be used to verify the\n integrity of the fixes. If the sums or signatures cannot be\n confirmed, contact IBM AIX Security at\n security-alert@austin.ibm.com and describe the discrepancy.\n \n openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>\n\n openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>\n\n Published advisory OpenSSL signature file location:\n \n http://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc.sig\n https://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc.sig\n ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc.sig \n\n C. FIX AND INTERIM FIX INSTALLATION\n\n IMPORTANT: If possible, it is recommended that a mksysb backup\n of the system be created. Verify it is both bootable and\n readable before proceeding.\n\n The fix will not take affect until any running xntpd servers\n have been stopped and restarted with the following commands:\n\n stopsrc -s xntpd\n startsrc -s xntpd\n\n To preview a fix installation:\n\n installp -a -d fix_name -p all # where fix_name is the name of the\n # fix package being previewed.\n To install a fix package:\n\n installp -a -d fix_name -X all # where fix_name is the name of the\n # fix package being installed.\n\n After installation the ntp daemon must be restarted:\n\n stopsrc -s xntpd\n startsrc -s xntpd\n\n Interim fixes have had limited functional and regression\n testing but not the full regression testing that takes place\n for Service Packs; however, IBM does fully support them.\n\n Interim fix management documentation can be found at:\n\n http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html\n\n To preview an interim fix installation:\n\n emgr -e ipkg_name -p # where ipkg_name is the name of the\n # interim fix package being previewed.\n\n To install an interim fix package:\n\n emgr -e ipkg_name -X # where ipkg_name is the name of the\n # interim fix package being installed.\n\n WORKAROUNDS AND MITIGATIONS:\n\n None.\n\n\n===============================================================================\n\nCONTACT US:\n\n Note: Keywords labeled as KEY in this document are used for parsing\n purposes.\n\n If you would like to receive AIX Security Advisories via email,\n please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n https://www.ibm.com/support/mynotifications\n\n To view previously issued advisories, please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n https://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n \n Comments regarding the content of this announcement can be\n directed to:\n\n security-alert@austin.ibm.com\n\n To obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n https://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n\n To obtain the PGP public key that can be used to communicate\n securely with the AIX Security Team via security-alert@austin.ibm.com you\n can either:\n\n A. Download the key from our web page:\n\nhttp://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt\nhttps://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt\n\n\n B. Download the key from a PGP Public Key Server. The key ID is:\n\n 0x28BFAA12\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n\nREFERENCES:\n \n Complete CVSS v3 Guide: http://www.first.org/cvss/user-guide\n https://www.first.org/cvss/user-guide\n On-line Calculator v3:\n http://www.first.org/cvss/calculator/3.0\n https://www.first.org/cvss/calculator/3.0\n\n\n\nACKNOWLEDGEMENTS:\n\n None \n\n\nCHANGE HISTORY:\n\n First Issued: Mon Feb 13 15:32:47 CST 2017\n Updated:Fri Feb 17 18:40:29 CST 2017\n Update: New iFixes provided for NTPv3 in AIX 5.3.12.9,6.1.9.6,\n 6.1.9.8,7.1.3.5,7.1.3.6,7.1.3.7,7.1.3.8,7.1.4.3,7.2.0.0,7.2.0.2\n 7.2.1.0,7.2.1.1 and VIOS 2.2.4.x.\n| Updated: Mon Oct 2 10:47:12 CDT 2017\n| Update 2: Removed bos.net.tcp.ntp from the impacted fileset list for\n| AIX 7200-01-02. Fileset bos.net.tcp.ntpd is still listed as impacted\n| for AIX 7200-01-02.\n\n===============================================================================\n\n*The CVSS Environment Score is customer environment specific and will \nultimately impact the Overall CVSS Score. Customers can evaluate the impact \nof this vulnerability in their environments by accessing the links in the \nReference section of this Security Bulletin. \n\nDisclaimer\nAccording to the Forum of Incident Response and Security Teams (FIRST), the \nCommon Vulnerability Scoring System (CVSS) is an \"industry open standard \ndesigned to convey vulnerability severity and help to determine urgency and \npriority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY \nOF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS \nFOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT \nOF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n \n\n\n\n\n\n\n", "edition": 25, "modified": "2017-10-02T10:47:12", "published": "2017-02-13T15:32:47", "id": "NTP_ADVISORY8.ASC", "href": "https://aix.software.ibm.com/aix/efixes/security/ntp_advisory8.asc", "title": "There are multiple vulnerabilities in NTPv3 and NTPv4 that impact AIX.", "type": "aix", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-04-22T00:52:05", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8140", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-8139"], "description": "ntp_advisory6.asc: Version 6\nVersion 6 Issued: Tue Aug 16 11:41:45 CDT 2016 \nVersion 6 Changes: Fix added for AIX 7.2.0.2 and is now included in the \n tar file, ntp_fix6.tar.\n AIX 7.2.0.2 iFix for NTPv3: IV83995s2b.160713.epkg.Z \n\nIBM SECURITY ADVISORY\n\nFirst Issued: Wed Jun 8 13:17:48 CDT 2016 \n|Updated: Tue Aug 16 11:41:45 CDT 2016 \n|Update: Added iFix for AIX 7.2.0.2. \n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc\nhttps://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc\nftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc\n\n\nSecurity Bulletin: Vulnerabilities in NTP affect AIX\n CVE-2015-7973 CVE-2015-7977 CVE-2015-7979 CVE-2015-8158 \n CVE-2015-8139 CVE-2015-8140\n\n===============================================================================\n\nSUMMARY:\n\n There are multiple vulnerabilities in NTP that impact AIX. \n\n\n===============================================================================\n\nVULNERABILITY DETAILS:\n\n CVEID: CVE-2015-7973\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 \n DESCRIPTION: NTP could allow a remote attacker to launch a replay attack.\n An attacker could exploit this vulnerability using authenticated\n broadcast mode packets to conduct a replay attack and gain\n unauthorized access to the system. \n CVSS Base Score: 5.4 \n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/110018 for more\n information.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)\n \n CVEID: CVE-2015-7977\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977\n DESCRIPTION: NTP is vulnerable to a denial of service, caused by a NULL\n pointer dereference. By sending a specially crafted ntpdc reslist\n command, an attacker could exploit this vulnerability to cause a\n segmentation fault.\n CVSS Base Score: 5.3\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/110022 for more\n information.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n CVEID: CVE-2015-7979\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979\n DESCRIPTION: NTP could allow a remote attacker to bypass security\n restrictions. By sending specially crafted broadcast packets with bad\n authentication, an attacker could exploit this vulnerability to cause\n the target broadcast client to tear down the association with the\n broadcast server.\n CVSS Base Score: 6.5\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/110024 for more\n information.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n CVEID: CVE-2015-8139\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8139\n DESCRIPTION: NTP could allow a remote attacker to obtain sensitive\n information, caused by an origin leak in ntpq and ntpdc. An attacker\n could exploit this vulnerability to obtain sensitive information. \n CVSS Base Score: 5.3\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/110027 for more\n information.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n CVEID: CVE-2015-8140\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8140\n DESCRIPTION: NTP could allow a remote attacker to launch a replay attack.\n An attacker could exploit this vulnerability using ntpq to conduct a\n replay attack and gain unauthorized access to the system. \n CVSS Base Score: 5.3\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/110028 for more\n information.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n CVEID: CVE-2015-8158\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158\n DESCRIPTION: NTP is vulnerable to a denial of service, caused by the\n improper processing of incoming packets by ntpq. By sending specially\n crafted data, an attacker could exploit this vulnerability to cause\n the application to enter into an infinite loop.\n CVSS Base Score: 5.3\n CVSS Temporal Score: See\n https://exchange.xforce.ibmcloud.com/vulnerabilities/110026 for more\n information.\n CVSS Environmental Score*: Undefined\n CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n \n\n AFFECTED PRODUCTS AND VERSIONS:\n \n AIX 5.3, 6.1, 7.1, 7.2\n VIOS 2.2.x\n\n The following fileset levels are vulnerable:\n \n key_fileset = aix\n \n For NTPv3:\n\n Fileset Lower Level Upper Level KEY PRODUCT(S)\n -----------------------------------------------------------------\n bos.net.tcp.client 5.3.12.0 5.3.12.10 key_w_fs NTPv3\n bos.net.tcp.client 6.1.9.0 6.1.9.102 key_w_fs NTPv3\n bos.net.tcp.client 7.1.3.0 7.1.3.47 key_w_fs NTPv3\n bos.net.tcp.client 7.1.4.0 7.1.4.1 key_w_fs NTPv3\n bos.net.tcp.ntp 7.2.0.0 7.2.0.2 key_w_fs NTPv3\n bos.net.tcp.ntpd 7.2.0.0 7.2.0.2 key_w_fs NTPv3\n\n\n For NTPv4:\n\n Fileset Lower Level Upper Level KEY PRODUCT(S)\n -----------------------------------------------------------------\n ntp.rte 6.1.6.0 6.1.6.5 key_w_fs NTPv4\n ntp.rte 7.1.0.0 7.1.0.5 key_w_fs NTPv4\n \n Note: to find out whether the affected filesets are installed \n on your systems, refer to the lslpp command found in AIX user's guide.\n\n Example: lslpp -L | grep -i ntp.rte \n\n\n REMEDIATION:\n\n A. APARS\n \n IBM has assigned the following APARs to this problem:\n\n For NTPv3:\n\n AIX Level APAR Availability SP KEY PRODUCT(S)\n ------------------------------------------------------------\n 5.3.12 IV84269 N/A key_w_apar NTPv3\n 6.1.9 IV83984 10/21/16 SP8 key_w_apar NTPv3\n 7.1.3 IV83993 1/27/17 SP8 key_w_apar NTPv3\n 7.1.4 IV83994 10/21/16 SP3 key_w_apar NTPv3\n 7.2.0 IV83995 1/27/17 SP3 key_w_apar NTPv3\n\n For NTPv4:\n\n AIX Level APAR Availability SP KEY PRODUCT(S)\n ------------------------------------------------------------\n 6.1.9 IV83992 10/21/16 SP8 key_w_apar NTPv4\n 7.1.3 IV83983 1/27/17 SP8 key_w_apar NTPv4\n 7.1.4 IV83983 10/21/16 SP3 key_w_apar NTPv4\n 7.2.0 IV83983 1/27/17 SP3 key_w_apar NTPv4\n\n Subscribe to the APARs here:\n\n http://www.ibm.com/support/docview.wss?uid=isg1IV83983\n http://www.ibm.com/support/docview.wss?uid=isg1IV83984\n http://www.ibm.com/support/docview.wss?uid=isg1IV83992\n http://www.ibm.com/support/docview.wss?uid=isg1IV83993\n http://www.ibm.com/support/docview.wss?uid=isg1IV83994\n http://www.ibm.com/support/docview.wss?uid=isg1IV83995\n http://www.ibm.com/support/docview.wss?uid=isg1IV84269\n\n By subscribing, you will receive periodic email alerting you\n to the status of the APAR, and a link to download the fix once\n it becomes available.\n\n B. FIXES\n\n Fixes are available.\n\n The fixes can be downloaded via ftp or http from:\n\n ftp://aix.software.ibm.com/aix/efixes/security/ntp_fix6.tar\n http://aix.software.ibm.com/aix/efixes/security/ntp_fix6.tar\n https://aix.software.ibm.com/aix/efixes/security/ntp_fix6.tar \n\n The link above is to a tar file containing this signed\n advisory, fix packages, and OpenSSL signatures for each package.\n The fixes below include prerequisite checking. This will\n enforce the correct mapping between the fixes and AIX\n Technology Levels.\n\n For NTPv3:\n\n AIX Level Interim Fix (*.Z) KEY PRODUCT(S)\n ----------------------------------------------------------\n 5.3.12.9 IV84269m9a.160522.epkg.Z key_w_fix NTPv3\n 6.1.9.4 IV83984m4a.160506.epkg.Z key_w_fix NTPv3\n 6.1.9.5 IV83984m5a.160510.epkg.Z key_w_fix NTPv3\n 6.1.9.6 IV83984m6a.160504.epkg.Z key_w_fix NTPv3\n 6.1.9.7 IV83984s7a.160622.epkg.Z key_w_fix NTPv3\n 7.1.3.4 IV83993m4b.160510.epkg.Z key_w_fix NTPv3\n 7.1.3.5 IV83993m5a.160510.epkg.Z key_w_fix NTPv3\n 7.1.3.6 IV83993m6a.160505.epkg.Z key_w_fix NTPv3\n 7.1.3.7 IV83993s7a.160714.epkg.Z key_w_fix NTPv3\n 7.1.4.0 IV83994m1a.160505.epkg.Z key_w_fix NTPv3\n 7.1.4.1 IV83994m1a.160505.epkg.Z key_w_fix NTPv3\n 7.1.4.2 IV83994s2a.160620.epkg.Z key_w_fix NTPv3\n 7.2.0.0 IV83995m0a.160510.epkg.Z key_w_fix NTPv3\n 7.2.0.1 IV83995m1a.160601.epkg.Z key_w_fix NTPv3\n| 7.2.0.2 IV83995s2b.160713.epkg.Z key_w_fix NTPv3\n\n VIOS Level Interim Fix (*.Z) KEY PRODUCT(S)\n -----------------------------------------------------------\n 2.2.4.0 IV83984m6a.160504.epkg.Z key_w_fix NTPv3\n 2.2.4.2x IV83984s7a.160622.epkg.Z key_w_fix NTPv3\n\n For NTPv4:\n\n AIX Level Interim Fix (*.Z) KEY PRODUCT(S)\n ----------------------------------------------------------\n 6.1.x IV83992s5a.160602.epkg.Z key_w_fix NTPv4\n 7.1.x IV83983s5a.160602.epkg.Z key_w_fix NTPv4\n 7.2.x IV83983s5a.160602.epkg.Z key_w_fix NTPv4\n \n VIOS Level Interim Fix (*.Z) KEY PRODUCT(S)\n -----------------------------------------------------------\n 2.2.x IV83992s5a.160602.epkg.Z key_w_fix NTPv4\n \n All fixes included are cumulative and address previously\n issued AIX NTP security bulletins with respect to SP and TL. \n\n To extract the fixes from the tar file:\n\n tar xvf ntp_fix6.tar\n cd ntp_fix6\n\n Verify you have retrieved the fixes intact:\n\n The checksums below were generated using the\n \"openssl dgst -sha256 file\" command as the followng:\n\n openssl dgst -sha256 filename KEY\n -----------------------------------------------------------------------------------------------------\n 1dde048eab83d5519a8331f2db377a010f6adccb24665eaebabf2d8fb55decda IV83983s5a.160602.epkg.Z key_w_csum\n afbe3f7603602dc81f7a55dd68f7e00f6d6c90672cc91dca6d647a5e9455f470 IV83984m4a.160506.epkg.Z key_w_csum\n 1df47de2dc201ac958da849a126b68f9c58c88ec4bd11ab0874465f25ba92878 IV83984m5a.160510.epkg.Z key_w_csum\n 7b26d3a1e5e420e2c93febbd87f73806cdef506793abe7508d189ef6ee2596a7 IV83984m6a.160504.epkg.Z key_w_csum\n 14ec9d1beab7335c197662ad57e112b17c25f2ffc13bb9b9767416b5dda9251b IV83984s7a.160622.epkg.Z key_w_csum\n 657a259c37c99aa990933f1ecd7719fcb07c7852acd3236bc33f932c45ad5bee IV83992s5a.160602.epkg.Z key_w_csum\n cb890c4c7d3a0ab09fe10da469721737d2a4cbd3baa4da5214e68ce467a6b1b0 IV83993m4b.160510.epkg.Z key_w_csum\n 3b78ac22352ec959be91a561f23b13912f7fbda00974d818c5a66bc332e85abc IV83993m5a.160510.epkg.Z key_w_csum\n 0c73bb6b7da724d29400c4398fb98bc3cfb45a88e9744879fcde6c421108bee6 IV83993m6a.160505.epkg.Z key_w_csum\n 86998a1cb16cc5d5f941fe737709cd210754d85449a4cb280662026f6ef5bf09 IV83993s7a.160714.epkg.Z key_w_csum\n c3abfb2272f6a6793f2ef9c4d5e8a54cf5d60c20d49b65414a9c5d2d28b9c964 IV83994m1a.160505.epkg.Z key_w_csum\n 540fcf0df555219d88619bac9e7de276010d26fad5957d5bac8decd19798bd93 IV83994s2a.160620.epkg.Z key_w_csum\n 7b214849e3d46c41498eef287497e7576f89fe274ca4305a6b3e5eb7e2be63dd IV83995m0a.160510.epkg.Z key_w_csum\n 97c9b857e023d89fdfc22730938ea4127c7efce25628d76abdc86337f64f7a03 IV83995m1a.160601.epkg.Z key_w_csum\n| ef7f0f4a205af86be406ed7b1258080f8e916e5e6fbc86a8b7cdd927f670cd29 IV83995s2b.160713.epkg.Z key_w_csum\n 732f0254ace2786f5e7ddadef10e1e64cc381ecf5d6ebb9131b64115f87e8d52 IV84269m9a.160522.epkg.Z key_w_csum\n\n\n These sums should match exactly. The OpenSSL signatures in the tar\n file and on this advisory can also be used to verify the\n integrity of the fixes. If the sums or signatures cannot be\n confirmed, contact IBM AIX Security at\n security-alert@austin.ibm.com and describe the discrepancy.\n \n openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>\n\n openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>\n\n Published advisory OpenSSL signature file location:\n \n http://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc.sig\n https://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc.sig\n ftp://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc.sig \n\n C. FIX AND INTERIM FIX INSTALLATION\n\n IMPORTANT: If possible, it is recommended that a mksysb backup\n of the system be created. Verify it is both bootable and\n readable before proceeding.\n\n The fix will not take affect until any running xntpd servers\n have been stopped and restarted with the following commands:\n\n stopsrc -s xntpd\n startsrc -s xntpd\n\n To preview a fix installation:\n\n installp -a -d fix_name -p all # where fix_name is the name of the\n # fix package being previewed.\n To install a fix package:\n\n installp -a -d fix_name -X all # where fix_name is the name of the\n # fix package being installed.\n\n After installation the ntp daemon must be restarted:\n\n stopsrc -s xntpd\n\n startsrc -s xntpd\n\n Interim fixes have had limited functional and regression\n testing but not the full regression testing that takes place\n for Service Packs; however, IBM does fully support them.\n\n Interim fix management documentation can be found at:\n\n http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html\n\n To preview an interim fix installation:\n\n emgr -e ipkg_name -p # where ipkg_name is the name of the\n # interim fix package being previewed.\n\n To install an interim fix package:\n\n emgr -e ipkg_name -X # where ipkg_name is the name of the\n # interim fix package being installed.\n\n WORKAROUNDS AND MITIGATIONS:\n\n For CVE-2015-8139 and CVE-2015-8140:\n Monitor your ntpd instances.\n If this sort of attack is an active problem for you, you have deeper\n problems to investigate. Also consider having smaller NTP broadcast \n domains. \n If you must enable mode 7: \n configure the use of a requestkey to control who can issue mode 7\n requests. \n configure restrict noquery to further limit mode 7 requests to\n trusted sources.\n Don't use broadcast mode if you cannot monitor your client servers. \n\n\n===============================================================================\n\nCONTACT US:\n\n Note: Keywords labeled as KEY in this document are used for parsing\n purposes.\n\n If you would like to receive AIX Security Advisories via email,\n please visit \"My Notifications\":\n\n http://www.ibm.com/support/mynotifications\n\n To view previously issued advisories, please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n \n Comments regarding the content of this announcement can be\n directed to:\n\n security-alert@austin.ibm.com\n\n To obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pubkey.txt\n\n To obtain the PGP public key that can be used to communicate\n securely with the AIX Security Team via security-alert@austin.ibm.com you\n can either:\n\n A. Download the key from our web page:\n\nhttp://www.ibm.com/systems/resources/systems_p_os_aix_security_pgppubkey.txt\n\n B. Download the key from a PGP Public Key Server. The key ID is:\n\n 0x28BFAA12\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n\nREFERENCES:\n \n Complete CVSS v3 Guide: http://www.first.org/cvss/user-guide\n On-line Calculator v3:\n http://www.first.org/cvss/calculator/3.0\n\n\nACKNOWLEDGEMENTS:\n\n None \n\n\nCHANGE HISTORY:\n\n First Issued: Wed Jun 8 13:17:48 CDT 2016 \n Updated: Thu Jun 9 11:04:06 CDT 2016\n Update: CVE-2015-8139 and CVE-2015-8140 added with clarified Workarounds\n and Mitigations section.\n Updated: Mon Jun 20 10:45:48 CDT 2016\n Update: Added iFix for AIX 7.1.4.2.\n Updated: Wed Jun 22 10:25:29 CDT 2016 \n Update: Added iFix for AIX 6.1.9.7 and VIOS 2.2.4.20.\n Updated: Tue Jul 19 11:47:37 CDT 2016\n Update: Added iFix for AIX 7.1.3.7.\n| Updated: Tue Aug 16 11:41:45 CDT 2016\n| Update: Added iFix for AIX 7.2.0.2.\n\n\n===============================================================================\n\n*The CVSS Environment Score is customer environment specific and will \nultimately impact the Overall CVSS Score. Customers can evaluate the impact \nof this vulnerability in their environments by accessing the links in the \nReference section of this Security Bulletin. \n\nDisclaimer\nAccording to the Forum of Incident Response and Security Teams (FIRST), the \nCommon Vulnerability Scoring System (CVSS) is an \"industry open standard \ndesigned to convey vulnerability severity and help to determine urgency and \npriority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY \nOF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS \nFOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT \nOF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n \n\n", "edition": 17, "modified": "2016-08-16T11:41:45", "published": "2016-06-08T13:17:48", "id": "NTP_ADVISORY6.ASC", "href": "https://aix.software.ibm.com/aix/efixes/security/ntp_advisory6.asc", "title": "Vulnerabilities in NTP affect AIX,Vulnerabilities in NTP affect VIOS", "type": "aix", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:32:24", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7434", "CVE-2016-9311", "CVE-2016-7433", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-9310", "CVE-2016-7426", "CVE-2016-7431"], "description": "\nProblem Description:\nMultiple vulnerabilities have been discovered in the NTP\n\tsuite:\nCVE-2016-9311: Trap crash, Reported by Matthew Van Gundy\n\tof Cisco ASIG.\nCVE-2016-9310: Mode 6 unauthenticated trap information\n\tdisclosure and DDoS vector. Reported by Matthew Van Gundy\n\tof Cisco ASIG.\nCVE-2016-7427: Broadcast Mode Replay Prevention DoS.\n\tReported by Matthew Van Gundy of Cisco ASIG.\nCVE-2016-7428: Broadcast Mode Poll Interval Enforcement\n\tDoS. Reported by Matthew Van Gundy of Cisco ASIG.\nCVE-2016-7431: Regression: 010-origin: Zero Origin\n\tTimestamp Bypass. Reported by Sharon Goldberg and Aanchal\n\tMalhotra of Boston University.\nCVE-2016-7434: Null pointer dereference in\n\t_IO_str_init_static_internal(). Reported by Magnus Stubman.\nCVE-2016-7426: Client rate limiting and server responses.\n\tReported by Miroslav Lichvar of Red Hat.\nCVE-2016-7433: Reboot sync calculation problem. Reported\n\tindependently by Brian Utterback of Oracle, and by Sharon\n\tGoldberg and Aanchal Malhotra of Boston University.\nImpact:\nA remote attacker who can send a specially crafted packet\n\tto cause a NULL pointer dereference that will crash ntpd,\n\tresulting in a Denial of Service. [CVE-2016-9311]\nAn exploitable configuration modification vulnerability\n\texists in the control mode (mode 6) functionality of ntpd.\n\tIf, against long-standing BCP recommendations, \"restrict\n\tdefault noquery ...\" is not specified, a specially crafted\n\tcontrol mode packet can set ntpd traps, providing information\n\tdisclosure and DDoS amplification, and unset ntpd traps,\n\tdisabling legitimate monitoring by an attacker from remote.\n\t[CVE-2016-9310]\nAn attacker with access to the NTP broadcast domain can\n\tperiodically inject specially crafted broadcast mode NTP\n\tpackets into the broadcast domain which, while being logged\n\tby ntpd, can cause ntpd to reject broadcast mode packets\n\tfrom legitimate NTP broadcast servers. [CVE-2016-7427]\nAn attacker with access to the NTP broadcast domain can\n\tsend specially crafted broadcast mode NTP packets to the\n\tbroadcast domain which, while being logged by ntpd, will\n\tcause ntpd to reject broadcast mode packets from legitimate\n\tNTP broadcast servers. [CVE-2016-7428]\nOrigin timestamp problems were fixed in ntp 4.2.8p6.\n\tHowever, subsequent timestamp validation checks introduced\n\ta regression in the handling of some Zero origin timestamp\n\tchecks. [CVE-2016-7431]\nIf ntpd is configured to allow mrulist query requests\n\tfrom a server that sends a crafted malicious packet, ntpd\n\twill crash on receipt of that crafted malicious mrulist\n\tquery packet. [CVE-2016-7434]\nAn attacker who knows the sources (e.g., from an IPv4\n\trefid in server response) and knows the system is (mis)configured\n\tin this way can periodically send packets with spoofed\n\tsource address to keep the rate limiting activated and\n\tprevent ntpd from accepting valid responses from its sources.\n\t[CVE-2016-7426]\nNtp Bug 2085 described a condition where the root delay\n\twas included twice, causing the jitter value to be higher\n\tthan expected. Due to a misinterpretation of a small-print\n\tvariable in The Book, the fix for this problem was incorrect,\n\tresulting in a root distance that did not include the peer\n\tdispersion. The calculations and formulas have been reviewed\n\tand reconciled, and the code has been updated accordingly.\n\t[CVE-2016-7433]\n", "edition": 5, "modified": "2016-12-22T00:00:00", "published": "2016-12-22T00:00:00", "id": "FCEDCDBB-C86E-11E6-B1CF-14DAE9D210B8", "href": "https://vuxml.freebsd.org/freebsd/fcedcdbb-c86e-11e6-b1cf-14dae9d210b8.html", "title": "FreeBSD -- Multiple vulnerabilities of ntp", "type": "freebsd", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:32:28", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9312", "CVE-2016-7434", "CVE-2016-9311", "CVE-2016-7433", "CVE-2016-7427", "CVE-2016-7429", "CVE-2016-7428", "CVE-2016-9310", "CVE-2016-7426", "CVE-2016-7431"], "description": "\nNetwork Time Foundation reports:\n\nNTF's NTP Project is releasing ntp-4.2.8p9, which addresses:\n\n1 HIGH severity vulnerability that only affects Windows\n2 MEDIUM severity vulnerabilities\n2 MEDIUM/LOW severity vulnerabilities\n5 LOW severity vulnerabilities\n28 other non-security fixes and improvements\n\nAll of the security issues in this release are listed in\n\t VU#633847.\n\n", "edition": 5, "modified": "2016-11-21T00:00:00", "published": "2016-11-21T00:00:00", "id": "8DB8D62A-B08B-11E6-8EBA-D050996490D0", "href": "https://vuxml.freebsd.org/freebsd/8db8d62a-b08b-11e6-8eba-d050996490d0.html", "title": "ntp -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:32:52", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "description": "\nNetwork Time Foundation reports:\n\nNTF's NTP Project has been notified of the following low-\n\t and medium-severity vulnerabilities that are fixed in\n\t ntp-4.2.8p6, released on Tuesday, 19 January 2016:\n\nBug 2948 / CVE-2015-8158: Potential Infinite Loop\n\t in ntpq. Reported by Cisco ASIG.\nBug 2945 / CVE-2015-8138: origin: Zero Origin\n\t Timestamp Bypass. Reported by Cisco ASIG.\nBug 2942 / CVE-2015-7979: Off-path Denial of\n\t Service (DoS) attack on authenticated broadcast\n\t mode. Reported by Cisco ASIG.\nBug 2940 / CVE-2015-7978: Stack exhaustion in\n\t recursive traversal of restriction list.\n\t Reported by Cisco ASIG.\nBug 2939 / CVE-2015-7977: reslist NULL pointer\n\t dereference. Reported by Cisco ASIG.\nBug 2938 / CVE-2015-7976: ntpq saveconfig command\n\t allows dangerous characters in filenames.\n\t Reported by Cisco ASIG.\nBug 2937 / CVE-2015-7975: nextvar() missing length\n\t check. Reported by Cisco ASIG.\nBug 2936 / CVE-2015-7974: Skeleton Key: Missing\n\t key check allows impersonation between authenticated\n\t peers. Reported by Cisco ASIG.\nBug 2935 / CVE-2015-7973: Deja Vu: Replay attack on\n\t authenticated broadcast mode. Reported by Cisco ASIG.\n\nAdditionally, mitigations are published for the following\n\t two issues:\n\nBug 2947 / CVE-2015-8140: ntpq vulnerable to replay\n\t attacks. Reported by Cisco ASIG.\nBug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc,\n\t disclose origin. Reported by Cisco ASIG.\n\n\n", "edition": 5, "modified": "2016-08-09T00:00:00", "published": "2016-01-20T00:00:00", "id": "5237F5D7-C020-11E5-B397-D050996490D0", "href": "https://vuxml.freebsd.org/freebsd/5237f5d7-c020-11e5-b397-d050996490d0.html", "title": "ntp -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "huawei": [{"lastseen": "2019-02-01T18:02:17", "bulletinFamily": "software", "cvelist": ["CVE-2016-7434", "CVE-2016-9311", "CVE-2016-7433", "CVE-2016-7427", "CVE-2016-7429", "CVE-2016-7428", "CVE-2016-9310", "CVE-2016-7426", "CVE-2016-7431"], "description": "Products\n\nSwitches\nRouters\nWLAN\nServers\nSee All\n\n\n\nSolutions\n\nCloud Data Center\nEnterprise Networking\nWireless Private Network\nSolutions by Industry\nSee All\n\n\n\nServices\n\nTraining and Certification\nICT Lifecycle Services\nTechnology Services\nIndustry Solution Services\nSee All\n\n\n\nSee all offerings at e.huawei.com\n\n\n\nNeed Support ?\n\nProduct Support\nSoftware Download\nCommunity\nTools\n\nGo to Full Support", "edition": 1, "modified": "2017-11-29T00:00:00", "published": "2017-11-29T00:00:00", "id": "HUAWEI-SA-20171129-01-NTPD", "href": "https://www.huawei.com/en/psirt/security-advisories/2017/huawei-sa-20171129-01-ntpd-en", "title": "Security Advisory - Multiple NTPd Vulnerabilities in Huawei Products", "type": "huawei", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "archlinux": [{"lastseen": "2020-09-22T18:36:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7426", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-7429", "CVE-2016-7431", "CVE-2016-7433", "CVE-2016-7434", "CVE-2016-9310", "CVE-2016-9311"], "description": "Arch Linux Security Advisory ASA-201611-28\n==========================================\n\nSeverity: High\nDate : 2016-11-26\nCVE-ID : CVE-2016-7426 CVE-2016-7427 CVE-2016-7428 CVE-2016-7429\nCVE-2016-7431 CVE-2016-7433 CVE-2016-7434 CVE-2016-9310\nCVE-2016-9311\nPackage : ntp\nType : multiple issues\nRemote : Yes\nLink : https://wiki.archlinux.org/index.php/CVE\n\nSummary\n=======\n\nThe package ntp before version 4.2.8.p9-1 is vulnerable to multiple\nissues including denial of service, insufficient validation and\nincorrect calculation.\n\nResolution\n==========\n\nUpgrade to 4.2.8.p9-1.\n\n# pacman -Syu \"ntp>=4.2.8.p9-1\"\n\nThe problems have been fixed upstream in version 4.2.8.p9.\n\nWorkaround\n==========\n\nA partial fix to some of the issues is to implement BCP-38, use\n\"restrict default noquery ...\" in your ntp.conf file and only allow\nmode 6 queries from trusted networks and hosts.\n\nDescription\n===========\n\n- CVE-2016-7426 (denial of service)\n\nWhen ntpd is configured with rate limiting for all associations\n(restrict default limited in ntp.conf), the limits are applied also to\nresponses received from its configured sources. An attacker who knows\nthe sources (e.g., from an IPv4 refid in server response) and knows the\nsystem is (mis)configured in this way can periodically send packets\nwith spoofed source address to keep the rate limiting activated and\nprevent ntpd from accepting valid responses from its sources.\n\n- CVE-2016-7427 (denial of service)\n\nThe broadcast mode of NTP is expected to only be used in a trusted\nnetwork. If the broadcast network is accessible to an attacker, a\npotentially exploitable denial of service vulnerability in ntpd's\nbroadcast mode replay prevention functionality can be abused. An\nattacker with access to the NTP broadcast domain can periodically\ninject specially crafted broadcast mode NTP packets into the broadcast\ndomain which, while being logged by ntpd, can cause ntpd to reject\nbroadcast mode packets from legitimate NTP broadcast servers.\n\n- CVE-2016-7428 (denial of service)\n\nThe broadcast mode of NTP is expected to only be used in a trusted\nnetwork. If the broadcast network is accessible to an attacker, a\npotentially exploitable denial of service vulnerability in ntpd's\nbroadcast mode poll interval enforcement functionality can be abused.\nTo limit abuse, ntpd restricts the rate at which each broadcast\nassociation will process incoming packets. ntpd will reject broadcast\nmode packets that arrive before the poll interval specified in the\npreceding broadcast packet expires. An attacker with access to the NTP\nbroadcast domain can send specially crafted broadcast mode NTP packets\nto the broadcast domain which, while being logged by ntpd, will cause\nntpd to reject broadcast mode packets from legitimate NTP broadcast\nservers.\n\n- CVE-2016-7429 (denial of service)\n\nWhen ntpd receives a server response on a socket that corresponds to a\ndifferent interface than was used for the request, the peer structure\nis updated to use the interface for new requests. If ntpd is running on\na host with multiple interfaces in separate networks and the operating\nsystem doesn't check source address in received packets (e.g. rp_filter\non Linux is set to 0), an attacker that knows the address of the source\ncan send a packet with spoofed source address which will cause ntpd to\nselect wrong interface for the source and prevent it from sending new\nrequests until the list of interfaces is refreshed, which happens on\nrouting changes or every 5 minutes by default. If the attack is\nrepeated often enough (once per second), ntpd will not be able to\nsynchronize with the source.\n\n- CVE-2016-7431 (insufficient validation)\n\nZero Origin timestamp problems were fixed by Bug 2945 in ntp-4.2.8p6.\nHowever, subsequent timestamp validation checks introduced a regression\nin the handling of some Zero origin timestamp checks.\n\n- CVE-2016-7433 (incorrect calculation)\n\nntpd Bug 2085 described a condition where the root delay was included\ntwice, causing the jitter value to be higher than expected. Due to a\nmisinterpretation of a small-print variable in The Book, the fix for\nthis problem was incorrect, resulting in a root distance that did not\ninclude the peer dispersion. The calculations and formula have been\nreviewed and reconciled, and the code has been updated accordingly.\n\n- CVE-2016-7434 (denial of service)\n\nIf ntpd is configured to allow mrulist query requests from a server\nthat sends a crafted malicious packet, ntpd will crash on receipt of\nthat crafted malicious mrulist query packet.\n\n- CVE-2016-9310 (denial of service)\n\nAn exploitable configuration modification vulnerability exists in the\ncontrol mode (mode 6) functionality of ntpd. If, against long-standing\nBCP recommendations, \"restrict default noquery ...\" is not specified, a\nspecially crafted control mode packet can set ntpd traps, providing\ninformation disclosure and DDoS amplification, and unset ntpd traps,\ndisabling legitimate monitoring. A remote, unauthenticated, network\nattacker can trigger this vulnerability.\n\n- CVE-2016-9311 (denial of service)\n\nntpd does not enable trap service by default. If trap service has been\nexplicitly enabled, an attacker can send a specially crafted packet to\ncause a null pointer dereference that will crash ntpd, resulting in a\ndenial of service.\n\nImpact\n======\n\nA remote unauthenticated attacker may be able to perform a denial of\nservice attack on ntpd via multiple vectors.\n\nReferences\n==========\n\nhttp://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se\nhttp://www.kb.cert.org/vuls/id/633847\nhttp://support.ntp.org/bin/view/Main/NtpBug3071\nhttp://support.ntp.org/bin/view/Main/NtpBug3114\nhttp://support.ntp.org/bin/view/Main/NtpBug3113\nhttp://support.ntp.org/bin/view/Main/NtpBug3072\nhttp://support.ntp.org/bin/view/Main/NtpBug3102\nhttp://support.ntp.org/bin/view/Main/NtpBug3067\nhttp://bugs.ntp.org/show_bug.cgi?id=2085\nhttp://support.ntp.org/bin/view/Main/NtpBug3082\nhttp://support.ntp.org/bin/view/Main/NtpBug3118\nhttp://support.ntp.org/bin/view/Main/NtpBug3119\nhttps://access.redhat.com/security/cve/CVE-2016-7426\nhttps://access.redhat.com/security/cve/CVE-2016-7427\nhttps://access.redhat.com/security/cve/CVE-2016-7428\nhttps://access.redhat.com/security/cve/CVE-2016-7429\nhttps://access.redhat.com/security/cve/CVE-2016-7431\nhttps://access.redhat.com/security/cve/CVE-2016-7433\nhttps://access.redhat.com/security/cve/CVE-2016-7434\nhttps://access.redhat.com/security/cve/CVE-2016-9310\nhttps://access.redhat.com/security/cve/CVE-2016-9311", "modified": "2016-11-26T00:00:00", "published": "2016-11-26T00:00:00", "id": "ASA-201611-28", "href": "https://security.archlinux.org/ASA-201611-28", "type": "archlinux", "title": "[ASA-201611-28] ntp: multiple issues", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}], "ubuntu": [{"lastseen": "2020-07-02T11:38:44", "bulletinFamily": "unix", "cvelist": ["CVE-2016-9311", "CVE-2018-7185", "CVE-2018-7183", "CVE-2016-7427", "CVE-2017-6462", "CVE-2017-6463", "CVE-2016-7428", "CVE-2016-9310", "CVE-2016-7426"], "description": "USN-3707-1 and USN-3349-1 fixed several vulnerabilities in NTP. This update \nprovides the corresponding update for Ubuntu 12.04 ESM.\n\nOriginal advisory details:\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain spoofed \naddresses when performing rate limiting. A remote attacker could possibly \nuse this issue to perform a denial of service. (CVE-2016-7426)\n\nMatthew Van Gundy discovered that NTP incorrectly handled certain crafted \nbroadcast mode packets. A remote attacker could possibly use this issue to \nperform a denial of service. (CVE-2016-7427, CVE-2016-7428)\n\nMatthew Van Gundy discovered that NTP incorrectly handled certain control \nmode packets. A remote attacker could use this issue to set or unset traps. \n(CVE-2016-9310)\n\nMatthew Van Gundy discovered that NTP incorrectly handled the trap service. \nA remote attacker could possibly use this issue to cause NTP to crash, resulting \nin a denial of service. (CVE-2016-9311)\n\nIt was discovered that the NTP legacy DPTS refclock driver incorrectly handled \nthe /dev/datum device. A local attacker could possibly use this issue to cause \na denial of service. (CVE-2017-6462)\n\nIt was discovered that NTP incorrectly handled certain invalid settings in a \n:config directive. A remote authenticated user could possibly use this issue \nto cause NTP to crash, resulting in a denial of service. (CVE-2017-6463)\n\nMichael Macnair discovered that NTP incorrectly handled certain responses. \nA remote attacker could possibly use this issue to execute arbitrary code. \n(CVE-2018-7183)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain \nzero-origin timestamps. A remote attacker could possibly use this issue to \ncause a denial of service. (CVE-2018-7185)", "edition": 4, "modified": "2019-01-23T00:00:00", "published": "2019-01-23T00:00:00", "id": "USN-3707-2", "href": "https://ubuntu.com/security/notices/USN-3707-2", "title": "NTP vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-02T11:34:29", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7434", "CVE-2016-9311", "CVE-2017-6460", "CVE-2016-7433", "CVE-2017-6458", "CVE-2016-7427", "CVE-2016-9042", "CVE-2017-6462", "CVE-2016-7429", "CVE-2017-6463", "CVE-2016-2519", "CVE-2016-7428", "CVE-2016-9310", "CVE-2017-6464", "CVE-2016-7426", "CVE-2016-7431"], "description": "Yihan Lian discovered that NTP incorrectly handled certain large request \ndata values. A remote attacker could possibly use this issue to cause NTP \nto crash, resulting in a denial of service. This issue only affected \nUbuntu 16.04 LTS. (CVE-2016-2519)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain spoofed \naddresses when performing rate limiting. A remote attacker could possibly \nuse this issue to perform a denial of service. This issue only affected \nUbuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7426)\n\nMatthew Van Gundy discovered that NTP incorrectly handled certain crafted \nbroadcast mode packets. A remote attacker could possibly use this issue to \nperform a denial of service. This issue only affected Ubuntu 14.04 LTS, \nUbuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7427, CVE-2016-7428)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain responses. \nA remote attacker could possibly use this issue to perform a denial of \nservice. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and \nUbuntu 16.10. (CVE-2016-7429)\n\nSharon Goldberg and Aanchal Malhotra discovered that NTP incorrectly \nhandled origin timestamps of zero. A remote attacker could possibly use \nthis issue to bypass the origin timestamp protection mechanism. This issue \nonly affected Ubuntu 16.10. (CVE-2016-7431)\n\nBrian Utterback, Sharon Goldberg and Aanchal Malhotra discovered that NTP \nincorrectly performed initial sync calculations. This issue only applied \nto Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7433)\n\nMagnus Stubman discovered that NTP incorrectly handled certain mrulist \nqueries. A remote attacker could possibly use this issue to cause NTP to \ncrash, resulting in a denial of service. This issue only affected Ubuntu \n16.04 LTS and Ubuntu 16.10. (CVE-2016-7434)\n\nMatthew Van Gund discovered that NTP incorrectly handled origin timestamp \nchecks. A remote attacker could possibly use this issue to perform a denial \nof service. This issue only affected Ubuntu Ubuntu 16.10, and Ubuntu 17.04. \n(CVE-2016-9042)\n\nMatthew Van Gundy discovered that NTP incorrectly handled certain control \nmode packets. A remote attacker could use this issue to set or unset traps. \nThis issue only applied to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu \n16.10. (CVE-2016-9310)\n\nMatthew Van Gundy discovered that NTP incorrectly handled the trap service. \nA remote attacker could possibly use this issue to cause NTP to crash, \nresulting in a denial of service. This issue only applied to Ubuntu 14.04 \nLTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9311)\n\nIt was discovered that NTP incorrectly handled memory when processing long \nvariables. A remote authenticated user could possibly use this issue to \ncause NTP to crash, resulting in a denial of service. (CVE-2017-6458)\n\nIt was discovered that NTP incorrectly handled memory when processing long \nvariables. A remote authenticated user could possibly use this issue to \ncause NTP to crash, resulting in a denial of service. This issue only \napplied to Ubuntu 16.04 LTS, Ubuntu 16.10 and Ubuntu 17.04. (CVE-2017-6460)\n\nIt was discovered that the NTP legacy DPTS refclock driver incorrectly \nhandled the /dev/datum device. A local attacker could possibly use this \nissue to cause a denial of service. (CVE-2017-6462)\n\nIt was discovered that NTP incorrectly handled certain invalid settings \nin a :config directive. A remote authenticated user could possibly use \nthis issue to cause NTP to crash, resulting in a denial of service. \n(CVE-2017-6463)\n\nIt was discovered that NTP incorrectly handled certain invalid mode \nconfiguration directives. A remote authenticated user could possibly use \nthis issue to cause NTP to crash, resulting in a denial of service. \n(CVE-2017-6464)", "edition": 5, "modified": "2017-07-05T00:00:00", "published": "2017-07-05T00:00:00", "id": "USN-3349-1", "href": "https://ubuntu.com/security/notices/USN-3349-1", "title": "NTP vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-07-02T11:44:30", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2016-4956", "CVE-2016-4955", "CVE-2015-8138", "CVE-2016-0727", "CVE-2015-7973", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7979", "CVE-2016-4954", "CVE-2015-7976", "CVE-2015-7975", "CVE-2016-1547", "CVE-2015-7974", "CVE-2015-7978"], "description": "Aanchal Malhotra discovered that NTP incorrectly handled authenticated \nbroadcast mode. A remote attacker could use this issue to perform a replay \nattack. (CVE-2015-7973)\n\nMatt Street discovered that NTP incorrectly verified peer associations of \nsymmetric keys. A remote attacker could use this issue to perform an \nimpersonation attack. (CVE-2015-7974)\n\nJonathan Gardner discovered that the NTP ntpq utility incorrectly handled \nmemory. An attacker could possibly use this issue to cause ntpq to crash, \nresulting in a denial of service. This issue only affected Ubuntu 16.04 \nLTS. (CVE-2015-7975)\n\nJonathan Gardner discovered that the NTP ntpq utility incorrectly handled \ndangerous characters in filenames. An attacker could possibly use this \nissue to overwrite arbitrary files. (CVE-2015-7976)\n\nStephen Gray discovered that NTP incorrectly handled large restrict lists. \nAn attacker could use this issue to cause NTP to crash, resulting in a \ndenial of service. (CVE-2015-7977, CVE-2015-7978)\n\nAanchal Malhotra discovered that NTP incorrectly handled authenticated \nbroadcast mode. A remote attacker could use this issue to cause NTP to \ncrash, resulting in a denial of service. (CVE-2015-7979)\n\nJonathan Gardner discovered that NTP incorrectly handled origin timestamp \nchecks. A remote attacker could use this issue to spoof peer servers. \n(CVE-2015-8138)\n\nJonathan Gardner discovered that the NTP ntpq utility did not properly \nhandle certain incorrect values. An attacker could possibly use this issue \nto cause ntpq to hang, resulting in a denial of service. (CVE-2015-8158)\n\nIt was discovered that the NTP cronjob incorrectly cleaned up the \nstatistics directory. A local attacker could possibly use this to escalate \nprivileges. (CVE-2016-0727)\n\nStephen Gray and Matthew Van Gundy discovered that NTP incorrectly \nvalidated crypto-NAKs. A remote attacker could possibly use this issue to \nprevent clients from synchronizing. (CVE-2016-1547)\n\nMiroslav Lichvar and Jonathan Gardner discovered that NTP incorrectly \nhandled switching to interleaved symmetric mode. A remote attacker could \npossibly use this issue to prevent clients from synchronizing. \n(CVE-2016-1548)\n\nMatthew Van Gundy, Stephen Gray and Loganaden Velvindron discovered that \nNTP incorrectly handled message authentication. A remote attacker could \npossibly use this issue to recover the message digest key. (CVE-2016-1550)\n\nYihan Lian discovered that NTP incorrectly handled duplicate IPs on \nunconfig directives. An authenticated remote attacker could possibly use \nthis issue to cause NTP to crash, resulting in a denial of service. \n(CVE-2016-2516)\n\nYihan Lian discovered that NTP incorrectly handled certail peer \nassociations. A remote attacker could possibly use this issue to cause NTP \nto crash, resulting in a denial of service. (CVE-2016-2518)\n\nJakub Prokes discovered that NTP incorrectly handled certain spoofed \npackets. A remote attacker could possibly use this issue to cause a denial \nof service. (CVE-2016-4954)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain packets \nwhen autokey is enabled. A remote attacker could possibly use this issue to \ncause a denial of service. (CVE-2016-4955)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain spoofed \nbroadcast packets. A remote attacker could possibly use this issue to \ncause a denial of service. (CVE-2016-4956)\n\nIn the default installation, attackers would be isolated by the NTP \nAppArmor profile.", "edition": 5, "modified": "2016-10-05T00:00:00", "published": "2016-10-05T00:00:00", "id": "USN-3096-1", "href": "https://ubuntu.com/security/notices/USN-3096-1", "title": "NTP vulnerabilities", "type": "ubuntu", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "paloalto": [{"lastseen": "2019-05-29T23:19:22", "bulletinFamily": "software", "cvelist": ["CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "description": "The open source ntp project has been found to contain several vulnerabilities (CVE-2015-8158, CVE-2015-8138, CVE-2015-7979, CVE-2015-7978, CVE-2015-7977, CVE-2015-7976, CVE-2015-7975, CVE-2015-7974, CVE-2015-7973, all released in January 2016). Palo Alto...\n", "edition": 4, "modified": "2016-10-18T00:00:00", "published": "2016-08-15T00:00:00", "id": "PAN-SA-2016-0019", "href": "https://securityadvisories.paloaltonetworks.com/Home/Detail/52", "title": "NTP Vulnerabilities", "type": "paloalto", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "symantec": [{"lastseen": "2020-12-24T10:41:07", "bulletinFamily": "software", "cvelist": ["CVE-2016-7426", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-7429", "CVE-2016-7431", "CVE-2016-7433", "CVE-2016-7434", "CVE-2016-9310", "CVE-2016-9311", "CVE-2016-9312"], "description": "### SUMMARY\n\nSymantec Network Protection products using affected versions of the NTP reference implementation from ntp.org are susceptible to multiple vulnerabilities. A remote attacker can modify the target's system time, prevent the target from synchronizing its time, cause denial of service through NTP daemon crashes, perform DDoS attack amplification, and evade security monitoring in the NTP daemon. \n \n\n\n### AFFECTED PRODUCTS \n\nThe following products are vulnerable:\n\n**Content Analysis (CA)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 2.2 and later | Not vulnerable, fixed in 2.2.1.1 \nCVE-2016-7429, CVE-2016-7433 | 2.1 | Upgrade to later release with fixes. \n1.3 | Upgrade to later release with fixes. \nCVE-2016-7431 | 2.1 | Upgrade to later release with fixes. \n1.3.7.3, 1.3.7.4 | Upgrade to later release with fixes. \n \n \n\n**Director** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs except CVE-2016-7429 | 6.1 | Upgrade to 6.1.23.1. \n \n \n\n**Mail Threat Defense (MTD)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-7429, CVE-2016-7433 | 1.1 | Not available at this time \n \n \n\n**Management Center (MC)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-7431, CVE-2016-7433 | 1.11 and later | Not vulnerable, fixed in 1.11.1.1. \n1.10 | Upgrade to later release with fixes. \n1.9 | Upgrade to later release with fixes. \n1.8 | Upgrade to later release with fixes. \n \n \n\n**Reporter** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-7429, CVE-2016-7431, \nCVE-2016-7433 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1. \n10.1 | Upgrade to 10.1.5.5. \nAll CVEs | 9.5 | Not vulnerable \nAll CVEs | 9.4 | Not vulnerable \n \n \n\n**Security Analytics** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 7.3 and later | Not vulnerable, fixed in 7.3.1. \nCVE-2016-7426, CVE-2016-7429, \nCVE-2016-7433, CVE-2016-9310, \nCVE-2016-9311 | 7.2 | Upgrade to 7.2.3. \n7.1 | Upgrade to later release with fixes. \n6.6 | Upgrade to later release with fixes. \nCVE-2016-7427, CVE-2016-7428, CVE-2016-7431, CVE-2016-7434 | 7.2.2 | Not available at this time \n7.1 with ntp-4.2.8p8 RPM patch | Upgrade to later release with fixes. \n6.6 with ntp-4.2.8p8 RPM patch | Upgrade to later release with fixes. \n \n \n\n**SSL Visibility (SSLV)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-7431, CVE-2016-7433 | 4.1 and later | Not vulnerable, fixed in 4.1.1.1. \n4.0 | Upgrade to later release with fixes. \n3.8, 3.8.4FC, 3.9, 3.10, 3.12 | Not vulnerable to known vectors of attack. \n \n \n\n**X-Series XOS** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2016-7426, CVE-2016-7429, \nCVE-2016-7433, CVE-2016-9310, \nCVE-2016-9311 | 11.0 | Not available at this time \n10.0 | Not available at this time \n9.7 | Upgrade to later release with fixes. \n \n \n\nThe following products contain a vulnerable version of the ntp.org NTP reference implementation, but are not vulnerable to known vectors of attack:\n\n**Advanced Secure Gateway (ASG)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 7.1 | Not vulnerable, fixed in 7.1.1.1 \n6.7 | Upgrade to 6.7.3.1. \n6.6 | Upgrade to later release with fixes. \n \n \n\n### ADDITIONAL PRODUCT INFORMATION\n\nSymantec Network Protection products do not enable or use all functionality within the ntp.org NTP reference implementation. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided.\n\n * **ASG:** all CVEs\n * **CA:** CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7434, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312\n * **Director:** CVE-2016-7429\n * **MTD:** CVE-2016-7426, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312\n * **MC:** CVE-2016-7426, CVE-2016-7429, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312\n * **Reporter 10.1:** CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7434, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312\n * **Security Analytics:** CVE-2016-9312\n * **SSLV 3.x and 4.x:** CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7429 (4.0 only), CVE-2016-7434, CVE-2016-9310, CVE-2016-9311\n\nThe following products are not vulnerable: \n**Android Mobile Agent \nAuthConnector \nBCAAA \nSymantec HSM Agent for the Luna SP \nCacheFlow \nClient Connector \nCloud Data Protection for Salesforce \nCloud Data Protection for Salesforce Analytics \nCloud Data Protection for ServiceNow \nCloud Data Protection for Oracle CRM On Demand \n**Cloud Data Protection for Oracle Field Service Cloud** \nCloud Data Protection for Oracle Sales Cloud \nCloud Data Protection Integration Server \nCloud Data Protection Communication Server \nCloud Data Protection Policy Builder \nGeneral Auth Connector Login Application \nIntelligenceCenter \nIntelligenceCenter Data Collector \nK9 \nMalware Analysis \nNorman Shark Industrial Control System Protection \nNorman Shark Network Protection \nNorman Shark SCADA Protection \nPacketShaper \nPacketShaper S-Series \nPolicyCenter \nPolicyCenter S-Series \nProxyClient \nProxyAV \nProxyAV ConLog and ConLogXP \nProxySG \nUnified Agent \nWeb Isolation**\n\nSymantec no longer provides vulnerability information for the following products:\n\n**DLP** \nPlease, contact Digital Guardian technical support regarding vulnerability information for DLP. \n \n\n\n### ISSUES \n\n**CVE-2016-7426** \n--- \n**Severity / CVSSv2** | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n**References** | SecurityFocus: [BID 94451](<https://www.securityfocus.com/bid/94451>) / NVD: [CVE-2016-7426](<https://nvd.nist.gov/vuln/detail/CVE-2016-7426>) \n**Impact** | Denial of service \n**Description** | A flaw in rate limiting allows a remote attacker to send NTP packets with spoofed source IP addresses and cause the target to reject legitimate packets from configured NTP servers. The attacker can thus prevent the target from synchronizing its system time. \n \n \n\n**CVE-2016-7427** \n--- \n**Severity / CVSSv2** | Low / 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P) \n**References** | SecurityFocus: [BID 94447](<https://www.securityfocus.com/bid/94447>) / NVD: [CVE-2016-7427](<https://nvd.nist.gov/vuln/detail/CVE-2016-7427>) \n**Impact** | Denial of service \n**Description** | A flaw in NTP broadcast packet replay prevention allows a remote attacker with access to the NTP broadcast domain to send crafted broadcast packets and cause the target to reject legitimate packets from NTP broadcast servers. The attacker can thus prevent the target from synchronizing its system time. \n \n \n\n**CVE-2016-7428** \n--- \n**Severity / CVSSv2** | Low / 3.3 (AV:A/AC:L/Au:N/C:N/I:N/A:P) \n**References** | SecurityFocus: [BID 94446](<https://www.securityfocus.com/bid/94446>) / NVD: [CVE-2016-7428](<https://nvd.nist.gov/vuln/detail/CVE-2016-7428>) \n**Impact** | Denial of service \n**Description** | A flaw in NTP broadcast packet poll interval enforcement allows a remote attacker with access to the NTP broadcast domain to send crafted broadcast packets and cause the target to reject legitimate packets from NTP broadcast servers. The attacker can thus prevent the target from synchronizing its system time. \n \n \n\n**CVE-2016-7429** \n--- \n**Severity / CVSSv2** | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n**References** | SecurityFocus: [BID 94453](<https://www.securityfocus.com/bid/94453>) / NVD: [CVE-2016-7429](<https://nvd.nist.gov/vuln/detail/CVE-2016-7429>) \n**Impact** | Denial of service \n**Description** | There is a flaw in the NTP daemon when it listens on multiple network interfaces and the operating system does not validate the source address of received packets. A remote attacker can send an NTP packet with a spoofed source IP address on an unexpected network interface to corrupt the NTP daemon's internal state and prevent it from synchronizing the system time. \n \n \n\n**CVE-2016-7431** \n--- \n**Severity / CVSSv2** | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n**References** | SecurityFocus: [BID 94454](<https://www.securityfocus.com/bid/94454>) / NVD: [CVE-2016-7431](<https://nvd.nist.gov/vuln/detail/CVE-2016-7431>) \n**Impact** | Denial of service, unauthorized modification of time \n**Description** | A flaw in NTP packet origin timestamp validation allows a remote attacker to send crafted NTP packets and and either modify the target's system time or prevent it from synchronizing its time. \n \n \n\n**CVE-2016-7433** \n--- \n**Severity / CVSSv2** | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n**References** | SecurityFocus: [BID 94455](<https://www.securityfocus.com/bid/94455>) / NVD: [CVE-2016-7433](<https://nvd.nist.gov/vuln/detail/CVE-2016-7433>) \n**Impact** | Unauthorized modification of time \n**Description** | A flaw in initial time synchronization allows a remote attacker to send a spoofed NTP response and modify the target's system time. \n \n \n\n**CVE-2016-7434** \n--- \n**Severity / CVSSv2** | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n**References** | SecurityFocus: [BID 94448](<https://www.securityfocus.com/bid/94448>) / NVD: [CVE-2016-7434](<https://nvd.nist.gov/vuln/detail/CVE-2016-7434>) \n**Impact** | Denial of service \n**Description** | A flaw in mrulist query handling allows a remote attacker to send crafted query requests to the NTP daemon and cause it to crash, resulting in denial of service. \n \n \n\n**CVE-2016-9310** \n--- \n**Severity / CVSSv2** | Medium / 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P) \n**References** | SecurityFocus: [BID 94452](<https://www.securityfocus.com/bid/94452>) / NVD: [CVE-2016-9310](<https://nvd.nist.gov/vuln/detail/CVE-2016-9310>) \n**Impact** | Information disclosure, DDoS amplification, security control bypass \n**Description** | A missing authorization flaw allows a remote attacker to send query requests and obtain sensitive information, perform DDoS attack amplification, and evade security monitoring in the target's NTP daemon. \n \n \n\n**CVE-2016-9311** \n--- \n**Severity / CVSSv2** | High / 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C) \n**References** | SecurityFocus: [BID 94444](<https://www.securityfocus.com/bid/94444>) / NVD: [CVE-2016-9311](<https://nvd.nist.gov/vuln/detail/CVE-2016-9311>) \n**Impact** | Denial of service \n**Description** | A flaw in remote query handling allows a remote attacker to send crafted query requests to the NTP daemon and cause it to crash, resulting in denial of service. \n \n \n\n**CVE-2016-9312** \n--- \n**Severity / CVSSv2** | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n**References** | SecurityFocus: [BID 94450](<https://www.securityfocus.com/bid/94450>) / NVD: [CVE-2016-9312](<https://nvd.nist.gov/vuln/detail/CVE-2016-9312>) \n**Impact** | Denial of service \n**Description** | A flaw in oversized packet handling on Windows platforms allows a remote attacker to send crafted NTP packets to the NTP daemon and cause it to crash, resulting in denial of service. \n \n \n\n### MITIGATION\n\nThese vulnerabilities can be exploited only through the management network port for CA, Director, MTD, MC, Security Analytics, SSLV, and XOS. Allowing only machines, IP addresses and subnets from a trusted network to access to the management network port reduces the threat of exploiting the vulnerabilities.\n\nBy default, Director does not enable unrestricted rate limiting, NTP broadcast mode, and remote querying in the NTP daemon. Customers who leave these NTP features disabled prevent attacks against Director using CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7434, CVE-2016-9310, and CVE-2016-9311.\n\nBy default, Security Analytics does not enable unrestricted rate limiting, NTP broadcast mode, and remote querying in the NTP daemon. The Security Analytics NTP daemon also does not listen by default on multiple network interfaces. Customers who leave these NTP features disabled prevent attacks against Security Analytics using CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7429, CVE-2016-7434, CVE-2016-9310, and CVE-2016-9311.\n\nBy default, XOS does not enable unrestricted rate limiting and remote querying in the NTP daemon. Customers who leave this behavior unchanged prevent attacks against XOS using CVE-2016-7426, CVE-2016-9310, and CVE-2016-9311. \n \n\n\n### REFERENCES\n\nNTP.org Security Notice - <https://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se> \nVulnerability Note VU#633847 - [http://www.kb.cert.org/vuls/id/633847](<https://www.kb.cert.org/vuls/id/633847>) \n \n\n\n### REVISION \n\n2020-04-26 Advanced Secure Gateway (ASG) 7.1 and later versions are not vulnerable because a fix is available in 7.1.1.1. Advisory status changed to Closed. \n2019-10-02 Web Isolation is not vulnerable. \n2019-08-10 SSLV 3.x has a vulnerable version of the NTP reference implementation, but is not vulnerable to known vectors of attack. \n2019-08-07 A fix for ASG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2019-01-21 Security Analytics 8.0 is not vulnerable because a fix is available in SA 8.0.1. \n2019-01-12 A fix for Security Analytics 7.1 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2019-01-11 A fix for CA 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2018-08-07 A fix for CA 1.3 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2018-06-25 A fix for SSLV 3.11 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2018-04-26 A fix for SSLV 4.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2018-04-22 CAS 2.3 is not vulnerable. Reporter 10.1 prior to 10.1.5.5 is vulnerable to CVE-2016-7429, CVE-2016-7431, and CVE-2016-7433. Reporter 10.2 is not vulnerable because a fix is available in 10.2.1.1. \n2018-01-31 A fix for ASG 6.7 is avaialble in 6.7.3.1. \n2017-11-16 A fix for SSLV 3.9 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2017-11-09 MC 1.11 is not vulnerable because a fix is available in 1.11.1.1. A fix for MC 1.10 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2017-11-08 CA 2.2 is not vulnerable because a fix is available in 2.2.1.1. \n2017-11-06 ASG 6.7 has a vulnerable version of the NTP reference implementation, but is not vulnerable to known vectors of attack. \n2017-08-03 SSLV 4.1 is not vulnerable because a fix is available in 4.1.1.1. \n2017-03-30 MC 1.10 is vulnerable to CVE-2016-7431 and CVE-2016-7433. It also has a vulnerable version of the NTP reference implementation for CVE-2016-7426, CVE-2016-7429, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312 but is not vulnerable to known vectors of attack. A fix for MC 1.9 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2017-06-22 Security Analytics 7.3 is not vulnerable. \n2016-06-10 Corrected advisory to say that SSLV 3.9, 3.10, and 3.11 are not vulnerable to CVE-2016-7431. Also, CA, MC, and SSLV are not vulnerable to known vectors of attack for CVE-2016-9312. SSLV 3.8.4FC is vulnerable to CVE-2016-7433. SSLV 3.8.4FC also has a vulnerable version of the ntp.org NTP reference implementation for CVE-2016-7426, CVE-2016-9310, CVE-2016-9311, and CVE-2016-9312, but is not vulnerable to known vectors of attack. \n2017-05-29 A fix for Security Analytics 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes. \n2017-05-18 CAS 2.1 is vulnerable to CVE-2016-7429, CVE-2016-7431, CVE-2016-7433, and CVE-2016-9312. \n2017-04-30 A fix for Director 6.1 is available in 6.1.23.1. \n2017-03-30 MC 1.9 is vulnerable to CVE-2016-7431, CVE-2016-7433, and CVE-2016-9312. \n2017-03-09 A fix for Security Analytics 7.2 is available in 7.2.3. \n2017-03-08 SSLV 4.0 is vulnerable to CVE-2016-7431, CVE-2016-7433, and CVE-2016-9312. \n2017-01-12 initial public release \n2016-01-23 Added CVSS v2 base scores from National Vulnerability Database (NVD)\n", "modified": "2020-04-26T14:52:52", "published": "2017-01-12T08:00:00", "id": "SMNTC-1393", "href": "", "type": "symantec", "title": "SA139 : November 2016 NTP Security Vulnerabilities", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-12-24T10:41:55", "bulletinFamily": "software", "cvelist": ["CVE-2015-5300", "CVE-2015-7973", "CVE-2015-7974", "CVE-2015-7975", "CVE-2015-7976", "CVE-2015-7977", "CVE-2015-7978", "CVE-2015-7979", "CVE-2015-8138", "CVE-2015-8139", "CVE-2015-8140", "CVE-2015-8158"], "description": "### SUMMARY\n\nBlue Coat products using affected versions of the NTP software distribution from ntp.org are susceptible to multiple vulnerabilities. A remote attacker may exploit these vulnerabilities to set the victim's system time to an arbitrary value or cause it to become out of sync. The attacker can also cause denial of service through application crashes and perform unauthorized modifications to the victim's NTP daemon configuration and other files on the local file system. \n \n\n\n### AFFECTED PRODUCTS\n\nThe following products are vulnerable:\n\n**Advanced Secure Gateway (ASG)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2015-8158 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1 \n6.6 | Upgrade to 6.6.5.4. \nAll CVEs except CVE-2015-8139, \nCVE-2015-8140, CVE-2015-8158 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1 \n6.6 (not vulnerable to known vectors of attack) | Upgrade to 6.6.5.4. \nCVE-2015-8139, CVE-2015-8140 | 6.6 and later (not vulnerable to known vectors of attack) | A fix will not be provided. ASG does not enable remote NTP configuration. \n \n \n\n**Content Analysis System (CAS)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs except CVE-2015-8139, \nCVE-2015-8140 | 2.1 and later | Not vulnerable, fixed in 2.1.1.1 \n1.2 | Upgrade to later release with fixes. \nCVE-2015-8138 | 1.3 | Upgrade to 1.3.6.1. \nCVE-2015-5300 | 1.3 (not vulnerable to known vectors of attack) | Upgrade to 1.3.6.1. \nCVE-2015-8158 | 1.3 | Upgrade to 1.3.7.3. \nCVE-2015-7973, CVE-2015-7974, \nCVE-2015-7975, CVE-2015-7976, \nCVE-2015-7977, CVE-2015-7978, \nCVE-2015-7979 | 1.3 (not vulnerable to known vectors of attack) | Upgrade to 1.3.7.3. \nCVE-2015-8139, CVE-2015-8140 | 1.2 and later (not vulnerable to known vectors of attack) | A fix will not be provided. ASG does not enable remote NTP configuration. \n \n \n\n**Director** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs except for CVE-2015-7975, \nCVE-2015-8138, CVE-2015-8139, \nCVE-2015-8140 | 6.1 | Upgrade to 6.1.22.1. \nCVE-2015-8139, CVE-2015-8140 | 6.1 | A fix will not be provided. Director by default does not enable remote NTP configuration. \n \n \n\n**Mail Threat Defense (MTD)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2015-8158 | 1.1 | Upgrade to a version of CAS and SMG with the fixes. \n \n \n\n**Management Center (MC)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2015-5300, CVE-2015-8138 | 1.6 and later | Not vulnerable, fixed in 1.6.1.1 \n1.5 | Upgrade to 1.5.3.1. \nCVE-2015-8158 | 1.8 and later | Not vulnerable, fixed in 1.8.1.1 \n1.7 | Upgrade to 1.7.2.1. \n1.5, 1.6 | Upgrade to later release with fixes. \nAll CVEs except CVE-2015-5300, \nCVE-2015-8138, CVE-2015-8139, \nCVE-2015-8140, CVE-2015-8158 | 1.8 and later | Not vulnerable, fixed in 1.8.1.1 \n1.7 | Upgrade to 1.7.2.1. \n1.5, 1.6 | Upgrade to later release with fixes. \nCVE-2015-8139, CVE-2015-8140 | 1.8 and later | Not vulnerable, fixed in 1.8.1.1 \n1.7 (not vulnerable to known vectors of attack) | Upgrade to 1.7.2.1 \n1.5, 1.6 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes. \n \n \n\n**Reporter** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nCVE-2015-5300, CVE-2015-8138 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1 \n10.1 | Upgrade to 10.1.4.1. \nCVE-2015-7973, CVE-2015-7976 | 10.5 and later | Not vulnerable, fixed in 10.5.1.1 \n10.3, 10.4 (not vulnerable to known vectors of attack) | Upgrade to later release with fixes. \n10.2 | Not vulnerable, fixed in 10.2.1.1 \n10.1 (not vulnerable to known vectors of attack) | Upgrade to 10.1.5.1 \nCVE-2015-8158 | 10.2 and later | Not vulnerable, fixed in 10.2.1.1 \n10.1 | Upgrade to 10.1.5.1. \nCVE-2015-8139, CVE-2015-8140 | 10.1 and later | A fix will not be provided. Reporter does not enable remote NTP configuration. \nCVE-2015-7974, CVE-2015-7977, \nCVE-2015-7978, CVE-2015-7979 | 10.1 (not vulnerable to known vectors of attack) | Upgrade to 10.1.5.1. \nAll CVEs | 9.4, 9.5 | Not vulnerable \n \n \n\n**Security Analytics** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs except CVE-2015-7973, CVE-2015-7976, CVE-2015-8139 and CVE-2015-8140 | 7.3 and later | Not vulnerable, fixed in 7.3.1. \n7.2 | Upgrade to 7.2.2. \nCVE-2015-8139, CVE-2015-8140 | 7.2 and later | A fix will not be provided. SA by default does not enable NTP remote configuration. \nCVE-2015-7973, CVE-2015-7976 | 8.1, 8.2 | Not available at this time \n8.0, 7.3 starting with 7.3.2 | Upgrade to later release with fixes. \n7.2, 7.3.1 | Not vulnerable, fixed in 7.2.1. \nAll CVEs except CVE-2015-7973, and CVE-2015-7976 | 7.2 | Not vulnerable, fixed in 7.2.1. \nCVE-2015-5300, CVE-2015-8138 | 7.1 | Upgrade to 7.1.11. \n7.0 | Upgrade to later release with fixes. \n6.6 | Upgrade to 6.6.12. \nCVE-2015-7973, CVE-2015-7974, \nCVE-2015-7976, CVE-2015-7977, \nCVE-2015-7978, CVE-2015-7979, \nCVE-2015-8139, \nCVE-2015-8158 | 7.1 | Apply patch RPM from customer support. \n7.0 | Upgrade to later release with fixes. \n6.6 | Apply patch RPM from customer support. \nCVE-2015-8140 | 6.6, 7.0, 7.1 | A fix will not be provided. SA by default does not enable NTP remote configuration. \n \n \n\n**SSL Visibility (SSLV)** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs | 3.11 and later | Not vulnerable, fixed in 3.11.1.1 \nCVE-2015-5300 | 3.10 | Upgrade to 3.10.2.1. \n3.9 | Upgrade to 3.9.3.1. \n3.8, 3.8.4FC | Upgrade to later release with fixes. \nCVE-2015-7974, CVE-2015-8138 | 3.10 | Upgrade to 3.10.2.1. \n3.9 | Upgrade to 3.9.7.1. \n3.8, 3.8.4FC | Upgrade to later release with fixes. \n \n \n\nWeb Isolation (WI) \n--- \n**CVE** | **Supported Version(s)** | **Remediation** \nCVE-2015-8139, CVE-2015-8140 | 1.12 and later (not vulnerable to known vectors of attack) | A fix will not be provided. WI by default does not enable NTP remote querying and configuration. \n \n \n\n**X-Series XOS** \n--- \n**CVE** | **Affected Version(s)** | **Remediation** \nAll CVEs except CVE-2015-7975 | 9.7, 10.0, 11.0 | A fix will not be provided. \n \n### \nADDITIONAL PRODUCT INFORMATION\n\nIn SSL Visibility, the NTP vulnerabilities can be exploited only through the same physical network port that is used by the product's management interfaces (web UI, CLD). Limiting the machines, IP addresses and subnets able to reach this physical network port reduces the threat. The reduced threat reduces the CVSS v2 scores for each CVE. The adjusted CVSS v2 base scores and severity are:\n\n * CVE-2015-5300 - 2.9 (LOW) (AV:A/AC:M/Au:N/C:N/I:P/A:N)\n * CVE-2015-7974 - 1.4 (LOW) (AV:A/AC:H/Au:S/C:N/I:P/A:N)\n * CVE-2015-8138 - 4.8 (MEDIUM) (AV:A/AC:L/Au:N/C:N/I:P/A:P)\n\nBlue Coat products do not enable or use all functionality within the NTP software distribution from ntp.org. Products listed below do not utilize the functionality described in the CVEs below, and are thus not known to be vulnerable to them. However, fixes for those CVEs will be included in the patches that are provided.\n\n * **ASG 6.6:** CVE-2015-5300, CVE-2015-7973, CVE-2015-7974, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8138, CVE-2015-8139, and CVE-2015-8140.\n * **ASG 6.7:** CVE-2015-8139 and CVE-2015-8140\n * **CAS:** CVE-2015-7973, CVE-2015-7974, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, and CVE-2015-8140.\n * **MTD:** CVE-2015-7973, CVE-2015-7974, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, and CVE-2015-8140.\n * **MC:** CVE-2015-7973, CVE-2015-7974, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, and CVE-2015-8140.\n * **Reporter 10.1:** CVE-2015-7973, CVE-2015-7974, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, and CVE-2015-8140.\n * **SSLV 3x:** CVE-2015-7973, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, CVE-2015-8140, and CVE-2015-8158.\n * **SSLV 4.x:** CVE-2015-8139, CVE-2015-8140\n\nThe following products are not vulnerable: \n**Android Mobile Agent \nAuthConnector \nBCAAA \nBlue Coat HSM Agent for the Luna SP \nCacheFlow \nClient Connector \nCloud Data Protection for Salesforce \nCloud Data Protection for Salesforce Analytics \nCloud Data Protection for ServiceNow \nCloud Data Protection for Oracle CRM On Demand \nCloud Data Protection for Oracle Field Service Cloud \nCloud Data Protection for Oracle Sales Cloud \nCloud Data Protection Integration Server \nCloud Data Protection Communication Server \nCloud Data Protection Policy Builder \nGeneral Auth Connector Login Application \nIntelligenceCenter \nIntelligenceCenter Data Collector \nK9 \nMalware Analysis Appliance \nNorman Shark Industrial Control System Protection \nNorman Shark Network Protection \nNorman Shark SCADA Protection \nPacketShaper \nPacketShaper S-Series \nPolicyCenter \nPolicyCenter S-Series \nProxyAV \nProxyAV ConLog and ConLogXP \nProxyClient \nProxySG \nUnified Agent**\n\nBlue Coat no longer provides vulnerability information for the following products:\n\n**DLP** \nPlease, contact Digital Guardian technical support regarding vulnerability information for DLP. \n \n\n\n### ISSUES\n\n**CVE-2015-5300** \n--- \n**Severity / CVSSv2** | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n**References** | SecurityFocus: [BID 77312](<https://www.securityfocus.com/bid/77312>) / NVD: [CVE-2015-5300](<https://nvd.nist.gov/vuln/detail/CVE-2015-5300>) \n**Impact** | Unauthorized modification of system time \n**Description** | A flaw in ntpd allows a remote attacker to adjust the victim's system time by an offset larger than the ntpd panic threshold. The attacker can effectively set the victim's system time to an arbitrary value. \n \n \n\n**CVE-2015-7973** \n--- \n**Severity / CVSSv2** | Medium / 4.3 (AV:A/AC:M/Au:N/C:N/I:P/A:P) \n**References** | SecurityFocus: [BID 81963](<https://www.securityfocus.com/bid/81963>) / NVD: [CVE-2015-7973](<https://nvd.nist.gov/vuln/detail/CVE-2015-7973>) \n**Impact** | Unauthorized modification of system time \n**Description** | A flaw in the NTP protocol broadcast mode allows a man-in-the-middle or a malicious broadcast client to replay time packets to broadcast clients. This attack can cause the victim's system time to become out of sync. \n \n \n\n**CVE-2015-7974** \n--- \n**Severity / CVSSv2** | Low / 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N) \n**References** | SecurityFocus: [BID 81960](<https://www.securityfocus.com/bid/81960>) / NVD: [CVE-2015-7974](<https://nvd.nist.gov/vuln/detail/CVE-2015-7974>) \n**Impact** | Unauthorized modification of system time \n**Description** | A flaw in ntpd allows a remote malicious trusted NTP client or server to impersonate a different trusted NTP client or server and modify time packets. This attack can cause the victim's system time to become out of sync. \n \n \n\n**CVE-2015-7975** \n--- \n**Severity / CVSSv2** | Low / 2.6 (AV:N/AC:H/Au:N/C:N/I:N/A:P) \n**References** | SecurityFocus: [BID 81959](<https://www.securityfocus.com/bid/81959>) / NVD: [CVE-2015-7975](<https://nvd.nist.gov/vuln/detail/CVE-2015-7975>) \n**Impact** | Denial of service \n**Description** | A flaw in ntpq allows a remote attacker to send a crafted response to ntpq and cause it to crash, resulting in denial of service. \n \n \n\n**CVE-2015-7976** \n--- \n**Severity / CVSSv2** | Medium / 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N) \n**References** | SecurityFocus: NVD: [CVE-2015-7976](<https://nvd.nist.gov/vuln/detail/CVE-2015-7976>) \n**Impact** | Unauthorized modification of data \n**Description** | A flaw in ntpd allows a remote attacker to send a crafted \"saveconfig\" command to ntpd, causing it to modify files on the local filesystem. \n \n \n\n**CVE-2015-7977** \n--- \n**Severity / CVSSv2** | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n**References** | SecurityFocus: [BID 81815](<https://www.securityfocus.com/bid/81815>) / NVD: [CVE-2015-7977](<https://nvd.nist.gov/vuln/detail/CVE-2015-7977>) \n**Impact** | Denial of service \n**Description** | A flaw in ntpd allows a remote attacker to send a crafted \"ntpdc reslist\" command to ntpd. This attack causes ntpd to dereference a NULL pointer and crash, resulting in denial of service. \n \n \n\n**CVE-2015-7978** \n--- \n**Severity / CVSSv2** | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n**References** | SecurityFocus: [BID 81962](<https://www.securityfocus.com/bid/81962>) / NVD: [CVE-2015-7978](<https://nvd.nist.gov/vuln/detail/CVE-2015-7978>) \n**Impact** | Denial of service \n**Description** | A flaw in ntpd allows a remote attacker to send a crafted \"ntpdc reslist\" command to ntpd. This attack causes ntpd to exhaust its call stack and crash, resulting in denial of service. \n \n \n\n**CVE-2015-7979** \n--- \n**Severity / CVSSv2** | Medium / 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P) \n**References** | SecurityFocus: [BID 81816](<https://www.securityfocus.com/bid/81816>) / NVD: [CVE-2015-7979](<https://nvd.nist.gov/vuln/detail/CVE-2015-7979>) \n**Impact** | Denial of service \n**Description** | A flaw in the NTP protocol broadcast mode allows a remote attacker to send bad authentication packets to broadcast clients. This attack causes the clients to stop synchronizing their system time from the broadcast server, which causes their time to become out of sync and results in denial of service. \n \n \n\n**CVE-2015-8138** \n--- \n**Severity / CVSSv2** | Medium / 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P) \n**References** | SecurityFocus: [BID 81811](<https://www.securityfocus.com/bid/81811>) / NVD: [CVE-2015-8138](<https://nvd.nist.gov/vuln/detail/CVE-2015-8138>) \n**Impact** | Denial of service, unauthorized modification of system time \n**Description** | A flaw in ntpd allows a remote attacker to send a forged time packet to an NTP client. This attack causes the client to set its system time to an arbitrary value or stop synchonizing its time from the NTP server. \n \n \n\n**CVE-2015-8139** \n--- \n**Severity / CVSSv2** | Medium / 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N) \n**References** | SecurityFocus: [BID 82105](<https://www.securityfocus.com/bid/82105>) / NVD: [CVE-2015-8139](<https://nvd.nist.gov/vuln/detail/CVE-2015-8139>) \n**Impact** | Unauthorized modification of system time \n**Description** | A flaw in ntpd allows a remote attacker to obtain timestamp information from an NTP client and use the information to send a forged time packet to the client. This attack can cause the client to set its system time to an arbitrary value. \n \n \n\n**CVE-2015-8140** \n--- \n**Severity / CVSSv2** | Medium / 5.4 (AV:A/AC:M/Au:N/C:P/I:P/A:P) \n**References** | SecurityFocus: [BID 82102](<https://www.securityfocus.com/bid/82102>) / NVD: [CVE-2015-8140](<https://nvd.nist.gov/vuln/detail/CVE-2015-8140>) \n**Impact** | Unauthorized modification of data \n**Description** | A flaw in the ntpq protocol that allows replay attacks allows a remote attacker can sniff an ntpq configuration command and replay it at a later time, modifying the victim's ntpd configuration in an unexpected way. \n \n \n\n**CVE-2015-8158** \n--- \n**Severity / CVSSv2** | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P) \n**References** | SecurityFocus: [BID 81814](<https://www.securityfocus.com/bid/81814>) / NVD: [CVE-2015-8158](<https://nvd.nist.gov/vuln/detail/CVE-2015-8158>) \n**Impact** | Denial of service \n**Description** | A flaw in ntpq and ntpdc allows an attacker to send a crafted response to ntpq or ntpdc and force them to enter an infinite loop. This attack results in denial of service. \n \n### \nMITIGATION\n\nThese vulnerabilities can be exploited only through the management network port for CAS, Director, MC, and XOS. Allowing only machines, IP addresses and subnets from a trusted network to access to the management network port reduces the threat of exploiting the vulnerabilities.\n\nBy default, Director, Security Analytics and XOS do not run ntpd with the -g command line option, and do not enable NTP broadcast mode, symmetric authentication, remote querying, and remote configuration. Customers who leave these NTP features disabled prevent attacks against these products using the following vulnerabilities:\n\n * **Director and Security Analytics:** CVE-2015-5300, CVE-2015-7973, CVE-2015-7974, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, CVE-2015-8140.\n * **XOS:** CVE-2015-7973, CVE-2015-7974, CVE-2015-7976, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, CVE-2015-8140.\n\n### REFERENCES\n\nNTP Project Security Notice - <https://support.ntp.org/bin/view/Main/SecurityNotice> \nAttacking the Network Time Protocol (technical paper) - <https://www.cs.bu.edu/~goldbe/NTPattack.html> \nAttacking NTP's Authenticated Broadcast Mode - <https://www.cs.bu.edu/~goldbe/papers/NTPbroadcast.html> \n \n\n\n### REVISION\n\n2020-11-17 A fix for MTD 1.1 will not be provided. Please upgrade to a version of CAS and SMG with the vulnerability fixes. A fix for SA 7.3 and 8.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for XOS 9.7, 10.0, and 11.0 will not be provided. \n2020-04-23 A fix for CVE-2015-7973 and CVE-2015-7976 in Reporter 10.3 will not be provided. Please upgrade to a larger release with the vulnerability fixes. Reporter 10.5 is not vulnerable to CVE-2015-7973 and CVE-2015-7976 because a fix is available in 10.5.1.1. \n2019-10-07 WI 1.12 and 1.13 have vulnerable versions of the NTP software distribution from ntp.org for CVE-2015-8139 and CVE-2015-8140, but do not enable remote querying and configuration in ntpd, so they are not vulnerable to known vectors of attack. Fixes will not be provided. \n2019-08-28 Reporter 10.3 and 10.4 have vulnerable versions of the NTP software distribution from ntp.org, but are not vulnerable to known vectors of attack. \n2019-01-21 SA 7.3 starting with 7.3.2 and 8.0 are vulnerable to CVE-2015-7973 and CVE-2015-7976. SA 8.0 is vulnerable to CVE-2015-8139 and CVE-2015-8140. By default, SA 8.0 does not enable NTP remote configuration. \n2019-01-18 SSLV 4.x is not vulnerable to CVE-2015-8139 and CVE-2015-8140 because a fix is available in 4.0.2.1. \n2018-04-22 CAS 2.3 has a vulnerable version of the NTP software distribution from ntp.org, but is not vulnerable to known vectors of attack. A fix for CVE-2015-8139 and CVE-2015-8140 will not be provided. CAS 2.3 does not enable remote configuration in the NTP reference implementation and is not vulnerable to known vectors of attack for CVE-2015-8139 and CVE-2015-8140. \n2017-11-08 CAS 2.2 has a vulnerable version of the NTP software distribution from ntp.org, but is not vulnerable to known vectors of attack. A fix for CVE-2015-8139 and CVE-2015-8140 will not be provided. CAS 2.2 does not enable remote configuration in the NTP reference implementation and is not vulnerable to known vectors of attack for CVE-2015-8139 and CVE-2015-8140. \n2017-11-07 MC 1.8 and later releases have a vulnerable version of the NTP software distribution from ntp.org for CVE-2015-8139 and CVE-2015-8140. A fix will not be provided. MC does not enable remote configuration in the NTP. reference implementation and is not vulnerable to known vectors of attack for CVE-2015-8139 and CVE-2015-8140 \n2017-11-06 ASG 6.7 has a vulnerable version of the NTP software distribution from ntp.org for CVE-2015-8139 and CVE-2015-8140. A fix will not be provided. ASG 6.7 does not enable remote configuration in the NTP reference implementation and is not vulnerable to known vectors of attack for CVE-2015-8139 and CVE-2015-8140. \n2017-11-04 It was previously reported that SSLV 4.0 and 4.1 are not vulnerable. Futher investigtion indicates that SSLV 4.x has a vulnerable version of the NTP software distribution from ntp.org for CVE-2015-8139 and CVE-2015-8140. Fixes will not be provided. SSLV 4.x does not enable remote configuration and is not vulnerable to known vectors of attack. \n2017-08-02 SSLV 4.1 is not vulnerable. \n2017-07-20 MC 1.10 has a vulnerable version of the NTP software distribution from ntp.org, but is not vulnerable to known vectors of attack. A fix for CVE-2015-8139 and CVE-2015-8140 in MC 1.9 will not be provided. MC 1.9 does not enable remote configuration in the NTP. reference implementation and is not vulnerable to known vectors of attack for CVE-2015-8139 and CVE-2015-8140. \n2017-07-18 A fix for CVE-2015-8139 and CVE-2015-8140 will not be provided for ASG, CA, Director, MC, Reporter, and Security Analytics. These products do not enable remote configuration in the NTP reference implementation and are not vulnerable to known vectors of attack. \n2017-06-22 Security Analytics 7.3 is vulnerable to CVE-2015-8139 and CVE-2015-8140. \n2017-05-17 CAS 2.1 has a vulnerable version of the NTP software distribution from ntp.org, but is not vulnerable to known vectors of attack. \n2017-03-30 MC 1.8 and 1.9 have a vulnerable version of the NTP software distribution from ntp.org, but are not vulnerable to known vectors of attack. \n2017-03-29 A fix for all CVEs except CVE-2015-8139 and CVE-2015-8140 in ASG 6.6 is available in 6.6.5.4. \n2017-03-16 A fix for all CVEs in SSLV 3.10 is available in 3.10.2.1. \n2017-03-08 A fix for all CVEs except CVE-2015-8139 and CVE-2015-8140 in Director is available in 6.1.22.1. \n2017-03-06 MC 1.8 is not vulnerable. SSLV 4.0 is not vulnerable. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support. \n2017-01-25 A fix for all CVEs except CVE-2015-8139 and CVE-2015-8140 in SA 7.2 is available in 7.2.2. \n2017-01-24 A fix for all CVEs except CVE-2015-8139 and CVE-2015-8140 in CAS 1.3 is available in 1.3.7.3. \n2017-01-13 A fix for all CVEs in SSLV 3.9 is available in 3.9.7.1. \n2017-01-10 A fix for all CVEs except for CVE-2015-8139 and CVE-2015-8140 in Reporter 10.1 is available in 10.1.5.1. \n2016-12-04 A fix is available in SSLV 3.11.1.1. \n2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable. \n2016-11-14 A fix for all CVEs except CVE-2015-8139 and CVE-2015-8140 is available in MC 1.7.2.1. \n2016-11-11 SSLV 3.10 is vulnerable to CVE-2015-7974 and CVE-2015-8138. A fix is not available at this time. \n2016-11-08 A fix for all CVEs except CVE-2015-8140 in Security Analytics 6.6 and 7.1 is available through a patch RPM from Blue Coat Support. SA 7.2 is vulnerable to CVE-2015-7973, CVE-2015-7976, and CVE-2015-8140. \n2016-10-26 MC 1.6 and 1.7 are vulnerable to CVE-2015-8158. They also have vulnerable code for multiple CVEs, but are not vulnerable to known vectors of attack. See Advisory Details section for a list of CVEs. A fix will not be provided for MC 1.6. Please, upgrade to a later version with the vulnerability fixes. \n2016-07-18 A fix for CVE-2015-7974, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8139, and CVE-2015-8158 in Security Analytics 6.6 and 7.1 is available through a patch RPM from customer support. A fix for the other CVEs is not available at this time. \n2016-06-23 A fix for CVE-2015-5300 and CVE-2015-8138 is available in ASG 6.6.4.1. \n2016-05-17 A fix for CVE-2015-5300 and CVE-2015-8138 is available in Security Analytics 6.6.12 and 7.1.11. \n2016-05-11 No Cloud Data Protection products are vulnerable. \n2016-04-24 MTD 1.1 is vulnerable to CVE-2015-8158. It also have vulnerable code for a number of CVEs, but is not vulnerable to known vectors of attack. \n2016-04-01 A fix for CVE-2015-5300 and CVE-2015-8138 in Reporter 10.1 is available in 10.1.4.1. \n2016-03-28 Previously it was reported that SSLV has vulnerable code for CVE-2015-7975. Further investigation has shown that SSLV is not vulnerable to this CVE. \n2016-03-14 A fix for CVE-2015-5300 and CVE-2015-8138 in CAS 1.3 is available in 1.3.6.1. A fix for CVE-2015-5300 and CVE-2015-8138 in MC 1.5 is available in 1.5.3.1. \n2016-03-03 initial public release\n", "modified": "2020-12-22T05:06:10", "published": "2016-03-03T08:00:00", "id": "SMNTC-1350", "href": "", "type": "symantec", "title": "SA113 : January 2016 NTP Security Vulnerabilities", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "cert": [{"lastseen": "2020-09-18T20:41:19", "bulletinFamily": "info", "cvelist": ["CVE-2016-7426", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-7429", "CVE-2016-7431", "CVE-2016-7433", "CVE-2016-7434", "CVE-2016-9310", "CVE-2016-9311", "CVE-2016-9312"], "description": "### Overview \n\nNTP.org ntpd versions ntp-4.2.7p385 up to but not including ntp-4.2.8p9 and ntp-4.3.0 up to but not including ntp-4.3.94 contain multiple denial of service vulnerabilities.\n\n### Description \n\nNTP.org's ntpd, versions ntp-4.2.7p385 up to but not including ntp-4.2.8p9 and ntp-4.3.0 up to but not including ntp-4.3.94, contain multiple denial of service vulnerabilities.\n\n[**CWE-476**](<http://cwe.mitre.org/data/definitions/476.html>)**: NULL Pointer Dereference - **CVE-2016-9311 \n \nAccording to NTP.org, \"ntpd does not enable trap service by default. If trap service has been explicitly enabled, an attacker can send a specially crafted packet to cause a null pointer dereference that will crash ntpd, resulting in a denial of service. Affects Windows only.\" \n \n[**CWE-400**](<http://cwe.mitre.org/data/definitions/400.html>)**: Uncontrolled Resource Consumption ('Resource Exhaustion') - **CVE-2016-9310 \n \nAccording to NTP.org, \"An exploitable configuration modification vulnerability exists in the control mode (mode 6) functionality of ntpd. If, against long-standing BCP recommendations, \"restrict default noquery ...\" is not specified, a specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, disabling legitimate monitoring. A remote, unauthenticated, network attacker can trigger this vulnerability.\" \n \n[**CWE-400**](<http://cwe.mitre.org/data/definitions/400.html>)**: Uncontrolled Resource Consumption ('Resource Exhaustion') - **CVE-2016-7427 \n \nAccording to NTP.org, \"The broadcast mode of NTP is expected to only be used in a trusted network. If the broadcast network is accessible to an attacker, a potentially exploitable denial of service vulnerability in ntpd's broadcast mode replay prevention functionality can be abused. An attacker with access to the NTP broadcast domain can periodically inject specially crafted broadcast mode NTP packets into the broadcast domain which, while being logged by ntpd, can cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers.\" \n \n \n[**CWE-400**](<http://cwe.mitre.org/data/definitions/400.html>)**: Uncontrolled Resource Consumption ('Resource Exhaustion') - **CVE-2016-7428 \n \nAccording to NTP.org, \"The broadcast mode of NTP is expected to only be used in a trusted network. If the broadcast network is accessible to an attacker, a potentially exploitable denial of service vulnerability in ntpd's broadcast mode poll interval enforcement functionality can be abused. To limit abuse, ntpd restricts the rate at which each broadcast association will process incoming packets. ntpd will reject broadcast mode packets that arrive before the poll interval specified in the preceding broadcast packet expires. An attacker with access to the NTP broadcast domain can send specially crafted broadcast mode NTP packets to the broadcast domain which, while being logged by ntpd, will cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers.\" \n \n[**CWE-410**](<http://cwe.mitre.org/data/definitions/410.html>)**: Insufficient Resource Pool - **CVE-2016-9312 \n \nAccording to NTP.org, \"If a vulnerable instance of ntpd on Windows receives a crafted malicious packet that is \"too big\", ntpd will stop working.\" \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2016-7431 \n \nAccording to NTP.org, \"Zero Origin timestamp problems were fixed by Bug 2945 in ntp-4.2.8p6. However, subsequent timestamp validation checks introduced a regression in the handling of some Zero origin timestamp checks.\" \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2016-7434 \n \nAccording to NTP.org, \"If ntpd is configured to allow mrulist query requests from a server that sends a crafted malicious packet, ntpd will crash on receipt of that crafted malicious mrulist query packet.\" \n \n[**CWE-605**](<http://cwe.mitre.org/data/definitions/605.html>)**: Multiple Binds to the Same Port -** CVE-2016-7429 \n \nAccording to NTP.org, \"When ntpd receives a server response on a socket that corresponds to a different interface than was used for the request, the peer structure is updated to use the interface for new requests. If ntpd is running on a host with multiple interfaces in separate networks and the operating system doesn't check source address in received packets (e.g. rp_filter on Linux is set to 0), an attacker that knows the address of the source can send a packet with spoofed source address which will cause ntpd to select wrong interface for the source and prevent it from sending new requests until the list of interfaces is refreshed, which happens on routing changes or every 5 minutes by default. If the attack is repeated often enough (once per second), ntpd will not be able to synchronize with the source.\" \n \n[**CWE-410**](<http://cwe.mitre.org/data/definitions/410.html>)**: Insufficient Resource Pool - **CVE-2016-7426 \n \nAccording to NTP.org, \"When ntpd is configured with rate limiting for all associations (restrict default limited in ntp.conf), the limits are applied also to responses received from its configured sources. An attacker who knows the sources (e.g., from an IPv4 refid in server response) and knows the system is (mis)configured in this way can periodically send packets with spoofed source address to keep the rate limiting activated and prevent ntpd from accepting valid responses from its sources.\" \n \n[**CWE-682**](<http://cwe.mitre.org/data/definitions/682.html>)**: Incorrect Calculation - **CVE-2016-7433 \n \nAccording to NTP.org, \"Bug 2085 described a condition where the root delay was included twice, causing the jitter value to be higher than expected. Due to a misinterpretation of a small-print variable in The Book, the fix for this problem was incorrect, resulting in a root distance that did not include the peer dispersion. The calculations and formulae have been reviewed and reconciled, and the code has been updated accordingly.\" \n \nFor more information, please see NTP.org's [security advisory](<http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se>).[](<http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NT>)[](<nwtime.org/ntp428p9_release>) \n \nThe CVSS score below is based on CVE-2016-9312. \n \n--- \n \n### Impact \n\nA remote unauthenticated attacker may be able to perform a denial of service on ntpd. \n \n--- \n \n### Solution \n\n**Implement BCP-38.** \n \nUse \"`restrict default noquery ...`\" in your `ntp.conf` file. Only allow mode 6 queries from trusted networks and hosts. \n \n**Apply an update** \n \nUpgrade to [4.2.8p9](<nwtime.org/ntp428p9_release>), or later, from the NTP Project Download Page or the NTP Public Services Project Download Page. \n \n**Monitor ntpd** \n \nProperly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running. \n \n--- \n \n### Vendor Information\n\n633847\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### NTP Project Affected\n\nUpdated: November 18, 2016 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### CoreOS __ Not Affected\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n**Statement Date: November 21, 2016**\n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\n`CoreOS Container Linux, by default, is not affected by this since ntpd is disabled.`\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### ACCESS Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### AT&T Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Alcatel-Lucent Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Apple Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Arch Linux Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Arista Networks, Inc. Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Aruba Networks Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Avaya, Inc. Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Barracuda Networks Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Belkin, Inc. Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Blue Coat Systems Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Brocade Communication Systems Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### CA Technologies Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### CMX Systems Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### CentOS Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Check Point Software Technologies Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Cisco Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Contiki OS Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### D-Link Systems, Inc. Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Debian GNU/Linux Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### DesktopBSD Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### DragonFly BSD Project Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### EMC Corporation Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### EfficientIP SAS Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Enterasys Networks Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Ericsson Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### European Registry for Internet Domains Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Extreme Networks Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### F5 Networks, Inc. Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Fedora Project Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Force10 Networks Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Fortinet, Inc. Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Foundry Brocade Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### FreeBSD Project Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### GNU adns Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### GNU glibc Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Gentoo Linux Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Google Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Hardened BSD Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Hewlett Packard Enterprise Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Hitachi Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Huawei Technologies Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### IBM Corporation Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Infoblox Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Intel Corporation Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Internet Systems Consortium Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Internet Systems Consortium - DHCP Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### JH Software Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Juniper Networks Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Lenovo Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Lynx Software Technologies Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### McAfee Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Microchip Technology Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Microsoft Corporation Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### NEC Corporation Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### NLnet Labs Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### NetBSD Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Nokia Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Nominum Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### OmniTI Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### OpenBSD Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### OpenDNS Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Openwall GNU/*/Linux Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Oracle Corporation Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Oryx Embedded Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Peplink Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### PowerDNS Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Q1 Labs Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### QNX Software Systems Inc. Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Quadros Systems Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Red Hat, Inc. Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Rocket RTOS Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### SUSE Linux Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### SafeNet Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Secure64 Software Corporation Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Slackware Linux Inc. Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### SmoothWall Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Snort Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Sony Corporation Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Sourcefire Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Symantec Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### TCPWave Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### TippingPoint Technologies Inc. Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Tizen Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### TrueOS Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Turbolinux Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Ubuntu Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Unisys Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### VMware Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Wind River Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### WizNET Technology Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Xilinx Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Zephyr Project Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### ZyXEL Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### dnsmasq Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### gdnsd Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### m0n0wall Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### openSUSE project Unknown\n\nNotified: November 21, 2016 Updated: November 21, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\nView all 100 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 7.8 | AV:N/AC:L/Au:N/C:N/I:N/A:C \nTemporal | 6.1 | E:POC/RL:OF/RC:C \nEnvironmental | 6.1 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se>\n * [nwtime.org/ntp428p9_release](<nwtime.org/ntp428p9_release>)\n\n### Acknowledgements\n\nNTP.org thanks Matthew Van Gundy of Cisco, Robert Pajak, Sharon Goldberg and Aanchal Malhotra of Boston University, Magnus Stubman, Miroslav Lichvar of Red Hat, and Brian Utterback of Oracle for reporting these vulnerabilities.\n\nThis document was written by Garret Wassermann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2016-7426](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-7426>), [CVE-2016-7427](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-7427>), [CVE-2016-7428](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-7428>), [CVE-2016-7429](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-7429>), [CVE-2016-7431](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-7431>), [CVE-2016-7433](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-7433>), [CVE-2016-7434](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-7434>), [CVE-2016-9310](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-9310>), [CVE-2016-9312](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-9312>) \n---|--- \n**Date Public:** | 2016-11-21 \n**Date First Published:** | 2016-11-21 \n**Date Last Updated: ** | 2017-11-20 15:38 UTC \n**Document Revision: ** | 26 \n", "modified": "2017-11-20T15:38:00", "published": "2016-11-21T00:00:00", "id": "VU:633847", "href": "https://www.kb.cert.org/vuls/id/633847", "type": "cert", "title": "NTP.org ntpd contains multiple denial of service vulnerabilities", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-09-18T20:41:39", "bulletinFamily": "info", "cvelist": ["CVE-2015-7704", "CVE-2015-7705", "CVE-2015-7973", "CVE-2015-7974", "CVE-2015-7975", "CVE-2015-7976", "CVE-2015-7977", "CVE-2015-7978", "CVE-2015-7979", "CVE-2015-8138", "CVE-2015-8139", "CVE-2015-8140", "CVE-2015-8158", "CVE-2016-1547", "CVE-2016-1548", "CVE-2016-1549", "CVE-2016-1550", "CVE-2016-1551", "CVE-2016-2516", "CVE-2016-2517", "CVE-2016-2518", "CVE-2016-2519"], "description": "### Overview \n\nThe NTP.org reference implementation of `ntpd` contains multiple vulnerabilities.\n\n### Description \n\nNTP.org's reference implementation of NTP server, `ntpd`, contains multiple vulnerabilities.\n\n[**CWE-294**](<http://cwe.mitre.org/data/definitions/294.html>)**: Authentication Bypass by Capture-replay - **CVE-2015-7973 \n \nAn attacker on the network can record and replay authenticated broadcast mode packets. Also known as the \"Deja Vu\" attack. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-7974 \n \nA missing key check allows impersonation between authenticated peers. Also known as the \"Skeleton Key\" attack. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-7975 \n \nThe `nextvar()` function does not properly validate length. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-7976 \n \n`ntpq saveconfig` command allows dangerous characters in filenames \n \n[**CWE-476**](<http://cwe.mitre.org/data/definitions/476.html>)**: NULL Pointer Dereference - **CVE-2015-7977 \n \n`reslist` NULL pointer dereference \n \n[**CWE-400**](<http://cwe.mitre.org/data/definitions/400.html>)**: Uncontrolled Resource Consumption ('Resource Exhaustion') - **CVE-2015-7978 \n \nStack exhaustion in recursive traversal of restriction list \n \n[**CWE-821**](<http://cwe.mitre.org/data/definitions/821.html>)**: Incorrect Synchronization - **CVE-2015-7979 \n \nOff-path Denial of Service (DoS) attack on authenticated broadcast and other pre-emptable modes \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-8138 \n \nZero Origin Timestamp Bypass \n \n[**CWE-200**](<http://cwe.mitre.org/data/definitions/200.html>)**: Information Exposure - **CVE-2015-8139 \n \nNetwork Time Protocol ntpq and ntpdc Origin Timestamp Disclosure Vulnerability \n<http://support.ntp.org/bin/view/Main/NtpBug2946> \n \n[**CWE-294**](<http://cwe.mitre.org/data/definitions/294.html>)**: Authentication Bypass by Capture-replay - **CVE-2015-8140 \n \nNetwork Time Protocol ntpq Control Protocol Replay Vulnerability \n<http://support.ntp.org/bin/view/Main/NtpBug2947> \n \n[**CWE-400**](<http://cwe.mitre.org/data/definitions/400.html>)**: Uncontrolled Resource Consumption ('Resource Exhaustion') - **CVE-2015-8158 \n \nPotential Infinite Loop in ntpq \n<http://support.ntp.org/bin/view/Main/NtpBug2948> \n \n[**CWE-821**](<http://cwe.mitre.org/data/definitions/821.html>)**: Incorrect Synchronization - **CVE-2016-1547 \n \nAn off-path attacker can deny service to `ntpd` clients by demobilizing preemptable associations using spoofed crypto-NAK packets. This vulnerability involves different code paths than those used by CVE-2015-7979. \n \n[**CWE-290**](<http://cwe.mitre.org/data/definitions/290.html>)**: Authentication Bypass by Spoofing - **CVE-2016-1548 \n \nBy spoofing packets from a legitimate server, an attacker can change the time of an` ntpd` client or deny service to an `ntpd` client by forcing it to change from basic client/server mode to interleaved symmetric mode. \n \n[**CWE-362**](<http://cwe.mitre.org/data/definitions/362.html>)**: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') - **CVE-2016-1549 \n \nntpd does not prevent Sybil attacks from authenticated peers. An malicious authenticated peer can create any number of ephemeral associations in order to win ntpd's clock selection algorithm and modify a victim's clock. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2016-1550 \n \nntpd does not use a constant-time memory comparison function when validating the authentication digest on incoming packets. In some situations this may allow an attacker to conduct a timing attack to compute the value of the valid authentication digest causing forged packets to be accepted by `ntpd`. \n \n[**CWE-290**](<http://cwe.mitre.org/data/definitions/290.html>)**: Authentication Bypass by Spoofing - **CVE-2016-1551 \n \nntpd does not filter IPv4 bogon packets received from the network. This allows unauthenticated network attackers to spoof refclock packets to ntpd processes on systems that do not implement bogon filtering. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2016-2516, CVE-2016-2517 \n \nDuplicate IPs on `unconfig` directives will cause an assertion botch in `ntpd`. A regression caused by the patch for CVE-2016-2516 was fixed and identified as CVE-2016-2517. \n \n[**CWE-125**](<http://cwe.mitre.org/data/definitions/125.html>)**: Out-of-bounds Read - **CVE-2016-2518 \n \nUsing a crafted packet to create a peer association with hmode > 7 causes the MATCH_ASSOC() lookup to make an out-of-bounds reference. \n \n[**CWE-119**](<http://cwe.mitre.org/data/definitions/119.html>)**: Improper Restriction of Operations within the Bounds of a Memory Buffer - **CVE-2016-2519 \n \n`ntpq` and `ntpdc` can be used to store and retrieve information in `ntpd`. It is possible to store a data value that is larger than the size of the buffer that the `ctl_getitem()` function of `ntpd` uses to report the return value. If the length of the requested data value returned by `ctl_getitem()` is too large, the value NULL is returned instead. There are 2 cases where the return value from `ctl_getitem()` was not directly checked to make sure it's not NULL, but there are subsequent INSIST() checks that make sure the return value is not NULL. There are no data values ordinarily stored in `ntpd` that would exceed this buffer length. But if one has permission to store values and one stores a value that is \"too large\", then `ntpd` will abort if an attempt is made to read that oversized value. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-7704**, **CVE-2015-7705 \n \nAn ntpd client that honors Kiss-of-Death (KoD) responses will honor KoD messages that have been forged by an attacker, causing it to delay or stop querying its servers for time updates. Also, an attacker can forge packets that claim to be from the target and send them to servers often enough that a server that implements KoD rate limiting will send the target machine a KoD response to attempt to reduce the rate of incoming packets, or it may also trigger a firewall block at the server for packets from the target machine. For either of these attacks to succeed, the attacker must know what servers the target is communicating with. An attacker can be anywhere on the Internet and can frequently learn the identity of the target's time source by sending the target a time query. \n \nFor more information on these vulnerabilities, please see NTP.org's [April 2016 security advisory](<http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security>) as well as the [January 2016 security advisory](<http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit>). \n \n--- \n \n### Impact \n\nUnauthenticated remote attackers may be able to spoof packets to cause denial of service, authentication bypass on commands, or certain configuration changes. For more information on these vulnerabilities, please see NTP.org's [April 2016 security advisory](<http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security>) as well as the [January 2016 security advisory](<http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit>). \n \n--- \n \n### Solution \n\n**Apply an update** \n \nPartial patches for some of these issues were initially released in January 2016 as version 4.2.8p6. Complete patches for all of these issues are now available in version [4.2.8p7](<http://www.ntp.org/downloads.html>), released 2016-04-26. Affected users are encouraged to update as soon as possible. \n \n--- \n \n### Vendor Information\n\n718152\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### NTP Project Affected\n\nNotified: January 19, 2016 Updated: April 22, 2016 \n\n**Statement Date: April 19, 2016**\n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### ACCESS Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### AT&T Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Alcatel-Lucent Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Apple Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Arista Networks, Inc. Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Aruba Networks Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Avaya, Inc. Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Belkin, Inc. Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Blue Coat Systems Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### CA Technologies Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### CentOS Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Check Point Software Technologies Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Cisco Unknown\n\nNotified: January 08, 2016 Updated: January 08, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### CoreOS Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### D-Link Systems, Inc. Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Debian GNU/Linux Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### DesktopBSD Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### DragonFly BSD Project Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### EMC Corporation Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### EfficientIP SAS Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Enterasys Networks Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Ericsson Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Extreme Networks Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### F5 Networks, Inc. Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Fedora Project Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Force10 Networks Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### FreeBSD Project Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Gentoo Linux Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Google Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Hardened BSD Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Hewlett Packard Enterprise Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Hitachi Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Huawei Technologies Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### IBM Corporation Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### IBM eServer Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Infoblox Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Intel Corporation Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Internet Systems Consortium Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Internet Systems Consortium - DHCP Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Juniper Networks Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### McAfee Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Microsoft Corporation Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### NEC Corporation Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### NTPsec Unknown\n\nNotified: January 19, 2016 Updated: January 19, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### NetBSD Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Nokia Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Nominum Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### OmniTI Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### OpenBSD Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### OpenDNS Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Openwall GNU/*/Linux Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Oracle Corporation Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Peplink Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Q1 Labs Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### QNX Software Systems Inc. Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Red Hat, Inc. Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### SUSE Linux Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### SafeNet Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Secure64 Software Corporation Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Slackware Linux Inc. Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### SmoothWall Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Snort Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Sony Corporation Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Sourcefire Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Symantec Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### TippingPoint Technologies Inc. Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Turbolinux Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Ubuntu Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Unisys Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### VMware Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### Wind River Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### dnsmasq Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### m0n0wall Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\n### openSUSE project Unknown\n\nNotified: April 25, 2016 Updated: April 25, 2016 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor References\n\nView all 75 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 6.8 | AV:N/AC:M/Au:N/C:P/I:P/A:P \nTemporal | 5.3 | E:POC/RL:OF/RC:C \nEnvironmental | 5.3 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References \n\n * <http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security>\n * <http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit>\n\n### Acknowledgements\n\nThanks to Cisco TALOS for reporting many of these issues to us. The Network Time Foundation credits many researchers for these vulnerabilities; see NTP.org's January 2016 and April 2016 security advisories for the complete list.\n\nThis document was written by Garret Wassermann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2015-7704](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-7704>), [CVE-2015-7705](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-7705>), [CVE-2015-7973](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-7973>), [CVE-2015-7974](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-7974>), [CVE-2015-7975](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-7975>), [CVE-2015-7976](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-7976>), [CVE-2015-7977](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-7977>), [CVE-2015-7978](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-7978>), [CVE-2015-7979](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-7979>), [CVE-2015-8138](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-8138>), [CVE-2015-8139](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-8139>), [CVE-2015-8140](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-8140>), [CVE-2015-8158](<http://web.nvd.nist.gov/vuln/detail/CVE-2015-8158>), [CVE-2016-1547](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-1547>), [CVE-2016-1548](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-1548>), [CVE-2016-1549](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-1549>), [CVE-2016-1550](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-1550>), [CVE-2016-1551](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-1551>), [CVE-2016-2516](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-2516>), [CVE-2016-2517](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-2517>), [CVE-2016-2518](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-2518>), [CVE-2016-2519](<http://web.nvd.nist.gov/vuln/detail/CVE-2016-2519>) \n---|--- \n**Date Public:** | 2016-04-26 \n**Date First Published:** | 2016-04-27 \n**Date Last Updated: ** | 2016-04-28 15:15 UTC \n**Document Revision: ** | 49 \n", "modified": "2016-04-28T15:15:00", "published": "2016-04-27T00:00:00", "id": "VU:718152", "href": "https://www.kb.cert.org/vuls/id/718152", "type": "cert", "title": "NTP.org ntpd contains multiple vulnerabilities", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "slackware": [{"lastseen": "2020-10-25T16:36:06", "bulletinFamily": "unix", "cvelist": ["CVE-2016-7426", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-7429", "CVE-2016-7431", "CVE-2016-7433", "CVE-2016-7434", "CVE-2016-9310", "CVE-2016-9311", "CVE-2016-9312"], "description": "New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\n14.2, and -current to fix security issues.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/ntp-4.2.8p9-i586-1_slack14.2.txz: Upgraded.\n In addition to bug fixes and enhancements, this release fixes the\n following 1 high- (Windows only :-), 2 medium-, 2 medium-/low, and\n 5 low-severity vulnerabilities, and provides 28 other non-security\n fixes and improvements.\n CVE-2016-9311: Trap crash\n CVE-2016-9310: Mode 6 unauthenticated trap info disclosure and DDoS vector\n CVE-2016-7427: Broadcast Mode Replay Prevention DoS\n CVE-2016-7428: Broadcast Mode Poll Interval Enforcement DoS\n CVE-2016-9312: Windows: ntpd DoS by oversized UDP packet\n CVE-2016-7431: Regression: 010-origin: Zero Origin Timestamp Bypass\n CVE-2016-7434: Null pointer dereference in _IO_str_init_static_internal()\n CVE-2016-7429: Interface selection attack\n CVE-2016-7426: Client rate limiting and server responses\n CVE-2016-7433: Reboot sync calculation problem\n For more information, see:\n https://www.kb.cert.org/vuls/id/633847\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9311\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9310\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7427\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7428\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9312\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7431\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7434\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7429\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7426\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7433\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/ntp-4.2.8p9-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/ntp-4.2.8p9-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/ntp-4.2.8p9-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/ntp-4.2.8p9-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/ntp-4.2.8p9-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/ntp-4.2.8p9-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/ntp-4.2.8p9-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/ntp-4.2.8p9-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/ntp-4.2.8p9-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/ntp-4.2.8p9-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/ntp-4.2.8p9-i586-1_slack14.2.txz\n\nUpdated package for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/ntp-4.2.8p9-x86_64-1_slack14.2.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/ntp-4.2.8p9-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/ntp-4.2.8p9-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 13.0 package:\nde30f660b0bdcf5d395d58fe95baebaf ntp-4.2.8p9-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\ncf19e17e609553bdac6bed7a5463a652 ntp-4.2.8p9-x86_64-1_slack13.0.txz\n\nSlackware 13.1 package:\n366967036495ace2e4ee27c28737fb39 ntp-4.2.8p9-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 package:\n70535cbef8c11188ad965c8c6890c7a5 ntp-4.2.8p9-x86_64-1_slack13.1.txz\n\nSlackware 13.37 package:\nea3caede15d6879d83e9727bb706eb4b ntp-4.2.8p9-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 package:\n08921ff8cf9f68539e12d586765adb5b ntp-4.2.8p9-x86_64-1_slack13.37.txz\n\nSlackware 14.0 package:\nc787e7e9c2b813af7d1d1260a5572f71 ntp-4.2.8p9-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\nd2b1608fc009dac1c68dc710004f26f3 ntp-4.2.8p9-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\n4329419d697ce523da2bf24c060c650f ntp-4.2.8p9-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\nacdb54929957393f6957c28716867bbf ntp-4.2.8p9-x86_64-1_slack14.1.txz\n\nSlackware 14.2 package:\n1118e86610a5ceea6f86901e4306dc1a ntp-4.2.8p9-i586-1_slack14.2.txz\n\nSlackware x86_64 14.2 package:\n9a6db91e52972e7e6ea902acefef1198 ntp-4.2.8p9-x86_64-1_slack14.2.txz\n\nSlackware -current package:\nb098a4bafbb0d07ace6e976624d54a7a n/ntp-4.2.8p9-i586-1.txz\n\nSlackware x86_64 -current package:\n2a08f8963d13804c467cec22603d69e4 n/ntp-4.2.8p9-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg ntp-4.2.8p9-i586-1_slack14.2.txz\n\nThen, restart the NTP daemon:\n\n > sh /etc/rc.d/rc.ntpd restart", "modified": "2016-11-21T19:25:10", "published": "2016-11-21T19:25:10", "id": "SSA-2016-326-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.641761", "type": "slackware", "title": "[slackware-security] ntp", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-10-25T16:36:36", "bulletinFamily": "unix", "cvelist": ["CVE-2015-5300", "CVE-2015-7973", "CVE-2015-7974", "CVE-2015-7975", "CVE-2015-7976", "CVE-2015-7977", "CVE-2015-7978", "CVE-2015-7979", "CVE-2015-8138", "CVE-2015-8158"], "description": "New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\nand -current to fix security issues.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/ntp-4.2.8p6-i486-1_slack14.1.txz: Upgraded.\n In addition to bug fixes and enhancements, this release fixes\n several low and medium severity vulnerabilities.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the \"Get Slack\" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/ntp-4.2.8p6-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/ntp-4.2.8p6-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/ntp-4.2.8p6-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/ntp-4.2.8p6-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/ntp-4.2.8p6-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/ntp-4.2.8p6-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/ntp-4.2.8p6-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/ntp-4.2.8p6-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/ntp-4.2.8p6-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/ntp-4.2.8p6-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/ntp-4.2.8p6-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/ntp-4.2.8p6-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 13.0 package:\n31365ae4f12849e65d4ad1c8c7d5f89a ntp-4.2.8p6-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\n5a2d24bdacd8dd05ab9e0613c829212b ntp-4.2.8p6-x86_64-1_slack13.0.txz\n\nSlackware 13.1 package:\ne70f7422bc81c144e6fac1df2c202634 ntp-4.2.8p6-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 package:\nf6637f6d24b94a6b17c68467956a6283 ntp-4.2.8p6-x86_64-1_slack13.1.txz\n\nSlackware 13.37 package:\n82601e105f95e324dfd1e2f0df513673 ntp-4.2.8p6-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 package:\nd3ba32d46f7eef8f75a3444bbee4c677 ntp-4.2.8p6-x86_64-1_slack13.37.txz\n\nSlackware 14.0 package:\nc5ff13e58fbbea0b7a677e947449e7b1 ntp-4.2.8p6-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n9e2abfaf0b0b7bf84a8a4db89f60eff6 ntp-4.2.8p6-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\ne1e6b84808b7562314e0e29479153553 ntp-4.2.8p6-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\n8db0a4ca68805c7f5e487d5bcd69d098 ntp-4.2.8p6-x86_64-1_slack14.1.txz\n\nSlackware -current package:\nf96f443f54a74c20b5eb67467f5958ea n/ntp-4.2.8p6-i586-1.txz\n\nSlackware x86_64 -current package:\n5e256f2e1906b4c75047a966996a7a41 n/ntp-4.2.8p6-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg ntp-4.2.8p6-i486-1_slack14.1.txz\n\nThen, restart the NTP daemon:\n\n > sh /etc/rc.d/rc.ntpd restart", "modified": "2016-02-23T19:51:20", "published": "2016-02-23T19:51:20", "id": "SSA-2016-054-04", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.546478", "type": "slackware", "title": "[slackware-security] ntp", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "cisco": [{"lastseen": "2020-12-24T11:41:14", "bulletinFamily": "software", "cvelist": ["CVE-2015-8138", "CVE-2016-7426", "CVE-2016-7427", "CVE-2016-7428", "CVE-2016-7429", "CVE-2016-7431", "CVE-2016-7433", "CVE-2016-7434", "CVE-2016-9310", "CVE-2016-9311", "CVE-2016-9312"], "description": "A vulnerability in Network Time Protocol (NTP) could allow an unauthenticated, remote attacker to modify the system clock on a targeted system.\n\nThe vulnerability is due to insufficient checks of user-supplied data by the affected software. An attacker could exploit this vulnerability by sending a crafted packet to a targeted NTP client. A successful exploit could disable server synchronization, resulting in the ability to modify the system clock on the targeted client system.\n\nA vulnerability in the Network Time Protocol (NTP) service could allow a local attacker to cause a denial of service (DoS) condition.\n\nThe vulnerability is due to improper initial sync calculations that are performed by the affected software. The vulnerability was introduced as the result of an attempt to fix NTP Bug 2085, involving a condition where the root delay was included twice, causing a higher than expected jitter value. Because of a misinterpretation of a small-print variable, a root distance would not include the peer dispersion. An attacker could exploit this vulnerability to cause a partial DoS condition on an affected system.\n\nA vulnerability in the Network Time Protocol (NTP) service could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.\n\nThe vulnerability is due to improper handling of crafted packets by the affected software when the trap service is enabled. An attacker could exploit this vulnerability by sending crafted packets to a targeted system. An exploit could cause a NULL pointer dereference that could cause the ntpd service to crash, resulting in a DoS condition.\n\nA vulnerability in the Network Time Protocol (NTP) service could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.\n\nThe vulnerability is due to insufficient resource pooling when rate limiting for all associations is configured within the affected software. An attacker could exploit this vulnerability by sending crafted packets with a spoofed source address to the targeted system. An exploit could prevent the affected software from accepting valid responses from its configured sources, resulting in a DoS condition.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow a local attacker to cause a denial of service (DoS) condition on a targeted system.\n\nThe vulnerability is due to improper validation of user-supplied data by the affected software. An attacker could exploit the vulnerability by sending a malicious packet to a targeted system. A successful exploit could cause the ntpd to stop functioning, resulting in a DoS condition.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.\n\nThe vulnerability is due to improper validation of user-supplied data by the affected software. An unauthenticated, remote attacker could exploit the vulnerability by sending a malicious packet to a targeted system. A successful exploit could cause the ntpd to stop functioning, resulting in a DoS condition.\n\nA vulnerability in the broadcast-mode, poll-interval enforcement functionality of the Network Time Protocol (NTP) service could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.\n\nThe vulnerability is due to improper resource management by the affected software. An attacker who has access to the broadcast domain of a targeted system could exploit this vulnerability by injecting crafted, broadcast-mode NTP packets into the broadcast domain in which the targeted system resides. A successful exploit could cause the NTP daemon to reject broadcast-mode packets from legitimate broadcast servers, resulting in a DoS condition.\n\nA vulnerability in the broadcast-mode, replay prevention functionality of the Network Time Protocol (NTP) service could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.\n\nThe vulnerability is due to improper resource management by the affected software. An attacker who has access to the broadcast domain of a targeted system could exploit this vulnerability by injecting crafted, broadcast-mode NTP packets into the broadcast domain in which the targeted system resides. A successful exploit could cause the NTP daemon to reject broadcast-mode packets from legitimate broadcast servers, resulting in a DoS condition.\n\nA vulnerability in the control mode (mode 6) functionality of the Network Time Protocol (NTP) service could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition.\n\nThe vulnerability is due to improper security restrictions that could lead to configuration modification. If the restrict default noquery best current practices recommendation for NTP is not specified, an attacker could exploit this vulnerability by sending a crafted control mode packet to an affected system. An exploit could allow the attacker to modify the affected software. The attacker could set ntpd traps, which could be leveraged to disclose sensitive information or aid in DDoS amplification. In addition, an attacker could unset ntpd traps, which could disable monitoring, resulting in a DoS condition.\n\nMultiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server.\n\nOn November 21, 2016, the NTP Consortium of the Network Time Foundation released a security notice that details ten issues regarding DoS vulnerabilities and logic issues that may allow an attacker to shift a system's time.\n\nThe new vulnerabilities disclosed in this document are as follows:\n\nNetwork Time Protocol Trap Service Denial of Service Vulnerability\nNetwork Time Protocol Broadcast Mode Denial of Service Vulnerability\nNetwork Time Protocol Broadcast Mode Denial of Service Vulnerability\nNetwork Time Protocol Insufficient Resource Pool Denial of Service Vulnerability\nNetwork Time Protocol Configuration Modification Denial of Service Vulnerability\nNetwork Time Protocol mrulist Query Requests Denial of Service Vulnerability\nNetwork Time Protocol Multiple Binds to the Same Port Vulnerability\nNetwork Time Protocol Rate Limiting Denial of Service Vulnerability\n\nAs well as:\n\nRegression of CVE-2015-8138\nNetwork Time Protocol Reboot sync calculation problem\n Additional details about each vulnerability are in the NTP Consortium Security Notice [\"http://support.ntp.org/bin/view/Main/SecurityNotice#November_2016_ntp_4_2_8p9_NTP_Se\"].\n\nWorkarounds that address one or more of these vulnerabilities may be available and are documented in the Cisco bug for each affected product.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161123-ntpd [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161123-ntpd\"]", "modified": "2017-01-23T14:51:48", "published": "2016-11-23T16:00:00", "id": "CISCO-SA-20161123-NTPD", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161123-ntpd", "type": "cisco", "title": "Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: November 2016", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2020-12-24T11:41:24", "bulletinFamily": "software", "cvelist": ["CVE-2015-7973", "CVE-2015-7974", "CVE-2015-7975", "CVE-2015-7976", "CVE-2015-7977", "CVE-2015-7978", "CVE-2015-7979", "CVE-2015-8138", "CVE-2015-8139", "CVE-2015-8140", "CVE-2015-8158"], "description": "A vulnerability in the Network Time Protocol daemon (ntpd) could allow an authenticated, remote attacker to leverage any trusted key, not just the trusted key for its address.\n\nThe vulnerability is exists because ntpd does not properly verify that the key being used matches the proper servers' key. An attacker could exploit this vulnerability by sending packets with any trusted key, as long as the keyid references another key the systems share and that key is used to compute the message authentication code (MAC). An exploit could allow the attacker to masquerade as another configured trusted association.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an unauthenticated, adjacent attacker to replay broadcast server packets.\n\nThe vulnerability is due to no replay protection on NTP broadcast packets. An attacker could exploit this vulnerability by capturing and retransmiting NTP broadcast packets to a targeted system. An exploit could allow the attacker to cause time settings on a targeted system to stop updating and maintain a particular time value.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an unauthenticated, remote attacker to modify time settings on a targeted system.\n\nThe vulnerability is due to incorrect processing of NTP update packets. An attacker could exploit this vulnerability by sending crafted updates that contain an a zero-origin timestamp to the clients' peer server. An exploit could allow the attacker to modify the time values received by the client, preventing client systems from receiving further updates from its legitimately configured time server.\n\nA vulnerability in the Standard Network Time Protocol query program (ntpq) could allow an unauthenticated, remote attacker to replay a previously captured ntpq command.\n\nThe vulnerability is due to an invalid checking of the sequence number. An attacker could exploit this vulnerability by capturing an authenticated ntpq command that was executed and then replaying back the command at a later stage. An exploit could allow the attacker to replay previously captured ntpq commands.\n\nA vulnerability in the list_restrict4() and list_restrict6() routines of the Network Time Protocol daemon (ntpd) could allow an authenticated, remote attacker to cause the ntpd to crash.\n\nThe vulnerability is due to a null pointer dereference in the list_restrict4() and list_restrict6() routines. An attacker could exploit this vulnerability by performing an ntpdc reslist command against a device that has a large number of NTP restrictions in place. An exploit could allow the attacker to cause the ntpd to crash.\n\nA vulnerability in the standard Network Time Protocol query program (ntpq) could allow a unauthenticated, local attacker to execute a buffer overflow attack.\n\nThe vulnerability is due to the function nextvar() executing a memcpy() into the name buffer without a proper length check. An attacker could exploit this vulnerability by calling ntpq to read variable names from an untrusted source, such as a user or environment variable. An exploit could allow the attacker to trigger a buffer overflow.\n\nA vulnerability in the standard and special Network Time Protocol query program (ntpq and ntpdc) could allow an unauthenticated, remote attacker to cause the ntpq or ntpdc program to remain in a processing loop.\n\nThe vulnerability is due to a loop that is not exited under certain conditions in the ntpq and ntpdc processes. An attacker could exploit this vulnerability by sending malicious packets to an ntpq or ntpdc client from a malicious NTP server or from a privileged network position by conducting a man-in-the-middle attack between a targeted client and the NTP server. An exploit could allow the attacker to cause the ntpq or ntpdc process to enter an infinite loop, resulting in a denial of service (DoS) condition.\n\nA vulnerability in the standard and the special Network Time Protocol query program (ntpq and ntpdc) could allow an unauthenticated, remote attacker to obtain the value of the origin timestamp expected in the next peer response.\n\nThe vulnerability is due to ntpq and ntpdc providing this information without requiring authentication. An attacker could exploit this issue by querying the client with the appropriate ntpq or ntpdc commands. An exploit could allow the attacker to obtain the next peer response origin timestamp, which could be leveraged in further attacks.\n\nA vulnerability of the Network Time Protocol daemon (ntpd) could allow an authenticated, remote attacker to cause the ntpd to crash by exhausting the call stack.\n\nThe vulnerability exists because function calls to list_restrict4() or list_restrict6() can be made to exhaust space on the call stack. An attacker could exploit this vulnerability by performing an ntpdc reslist command against a device that has a large number of NTP restrictions in place. An exploit could allow the attacker to cause the ntpd to crash.\n\nA vulnerability the Network Time Protocol daemon (ntpd) could allow an unauthenticated, remote attacker to prevent clients from synchronizing to a time server.\n\nThe vulnerability is due to the improper handling of malicious packets by the broadcast server. An attacker could exploit this vulnerability by sending malicious, authenticated packets to the broadcast network. An exploit could allow the attacker to prevent the broadcast clients from synchronizing with configured time servers.\n\nAn issue in the standard Network Time Protocol query program (ntpq) could allow an authenticated, remote attacker to create files on the system with dangerous characters in the filename.\n\nThe issue is due to to improper validation of characters within filenames. An attacker could exploit this issue by saving a filename with the saveconfig command. An exploit could allow the attacker to write filenames to the system that may contain potentially dangerous character sequences.\n\nMultiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server.\n\nOn January 19, 2016, NTP Consortium at Network Time Foundation released a security advisory detailing 12 issues regarding multiple DoS vulnerabilities, information disclosure vulnerabilities, and logic issues that may allow an attacker to shift a client's time. The vulnerabilities covered in this document are as follows:\n\nCVE-2015-7973: Network Time Protocol Replay Attack on Authenticated Broadcast Mode Vulnerability\nCVE-2015-7974: Network Time Protocol Missing Trusted Key Check\nCVE-2015-7975: Standard Network Time Protocol Query Program nextvar() Missing Length Check\nCVE-2015-7976: Standard Network Time Protocol Query Program saveconfig Command Allows Dangerous Characters in Filenames\nCVE-2015-7978: Network Time Protocol Daemon reslist NULL Pointer Deference Denial of Service Vulnerability\nCVE-2015-7977: Network Time Protocol Stack Exhaustion Denial of Service\nCVE-2015-7979: Network Time Protocol Off-Path Broadcast Mode Denial of Service\nCVE-2015-8138: Network Time Protocol Zero Origin Timestamp Bypass\nCVE-2015-8139: Network Time Protocol Information Disclosure of Origin Timestamp\nCVE-2015-8140: Standard Network Time Protocol Query Program Replay Attack\nCVE-2015-8158: Standard and Special Network Time Protocol Query Program Infinite loop\n Additional details on each of the vulnerabilities are in the official security advisory from the NTP Consortium at Network Time Foundation at the following link: Security Notice [\"http://nwtime.org/security-policy/\"]\n\nCisco has released software updates that address these vulnerabilities.\n\nWorkarounds that address some of these vulnerabilities may be available. Available workarounds will be documented in the corresponding Cisco bug for each affected product.\n\nThis advisory is available at the following link:\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd", "modified": "2016-03-07T14:02:40", "published": "2016-01-27T20:00:00", "id": "CISCO-SA-20160127-NTPD", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd", "type": "cisco", "title": "Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}], "suse": [{"lastseen": "2016-09-04T12:22:35", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "edition": 1, "description": "ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n These security issues were fixed:\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n\n This update was imported from the SUSE:SLE-12-SP1:Update update project.\n\n", "modified": "2016-05-12T21:07:47", "published": "2016-05-12T21:07:47", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00038.html", "id": "OPENSUSE-SU-2016:1292-1", "title": "Security update for ntp (important)", "type": "suse", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T12:46:49", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "edition": 1, "description": "ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n These security issues were fixed:\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n\n", "modified": "2016-04-28T19:13:09", "published": "2016-04-28T19:13:09", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00060.html", "id": "SUSE-SU-2016:1177-1", "title": "Security update for ntp (important)", "type": "suse", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T11:47:01", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "edition": 1, "description": "ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\n These security issues were fixed:\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n - bsc#784760: Remove local clock from default configuration\n\n", "modified": "2016-04-28T19:09:34", "published": "2016-04-28T19:09:34", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00059.html", "id": "SUSE-SU-2016:1175-1", "title": "Security update for ntp (important)", "type": "suse", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T12:27:22", "bulletinFamily": "unix", "cvelist": ["CVE-2015-7703", "CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7855", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7704", "CVE-2015-7979", "CVE-2015-7701", "CVE-2015-7976", "CVE-2015-7848", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7692", "CVE-2015-7851", "CVE-2015-7702", "CVE-2015-7852", "CVE-2015-7871", "CVE-2015-7849", "CVE-2015-7691", "CVE-2015-7705", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7850", "CVE-2015-7854", "CVE-2015-7978", "CVE-2015-7853"], "description": "ntp was updated to version 4.2.8p6 to fix 28 security issues.\n\n Major functional changes:\n - The "sntp" commandline tool changed its option handling in a major way,\n some options have been renamed or dropped.\n - "controlkey 1" is added during update to ntp.conf to allow sntp to work.\n - The local clock is being disabled during update.\n - ntpd is no longer running chrooted.\n\n Other functional changes:\n - ntp-signd is installed.\n - "enable mode7" can be added to the configuration to allow ntdpc to work\n as compatibility mode option.\n - "kod" was removed from the default restrictions.\n - SHA1 keys are used by default instead of MD5 keys.\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n These security issues were fixed:\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n - CVE-2015-7871: NAK to the Future: Symmetric association authentication\n bypass via crypto-NAK (bsc#951608).\n - CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning\n FAIL on some bogus values (bsc#951608).\n - CVE-2015-7854: Password Length Memory Corruption Vulnerability\n (bsc#951608).\n - CVE-2015-7853: Invalid length data provided by a custom refclock driver\n could cause a buffer overflow (bsc#951608).\n - CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability\n (bsc#951608).\n - CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#951608).\n - CVE-2015-7850: remote config logfile-keyfile (bsc#951608).\n - CVE-2015-7849: trusted key use-after-free (bsc#951608).\n - CVE-2015-7848: mode 7 loop counter underrun (bsc#951608).\n - CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#951608).\n - CVE-2015-7703: configuration directives "pidfile" and "driftfile" should\n only be allowed locally (bsc#951608).\n - CVE-2015-7704, CVE-2015-7705: Clients that receive a KoD should validate\n the origin timestamp field (bsc#951608).\n - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702: Incomplete autokey data\n packet length checks (bsc#951608).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n - Add a controlkey line to /etc/ntp.conf if one does not already exist to\n allow runtime configuuration via ntpq.\n - bsc#946386: Temporarily disable memlock to avoid problems due to high\n memory usage during name resolution.\n - bsc#905885: Use SHA1 instead of MD5 for symmetric keys.\n - Improve runtime configuration:\n * Read keytype from ntp.conf\n * Don't write ntp keys to syslog.\n - Fix legacy action scripts to pass on command line arguments.\n - bsc#944300: Remove "kod" from the restrict line in ntp.conf.\n - bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.\n - Add a controlkey to ntp.conf to make the above work.\n - Don't let "keysdir" lines in ntp.conf trigger the "keys" parser.\n - Disable mode 7 (ntpdc) again, now that we don't use it anymore.\n - Add "addserver" as a new legacy action.\n - bsc#910063: Fix the comment regarding addserver in ntp.conf.\n - bsc#926510: Disable chroot by default.\n - bsc#920238: Enable ntpdc for backwards compatibility.\n\n", "edition": 1, "modified": "2016-05-06T13:07:50", "published": "2016-05-06T13:07:50", "id": "SUSE-SU-2016:1247-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00020.html", "title": "Security update for ntp (important)", "type": "suse", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:33:04", "bulletinFamily": "software", "cvelist": ["CVE-2016-7434", "CVE-2016-9311", "CVE-2017-6460", "CVE-2016-7433", "CVE-2017-6458", "CVE-2016-7427", "CVE-2016-9042", "CVE-2017-6462", "CVE-2016-7429", "CVE-2017-6463", "CVE-2016-2519", "CVE-2016-7428", "CVE-2016-9310", "CVE-2017-6464", "CVE-2016-7426", "CVE-2016-7431"], "description": "# \n\n# Severity\n\nMedium\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\n * Canonical Ubuntu 14.04\n\n# Description\n\nYihan Lian discovered that NTP incorrectly handled certain large request data values. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. ([CVE-2016-2519](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2519>))\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain spoofed addresses when performing rate limiting. A remote attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. ([CVE-2016-7426](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7426>))\n\nMatthew Van Gundy discovered that NTP incorrectly handled certain crafted broadcast mode packets. A remote attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. ([CVE-2016-7427](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7427>), [CVE-2016-7428](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7428>))\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain responses. A remote attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. ([CVE-2016-7429](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7429>))\n\nSharon Goldberg and Aanchal Malhotra discovered that NTP incorrectly handled origin timestamps of zero. A remote attacker could possibly use this issue to bypass the origin timestamp protection mechanism. This issue only affected Ubuntu 16.10. ([CVE-2016-7431](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7431>))\n\nBrian Utterback, Sharon Goldberg and Aanchal Malhotra discovered that NTP incorrectly performed initial sync calculations. This issue only applied to Ubuntu 16.04 LTS and Ubuntu 16.10. ([CVE-2016-7433](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7433>))\n\nMagnus Stubman discovered that NTP incorrectly handled certain mrulist queries. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. ([CVE-2016-7434](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7434>))\n\nMatthew Van Gund discovered that NTP incorrectly handled origin timestamp checks. A remote attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu Ubuntu 16.10, and Ubuntu 17.04. ([CVE-2016-9042](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9042>))\n\nMatthew Van Gundy discovered that NTP incorrectly handled certain control mode packets. A remote attacker could use this issue to set or unset traps. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. ([CVE-2016-9310](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9310>))\n\nMatthew Van Gundy discovered that NTP incorrectly handled the trap service. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. ([CVE-2016-9311](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9311>))\n\nIt was discovered that NTP incorrectly handled memory when processing long variables. A remote authenticated user could possibly use this issue to cause NTP to crash, resulting in a denial of service. ([CVE-2017-6458](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6458>))\n\nIt was discovered that NTP incorrectly handled memory when processing long variables. A remote authenticated user could possibly use this issue to cause NTP to crash, resulting in a denial of service. This issue only applied to Ubuntu 16.04 LTS, Ubuntu 16.10 and Ubuntu 17.04. ([CVE-2017-6460](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6460>))\n\nIt was discovered that the NTP legacy DPTS refclock driver incorrectly handled the /dev/datum device. A local attacker could possibly use this issue to cause a denial of service. ([CVE-2017-6462](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6462>))\n\nIt was discovered that NTP incorrectly handled certain invalid settings in a :config directive. A remote authenticated user could possibly use this issue to cause NTP to crash, resulting in a denial of service. ([CVE-2017-6463](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6463>))\n\nIt was discovered that NTP incorrectly handled certain invalid mode configuration directives. A remote authenticated user could possibly use this issue to cause NTP to crash, resulting in a denial of service. ([CVE-2017-6464](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6464>))\n\n# Affected Cloud Foundry Products and Versions\n\n_Severity is medium unless otherwise noted._\n\n * Cloud Foundry BOSH stemcells are vulnerable, including: \n * 3312.x versions prior to 3312.32\n * 3363.x versions prior to 3363.29\n * 3421.x versions prior to 3421.18\n * All other stemcells not listed.\n * All versions of Cloud Foundry cflinuxfs2 prior to 1.137.0\n\n# Mitigation\n\nOSS users are strongly encouraged to follow one of the mitigations below:\n\n * The Cloud Foundry project recommends upgrading the following BOSH stemcells: \n * Upgrade 3312.x versions prior to 3312.32\n * Upgrade 3363.x versions prior to 3363.29\n * Upgrade 3421.x versions prior to 3421.18\n * All other stemcells should be upgraded to the latest version available on [bosh.io](<https://bosh.io>).\n * The Cloud Foundry project recommends that Cloud Foundry deployments run with cflinuxfs2 version 1.137.0 or later.\n\n# References\n\n * [USN-3349-1](<http://www.ubuntu.com/usn/usn-3349-1/>)\n * [CVE-2016-2519](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-2519>)\n * [CVE-2016-7426](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7426>)\n * [CVE-2016-7427](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7427>)\n * [CVE-2016-7428](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7428>)\n * [CVE-2016-7429](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7429>)\n * [CVE-2016-7431](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7431>)\n * [CVE-2016-7433](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7433>)\n * [CVE-2016-7434](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-7434>)\n * [CVE-2016-9042](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9042>)\n * [CVE-2016-9310](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9310>)\n * [CVE-2016-9311](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2016-9311>)\n * [CVE-2017-6458](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6458>)\n * [CVE-2017-6460](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6460>)\n * [CVE-2017-6462](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6462>)\n * [CVE-2017-6463](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6463>)\n * [CVE-2017-6464](<http://people.ubuntu.com/~ubuntu-security/cve/CVE-2017-6464>)\n", "edition": 5, "modified": "2017-08-04T00:00:00", "published": "2017-08-04T00:00:00", "id": "CFOUNDRY:8722C197C1671303FFCA9E919368B734", "href": "https://www.cloudfoundry.org/blog/usn-3349-1/", "title": "USN-3349-1: NTP vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.1, "vector": "AV:N/AC:M/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2019-05-29T18:32:58", "bulletinFamily": "software", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2016-4956", "CVE-2016-4955", "CVE-2015-8138", "CVE-2016-0727", "CVE-2015-7973", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7979", "CVE-2016-4954", "CVE-2015-7976", "CVE-2016-1547", "CVE-2015-7974", "CVE-2015-7978"], "description": "USN-3096-1 NTP vulnerabilities\n\n# \n\nMedium\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\nCanonical Ubuntu 14.04 LTS\n\n# Description\n\nAanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to perform a replay attack. (CVE-2015-7973)\n\nMatt Street discovered that NTP incorrectly verified peer associations of symmetric keys. A remote attacker could use this issue to perform an impersonation attack. (CVE-2015-7974)\n\nJonathan Gardner discovered that the NTP ntpq utility incorrectly handled dangerous characters in filenames. An attacker could possibly use this issue to overwrite arbitrary files. (CVE-2015-7976)\n\nStephen Gray discovered that NTP incorrectly handled large restrict lists. An attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7977, CVE-2015-7978)\n\nAanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7979)\n\nJonathan Gardner discovered that NTP incorrectly handled origin timestamp checks. A remote attacker could use this issue to spoof peer servers. (CVE-2015-8138)\n\nJonathan Gardner discovered that the NTP ntpq utility did not properly handle certain incorrect values. An attacker could possibly use this issue to cause ntpq to hang, resulting in a denial of service. (CVE-2015-8158)\n\nIt was discovered that the NTP cronjob incorrectly cleaned up the statistics directory. A local attacker could possibly use this to escalate privileges. (CVE-2016-0727)\n\nStephen Gray and Matthew Van Gundy discovered that NTP incorrectly validated crypto-NAKs. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1547)\n\nMiroslav Lichvar and Jonathan Gardner discovered that NTP incorrectly handled switching to interleaved symmetric mode. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1548)\n\nMatthew Van Gundy, Stephen Gray and Loganaden Velvindron discovered that NTP incorrectly handled message authentication. A remote attacker could possibly use this issue to recover the message digest key. (CVE-2016-1550)\n\nYihan Lian discovered that NTP incorrectly handled duplicate IPs on unconfig directives. An authenticated remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2516)\n\nYihan Lian discovered that NTP incorrectly handled certain peer associations. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2518)\n\nJakub Prokes discovered that NTP incorrectly handled certain spoofed packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4954)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain packets when autokey is enabled. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4955)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain spoofed broadcast packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4956)\n\nIn the default installation, attackers would be isolated by the NTP AppArmor profile.\n\n# Affected Cloud Foundry Products and Versions\n\nSeverity is medium unless otherwise noted.\n\nCloud Foundry BOSH stemcells are vulnerable, including:\n\n * All versions prior to 3146.24\n * 3151.x versions prior to 3151.2\n * 3232.x versions prior to 3232.22\n * 3233.x versions prior to 3233.2\n * 3262.x versions prior to 3262.21\n * Other versions prior to 3263.7\n\n# Mitigation\n\nThe Cloud Foundry team recommends upgrading to the following BOSH stemcells:\n\n * Upgrade all versions prior to 3146.x to 3146.24\n * Upgrade 3151.x versions to 3151.2\n * Upgrade 3232.x versions to 3232.22\n * Upgrade 3233.x versions to 3233.2\n * Upgrade 3262.x versions to 3262.21\n * Upgrade other versions to 3263.7\n\n# Credit\n\nMatt Street, Aanchal Malhotra, Jonathan Gardner, Matthew Van Gundy, Stephen Gray, Loganaden Velvindron, Yihan Lian, Jakub Prokes, Miroslav Lichvar\n\n# References\n\n * <https://www.ubuntu.com/usn/usn-3096-1/>\n", "edition": 5, "modified": "2016-12-21T00:00:00", "published": "2016-12-21T00:00:00", "id": "CFOUNDRY:0B67E4FF46553AC705FD601C96C1A6B6", "href": "https://www.cloudfoundry.org/blog/usn-3096-1/", "title": "USN-3096-1: NTP vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}