{"id": "TALOS-2016-0075", "bulletinFamily": "info", "title": "Network Time Protocol Private Mode 'reslist' Stack Memory Exhaustion Vulnerability", "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0075\n\n## Network Time Protocol Private Mode 'reslist' Stack Memory Exhaustion Vulnerability\n\n##### January 19, 2016\n\n##### CVE Number\n\nCVE-2015-7978\n\nCERT VU#357792\n\n### Summary\n\nAn unauthenticated ntpdc reslist command can cause a segmentation fault in ntpd by exhausting the call stack.\n\nThe following conditions must be met:\n\n 1. Mode 7 must be enabled. By default, mode 7 is disabled.\n 2. A large enough number of entries must be in the restrict lists to cause enough calls to list_restrict4() or list_restrict6() that the stack space is exhausted.\n\n### Expected Behavior:\n\nThe ntpdc reslist command is used to query the restrictions currently enforced by ntpd. If the number of restrictions is too large, enough function calls to list_restrict4() or list_restric6() will occur to exhaust the space on the call stack. The reslist command does not require authentication.\n\nThe ntpd process should be able to traverse any number of entries in the restrict list without exhausting the call stack.\n\n### Actual Behavior:\n\nThe IPv4 and IPv6 restriction lists are kept sorted in reverse order. To correctly display the output, the functions list_restrict4() and list_restrict6() traverse the list recursively and dump the lists in reverse. If enough entries exist in the restrict list, the recursion will eventually exhaust the available space on the call stack.\n\n### Implications of the defect:\n\nAn attacker that can increase the size of the restrict list on a server with request mode enabled can crash ntpd. The attacker might be able to increase the number of restrictions dynamically via the \"restrict source\" mechanism. Additionally, an authenticated user can add restrict lines to the configuration with mode 6 if it is enabled.\n\n### Recommendations:\n\nUse iteration to traverse the restrict list or terminate the recursion after some number of entries have been processed.\n\n### Tested Versions\n\nntp 4.2.8p3 \nNTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92\n\n### Product URLs\n\n<http://www.ntp.org> \n<http://www.ntpsec.org/>\n\n### CVSS Score\n\nCVSSv2: 5.4 - AV:N/AC:H/Au:N/C:N/I:N/A:C \nCVSSv3: 5.9 - AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n### Timeline\n\n2015-10-07 - Vendor Disclosure \n2016-01-19 - Public Release\n\n##### Credit\n\nStephen Gray\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0076\n\nPrevious Report\n\nTALOS-2016-0074\n", "published": "2016-01-19T00:00:00", "modified": "2016-01-19T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0075", "reporter": "Talos Intelligence", "references": [], "cvelist": ["CVE-2015-7978"], "type": "talos", "lastseen": "2018-08-31T00:36:19", "history": [{"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2015-7978"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0075\n\n## Network Time Protocol Private Mode 'reslist' Stack Memory Exhaustion Vulnerability\n\n##### January 19, 2016\n\n##### CVE Number\n\nCVE-2015-7978\n\nCERT VU#357792\n\n### Summary\n\nAn unauthenticated ntpdc reslist command can cause a segmentation fault in ntpd by exhausting the call stack.\n\nThe following conditions must be met:\n\n 1. Mode 7 must be enabled. By default, mode 7 is disabled.\n 2. A large enough number of entries must be in the restrict lists to cause enough calls to list_restrict4() or list_restrict6() that the stack space is exhausted.\n\n### Expected Behavior:\n\nThe ntpdc reslist command is used to query the restrictions currently enforced by ntpd. If the number of restrictions is too large, enough function calls to list_restrict4() or list_restric6() will occur to exhaust the space on the call stack. The reslist command does not require authentication.\n\nThe ntpd process should be able to traverse any number of entries in the restrict list without exhausting the call stack.\n\n### Actual Behavior:\n\nThe IPv4 and IPv6 restriction lists are kept sorted in reverse order. To correctly display the output, the functions list_restrict4() and list_restrict6() traverse the list recursively and dump the lists in reverse. If enough entries exist in the restrict list, the recursion will eventually exhaust the available space on the call stack.\n\n### Implications of the defect:\n\nAn attacker that can increase the size of the restrict list on a server with request mode enabled can crash ntpd. The attacker might be able to increase the number of restrictions dynamically via the \"restrict source\" mechanism. Additionally, an authenticated user can add restrict lines to the configuration with mode 6 if it is enabled.\n\n### Recommendations:\n\nUse iteration to traverse the restrict list or terminate the recursion after some number of entries have been processed.\n\n### Tested Versions\n\nntp 4.2.8p3 \nNTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92\n\n### Product URLs\n\n<http://www.ntp.org> \n<http://www.ntpsec.org/>\n\n### CVSS Score\n\nCVSSv2: 5.4 - AV:N/AC:H/Au:N/C:N/I:N/A:C \nCVSSv3: 5.9 - AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n### Timeline\n\n2015-10-07 - Vendor Disclosure \n2016-01-19 - Public Release\n\n##### Credit\n\nStephen Gray\n\n* * *\n\nBack\n", "edition": 2, "hash": "f7c64b2c36f8b0ae6c082ac18b59e86d89d71a0d031b47c356bbac9c4f25f852", "hashmap": [{"hash": "84c08cb9f8f093887ac14c9ea07fcd0c", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "023c2ac5b7ebb9c0b61f61354ada163f", "key": "modified"}, {"hash": "0afd20de3dc97cf9f0412ac5ef720a4f", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "023c2ac5b7ebb9c0b61f61354ada163f", "key": "published"}, {"hash": "f2cee3fd74aadb43c91396f206bcf3e8", "key": "type"}, {"hash": "11f1ed18c7bd1e05a18ddbd32fb48f83", "key": "description"}, {"hash": "ca965bf058afad33ff775c6b5f29ad68", "key": "href"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "34956ac0a726126687502bf9088bc7bb", "key": "reporter"}], "history": [], "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0075", "id": "TALOS-2016-0075", "lastseen": "2017-05-13T14:24:51", "modified": "2016-01-19T00:00:00", "objectVersion": "1.2", "published": "2016-01-19T00:00:00", "references": [], "reporter": "Talos Intelligence", "title": "Network Time Protocol Private Mode 'reslist' Stack Memory Exhaustion Vulnerability", "type": "talos", "viewCount": 0}, "differentElements": ["cvss"], "edition": 2, "lastseen": "2017-05-13T14:24:51"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2015-7978"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0075\n\n## Network Time Protocol Private Mode 'reslist' Stack Memory Exhaustion Vulnerability\n\n##### January 19, 2016\n\n##### CVE Number\n\nCVE-2015-7978\n\nCERT VU#357792\n\n### Summary\n\nAn unauthenticated ntpdc reslist command can cause a segmentation fault in ntpd by exhausting the call stack.\n\nThe following conditions must be met:\n\n 1. Mode 7 must be enabled. By default, mode 7 is disabled.\n 2. A large enough number of entries must be in the restrict lists to cause enough calls to list_restrict4() or list_restrict6() that the stack space is exhausted.\n\n### Expected Behavior:\n\nThe ntpdc reslist command is used to query the restrictions currently enforced by ntpd. If the number of restrictions is too large, enough function calls to list_restrict4() or list_restric6() will occur to exhaust the space on the call stack. The reslist command does not require authentication.\n\nThe ntpd process should be able to traverse any number of entries in the restrict list without exhausting the call stack.\n\n### Actual Behavior:\n\nThe IPv4 and IPv6 restriction lists are kept sorted in reverse order. To correctly display the output, the functions list_restrict4() and list_restrict6() traverse the list recursively and dump the lists in reverse. If enough entries exist in the restrict list, the recursion will eventually exhaust the available space on the call stack.\n\n### Implications of the defect:\n\nAn attacker that can increase the size of the restrict list on a server with request mode enabled can crash ntpd. The attacker might be able to increase the number of restrictions dynamically via the \"restrict source\" mechanism. Additionally, an authenticated user can add restrict lines to the configuration with mode 6 if it is enabled.\n\n### Recommendations:\n\nUse iteration to traverse the restrict list or terminate the recursion after some number of entries have been processed.\n\n### Tested Versions\n\nntp 4.2.8p3 \nNTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92\n\n### Product URLs\n\n<http://www.ntp.org> \n<http://www.ntpsec.org/>\n\n### CVSS Score\n\nCVSSv2: 5.4 - AV:N/AC:H/Au:N/C:N/I:N/A:C \nCVSSv3: 5.9 - AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n### Timeline\n\n2015-10-07 - Vendor Disclosure \n2016-01-19 - Public Release\n\n##### Credit\n\nStephen Gray\n\n* * *\n\nVulnerability Reports Next Report Previous Report\n", "edition": 4, "enchantments": {}, "hash": "cf4210f092dbb5b06d76dd5aa711c16208ed6db7d1102bd33c5948d6c315ab59", "hashmap": [{"hash": "84c08cb9f8f093887ac14c9ea07fcd0c", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "023c2ac5b7ebb9c0b61f61354ada163f", "key": "modified"}, {"hash": "0afd20de3dc97cf9f0412ac5ef720a4f", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "023c2ac5b7ebb9c0b61f61354ada163f", "key": "published"}, {"hash": "f2cee3fd74aadb43c91396f206bcf3e8", "key": "type"}, {"hash": "ca965bf058afad33ff775c6b5f29ad68", "key": "href"}, {"hash": "84813b1457b92d6ba1174abffbb83a2f", "key": "cvss"}, {"hash": "34956ac0a726126687502bf9088bc7bb", "key": "reporter"}, {"hash": "10f248c46f722778312a81433ff95edc", "key": "description"}], "history": [], "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0075", "id": "TALOS-2016-0075", "lastseen": "2017-07-24T22:18:10", "modified": "2016-01-19T00:00:00", "objectVersion": "1.3", "published": "2016-01-19T00:00:00", "references": [], "reporter": "Talos Intelligence", "title": "Network Time Protocol Private Mode 'reslist' Stack Memory Exhaustion Vulnerability", "type": "talos", "viewCount": 0}, "differentElements": ["description"], "edition": 4, "lastseen": "2017-07-24T22:18:10"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2015-7978"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0075\n\n## Network Time Protocol Private Mode 'reslist' Stack Memory Exhaustion Vulnerability\n\n##### January 19, 2016\n\n##### CVE Number\n\nCVE-2015-7978\n\nCERT VU#357792\n\n### Summary\n\nAn unauthenticated ntpdc reslist command can cause a segmentation fault in ntpd by exhausting the call stack.\n\nThe following conditions must be met:\n\n 1. Mode 7 must be enabled. By default, mode 7 is disabled.\n 2. A large enough number of entries must be in the restrict lists to cause enough calls to list_restrict4() or list_restrict6() that the stack space is exhausted.\n\n### Expected Behavior:\n\nThe ntpdc reslist command is used to query the restrictions currently enforced by ntpd. If the number of restrictions is too large, enough function calls to list_restrict4() or list_restric6() will occur to exhaust the space on the call stack. The reslist command does not require authentication.\n\nThe ntpd process should be able to traverse any number of entries in the restrict list without exhausting the call stack.\n\n### Actual Behavior:\n\nThe IPv4 and IPv6 restriction lists are kept sorted in reverse order. To correctly display the output, the functions list_restrict4() and list_restrict6() traverse the list recursively and dump the lists in reverse. If enough entries exist in the restrict list, the recursion will eventually exhaust the available space on the call stack.\n\n### Implications of the defect:\n\nAn attacker that can increase the size of the restrict list on a server with request mode enabled can crash ntpd. The attacker might be able to increase the number of restrictions dynamically via the \"restrict source\" mechanism. Additionally, an authenticated user can add restrict lines to the configuration with mode 6 if it is enabled.\n\n### Recommendations:\n\nUse iteration to traverse the restrict list or terminate the recursion after some number of entries have been processed.\n\n### Tested Versions\n\nntp 4.2.8p3 \nNTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92\n\n### Product URLs\n\n<http://www.ntp.org> \n<http://www.ntpsec.org/>\n\n### CVSS Score\n\nCVSSv2: 5.4 - AV:N/AC:H/Au:N/C:N/I:N/A:C \nCVSSv3: 5.9 - AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n### Timeline\n\n2015-10-07 - Vendor Disclosure \n2016-01-19 - Public Release\n\n##### Credit\n\nStephen Gray\n\n* * *\n\nBack\n", "edition": 3, "enchantments": {}, "hash": "cd147caa2d9c93977882c1f25f19d7b4401b82aef843d10de1b7314ee2bc936b", "hashmap": [{"hash": "84c08cb9f8f093887ac14c9ea07fcd0c", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "023c2ac5b7ebb9c0b61f61354ada163f", "key": "modified"}, {"hash": "0afd20de3dc97cf9f0412ac5ef720a4f", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "023c2ac5b7ebb9c0b61f61354ada163f", "key": "published"}, {"hash": "f2cee3fd74aadb43c91396f206bcf3e8", "key": "type"}, {"hash": "11f1ed18c7bd1e05a18ddbd32fb48f83", "key": "description"}, {"hash": "ca965bf058afad33ff775c6b5f29ad68", "key": "href"}, {"hash": "84813b1457b92d6ba1174abffbb83a2f", "key": "cvss"}, {"hash": "34956ac0a726126687502bf9088bc7bb", "key": "reporter"}], "history": [], "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0075", "id": "TALOS-2016-0075", "lastseen": "2017-05-30T18:45:37", "modified": "2016-01-19T00:00:00", "objectVersion": "1.2", "published": "2016-01-19T00:00:00", "references": [], "reporter": "Talos Intelligence", "title": "Network Time Protocol Private Mode 'reslist' Stack Memory Exhaustion Vulnerability", "type": "talos", "viewCount": 0}, "differentElements": ["description"], "edition": 3, "lastseen": "2017-05-30T18:45:37"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2015-7978"], "cvss": {"score": 0.0, "vector": "NONE"}, "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0075\n\n## Network Time Protocol Private Mode 'reslist' Stack Memory Exhaustion Vulnerability\n\n##### January 19, 2016\n\n##### CVE Number\n\nCVE-2015-7978\n\nCERT VU#357792\n\n### Summary\n\nAn unauthenticated ntpdc reslist command can cause a segmentation fault in ntpd by exhausting the call stack.\n\nThe following conditions must be met:\n\n 1. Mode 7 must be enabled. By default, mode 7 is disabled.\n 2. A large enough number of entries must be in the restrict lists to cause enough calls to list_restrict4() or list_restrict6() that the stack space is exhausted.\n\n### Expected Behavior:\n\nThe ntpdc reslist command is used to query the restrictions currently enforced by ntpd. If the number of restrictions is too large, enough function calls to list_restrict4() or list_restric6() will occur to exhaust the space on the call stack. The reslist command does not require authentication.\n\nThe ntpd process should be able to traverse any number of entries in the restrict list without exhausting the call stack.\n\n### Actual Behavior:\n\nThe IPv4 and IPv6 restriction lists are kept sorted in reverse order. To correctly display the output, the functions list_restrict4() and list_restrict6() traverse the list recursively and dump the lists in reverse. If enough entries exist in the restrict list, the recursion will eventually exhaust the available space on the call stack.\n\n### Implications of the defect:\n\nAn attacker that can increase the size of the restrict list on a server with request mode enabled can crash ntpd. The attacker might be able to increase the number of restrictions dynamically via the \"restrict source\" mechanism. Additionally, an authenticated user can add restrict lines to the configuration with mode 6 if it is enabled.\n\n### Recommendations:\n\nUse iteration to traverse the restrict list or terminate the recursion after some number of entries have been processed.\n\n### Tested Versions\n\nntp 4.2.8p3 \nNTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92\n\n### Product URLs\n\n<http://www.ntp.org> \n<http://www.ntpsec.org/>\n\n### CVSS Score\n\nCVSSv2: 5.4 - AV:N/AC:H/Au:N/C:N/I:N/A:C \nCVSSv3: 5.9 - AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n### Timeline\n\n2015-10-07 - Vendor Disclosure \n2016-01-19 - Public Release\n\n##### Credit\n\nStephen Gray\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0076\n\nPrevious Report\n\nTALOS-2016-0074\n", "edition": 8, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "483c73b4c0efb17becb2eed746c17c253b5ef8367d03c0bc91ab10bd75ba705a", "hashmap": [{"hash": "84c08cb9f8f093887ac14c9ea07fcd0c", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "023c2ac5b7ebb9c0b61f61354ada163f", "key": "modified"}, {"hash": "0afd20de3dc97cf9f0412ac5ef720a4f", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "023c2ac5b7ebb9c0b61f61354ada163f", "key": "published"}, {"hash": "f2cee3fd74aadb43c91396f206bcf3e8", "key": "type"}, {"hash": "ca965bf058afad33ff775c6b5f29ad68", "key": "href"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "1c41341f50b7090ace083cce336515ed", "key": "description"}, {"hash": "34956ac0a726126687502bf9088bc7bb", "key": "reporter"}], "history": [], "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0075", "id": "TALOS-2016-0075", "lastseen": "2018-08-30T20:35:56", "modified": "2016-01-19T00:00:00", "objectVersion": "1.3", "published": "2016-01-19T00:00:00", "references": [], "reporter": "Talos Intelligence", "title": "Network Time Protocol Private Mode 'reslist' Stack Memory Exhaustion Vulnerability", "type": "talos", "viewCount": 2}, "differentElements": ["cvss"], "edition": 8, "lastseen": "2018-08-30T20:35:56"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2015-7978"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0075\n\n## Network Time Protocol Private Mode 'reslist' Stack Memory Exhaustion Vulnerability\n\n##### January 19, 2016\n\n##### CVE Number\n\nCVE-2015-7978\n\nCERT VU#357792\n\n### Summary\n\nAn unauthenticated ntpdc reslist command can cause a segmentation fault in ntpd by exhausting the call stack.\n\nThe following conditions must be met:\n\n 1. Mode 7 must be enabled. By default, mode 7 is disabled.\n 2. A large enough number of entries must be in the restrict lists to cause enough calls to list_restrict4() or list_restrict6() that the stack space is exhausted.\n\n### Expected Behavior:\n\nThe ntpdc reslist command is used to query the restrictions currently enforced by ntpd. If the number of restrictions is too large, enough function calls to list_restrict4() or list_restric6() will occur to exhaust the space on the call stack. The reslist command does not require authentication.\n\nThe ntpd process should be able to traverse any number of entries in the restrict list without exhausting the call stack.\n\n### Actual Behavior:\n\nThe IPv4 and IPv6 restriction lists are kept sorted in reverse order. To correctly display the output, the functions list_restrict4() and list_restrict6() traverse the list recursively and dump the lists in reverse. If enough entries exist in the restrict list, the recursion will eventually exhaust the available space on the call stack.\n\n### Implications of the defect:\n\nAn attacker that can increase the size of the restrict list on a server with request mode enabled can crash ntpd. The attacker might be able to increase the number of restrictions dynamically via the \"restrict source\" mechanism. Additionally, an authenticated user can add restrict lines to the configuration with mode 6 if it is enabled.\n\n### Recommendations:\n\nUse iteration to traverse the restrict list or terminate the recursion after some number of entries have been processed.\n\n### Tested Versions\n\nntp 4.2.8p3 \nNTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92\n\n### Product URLs\n\n<http://www.ntp.org> \n<http://www.ntpsec.org/>\n\n### CVSS Score\n\nCVSSv2: 5.4 - AV:N/AC:H/Au:N/C:N/I:N/A:C \nCVSSv3: 5.9 - AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n### Timeline\n\n2015-10-07 - Vendor Disclosure \n2016-01-19 - Public Release\n\n##### Credit\n\nStephen Gray\n\n* * *\n\nVulnerability Reports Next Report Previous Report\n", "edition": 6, "enchantments": {}, "hash": "cf4210f092dbb5b06d76dd5aa711c16208ed6db7d1102bd33c5948d6c315ab59", "hashmap": [{"hash": "84c08cb9f8f093887ac14c9ea07fcd0c", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "023c2ac5b7ebb9c0b61f61354ada163f", "key": "modified"}, {"hash": "0afd20de3dc97cf9f0412ac5ef720a4f", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "023c2ac5b7ebb9c0b61f61354ada163f", "key": "published"}, {"hash": "f2cee3fd74aadb43c91396f206bcf3e8", "key": "type"}, {"hash": "ca965bf058afad33ff775c6b5f29ad68", "key": "href"}, {"hash": "84813b1457b92d6ba1174abffbb83a2f", "key": "cvss"}, {"hash": "34956ac0a726126687502bf9088bc7bb", "key": "reporter"}, {"hash": "10f248c46f722778312a81433ff95edc", "key": "description"}], "history": [], "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0075", "id": "TALOS-2016-0075", "lastseen": "2017-07-26T04:23:36", "modified": "2016-01-19T00:00:00", "objectVersion": "1.3", "published": "2016-01-19T00:00:00", "references": [], "reporter": "Talos Intelligence", "title": "Network Time Protocol Private Mode 'reslist' Stack Memory Exhaustion Vulnerability", "type": "talos", "viewCount": 0}, "differentElements": ["description"], "edition": 6, "lastseen": "2017-07-26T04:23:36"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2015-7978"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0075\n\n## Network Time Protocol Private Mode 'reslist' Stack Memory Exhaustion Vulnerability\n\n##### January 19, 2016\n\n##### CVE Number\n\nCVE-2015-7978\n\nCERT VU#357792\n\n### Summary\n\nAn unauthenticated ntpdc reslist command can cause a segmentation fault in ntpd by exhausting the call stack.\n\nThe following conditions must be met:\n\n 1. Mode 7 must be enabled. By default, mode 7 is disabled.\n 2. A large enough number of entries must be in the restrict lists to cause enough calls to list_restrict4() or list_restrict6() that the stack space is exhausted.\n\n### Expected Behavior:\n\nThe ntpdc reslist command is used to query the restrictions currently enforced by ntpd. If the number of restrictions is too large, enough function calls to list_restrict4() or list_restric6() will occur to exhaust the space on the call stack. The reslist command does not require authentication.\n\nThe ntpd process should be able to traverse any number of entries in the restrict list without exhausting the call stack.\n\n### Actual Behavior:\n\nThe IPv4 and IPv6 restriction lists are kept sorted in reverse order. To correctly display the output, the functions list_restrict4() and list_restrict6() traverse the list recursively and dump the lists in reverse. If enough entries exist in the restrict list, the recursion will eventually exhaust the available space on the call stack.\n\n### Implications of the defect:\n\nAn attacker that can increase the size of the restrict list on a server with request mode enabled can crash ntpd. The attacker might be able to increase the number of restrictions dynamically via the \"restrict source\" mechanism. Additionally, an authenticated user can add restrict lines to the configuration with mode 6 if it is enabled.\n\n### Recommendations:\n\nUse iteration to traverse the restrict list or terminate the recursion after some number of entries have been processed.\n\n### Tested Versions\n\nntp 4.2.8p3 \nNTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92\n\n### Product URLs\n\n<http://www.ntp.org> \n<http://www.ntpsec.org/>\n\n### CVSS Score\n\nCVSSv2: 5.4 - AV:N/AC:H/Au:N/C:N/I:N/A:C \nCVSSv3: 5.9 - AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n### Timeline\n\n2015-10-07 - Vendor Disclosure \n2016-01-19 - Public Release\n\n##### Credit\n\nStephen Gray\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0076\n\nPrevious Report\n\nTALOS-2016-0074\n", "edition": 5, "enchantments": {}, "hash": "10fe5c963d563c38b86cc51d86eb4ced98b8a5a185c1394e729cdd5995770b98", "hashmap": [{"hash": "84c08cb9f8f093887ac14c9ea07fcd0c", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "023c2ac5b7ebb9c0b61f61354ada163f", "key": "modified"}, {"hash": "0afd20de3dc97cf9f0412ac5ef720a4f", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "023c2ac5b7ebb9c0b61f61354ada163f", "key": "published"}, {"hash": "f2cee3fd74aadb43c91396f206bcf3e8", "key": "type"}, {"hash": "ca965bf058afad33ff775c6b5f29ad68", "key": "href"}, {"hash": "1c41341f50b7090ace083cce336515ed", "key": "description"}, {"hash": "84813b1457b92d6ba1174abffbb83a2f", "key": "cvss"}, {"hash": "34956ac0a726126687502bf9088bc7bb", "key": "reporter"}], "history": [], "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0075", "id": "TALOS-2016-0075", "lastseen": "2017-07-25T22:18:33", "modified": "2016-01-19T00:00:00", "objectVersion": "1.3", "published": "2016-01-19T00:00:00", "references": [], "reporter": "Talos Intelligence", "title": "Network Time Protocol Private Mode 'reslist' Stack Memory Exhaustion Vulnerability", "type": "talos", "viewCount": 0}, "differentElements": ["description"], "edition": 5, "lastseen": "2017-07-25T22:18:33"}, {"bulletin": {"bulletinFamily": "info", "cvelist": ["CVE-2015-7978"], "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "description": "# Talos Vulnerability Report\n\n### TALOS-2016-0075\n\n## Network Time Protocol Private Mode 'reslist' Stack Memory Exhaustion Vulnerability\n\n##### January 19, 2016\n\n##### CVE Number\n\nCVE-2015-7978\n\nCERT VU#357792\n\n### Summary\n\nAn unauthenticated ntpdc reslist command can cause a segmentation fault in ntpd by exhausting the call stack.\n\nThe following conditions must be met:\n\n 1. Mode 7 must be enabled. By default, mode 7 is disabled.\n 2. A large enough number of entries must be in the restrict lists to cause enough calls to list_restrict4() or list_restrict6() that the stack space is exhausted.\n\n### Expected Behavior:\n\nThe ntpdc reslist command is used to query the restrictions currently enforced by ntpd. If the number of restrictions is too large, enough function calls to list_restrict4() or list_restric6() will occur to exhaust the space on the call stack. The reslist command does not require authentication.\n\nThe ntpd process should be able to traverse any number of entries in the restrict list without exhausting the call stack.\n\n### Actual Behavior:\n\nThe IPv4 and IPv6 restriction lists are kept sorted in reverse order. To correctly display the output, the functions list_restrict4() and list_restrict6() traverse the list recursively and dump the lists in reverse. If enough entries exist in the restrict list, the recursion will eventually exhaust the available space on the call stack.\n\n### Implications of the defect:\n\nAn attacker that can increase the size of the restrict list on a server with request mode enabled can crash ntpd. The attacker might be able to increase the number of restrictions dynamically via the \"restrict source\" mechanism. Additionally, an authenticated user can add restrict lines to the configuration with mode 6 if it is enabled.\n\n### Recommendations:\n\nUse iteration to traverse the restrict list or terminate the recursion after some number of entries have been processed.\n\n### Tested Versions\n\nntp 4.2.8p3 \nNTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92\n\n### Product URLs\n\n<http://www.ntp.org> \n<http://www.ntpsec.org/>\n\n### CVSS Score\n\nCVSSv2: 5.4 - AV:N/AC:H/Au:N/C:N/I:N/A:C \nCVSSv3: 5.9 - AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H\n\n### Timeline\n\n2015-10-07 - Vendor Disclosure \n2016-01-19 - Public Release\n\n##### Credit\n\nStephen Gray\n\n* * *\n\nVulnerability Reports Next Report\n\nTALOS-2016-0076\n\nPrevious Report\n\nTALOS-2016-0074\n", "edition": 7, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}}, "hash": "10fe5c963d563c38b86cc51d86eb4ced98b8a5a185c1394e729cdd5995770b98", "hashmap": [{"hash": "84c08cb9f8f093887ac14c9ea07fcd0c", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "023c2ac5b7ebb9c0b61f61354ada163f", "key": "modified"}, {"hash": "0afd20de3dc97cf9f0412ac5ef720a4f", "key": "cvelist"}, {"hash": "caf9b6b99962bf5c2264824231d7a40c", "key": "bulletinFamily"}, {"hash": "023c2ac5b7ebb9c0b61f61354ada163f", "key": "published"}, {"hash": "f2cee3fd74aadb43c91396f206bcf3e8", "key": "type"}, {"hash": "ca965bf058afad33ff775c6b5f29ad68", "key": "href"}, {"hash": "1c41341f50b7090ace083cce336515ed", "key": "description"}, {"hash": "84813b1457b92d6ba1174abffbb83a2f", "key": "cvss"}, {"hash": "34956ac0a726126687502bf9088bc7bb", "key": "reporter"}], "history": [], "href": "http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0075", "id": "TALOS-2016-0075", "lastseen": "2017-07-26T06:23:59", "modified": "2016-01-19T00:00:00", "objectVersion": "1.3", "published": "2016-01-19T00:00:00", "references": [], "reporter": "Talos Intelligence", "title": "Network Time Protocol Private Mode 'reslist' Stack Memory Exhaustion Vulnerability", "type": "talos", "viewCount": 2}, "differentElements": ["cvss"], "edition": 7, "lastseen": "2017-07-26T06:23:59"}], "edition": 9, "hashmap": [{"key": "bulletinFamily", "hash": "caf9b6b99962bf5c2264824231d7a40c"}, {"key": "cvelist", "hash": "0afd20de3dc97cf9f0412ac5ef720a4f"}, {"key": "cvss", "hash": "84813b1457b92d6ba1174abffbb83a2f"}, {"key": "description", "hash": "1c41341f50b7090ace083cce336515ed"}, {"key": "href", "hash": "ca965bf058afad33ff775c6b5f29ad68"}, {"key": "modified", "hash": "023c2ac5b7ebb9c0b61f61354ada163f"}, {"key": "published", "hash": "023c2ac5b7ebb9c0b61f61354ada163f"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "34956ac0a726126687502bf9088bc7bb"}, {"key": "title", "hash": "84c08cb9f8f093887ac14c9ea07fcd0c"}, {"key": "type", "hash": "f2cee3fd74aadb43c91396f206bcf3e8"}], "hash": "10fe5c963d563c38b86cc51d86eb4ced98b8a5a185c1394e729cdd5995770b98", "viewCount": 3, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "vulnersScore": 5.0}, "objectVersion": "1.3"}

{"cve": [{"lastseen": "2018-05-18T11:12:20", "references": ["http://rhn.redhat.com/errata/RHSA-2016-0780.html", "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00059.html", "https://www.kb.cert.org/vuls/id/718152", "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd", "http://www.securitytracker.com/id/1034782", "http://rhn.redhat.com/errata/RHSA-2016-2583.html", "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00038.html", "http://www.ubuntu.com/usn/USN-3096-1", "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00026.html", "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177507.html", "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00020.html", "http://lists.opensuse.org/opensuse-updates/2016-05/msg00114.html", "https://security.netapp.com/advisory/ntap-20171031-0001/", "http://www.securityfocus.com/bid/81962", "https://security.gentoo.org/glsa/201607-15", "http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176434.html", "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00060.html", "https://security.FreeBSD.org/advisories/FreeBSD-SA-16:09.ntp.asc", "http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security", "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00048.html", "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00042.html", "https://bto.bluecoat.com/security-advisory/sa113", "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", "http://www.debian.org/security/2016/dsa-3629"], "description": "NTP before 4.2.8p6 and 4.3.0 before 4.3.90 allows a remote attackers to cause a denial of service (stack exhaustion) via an ntpdc relist command, which triggers recursive traversal of the restriction list.", "edition": 4, "reporter": "NVD", "published": "2017-01-30T16:59:00", "title": "CVE-2015-7978", "type": "cve", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2015-7978"], "scanner": [], "modified": "2018-05-17T21:29:02", "cpe": ["cpe:/a:ntp:ntp:4.3.18", "cpe:/a:ntp:ntp:4.3.45", "cpe:/a:ntp:ntp:4.3.72", "cpe:/a:ntp:ntp:4.3.0", "cpe:/a:ntp:ntp:4.3.25", "cpe:/a:ntp:ntp:4.3.74", "cpe:/a:ntp:ntp:4.3.28", "cpe:/a:ntp:ntp:4.3.61", "cpe:/a:ntp:ntp:4.3.22", "cpe:/a:ntp:ntp:4.3.51", "cpe:/a:ntp:ntp:4.3.54", "cpe:/a:ntp:ntp:4.3.3", "cpe:/a:ntp:ntp:4.3.81", "cpe:/a:ntp:ntp:4.3.67", "cpe:/a:ntp:ntp:4.3.79", "cpe:/a:ntp:ntp:4.3.76", "cpe:/a:ntp:ntp:4.3.29", "cpe:/a:ntp:ntp:4.3.33", "cpe:/a:ntp:ntp:4.3.20", "cpe:/a:ntp:ntp:4.3.37", "cpe:/a:ntp:ntp:4.3.24", "cpe:/a:ntp:ntp:4.3.49", "cpe:/a:ntp:ntp:4.3.11", "cpe:/a:ntp:ntp:4.3.17", "cpe:/a:ntp:ntp:4.3.19", "cpe:/a:ntp:ntp:4.3.4", "cpe:/a:ntp:ntp:4.3.13", "cpe:/a:ntp:ntp:4.3.78", "cpe:/a:ntp:ntp:4.3.31", "cpe:/a:ntp:ntp:4.3.44", "cpe:/a:ntp:ntp:4.3.69", "cpe:/a:ntp:ntp:4.3.1", "cpe:/a:ntp:ntp:4.3.55", "cpe:/a:ntp:ntp:4.3.34", "cpe:/a:ntp:ntp:4.3.23", "cpe:/a:ntp:ntp:4.3.41", "cpe:/a:ntp:ntp:4.3.84", "cpe:/a:ntp:ntp:4.3.75", "cpe:/a:ntp:ntp:4.3.52", "cpe:/a:ntp:ntp:4.3.40", "cpe:/a:ntp:ntp:4.3.10", "cpe:/a:ntp:ntp:4.3.36", "cpe:/a:ntp:ntp:4.3.83", "cpe:/a:ntp:ntp:4.3.65", "cpe:/a:ntp:ntp:4.3.77", "cpe:/a:ntp:ntp:4.3.60", "cpe:/a:ntp:ntp:4.3.38", "cpe:/a:ntp:ntp:4.3.30", "cpe:/a:ntp:ntp:4.3.56", "cpe:/a:ntp:ntp:4.3.53", "cpe:/a:ntp:ntp:4.3.64", "cpe:/a:ntp:ntp:4.3.15", "cpe:/a:ntp:ntp:4.3.46", "cpe:/a:ntp:ntp:4.3.57", "cpe:/a:ntp:ntp:4.3.59", "cpe:/a:ntp:ntp:4.3.58", "cpe:/a:ntp:ntp:4.3.87", "cpe:/a:ntp:ntp:4.3.12", "cpe:/a:ntp:ntp:4.3.62", "cpe:/a:ntp:ntp:4.3.6", "cpe:/a:ntp:ntp:4.3.66", "cpe:/a:ntp:ntp:4.3.32", "cpe:/a:ntp:ntp:4.3.86", "cpe:/a:ntp:ntp:4.3.2", "cpe:/a:ntp:ntp:4.3.80", "cpe:/a:ntp:ntp:4.3.63", "cpe:/a:ntp:ntp:4.3.21", "cpe:/a:ntp:ntp:4.3.82", "cpe:/a:ntp:ntp:4.3.5", "cpe:/a:ntp:ntp:4.3.89", "cpe:/a:ntp:ntp:4.3.14", "cpe:/a:ntp:ntp:4.3.8", "cpe:/a:ntp:ntp:4.3.7", "cpe:/a:ntp:ntp:4.3.43", "cpe:/a:ntp:ntp:4.3.47", "cpe:/a:ntp:ntp:4.3.48", "cpe:/a:ntp:ntp:4.3.73", "cpe:/a:ntp:ntp:4.3.16", "cpe:/a:ntp:ntp:4.2.8:p5", "cpe:/a:ntp:ntp:4.3.70", "cpe:/a:ntp:ntp:4.3.26", "cpe:/a:ntp:ntp:4.3.50", "cpe:/a:ntp:ntp:4.3.27", "cpe:/a:ntp:ntp:4.3.39", "cpe:/a:ntp:ntp:4.3.42", "cpe:/a:ntp:ntp:4.3.85", "cpe:/a:ntp:ntp:4.3.68", "cpe:/a:ntp:ntp:4.3.88", "cpe:/a:ntp:ntp:4.3.71", "cpe:/a:ntp:ntp:4.3.35"], "id": "CVE-2015-7978", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7978", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "f5": [{"lastseen": "2017-06-08T00:16:04", "references": [], "edition": 1, "description": "\nF5 Product Development has assigned ID 573343 (BIG-IP), ID 573411 (BIG-IQ), ID 573413 (Enterprise Manager), and ID 507785 (ARX) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H574750 on the **Diagnostics** &gt; **Identified** &gt; **Low** screen. \n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP AAM| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP AFM| 12.0.0 - 12.1.1 \n11.3.0 - 11.6.1| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP Analytics| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP APM| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP ASM| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP DNS| 12.0.0 - 12.1.1| 12.1.2| Low| ntpd \nBIG-IP Edge Gateway| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| ntpd \nBIG-IP GTM| 11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP Link Controller| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP PEM| 12.0.0 - 12.1.1 \n11.3.0 - 11.6.1| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP PSM| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| None| Low| ntpd \nBIG-IP WebAccelerator| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| ntpd \nBIG-IP WOM| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| ntpd \nARX| 6.0.0 - 6.4.0| None| Low| ntpq and ntpd \nEnterprise Manager| 3.0.0 - 3.1.1| None| Low| ntpd \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| 4.0.0 - 4.5.0| None| Low| ntpd \nBIG-IQ Device| 4.2.0 - 4.5.0| None| Low| ntpd \nBIG-IQ Security| 4.0.0 - 4.5.0| None| Low| ntpd \nBIG-IQ ADC| 4.5.0| None| Low| ntpd \nBIG-IQ Centralized Management| 4.6.0| None| Low| ntpd \nBIG-IQ Cloud and Orchestration| 1.0.0| None| Low| ntpd \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| Not vulnerable| None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nTo mitigate this vulnerability for affected BIG-IP, BIG-IQ, and Enterprise Manager systems, ensure that there are no more than 500 'restrict' directives in the **/config/ntp.conf** configuration file.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n * [K9502: BIG-IP hotfix matrix](<https://support.f5.com/csp/article/K9502>)\n", "reporter": "f5", "published": "2016-02-23T02:20:00", "type": "f5", "title": "NTP vulnerabilities CVE-2015-7977 and CVE-2015-7978", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2015-7977", "CVE-2015-7978"], "modified": "2017-05-03T22:46:00", "href": "https://support.f5.com/csp/article/K06288381", "id": "F5:K06288381", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-11-28T21:27:45", "references": ["https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15106.html", "https://support.f5.com/kb/en-us/solutions/public/13000/100/sol13123.html", "https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9970.html", "https://support.f5.com/kb/en-us/solutions/public/4000/900/sol4918.html", "https://support.f5.com/kb/en-us/solutions/public/9000/500/sol9502.html", "https://support.f5.com/kb/en-us/solutions/public/15000/100/sol15113.html", "https://support.f5.com/kb/en-us/solutions/public/4000/600/sol4602.html", "https://support.f5.com/kb/en-us/solutions/public/12000/700/sol12766.html", "https://support.f5.com/kb/en-us/solutions/public/10000/000/sol10025.html", "https://support.f5.com/kb/en-us/solutions/public/0000/100/sol167.html", "https://support.f5.com/kb/en-us/solutions/public/9000/900/sol9957.html"], "edition": 1, "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability for affected BIG-IP, BIG-IQ, and Enterprise Manager systems, ensure that there are no more than 500 'restrict' directives in the **/config/ntp.conf** configuration file.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)\n * SOL10025: Managing BIG-IP product hotfixes (10.x)\n * SOL9502: BIG-IP hotfix matrix\n * SOL15106: Managing BIG-IQ product hotfixes\n * SOL15113: BIG-IQ hotfix matrix\n * SOL12766: ARX hotfix matrix\n", "reporter": "f5", "published": "2016-02-22T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "f5", "title": "SOL06288381 - NTP vulnerabilities CVE-2015-7977 and CVE-2015-7978", "bulletinFamily": "software", "affectedSoftware": [{"name": "BIG-IP PEM", "version": "12.0.0", "operator": "le"}, {"name": "BIG-IP PSM", "version": "11.4.1", "operator": "le"}, {"name": "BIG-IQ Device", "version": "4.5.0", "operator": "le"}, {"name": "BIG-IP AFM", "version": "12.0.0", "operator": "le"}, {"name": "BIG-IQ ADC", "version": "4.5.0", "operator": "le"}, {"name": "BIG-IP LTM", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP PEM", "version": "11.6.0", "operator": "le"}, {"name": "BIG-IP Link Controller", "version": "11.6.0", "operator": "le"}, {"name": "BIG-IP LTM", "version": "11.6.0", "operator": "le"}, {"name": "BIG-IP APM", "version": "11.6.0", "operator": "le"}, {"name": "BIG-IP GTM", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IQ Cloud and Orchestration", "version": "1.0.0", "operator": "le"}, {"name": "BIG-IP WebAccelerator", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP ASM", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IQ Cloud", "version": "4.5.0", "operator": "le"}, {"name": "BIG-IP PSM", "version": "10.2.4", "operator": "le"}, {"name": "ARX", "version": "6.4.0", "operator": "le"}, {"name": "BIG-IP GTM", "version": "11.6.0", "operator": "le"}, {"name": "BIG-IP Edge Gateway", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP AFM", "version": "11.6.0", "operator": "le"}, {"name": "Enterprise Manager", "version": "3.1.1", "operator": "le"}, {"name": "BIG-IQ Centralized Management", "version": "4.6.0", "operator": "le"}, {"name": "BIG-IP Edge Gateway", "version": "11.3.0", "operator": "le"}, {"name": "BIG-IP DNS", "version": "12.0.0", "operator": "le"}, {"name": "BIG-IP LTM", "version": "12.0.0", "operator": "le"}, {"name": "BIG-IP AAM", "version": "12.0.0", "operator": "le"}, {"name": "BIG-IQ Security", "version": "4.5.0", "operator": "le"}, {"name": "BIG-IP APM", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP WebAccelerator", "version": "11.3.0", "operator": "le"}, {"name": "BIG-IP Link Controller", "version": "12.0.0", "operator": "le"}, {"name": "BIG-IP ASM", "version": "12.0.0", "operator": "le"}, {"name": "BIG-IP AAM", "version": "11.6.0", "operator": "le"}, {"name": "BIG-IP WOM", "version": "11.3.0", "operator": "le"}, {"name": "BIG-IP Link Controller", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP APM", "version": "12.0.0", "operator": "le"}, {"name": "BIG-IP Analytics", "version": "12.0.0", "operator": "le"}, {"name": "BIG-IP Analytics", "version": "11.6.0", "operator": "le"}, {"name": "BIG-IP WOM", "version": "10.2.4", "operator": "le"}, {"name": "BIG-IP ASM", "version": "11.6.0", "operator": "le"}], "cvelist": ["CVE-2015-7977", "CVE-2015-7978"], "modified": "2016-11-28T00:00:00", "id": "SOL06288381", "href": "http://support.f5.com/kb/en-us/solutions/public/k/06/sol06288381.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "nessus": [{"lastseen": "2018-09-01T23:51:10", "references": ["https://support.f5.com/csp/#/article/K06288381"], "pluginID": "96054", "description": "CVE-2015-7977 ntpd in NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (NULL pointer dereference) via a ntpdc reslist command.\n\nCVE-2015-7978 NTP before 4.2.8p6 and 4.3.0 before 4.3.90 allows a remote attackers to cause a denial of service (stack exhaustion) via an ntpdc relist command, which triggers recursive traversal of the restriction list.", "edition": 13, "reporter": "Tenable", "published": "2016-12-22T00:00:00", "title": "F5 Networks BIG-IP : NTP vulnerabilities (K06288381)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "F5 Networks Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-7977", "CVE-2015-7978"], "modified": "2018-07-11T00:00:00", "cpe": ["cpe:/a:f5:big-ip_global_traffic_manager", "cpe:/a:f5:big-ip_link_controller", "cpe:/a:f5:big-ip_advanced_firewall_manager", "cpe:/a:f5:big-ip_policy_enforcement_manager", "cpe:/a:f5:big-ip_application_security_manager", "cpe:/a:f5:big-ip_application_acceleration_manager", "cpe:/h:f5:big-ip_protocol_security_manager", "cpe:/a:f5:big-ip_local_traffic_manager", "cpe:/a:f5:big-ip_wan_optimization_manager", "cpe:/h:f5:big-ip", "cpe:/a:f5:big-ip_application_visibility_and_reporting", "cpe:/a:f5:big-ip_webaccelerator", "cpe:/a:f5:big-ip_access_policy_manager"], "id": "F5_BIGIP_SOL06288381.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=96054", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from F5 Networks BIG-IP Solution K06288381.\n#\n# The text description of this plugin is (C) F5 Networks.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(96054);\n script_version(\"3.9\");\n script_cvs_date(\"Date: 2018/07/11 12:34:09\");\n\n script_cve_id(\"CVE-2015-7977\", \"CVE-2015-7978\");\n\n script_name(english:\"F5 Networks BIG-IP : NTP vulnerabilities (K06288381)\");\n script_summary(english:\"Checks the BIG-IP version.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote device is missing a vendor-supplied security patch.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"CVE-2015-7977 ntpd in NTP before 4.2.8p6 and 4.3.x before 4.3.90\nallows remote attackers to cause a denial of service (NULL pointer\ndereference) via a ntpdc reslist command.\n\nCVE-2015-7978 NTP before 4.2.8p6 and 4.3.0 before 4.3.90 allows a\nremote attackers to cause a denial of service (stack exhaustion) via\nan ntpdc relist command, which triggers recursive traversal of the\nrestriction list.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.f5.com/csp/#/article/K06288381\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade to one of the non-vulnerable versions listed in the F5\nSolution K06288381.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_access_policy_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_advanced_firewall_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_acceleration_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_security_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_application_visibility_and_reporting\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_global_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_link_controller\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_local_traffic_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_policy_enforcement_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_wan_optimization_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:f5:big-ip_webaccelerator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:f5:big-ip_protocol_security_manager\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/02/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"F5 Networks Local Security Checks\");\n\n script_dependencies(\"f5_bigip_detect.nbin\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/BIG-IP/hotfix\", \"Host/BIG-IP/modules\", \"Host/BIG-IP/version\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\n\ninclude(\"f5_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nversion = get_kb_item(\"Host/BIG-IP/version\");\nif ( ! version ) audit(AUDIT_OS_NOT, \"F5 Networks BIG-IP\");\nif ( isnull(get_kb_item(\"Host/BIG-IP/hotfix\")) ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/hotfix\");\nif ( ! get_kb_item(\"Host/BIG-IP/modules\") ) audit(AUDIT_KB_MISSING, \"Host/BIG-IP/modules\");\n\nsol = \"K06288381\";\nvmatrix = make_array();\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\n# AFM\nvmatrix[\"AFM\"] = make_array();\nvmatrix[\"AFM\"][\"affected\" ] = make_list(\"12.0.0-12.1.1\",\"11.3.0-11.6.1\");\nvmatrix[\"AFM\"][\"unaffected\"] = make_list(\"12.1.2\",\"11.6.1HF2\",\"11.5.4HF3\");\n\n# AM\nvmatrix[\"AM\"] = make_array();\nvmatrix[\"AM\"][\"affected\" ] = make_list(\"12.0.0-12.1.1\",\"11.4.0-11.6.1\");\nvmatrix[\"AM\"][\"unaffected\"] = make_list(\"12.1.2\",\"11.6.1HF2\",\"11.5.4HF3\");\n\n# APM\nvmatrix[\"APM\"] = make_array();\nvmatrix[\"APM\"][\"affected\" ] = make_list(\"12.0.0-12.1.1\",\"11.0.0-11.6.1\",\"10.1.0-10.2.4\");\nvmatrix[\"APM\"][\"unaffected\"] = make_list(\"12.1.2\",\"11.6.1HF2\",\"11.5.4HF3\");\n\n# ASM\nvmatrix[\"ASM\"] = make_array();\nvmatrix[\"ASM\"][\"affected\" ] = make_list(\"12.0.0-12.1.1\",\"11.0.0-11.6.1\",\"10.1.0-10.2.4\");\nvmatrix[\"ASM\"][\"unaffected\"] = make_list(\"12.1.2\",\"11.6.1HF2\",\"11.5.4HF3\");\n\n# AVR\nvmatrix[\"AVR\"] = make_array();\nvmatrix[\"AVR\"][\"affected\" ] = make_list(\"12.0.0-12.1.1\",\"11.0.0-11.6.1\");\nvmatrix[\"AVR\"][\"unaffected\"] = make_list(\"12.1.2\",\"11.6.1HF2\",\"11.5.4HF3\");\n\n# GTM\nvmatrix[\"GTM\"] = make_array();\nvmatrix[\"GTM\"][\"affected\" ] = make_list(\"11.0.0-11.6.1\",\"10.1.0-10.2.4\");\nvmatrix[\"GTM\"][\"unaffected\"] = make_list(\"11.6.1HF2\",\"11.5.4HF3\");\n\n# LC\nvmatrix[\"LC\"] = make_array();\nvmatrix[\"LC\"][\"affected\" ] = make_list(\"12.0.0-12.1.1\",\"11.0.0-11.6.1\",\"10.1.0-10.2.4\");\nvmatrix[\"LC\"][\"unaffected\"] = make_list(\"12.1.2\",\"11.6.1HF2\",\"11.5.4HF3\");\n\n# LTM\nvmatrix[\"LTM\"] = make_array();\nvmatrix[\"LTM\"][\"affected\" ] = make_list(\"12.0.0-12.1.1\",\"11.0.0-11.6.1\",\"10.1.0-10.2.4\");\nvmatrix[\"LTM\"][\"unaffected\"] = make_list(\"12.1.2\",\"11.6.1HF2\",\"11.5.4HF3\");\n\n# PEM\nvmatrix[\"PEM\"] = make_array();\nvmatrix[\"PEM\"][\"affected\" ] = make_list(\"12.0.0-12.1.1\",\"11.3.0-11.6.1\");\nvmatrix[\"PEM\"][\"unaffected\"] = make_list(\"12.1.2\",\"11.6.1HF2\",\"11.5.4HF3\");\n\n\nif (bigip_is_affected(vmatrix:vmatrix, sol:sol))\n{\n if (report_verbosity > 0) security_warning(port:0, extra:bigip_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = bigip_get_tested_modules();\n audit_extra = \"For BIG-IP module(s) \" + tested + \",\";\n if (tested) audit(AUDIT_INST_VER_NOT_VULN, audit_extra, version);\n else audit(AUDIT_HOST_NOT, \"running any of the affected modules\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:43:47", "references": ["https://bugzilla.redhat.com/show_bug.cgi?id=1300271", "https://bugzilla.redhat.com/show_bug.cgi?id=1297471", "https://bugzilla.redhat.com/show_bug.cgi?id=1300273", "https://bugzilla.redhat.com/show_bug.cgi?id=1299442", "https://bugzilla.redhat.com/show_bug.cgi?id=1300270", "http://www.nessus.org/u?b6201181", "https://bugzilla.redhat.com/show_bug.cgi?id=1300269"], "pluginID": "89577", "description": "Security fix for CVE-2015-7974, CVE-2015-8138, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8158\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 8, "reporter": "Tenable", "published": "2016-03-04T00:00:00", "title": "Fedora 23 : ntp-4.2.6p5-36.fc23 (2016-8bb1932088)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8138", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2017-02-15T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:ntp", "cpe:/o:fedoraproject:fedora:23"], "id": "FEDORA_2016-8BB1932088.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=89577", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2016-8bb1932088.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(89577);\n script_version(\"$Revision: 1.7 $\");\n script_cvs_date(\"$Date: 2017/02/15 14:34:00 $\");\n\n script_cve_id(\"CVE-2015-7974\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8138\", \"CVE-2015-8158\");\n script_xref(name:\"FEDORA\", value:\"2016-8bb1932088\");\n\n script_name(english:\"Fedora 23 : ntp-4.2.6p5-36.fc23 (2016-8bb1932088)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security fix for CVE-2015-7974, CVE-2015-8138, CVE-2015-7977,\nCVE-2015-7978, CVE-2015-7979, CVE-2015-8158\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1297471\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1299442\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1300269\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1300270\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1300271\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1300273\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2016-January/176434.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b6201181\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected ntp package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"ntp-4.2.6p5-36.fc23\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-09-02T00:09:17", "references": ["https://alas.aws.amazon.com/ALAS-2016-649.html"], "pluginID": "88661", "description": "It was discovered that ntpd as a client did not correctly check the originate timestamp in received packets. A remote attacker could use this flaw to send a crafted packet to an ntpd client that would effectively disable synchronization with the server, or push arbitrary offset/delay measurements to modify the time on the client.\n(CVE-2015-8138)\n\nA NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash the ntpd process. (CVE-2015-7977)\n\nIt was found that NTP does not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key.\n(CVE-2015-7974)\n\nA stack-based buffer overflow was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash the ntpd process. (CVE-2015-7978)\n\nIt was found that when NTP is configured in broadcast mode, an off-path attacker could broadcast packets with bad authentication (wrong key, mismatched key, incorrect MAC, etc) to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server. This could cause the time on affected clients to become out of sync over a longer period of time.\n(CVE-2015-7979)\n\nA flaw was found in the way the ntpq client certain processed incoming packets in a loop in the getresponse() function. A remote attacker could potentially use this flaw to crash an ntpq client instance.\n(CVE-2015-8158)\n\nA flaw was found in ntpd that allows remote attackers to cause a denial of service (ephemeral-association demobilization) by sending a spoofed crypto-NAK packet with incorrect authentication data at a certain time. (CVE-2016-4953)\n\n(Updated 2016-10-18: CVE-2016-4953 was fixed in this release but was not previously part of this errata.)", "edition": 13, "reporter": "Tenable", "published": "2016-02-10T00:00:00", "title": "Amazon Linux AMI : ntp (ALAS-2016-649)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Amazon Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8138", "CVE-2016-4953", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2018-04-18T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:ntp-perl", "p-cpe:/a:amazon:linux:ntp-doc", "p-cpe:/a:amazon:linux:ntpdate", "p-cpe:/a:amazon:linux:ntp", "p-cpe:/a:amazon:linux:ntp-debuginfo", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2016-649.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=88661", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2016-649.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(88661);\n script_version(\"2.12\");\n script_cvs_date(\"Date: 2018/04/18 15:09:35\");\n\n script_cve_id(\"CVE-2015-7974\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8138\", \"CVE-2015-8158\", \"CVE-2016-4953\");\n script_xref(name:\"ALAS\", value:\"2016-649\");\n\n script_name(english:\"Amazon Linux AMI : ntp (ALAS-2016-649)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that ntpd as a client did not correctly check the\noriginate timestamp in received packets. A remote attacker could use\nthis flaw to send a crafted packet to an ntpd client that would\neffectively disable synchronization with the server, or push arbitrary\noffset/delay measurements to modify the time on the client.\n(CVE-2015-8138)\n\nA NULL pointer dereference flaw was found in the way ntpd processed\n'ntpdc reslist' commands that queried restriction lists with a large\namount of entries. A remote attacker could use this flaw to crash the\nntpd process. (CVE-2015-7977)\n\nIt was found that NTP does not verify peer associations of symmetric\nkeys when authenticating packets, which might allow remote attackers\nto conduct impersonation attacks via an arbitrary trusted key.\n(CVE-2015-7974)\n\nA stack-based buffer overflow was found in the way ntpd processed\n'ntpdc reslist' commands that queried restriction lists with a large\namount of entries. A remote attacker could use this flaw to crash the\nntpd process. (CVE-2015-7978)\n\nIt was found that when NTP is configured in broadcast mode, an\noff-path attacker could broadcast packets with bad authentication\n(wrong key, mismatched key, incorrect MAC, etc) to all clients. The\nclients, upon receiving the malformed packets, would break the\nassociation with the broadcast server. This could cause the time on\naffected clients to become out of sync over a longer period of time.\n(CVE-2015-7979)\n\nA flaw was found in the way the ntpq client certain processed incoming\npackets in a loop in the getresponse() function. A remote attacker\ncould potentially use this flaw to crash an ntpq client instance.\n(CVE-2015-8158)\n\nA flaw was found in ntpd that allows remote attackers to cause a\ndenial of service (ephemeral-association demobilization) by sending a\nspoofed crypto-NAK packet with incorrect authentication data at a\ncertain time. (CVE-2016-4953)\n\n(Updated 2016-10-18: CVE-2016-4953 was fixed in this release but was\nnot previously part of this errata.)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2016-649.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update ntp' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ntp-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ntp-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ntp-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:ntpdate\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/02/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"ntp-4.2.6p5-36.29.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ntp-debuginfo-4.2.6p5-36.29.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ntp-doc-4.2.6p5-36.29.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ntp-perl-4.2.6p5-36.29.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"ntpdate-4.2.6p5-36.29.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp / ntp-debuginfo / ntp-doc / ntp-perl / ntpdate\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:37:18", "references": ["https://bugzilla.suse.com/962966", "https://www.suse.com/security/cve/CVE-2015-7974.html", "https://www.suse.com/security/cve/CVE-2015-7975.html", "https://bugzilla.suse.com/962995", "https://bugzilla.suse.com/956773", "https://bugzilla.suse.com/962970", "https://bugzilla.suse.com/916617", "https://www.suse.com/security/cve/CVE-2015-5300.html", "https://bugzilla.suse.com/784760", "https://bugzilla.suse.com/962784", "https://www.suse.com/security/cve/CVE-2015-7979.html", "https://www.suse.com/security/cve/CVE-2015-7977.html", "https://www.suse.com/security/cve/CVE-2015-7978.html", "https://bugzilla.suse.com/962988", "https://www.suse.com/security/cve/CVE-2015-8158.html", "https://bugzilla.suse.com/951559", "http://www.nessus.org/u?8dd6cc80", "https://bugzilla.suse.com/975981", "https://bugzilla.suse.com/975496", "https://bugzilla.suse.com/782060", "https://bugzilla.suse.com/962318", "https://www.suse.com/security/cve/CVE-2015-7976.html", "https://bugzilla.suse.com/951629", "https://bugzilla.suse.com/962802", "https://bugzilla.suse.com/962960", "https://www.suse.com/security/cve/CVE-2015-8138.html", "https://bugzilla.suse.com/962997", "https://www.suse.com/security/cve/CVE-2015-7973.html", "https://www.suse.com/security/cve/CVE-2015-8140.html", "https://bugzilla.suse.com/963000", "https://bugzilla.suse.com/962994", "https://bugzilla.suse.com/963002", "https://www.suse.com/security/cve/CVE-2015-8139.html"], "pluginID": "90820", "description": "ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\nThese security issues were fixed :\n\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784).\n\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000).\n\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802).\n\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960).\n\n - CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995).\n\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629).\n\nThe update package also includes non-security fixes. See advisory for details.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 16, "reporter": "Tenable", "published": "2016-05-02T00:00:00", "title": "SUSE SLES11 Security Update : ntp (SUSE-SU-2016:1175-1)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2018-07-31T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:ntp-doc", "cpe:/o:novell:suse_linux:11", "p-cpe:/a:novell:suse_linux:ntp"], "id": "SUSE_SU-2016-1175-1.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=90820", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2016:1175-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(90820);\n script_version(\"2.15\");\n script_cvs_date(\"Date: 2018/07/31 17:27:55\");\n\n script_cve_id(\"CVE-2015-5300\", \"CVE-2015-7973\", \"CVE-2015-7974\", \"CVE-2015-7975\", \"CVE-2015-7976\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8138\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\");\n\n script_name(english:\"SUSE SLES11 Security Update : ntp (SUSE-SU-2016:1175-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\nThese security issues were fixed :\n\n - CVE-2015-8158: Fixed potential infinite loop in ntpq\n (bsc#962966).\n\n - CVE-2015-8138: Zero Origin Timestamp Bypass\n (bsc#963002).\n\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack\n on authenticated broadcast mode (bsc#962784).\n\n - CVE-2015-7978: Stack exhaustion in recursive traversal\n of restriction list (bsc#963000).\n\n - CVE-2015-7977: reslist NULL pointer dereference\n (bsc#962970).\n\n - CVE-2015-7976: ntpq saveconfig command allows dangerous\n characters in filenames (bsc#962802).\n\n - CVE-2015-7975: nextvar() missing length check\n (bsc#962988).\n\n - CVE-2015-7974: Skeleton Key: Missing key check allows\n impersonation between authenticated peers (bsc#962960).\n\n - CVE-2015-7973: Replay attack on authenticated broadcast\n mode (bsc#962995).\n\n - CVE-2015-8140: ntpq vulnerable to replay attacks\n (bsc#962994).\n\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose\n origin (bsc#962997).\n\n - CVE-2015-5300: MITM attacker could have forced ntpd to\n make a step larger than the panic threshold\n (bsc#951629).\n\nThe update package also includes non-security fixes. See advisory for\ndetails.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/782060\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/784760\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/916617\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/951559\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/951629\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/956773\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/962318\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/962784\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/962802\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/962960\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/962966\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/962970\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/962988\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/962994\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/962995\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/962997\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/963000\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/963002\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/975496\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/975981\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-5300.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7973.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7974.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7975.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7976.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7977.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7978.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-7979.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-8138.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-8139.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-8140.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2015-8158.html\"\n );\n # https://www.suse.com/support/update/announcement/2016/suse-su-20161175-1.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8dd6cc80\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"To install this SUSE Security Update use YaST online_update.\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server 11-SP4 :\n\nzypper in -t patch slessp4-ntp-12533=1\n\nSUSE Linux Enterprise Debuginfo 11-SP4 :\n\nzypper in -t patch dbgsp4-ntp-12533=1\n\nTo bring your system up-to-date, use 'zypper patch'.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ntp-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:11\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/04/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/02\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = eregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^(SLES11)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES11\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES11\" && (! ereg(pattern:\"^(4)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES11 SP4\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"ntp-4.2.8p6-8.2\")) flag++;\nif (rpm_check(release:\"SLES11\", sp:\"4\", reference:\"ntp-doc-4.2.8p6-8.2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:33:15", "references": ["https://bugzilla.opensuse.org/show_bug.cgi?id=962966", "https://bugzilla.opensuse.org/show_bug.cgi?id=962802", "https://bugzilla.opensuse.org/show_bug.cgi?id=962784", "https://bugzilla.opensuse.org/show_bug.cgi?id=962318", "https://bugzilla.opensuse.org/show_bug.cgi?id=962995", "https://bugzilla.opensuse.org/show_bug.cgi?id=782060", "https://bugzilla.opensuse.org/show_bug.cgi?id=963002", "https://bugzilla.opensuse.org/show_bug.cgi?id=962988", "https://bugzilla.opensuse.org/show_bug.cgi?id=951559", "https://bugzilla.opensuse.org/show_bug.cgi?id=962960", "https://bugzilla.opensuse.org/show_bug.cgi?id=956773", "https://bugzilla.opensuse.org/show_bug.cgi?id=951629", "https://bugzilla.opensuse.org/show_bug.cgi?id=937837", "https://bugzilla.opensuse.org/show_bug.cgi?id=962994", "https://bugzilla.opensuse.org/show_bug.cgi?id=962997", "https://bugzilla.opensuse.org/show_bug.cgi?id=962970", "https://bugzilla.opensuse.org/show_bug.cgi?id=963000", "https://bugzilla.opensuse.org/show_bug.cgi?id=975496", "https://bugzilla.opensuse.org/show_bug.cgi?id=975981", "https://bugzilla.opensuse.org/show_bug.cgi?id=916617"], "pluginID": "91111", "description": "ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\nAlso yast2-ntp-client was updated to match some sntp syntax changes.\n(bsc#937837)\n\nThese security issues were fixed :\n\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784).\n\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000).\n\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802).\n\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960).\n\n - CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995).\n\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629).\n\nThese non-security issues were fixed :\n\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added the authreg directive.\n\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which caused the synchronization to fail.\n\n - bsc#782060: Speedup ntpq.\n\n - bsc#916617: Add /var/db/ntp-kod.\n\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen quite a lot on loaded systems.\n\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n\n - Add ntp-fork.patch and build with threads disabled to allow name resolution even when running chrooted.\n\nThis update was imported from the SUSE:SLE-12-SP1:Update update project.", "edition": 10, "reporter": "Tenable", "published": "2016-05-13T00:00:00", "title": "openSUSE Security Update : ntp (openSUSE-2016-578)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2017-02-13T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:ntp-debuginfo", "cpe:/o:novell:opensuse:42.1", "p-cpe:/a:novell:opensuse:yast2-ntp-client", "p-cpe:/a:novell:opensuse:ntp-debugsource", "p-cpe:/a:novell:opensuse:ntp"], "id": "OPENSUSE-2016-578.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=91111", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-578.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91111);\n script_version(\"$Revision: 2.7 $\");\n script_cvs_date(\"$Date: 2017/02/13 20:45:10 $\");\n\n script_cve_id(\"CVE-2015-5300\", \"CVE-2015-7973\", \"CVE-2015-7974\", \"CVE-2015-7975\", \"CVE-2015-7976\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8138\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\");\n\n script_name(english:\"openSUSE Security Update : ntp (openSUSE-2016-578)\");\n script_summary(english:\"Check for the openSUSE-2016-578 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\nAlso yast2-ntp-client was updated to match some sntp syntax changes.\n(bsc#937837)\n\nThese security issues were fixed :\n\n - CVE-2015-8158: Fixed potential infinite loop in ntpq\n (bsc#962966).\n\n - CVE-2015-8138: Zero Origin Timestamp Bypass\n (bsc#963002).\n\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack\n on authenticated broadcast mode (bsc#962784).\n\n - CVE-2015-7978: Stack exhaustion in recursive traversal\n of restriction list (bsc#963000).\n\n - CVE-2015-7977: reslist NULL pointer dereference\n (bsc#962970).\n\n - CVE-2015-7976: ntpq saveconfig command allows dangerous\n characters in filenames (bsc#962802).\n\n - CVE-2015-7975: nextvar() missing length check\n (bsc#962988).\n\n - CVE-2015-7974: Skeleton Key: Missing key check allows\n impersonation between authenticated peers (bsc#962960).\n\n - CVE-2015-7973: Replay attack on authenticated broadcast\n mode (bsc#962995).\n\n - CVE-2015-8140: ntpq vulnerable to replay attacks\n (bsc#962994).\n\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose\n origin (bsc#962997).\n\n - CVE-2015-5300: MITM attacker could have forced ntpd to\n make a step larger than the panic threshold\n (bsc#951629).\n\nThese non-security issues were fixed :\n\n - fate#320758 bsc#975981: Enable compile-time support for\n MS-SNTP (--enable-ntp-signd). This replaces the w32\n patches in 4.2.4 that added the authreg directive.\n\n - bsc#962318: Call /usr/sbin/sntp with full path to\n synchronize in start-ntpd. When run as cron job,\n /usr/sbin/ is not in the path, which caused the\n synchronization to fail.\n\n - bsc#782060: Speedup ntpq.\n\n - bsc#916617: Add /var/db/ntp-kod.\n\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning\n that might happen quite a lot on loaded systems.\n\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp\n during DST.\n\n - Add ntp-fork.patch and build with threads disabled to\n allow name resolution even when running chrooted.\n\nThis update was imported from the SUSE:SLE-12-SP1:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=782060\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=916617\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=937837\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=951559\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=951629\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=956773\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=962318\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=962784\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=962802\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=962960\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=962966\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=962970\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=962988\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=962994\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=962995\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=962997\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=963000\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=963002\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=975496\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=975981\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected ntp packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ntp-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ntp-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:yast2-ntp-client\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.1\", reference:\"ntp-4.2.8p6-15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"ntp-debuginfo-4.2.8p6-15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"ntp-debugsource-4.2.8p6-15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"yast2-ntp-client-3.1.22-6.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp / ntp-debuginfo / ntp-debugsource / yast2-ntp-client\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:53:49", "references": ["https://packages.debian.org/source/wheezy/ntp", "https://lists.debian.org/debian-lts-announce/2016/07/msg00021.html"], "pluginID": "92546", "description": "Several vulnerabilities were discovered in the Network Time Protocol daemon and utility programs :\n\nCVE-2015-7974\n\nMatt Street discovered that insufficient key validation allows impersonation attacks between authenticated peers.\n\nCVE-2015-7977 / CVE-2015-7978\n\nStephen Gray discovered that a NULL pointer dereference and a buffer overflow in the handling of 'ntpdc reslist' commands may result in denial of service.\n\nCVE-2015-7979\n\nAanchal Malhotra discovered that if NTP is configured for broadcast mode, an attacker can send malformed authentication packets which break associations with the server for other broadcast clients.\n\nCVE-2015-8138\n\nMatthew van Gundy and Jonathan Gardner discovered that missing validation of origin timestamps in ntpd clients may result in denial of service.\n\nCVE-2015-8158\n\nJonathan Gardner discovered that missing input sanitising in ntpq may result in denial of service.\n\nCVE-2016-1547\n\nStephen Gray and Matthew van Gundy discovered that incorrect handling of crypto NAK packets my result in denial of service.\n\nCVE-2016-1548\n\nJonathan Gardner and Miroslav Lichvar discovered that ntpd clients could be forced to change from basic client/server mode to interleaved symmetric mode, preventing time synchronisation.\n\nCVE-2016-1550\n\nMatthew van Gundy, Stephen Gray and Loganaden Velvindron discovered that timing leaks in the the packet authentication code could result in recovery of a message digest.\n\nCVE-2016-2516\n\nYihan Lian discovered that duplicate IPs on 'unconfig' directives will trigger an assert.\n\nCVE-2016-2518\n\nYihan Lian discovered that an OOB memory access could potentially crash ntpd.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version 1:4.2.6.p5+dfsg-2+deb7u7.\n\nWe recommend that you upgrade your ntp packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "edition": 16, "reporter": "Tenable", "published": "2016-07-26T00:00:00", "title": "Debian DLA-559-1 : ntp security update", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-8138", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7979", "CVE-2016-1547", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2018-07-06T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:ntp-doc", "p-cpe:/a:debian:debian_linux:ntp", "p-cpe:/a:debian:debian_linux:ntpdate", "cpe:/o:debian:debian_linux:7.0"], "id": "DEBIAN_DLA-559.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=92546", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-559-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(92546);\n script_version(\"2.11\");\n script_cvs_date(\"Date: 2018/07/06 11:26:07\");\n\n script_cve_id(\"CVE-2015-7974\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8138\", \"CVE-2015-8158\", \"CVE-2016-1547\", \"CVE-2016-1548\", \"CVE-2016-1550\", \"CVE-2016-2516\", \"CVE-2016-2518\");\n\n script_name(english:\"Debian DLA-559-1 : ntp security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Several vulnerabilities were discovered in the Network Time Protocol\ndaemon and utility programs :\n\nCVE-2015-7974\n\nMatt Street discovered that insufficient key validation allows\nimpersonation attacks between authenticated peers.\n\nCVE-2015-7977 / CVE-2015-7978\n\nStephen Gray discovered that a NULL pointer dereference and a buffer\noverflow in the handling of 'ntpdc reslist' commands may result in\ndenial of service.\n\nCVE-2015-7979\n\nAanchal Malhotra discovered that if NTP is configured for broadcast\nmode, an attacker can send malformed authentication packets which\nbreak associations with the server for other broadcast clients.\n\nCVE-2015-8138\n\nMatthew van Gundy and Jonathan Gardner discovered that missing\nvalidation of origin timestamps in ntpd clients may result in denial\nof service.\n\nCVE-2015-8158\n\nJonathan Gardner discovered that missing input sanitising in ntpq may\nresult in denial of service.\n\nCVE-2016-1547\n\nStephen Gray and Matthew van Gundy discovered that incorrect handling\nof crypto NAK packets my result in denial of service.\n\nCVE-2016-1548\n\nJonathan Gardner and Miroslav Lichvar discovered that ntpd clients\ncould be forced to change from basic client/server mode to interleaved\nsymmetric mode, preventing time synchronisation.\n\nCVE-2016-1550\n\nMatthew van Gundy, Stephen Gray and Loganaden Velvindron discovered\nthat timing leaks in the the packet authentication code could result\nin recovery of a message digest.\n\nCVE-2016-2516\n\nYihan Lian discovered that duplicate IPs on 'unconfig' directives will\ntrigger an assert.\n\nCVE-2016-2518\n\nYihan Lian discovered that an OOB memory access could potentially\ncrash ntpd.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version\n1:4.2.6.p5+dfsg-2+deb7u7.\n\nWe recommend that you upgrade your ntp packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2016/07/msg00021.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/wheezy/ntp\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the affected ntp, ntp-doc, and ntpdate packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ntp-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ntpdate\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:7.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/07/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/07/26\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"7.0\", prefix:\"ntp\", reference:\"1:4.2.6.p5+dfsg-2+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"ntp-doc\", reference:\"1:4.2.6.p5+dfsg-2+deb7u7\")) flag++;\nif (deb_check(release:\"7.0\", prefix:\"ntpdate\", reference:\"1:4.2.6.p5+dfsg-2+deb7u7\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:41:28", "references": ["http://www.nessus.org/u?465b5d89"], "pluginID": "88912", "description": "New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.", "edition": 9, "reporter": "Tenable", "published": "2016-02-24T00:00:00", "title": "Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2016-054-04)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Slackware Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-7975", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2017-02-13T00:00:00", "cpe": ["cpe:/o:slackware:slackware_linux:14.1", "cpe:/o:slackware:slackware_linux:13.37", "cpe:/o:slackware:slackware_linux:14.0", "cpe:/o:slackware:slackware_linux:13.0", "p-cpe:/a:slackware:slackware_linux:ntp", "cpe:/o:slackware:slackware_linux", "cpe:/o:slackware:slackware_linux:13.1"], "id": "SLACKWARE_SSA_2016-054-04.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=88912", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Slackware Security Advisory 2016-054-04. The text \n# itself is copyright (C) Slackware Linux, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(88912);\n script_version(\"$Revision: 2.8 $\");\n script_cvs_date(\"$Date: 2017/02/13 20:45:10 $\");\n\n script_cve_id(\"CVE-2015-5300\", \"CVE-2015-7973\", \"CVE-2015-7974\", \"CVE-2015-7975\", \"CVE-2015-7976\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8138\", \"CVE-2015-8158\");\n script_xref(name:\"SSA\", value:\"2016-054-04\");\n\n script_name(english:\"Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2016-054-04)\");\n script_summary(english:\"Checks for updated package in /var/log/packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Slackware host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0,\n14.1, and -current to fix security issues.\"\n );\n # http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.546478\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?465b5d89\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected ntp package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:slackware:slackware_linux:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:13.37\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.0\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:slackware:slackware_linux:14.1\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/02/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/02/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n script_family(english:\"Slackware Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Slackware/release\", \"Host/Slackware/packages\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"slackware.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Slackware/release\")) audit(AUDIT_OS_NOT, \"Slackware\");\nif (!get_kb_item(\"Host/Slackware/packages\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Slackware\", cpu);\n\n\nflag = 0;\nif (slackware_check(osver:\"13.0\", pkgname:\"ntp\", pkgver:\"4.2.8p6\", pkgarch:\"i486\", pkgnum:\"1_slack13.0\")) flag++;\nif (slackware_check(osver:\"13.0\", arch:\"x86_64\", pkgname:\"ntp\", pkgver:\"4.2.8p6\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.0\")) flag++;\n\nif (slackware_check(osver:\"13.1\", pkgname:\"ntp\", pkgver:\"4.2.8p6\", pkgarch:\"i486\", pkgnum:\"1_slack13.1\")) flag++;\nif (slackware_check(osver:\"13.1\", arch:\"x86_64\", pkgname:\"ntp\", pkgver:\"4.2.8p6\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.1\")) flag++;\n\nif (slackware_check(osver:\"13.37\", pkgname:\"ntp\", pkgver:\"4.2.8p6\", pkgarch:\"i486\", pkgnum:\"1_slack13.37\")) flag++;\nif (slackware_check(osver:\"13.37\", arch:\"x86_64\", pkgname:\"ntp\", pkgver:\"4.2.8p6\", pkgarch:\"x86_64\", pkgnum:\"1_slack13.37\")) flag++;\n\nif (slackware_check(osver:\"14.0\", pkgname:\"ntp\", pkgver:\"4.2.8p6\", pkgarch:\"i486\", pkgnum:\"1_slack14.0\")) flag++;\nif (slackware_check(osver:\"14.0\", arch:\"x86_64\", pkgname:\"ntp\", pkgver:\"4.2.8p6\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.0\")) flag++;\n\nif (slackware_check(osver:\"14.1\", pkgname:\"ntp\", pkgver:\"4.2.8p6\", pkgarch:\"i486\", pkgnum:\"1_slack14.1\")) flag++;\nif (slackware_check(osver:\"14.1\", arch:\"x86_64\", pkgname:\"ntp\", pkgver:\"4.2.8p6\", pkgarch:\"x86_64\", pkgnum:\"1_slack14.1\")) flag++;\n\nif (slackware_check(osver:\"current\", pkgname:\"ntp\", pkgver:\"4.2.8p6\", pkgarch:\"i586\", pkgnum:\"1\")) flag++;\nif (slackware_check(osver:\"current\", arch:\"x86_64\", pkgname:\"ntp\", pkgver:\"4.2.8p6\", pkgarch:\"x86_64\", pkgnum:\"1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:slackware_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-02T00:04:58", "references": ["https://www.tenable.com/security/research/tra-2015-04", "http://www.nessus.org/u?9c4dad4e"], "pluginID": "91539", "description": "Security Fix(es) :\n\n - It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\n\n - A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701)\n\n - An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852)\n\n - A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977)\n\n - A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd.\n (CVE-2015-7978)\n\n - It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. (CVE-2015-5194)\n\n - It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command.\n (CVE-2015-5195)\n\n - It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219)\n\n - It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). (CVE-2015-7703)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichvr (Red Hat).", "edition": 9, "reporter": "Tenable", "published": "2016-06-09T00:00:00", "title": "Scientific Linux Security Update : ntp on SL6.x i386/x86_64", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "naslFamily": "Scientific Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-7703", "CVE-2015-7977", "CVE-2015-5219", "CVE-2014-9750", "CVE-2015-7701", "CVE-2015-7692", "CVE-2015-7702", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7691", "CVE-2015-5195", "CVE-2015-7978"], "modified": "2017-08-16T00:00:00", "cpe": ["x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20160510_NTP_ON_SL6_X.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=91539", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91539);\n script_version(\"$Revision: 2.3 $\");\n script_cvs_date(\"$Date: 2017/08/16 14:11:36 $\");\n\n script_cve_id(\"CVE-2014-9750\", \"CVE-2015-5194\", \"CVE-2015-5195\", \"CVE-2015-5219\", \"CVE-2015-7691\", \"CVE-2015-7692\", \"CVE-2015-7701\", \"CVE-2015-7702\", \"CVE-2015-7703\", \"CVE-2015-7852\", \"CVE-2015-7977\", \"CVE-2015-7978\");\n script_xref(name:\"TRA\", value:\"TRA-2015-04\");\n\n script_name(english:\"Scientific Linux Security Update : ntp on SL6.x i386/x86_64\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - It was found that the fix for CVE-2014-9750 was\n incomplete: three issues were found in the value length\n checks in NTP's ntp_crypto.c, where a packet with\n particular autokey operations that contained malicious\n data was not always being completely validated. A remote\n attacker could use a specially crafted NTP packet to\n crash ntpd. (CVE-2015-7691, CVE-2015-7692,\n CVE-2015-7702)\n\n - A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If\n ntpd was configured to use autokey authentication, an\n attacker could send packets to ntpd that would, after\n several days of ongoing attack, cause it to run out of\n memory. (CVE-2015-7701)\n\n - An off-by-one flaw, leading to a buffer overflow, was\n found in cookedprint functionality of ntpq. A specially\n crafted NTP packet could potentially cause ntpq to\n crash. (CVE-2015-7852)\n\n - A NULL pointer dereference flaw was found in the way\n ntpd processed 'ntpdc reslist' commands that queried\n restriction lists with a large amount of entries. A\n remote attacker could potentially use this flaw to crash\n ntpd. (CVE-2015-7977)\n\n - A stack-based buffer overflow flaw was found in the way\n ntpd processed 'ntpdc reslist' commands that queried\n restriction lists with a large amount of entries. A\n remote attacker could use this flaw to crash ntpd.\n (CVE-2015-7978)\n\n - It was found that ntpd could crash due to an\n uninitialized variable when processing malformed\n logconfig configuration commands. (CVE-2015-5194)\n\n - It was found that ntpd would exit with a segmentation\n fault when a statistics type that was not enabled during\n compilation (e.g. timingstats) was referenced by the\n statistics or filegen configuration command.\n (CVE-2015-5195)\n\n - It was discovered that the sntp utility could become\n unresponsive due to being caught in an infinite loop\n when processing a crafted NTP packet. (CVE-2015-5219)\n\n - It was found that NTP's :config command could be used to\n set the pidfile and driftfile paths without any\n restrictions. A remote attacker could use this flaw to\n overwrite a file on the file system with a file\n containing the pid of the ntpd process (immediately) or\n the current estimated drift of the system clock (in\n hourly intervals). (CVE-2015-7703)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav\nLichvr (Red Hat).\"\n );\n # http://listserv.fnal.gov/scripts/wa.exe?A2=ind1606&L=scientific-linux-errata&F=&S=&P=1297\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9c4dad4e\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2015-04\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/06/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL6\", reference:\"ntp-4.2.6p5-10.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"ntp-debuginfo-4.2.6p5-10.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"ntp-doc-4.2.6p5-10.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"ntp-perl-4.2.6p5-10.el6\")) flag++;\nif (rpm_check(release:\"SL6\", reference:\"ntpdate-4.2.6p5-10.el6\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-09-19T13:59:54", "references": ["http://support.ntp.org/bin/view/Main/SecurityNotice", "http://www.nessus.org/u?d42322ca"], "pluginID": "88054", "description": "The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p6.\nIt is, therefore, affected by the following vulnerabilities :\n\n - A flaw exists in the receive() function due to the use of authenticated broadcast mode. A man-in-the-middle attacker can exploit this to conduct a replay attack.\n (CVE-2015-7973)\n\n - A time serving flaw exists in the trusted key system due to improper key checks. An authenticated, remote attacker can exploit this to perform impersonation attacks between authenticated peers. (CVE-2015-7974)\n\n - An overflow condition exists in the nextvar() function due to improper validation of user-supplied input. A local attacker can exploit this to cause a buffer overflow, resulting in a denial of service condition.\n (CVE-2015-7975)\n\n - A flaw exists in ntp_control.c due to improper filtering of special characters in filenames by the saveconfig command. An authenticated, remote attacker can exploit this to inject arbitrary content. (CVE-2015-7976)\n\n - A NULL pointer dereference flaw exists in ntp_request.c that is triggered when handling ntpdc relist commands.\n A remote attacker can exploit this, via a specially crafted request, to crash the service, resulting in a denial of service condition. (CVE-2015-7977)\n\n - A flaw exists in ntpdc that is triggered during the handling of the relist command. A remote attacker can exploit this, via recursive traversals of the restriction list, to exhaust available space on the call stack, resulting in a denial of service condition.\n CVE-2015-7978)\n\n - An unspecified flaw exists in authenticated broadcast mode. A remote attacker can exploit this, via specially crafted packets, to cause a denial of service condition.\n (CVE-2015-7979)\n\n - A flaw exists in the receive() function that allows packets with an origin timestamp of zero to bypass security checks. A remote attacker can exploit this to spoof arbitrary content. (CVE-2015-8138)\n\n - A flaw exists in ntpq and ntpdc that allows a remote attacker to disclose sensitive information in timestamps. (CVE-2015-8139)\n\n - A flaw exists in the ntpq protocol that is triggered during the handling of an improper sequence of numbers.\n A man-in-the-middle attacker can exploit this to conduct a replay attack. (CVE-2015-8140)\n\n - A flaw exists in the ntpq client that is triggered when handling packets that cause a loop in the getresponse() function. A remote attacker can exploit this to cause an infinite loop, resulting in a denial of service condition. (CVE-2015-8158)", "edition": 14, "reporter": "Tenable", "published": "2016-01-21T00:00:00", "title": "Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p6 Multiple Vulnerabilities", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "Misc.", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2018-09-17T00:00:00", "cpe": ["cpe:/a:ntp:ntp"], "id": "NTP_4_2_8P6.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=88054", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(88054);\n script_version(\"1.17\");\n script_cvs_date(\"Date: 2018/09/17 21:46:53\");\n\n script_cve_id(\n \"CVE-2015-7973\",\n \"CVE-2015-7974\",\n \"CVE-2015-7975\",\n \"CVE-2015-7976\",\n \"CVE-2015-7977\",\n \"CVE-2015-7978\",\n \"CVE-2015-7979\",\n \"CVE-2015-8138\",\n \"CVE-2015-8139\",\n \"CVE-2015-8140\",\n \"CVE-2015-8158\"\n );\n script_bugtraq_id(\n 81963,\n 81811,\n 81814,\n 81815,\n 81816,\n 81959,\n 81960,\n 81962,\n 82102,\n 82105\n );\n script_xref(name:\"CERT\", value:\"718152\");\n\n script_name(english:\"Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p6 Multiple Vulnerabilities\");\n script_summary(english:\"Checks for a vulnerable NTP server.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote NTP server is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p6.\nIt is, therefore, affected by the following vulnerabilities :\n\n - A flaw exists in the receive() function due to the use\n of authenticated broadcast mode. A man-in-the-middle\n attacker can exploit this to conduct a replay attack.\n (CVE-2015-7973)\n\n - A time serving flaw exists in the trusted key system\n due to improper key checks. An authenticated, remote\n attacker can exploit this to perform impersonation\n attacks between authenticated peers. (CVE-2015-7974)\n\n - An overflow condition exists in the nextvar() function\n due to improper validation of user-supplied input. A\n local attacker can exploit this to cause a buffer\n overflow, resulting in a denial of service condition.\n (CVE-2015-7975)\n\n - A flaw exists in ntp_control.c due to improper filtering\n of special characters in filenames by the saveconfig\n command. An authenticated, remote attacker can exploit\n this to inject arbitrary content. (CVE-2015-7976)\n\n - A NULL pointer dereference flaw exists in ntp_request.c\n that is triggered when handling ntpdc relist commands.\n A remote attacker can exploit this, via a specially\n crafted request, to crash the service, resulting in a\n denial of service condition. (CVE-2015-7977)\n\n - A flaw exists in ntpdc that is triggered during the\n handling of the relist command. A remote attacker can\n exploit this, via recursive traversals of the\n restriction list, to exhaust available space on the call\n stack, resulting in a denial of service condition.\n CVE-2015-7978)\n\n - An unspecified flaw exists in authenticated broadcast\n mode. A remote attacker can exploit this, via specially\n crafted packets, to cause a denial of service condition.\n (CVE-2015-7979)\n\n - A flaw exists in the receive() function that allows\n packets with an origin timestamp of zero to bypass\n security checks. A remote attacker can exploit this to\n spoof arbitrary content. (CVE-2015-8138)\n\n - A flaw exists in ntpq and ntpdc that allows a remote\n attacker to disclose sensitive information in\n timestamps. (CVE-2015-8139)\n\n - A flaw exists in the ntpq protocol that is triggered\n during the handling of an improper sequence of numbers.\n A man-in-the-middle attacker can exploit this to conduct\n a replay attack. (CVE-2015-8140)\n\n - A flaw exists in the ntpq client that is triggered when\n handling packets that cause a loop in the getresponse()\n function. A remote attacker can exploit this to cause an\n infinite loop, resulting in a denial of service\n condition. (CVE-2015-8158)\");\n script_set_attribute(attribute:\"see_also\", value:\"http://support.ntp.org/bin/view/Main/SecurityNotice\");\n # http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d42322ca\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to NTP version 4.2.8p6 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-8140\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/01/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ntp:ntp\");\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ntp_open.nasl\");\n script_require_keys(\"NTP/Running\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\n\n# Make sure NTP server is running\nget_kb_item_or_exit('NTP/Running');\n\napp_name = \"NTP Server\";\n\nport = get_kb_item(\"Services/udp/ntp\");\nif (!port) port = 123;\n\nversion = get_kb_item_or_exit(\"Services/ntp/version\");\nif (version == 'unknown') audit(AUDIT_UNKNOWN_APP_VER, app_name);\n\nmatch = eregmatch(string:version, pattern:\"([0-9a-z.]+)\");\nif (isnull(match) || empty_or_null(match[1])) exit(AUDIT_UNKNOWN_APP_VER, app_name);\n\n# Paranoia check\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nver = match[1];\nverfields = split(ver, sep:\".\", keep:FALSE);\nmajor = int(verfields[0]);\nminor = int(verfields[1]);\nif ('p' >< verfields[2])\n{\n revpatch = split(verfields[2], sep:\"p\", keep:FALSE);\n rev = int(revpatch[0]);\n patch = int(revpatch[1]);\n}\nelse\n{\n rev = verfields[2];\n patch = 0;\n}\n\n# This vulnerability affects NTP 3.x / 4.x < 4.2.8p6\nif (\n (major == 3) ||\n (major == 4 && minor < 2) ||\n (major == 4 && minor == 2 && rev < 8) ||\n (major == 4 && minor == 2 && rev == 8 && patch < 6)\n)\n{\n fix = \"4.2.8p6\";\n}\nelse audit(AUDIT_INST_VER_NOT_VULN, app_name, version);\n\nreport =\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n\nsecurity_report_v4(\n port : port,\n proto : \"udp\",\n extra : report,\n severity : SECURITY_WARNING\n);\nexit(0);\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:35:37", "references": ["https://www.tenable.com/security/research/tra-2015-04", "https://oss.oracle.com/pipermail/el-errata/2016-May/006059.html"], "pluginID": "91151", "description": "From Red Hat Security Advisory 2016:0780 :\n\nAn update for ntp is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service.\n\nSecurity Fix(es) :\n\n* It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd.\n(CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\n\n* A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701)\n\n* An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852)\n\n* A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977)\n\n* A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd. (CVE-2015-7978)\n\n* It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands.\n(CVE-2015-5194)\n\n* It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g.\ntimingstats) was referenced by the statistics or filegen configuration command. (CVE-2015-5195)\n\n* It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219)\n\n* It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals).\n(CVE-2015-7703)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichvar (Red Hat).\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 6.8 Release Notes and Red Hat Enterprise Linux 6.8 Technical Notes linked from the References section.", "edition": 17, "reporter": "Tenable", "published": "2016-05-16T00:00:00", "title": "Oracle Linux 6 : ntp (ELSA-2016-0780)", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Oracle Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-7703", "CVE-2015-7977", "CVE-2015-5219", "CVE-2015-7701", "CVE-2015-7692", "CVE-2015-7702", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7691", "CVE-2015-5195", "CVE-2015-7978"], "modified": "2018-07-24T00:00:00", "cpe": ["cpe:/o:oracle:linux:6", "p-cpe:/a:oracle:linux:ntpdate", "p-cpe:/a:oracle:linux:ntp-perl", "p-cpe:/a:oracle:linux:ntp-doc", "p-cpe:/a:oracle:linux:ntp"], "id": "ORACLELINUX_ELSA-2016-0780.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=91151", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2016:0780 and \n# Oracle Linux Security Advisory ELSA-2016-0780 respectively.\n#\n\nif (NASL_LEVEL < 3000) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(91151);\n script_version(\"2.11\");\n script_cvs_date(\"Date: 2018/07/24 18:56:12\");\n\n script_cve_id(\"CVE-2015-5194\", \"CVE-2015-5195\", \"CVE-2015-5219\", \"CVE-2015-7691\", \"CVE-2015-7692\", \"CVE-2015-7701\", \"CVE-2015-7702\", \"CVE-2015-7703\", \"CVE-2015-7852\", \"CVE-2015-7977\", \"CVE-2015-7978\");\n script_xref(name:\"RHSA\", value:\"2016:0780\");\n script_xref(name:\"TRA\", value:\"TRA-2015-04\");\n\n script_name(english:\"Oracle Linux 6 : ntp (ELSA-2016-0780)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"From Red Hat Security Advisory 2016:0780 :\n\nAn update for ntp is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe Network Time Protocol (NTP) is used to synchronize a computer's\ntime with another referenced time source. These packages include the\nntpd service which continuously adjusts system time and utilities used\nto query and configure the ntpd service.\n\nSecurity Fix(es) :\n\n* It was found that the fix for CVE-2014-9750 was incomplete: three\nissues were found in the value length checks in NTP's ntp_crypto.c,\nwhere a packet with particular autokey operations that contained\nmalicious data was not always being completely validated. A remote\nattacker could use a specially crafted NTP packet to crash ntpd.\n(CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\n\n* A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was\nconfigured to use autokey authentication, an attacker could send\npackets to ntpd that would, after several days of ongoing attack,\ncause it to run out of memory. (CVE-2015-7701)\n\n* An off-by-one flaw, leading to a buffer overflow, was found in\ncookedprint functionality of ntpq. A specially crafted NTP packet\ncould potentially cause ntpq to crash. (CVE-2015-7852)\n\n* A NULL pointer dereference flaw was found in the way ntpd processed\n'ntpdc reslist' commands that queried restriction lists with a large\namount of entries. A remote attacker could potentially use this flaw\nto crash ntpd. (CVE-2015-7977)\n\n* A stack-based buffer overflow flaw was found in the way ntpd\nprocessed 'ntpdc reslist' commands that queried restriction lists with\na large amount of entries. A remote attacker could use this flaw to\ncrash ntpd. (CVE-2015-7978)\n\n* It was found that ntpd could crash due to an uninitialized variable\nwhen processing malformed logconfig configuration commands.\n(CVE-2015-5194)\n\n* It was found that ntpd would exit with a segmentation fault when a\nstatistics type that was not enabled during compilation (e.g.\ntimingstats) was referenced by the statistics or filegen configuration\ncommand. (CVE-2015-5195)\n\n* It was discovered that the sntp utility could become unresponsive\ndue to being caught in an infinite loop when processing a crafted NTP\npacket. (CVE-2015-5219)\n\n* It was found that NTP's :config command could be used to set the\npidfile and driftfile paths without any restrictions. A remote\nattacker could use this flaw to overwrite a file on the file system\nwith a file containing the pid of the ntpd process (immediately) or\nthe current estimated drift of the system clock (in hourly intervals).\n(CVE-2015-7703)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav\nLichvar (Red Hat).\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 6.8 Release Notes and Red Hat Enterprise Linux 6.8\nTechnical Notes linked from the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2016-May/006059.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.tenable.com/security/research/tra-2015-04\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected ntp packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ntp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ntp-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ntp-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:ntpdate\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:6\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/05/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/05/16\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = eregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 6\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL6\", reference:\"ntp-4.2.6p5-10.el6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"ntp-doc-4.2.6p5-10.el6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"ntp-perl-4.2.6p5-10.el6\")) flag++;\nif (rpm_check(release:\"EL6\", reference:\"ntpdate-4.2.6p5-10.el6\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ntp / ntp-doc / ntp-perl / ntpdate\");\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "amazon": [{"lastseen": "2016-09-28T21:04:12", "references": [], "affectedPackage": [{"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "4.2.6p5-36.29", "arch": "noarch", "packageFilename": "ntp-doc-4.2.6p5-36.29.amzn1.noarch", "packageName": "ntp-doc", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "4.2.6p5-36.29", "arch": "i686", "packageFilename": "ntpdate-4.2.6p5-36.29.amzn1.i686", "packageName": "ntpdate", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "4.2.6p5-36.29", "arch": "x86_64", "packageFilename": "ntpdate-4.2.6p5-36.29.amzn1.x86_64", "packageName": "ntpdate", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "4.2.6p5-36.29", "arch": "x86_64", "packageFilename": "ntp-4.2.6p5-36.29.amzn1.x86_64", "packageName": "ntp", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "4.2.6p5-36.29", "arch": "i686", "packageFilename": "ntp-debuginfo-4.2.6p5-36.29.amzn1.i686", "packageName": "ntp-debuginfo", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "4.2.6p5-36.29", "arch": "src", "packageFilename": "ntp-4.2.6p5-36.29.amzn1.src", "packageName": "ntp", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "4.2.6p5-36.29", "arch": "i686", "packageFilename": "ntp-4.2.6p5-36.29.amzn1.i686", "packageName": "ntp", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "4.2.6p5-36.29", "arch": "noarch", "packageFilename": "ntp-perl-4.2.6p5-36.29.amzn1.noarch", "packageName": "ntp-perl", "operator": "lt"}, {"OS": "Amazon Linux", "OSVersion": "any", "packageVersion": "4.2.6p5-36.29", "arch": "x86_64", "packageFilename": "ntp-debuginfo-4.2.6p5-36.29.amzn1.x86_64", "packageName": "ntp-debuginfo", "operator": "lt"}], "edition": 1, "description": "**Issue Overview:**\n\nIt was discovered that ntpd as a client did not correctly check the originate timestamp in received packets. A remote attacker could use this flaw to send a crafted packet to an ntpd client that would effectively disable synchronization with the server, or push arbitrary offset/delay measurements to modify the time on the client. ([CVE-2015-8138 __](<https://access.redhat.com/security/cve/CVE-2015-8138>))\n\nA NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash the ntpd process. ([CVE-2015-7977 __](<https://access.redhat.com/security/cve/CVE-2015-7977>))\n\nIt was found that NTP does not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key. ([CVE-2015-7974 __](<https://access.redhat.com/security/cve/CVE-2015-7974>))\n\nA stack-based buffer overflow was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash the ntpd process. ([CVE-2015-7978 __](<https://access.redhat.com/security/cve/CVE-2015-7978>))\n\nIt was found that when NTP is configured in broadcast mode, an off-path attacker could broadcast packets with bad authentication (wrong key, mismatched key, incorrect MAC, etc) to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server. This could cause the time on affected clients to become out of sync over a longer period of time. ([CVE-2015-7979 __](<https://access.redhat.com/security/cve/CVE-2015-7979>))\n\nA flaw was found in the way the ntpq client certain processed incoming packets in a loop in the getresponse() function. A remote attacker could potentially use this flaw to crash an ntpq client instance. ([CVE-2015-8158 __](<https://access.redhat.com/security/cve/CVE-2015-8158>))\n\n \n**Affected Packages:** \n\n\nntp\n\n \n**Issue Correction:** \nRun _yum update ntp_ to update your system. \n\n\n \n**New Packages:**\n \n \n i686: \n ntp-4.2.6p5-36.29.amzn1.i686 \n ntpdate-4.2.6p5-36.29.amzn1.i686 \n ntp-debuginfo-4.2.6p5-36.29.amzn1.i686 \n \n noarch: \n ntp-doc-4.2.6p5-36.29.amzn1.noarch \n ntp-perl-4.2.6p5-36.29.amzn1.noarch \n \n src: \n ntp-4.2.6p5-36.29.amzn1.src \n \n x86_64: \n ntpdate-4.2.6p5-36.29.amzn1.x86_64 \n ntp-4.2.6p5-36.29.amzn1.x86_64 \n ntp-debuginfo-4.2.6p5-36.29.amzn1.x86_64 \n \n \n", "reporter": "Amazon", "published": "2016-02-09T13:30:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "amazon", "title": "Important: ntp", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8138", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2016-02-09T13:30:00", "id": "ALAS-2016-649", "href": "https://alas.aws.amazon.com/ALAS-2016-649.html", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}], "openvas": [{"lastseen": "2018-09-01T23:45:29", "references": ["https://lists.fedoraproject.org/pipermail/package-announce/2016-January/176434.html", "2016-8"], "pluginID": "1361412562310807227", "description": "Check the version of ntp", "edition": 4, "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "published": "2016-02-05T00:00:00", "title": "Fedora Update for ntp FEDORA-2016-8", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Fedora Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8138", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2017-07-10T00:00:00", "id": "OPENVAS:1361412562310807227", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807227", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for ntp FEDORA-2016-8\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807227\");\n script_version(\"$Revision: 6631 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-10 08:36:10 +0200 (Mon, 10 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2016-02-05 13:14:22 +0530 (Fri, 05 Feb 2016)\");\n script_cve_id(\"CVE-2015-7974\", \"CVE-2015-8138\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8158\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for ntp FEDORA-2016-8\");\n script_tag(name: \"summary\", value: \"Check the version of ntp\");\n\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help\n of detect NVT and check if the version is vulnerable or not.\");\n\n script_tag(name: \"insight\", value: \"The Network Time Protocol (NTP) is used\n to synchronize a computer's time with another reference time source. This\n package includes ntpd (a daemon which continuously adjusts system time) and\n utilities used to query and configure the ntpd daemon.\n\n Perl scripts ntp-wait and ntptrace are in the ntp-perl package,\n ntpdate is in the ntpdate package and sntp is in the sntp package.\n The documentation is in the ntp-doc package.\");\n\n script_tag(name: \"affected\", value: \"ntp on Fedora 23\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n\n script_xref(name: \"FEDORA\", value: \"2016-8\");\n script_xref(name: \"URL\" , value: \"https://lists.fedoraproject.org/pipermail/package-announce/2016-January/176434.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC23\")\n{\n\n if ((res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~36.fc23\", rls:\"FC23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:48:29", "references": ["https://alas.aws.amazon.com/ALAS-2016-649.html"], "pluginID": "1361412562310120639", "description": "Amazon Linux Local Security Checks", "edition": 4, "reporter": "Eero Volotinen", "published": "2016-02-11T00:00:00", "title": "Amazon Linux Local Check: alas-2016-649", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Amazon Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8138", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2017-07-06T00:00:00", "id": "OPENVAS:1361412562310120639", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120639", "sourceData": "# OpenVAS Vulnerability Test \n# Description: Amazon Linux security check \n# $Id: alas-2016-649.nasl 6574 2017-07-06 13:41:26Z cfischer $\n \n# Authors: \n# Eero Volotinen <eero.volotinen@iki.fi> \n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://ping-viini.org \n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\nif(description)\n {\nscript_oid(\"1.3.6.1.4.1.25623.1.0.120639\");\nscript_version(\"$Revision: 6574 $\");\nscript_tag(name:\"creation_date\", value:\"2016-02-11 07:16:47 +0200 (Thu, 11 Feb 2016)\");\nscript_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 15:41:26 +0200 (Thu, 06 Jul 2017) $\");\nscript_name(\"Amazon Linux Local Check: alas-2016-649\");\nscript_tag(name: \"insight\", value: \"It was discovered that ntpd as a client did not correctly check the originate timestamp in received packets. A remote attacker could use this flaw to send a crafted packet to an ntpd client that would effectively disable synchronization with the server, or push arbitrary offset/delay measurements to modify the time on the client. (CVE-2015-8138 )A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash the ntpd process. (CVE-2015-7977 )It was found that NTP does not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key. (CVE-2015-7974 )A stack-based buffer overflow was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash the ntpd process. (CVE-2015-7978 )It was found that when NTP is configured in broadcast mode, an off-path attacker could broadcast packets with bad authentication (wrong key, mismatched key, incorrect MAC, etc) to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server. This could cause the time on affected clients to become out of sync over a longer period of time. (CVE-2015-7979 )A flaw was found in the way the ntpq client certain processed incoming packets in a loop in the getresponse() function. A remote attacker could potentially use this flaw to crash an ntpq client instance. (CVE-2015-8158 )\"); \nscript_tag(name : \"solution\", value : \"Run yum update ntp to update your system.\");\nscript_tag(name : \"solution_type\", value : \"VendorFix\");\nscript_xref(name : \"URL\" , value : \"https://alas.aws.amazon.com/ALAS-2016-649.html\");\nscript_cve_id(\"CVE-2015-7977\",\"CVE-2015-7974\",\"CVE-2015-7978\",\"CVE-2015-7979\",\"CVE-2015-8158\",\"CVE-2015-8138\");\nscript_tag(name:\"cvss_base\", value:\"5.0\");\nscript_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\nscript_tag(name:\"qod_type\", value:\"package\");\nscript_dependencies(\"gather-package-list.nasl\");\nscript_mandatory_keys(\"ssh/login/amazon_linux\", \"ssh/login/release\");\nscript_category(ACT_GATHER_INFO);\nscript_tag(name:\"summary\", value:\"Amazon Linux Local Security Checks\");\nscript_copyright(\"Eero Volotinen\");\nscript_family(\"Amazon Linux Local Security Checks\");\nexit(0);\n}\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\nrelease = get_kb_item(\"ssh/login/release\");\nres = \"\";\nif(release == NULL)\n{\n exit(0);\n}\nif(release == \"AMAZON\")\n{\nif ((res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~36.29.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"ntpdate\", rpm:\"ntpdate~4.2.6p5~36.29.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"ntp-debuginfo\", rpm:\"ntp-debuginfo~4.2.6p5~36.29.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"ntp-doc\", rpm:\"ntp-doc~4.2.6p5~36.29.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif ((res = isrpmvuln(pkg:\"ntp-perl\", rpm:\"ntp-perl~4.2.6p5~36.29.amzn1\", rls:\"AMAZON\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99); #Not vulnerable\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:47:33", "references": ["http://www.debian.org/security/2016/dsa-3629.html"], "pluginID": "1361412562310703629", "description": "Several vulnerabilities were discovered\nin the Network Time Protocol daemon and utility programs:\n\nCVE-2015-7974 \nMatt Street discovered that insufficient key validation allows\nimpersonation attacks between authenticated peers.\n\nCVE-2015-7977CVE-2015-7978Stephen Gray discovered that a NULL pointer dereference\nand a buffer overflow in the handling of ntpdc reslist \ncommands may\nresult in denial of service.\n\nCVE-2015-7979 \nAanchal Malhotra discovered that if NTP is configured for broadcast\nmode, an attacker can send malformed authentication packets which\nbreak associations with the server for other broadcast clients.\n\nCVE-2015-8138 \nMatthew van Gundy and Jonathan Gardner discovered that missing\nvalidation of origin timestamps in ntpd clients may result in denial\nof service.\n\nCVE-2015-8158 \nJonathan Gardner discovered that missing input sanitising in ntpq\nmay result in denial of service.\n\nCVE-2016-1547 \nStephen Gray and Matthew van Gundy discovered that incorrect handling\nof crypto NAK packets may result in denial of service.\n\nCVE-2016-1548 \nJonathan Gardner and Miroslav Lichvar discovered that ntpd clients\ncould be forced to change from basic client/server mode to interleaved\nsymmetric mode, preventing time synchronisation.\n\nCVE-2016-1550 \nMatthew van Gundy, Stephen Gray and Loganaden Velvindron discovered\nthat timing leaks in the the packet authentication code could result\nin recovery of a message digest.\n\nCVE-2016-2516Yihan Lian discovered that duplicate IPs on unconfig \ndirectives will\ntrigger an assert.\n\nCVE-2016-2518 \nYihan Lian discovered that an OOB memory access could potentially\ncrash ntpd.", "edition": 3, "reporter": "Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net", "published": "2016-08-02T00:00:00", "title": "Debian Security Advisory DSA 3629-1 (ntp - security update)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-8138", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7979", "CVE-2016-1547", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2017-12-15T00:00:00", "id": "OPENVAS:1361412562310703629", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703629", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3629.nasl 8131 2017-12-15 07:30:28Z teissa $\n# Auto-generated from advisory DSA 3629-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.703629\");\n script_version(\"$Revision: 8131 $\");\n script_cve_id(\"CVE-2015-7974\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\",\n \"CVE-2015-8138\", \"CVE-2015-8158\", \"CVE-2016-1547\", \"CVE-2016-1548\",\n \"CVE-2016-1550\", \"CVE-2016-2516\", \"CVE-2016-2518\");\n script_name(\"Debian Security Advisory DSA 3629-1 (ntp - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-12-15 08:30:28 +0100 (Fri, 15 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-02 10:56:41 +0530 (Tue, 02 Aug 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3629.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"ntp on Debian Linux\");\n script_tag(name: \"insight\", value: \"NTP, the Network Time Protocol,\nis used to keep computer clocks accurate by synchronizing them over the Internet\nor a local network, or by following an accurate hardware receiver that interprets\nGPS, DCF-77, NIST or similar time signals.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie),\nthese problems have been fixed in version 1:4.2.6.p5+dfsg-7+deb8u2.\n\nFor the testing distribution (stretch), these problems have been fixed\nin version 1:4.2.8p7+dfsg-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1:4.2.8p7+dfsg-1.\n\nWe recommend that you upgrade your ntp packages.\");\n script_tag(name: \"summary\", value: \"Several vulnerabilities were discovered\nin the Network Time Protocol daemon and utility programs:\n\nCVE-2015-7974 \nMatt Street discovered that insufficient key validation allows\nimpersonation attacks between authenticated peers.\n\nCVE-2015-7977CVE-2015-7978Stephen Gray discovered that a NULL pointer dereference\nand a buffer overflow in the handling of ntpdc reslist \ncommands may\nresult in denial of service.\n\nCVE-2015-7979 \nAanchal Malhotra discovered that if NTP is configured for broadcast\nmode, an attacker can send malformed authentication packets which\nbreak associations with the server for other broadcast clients.\n\nCVE-2015-8138 \nMatthew van Gundy and Jonathan Gardner discovered that missing\nvalidation of origin timestamps in ntpd clients may result in denial\nof service.\n\nCVE-2015-8158 \nJonathan Gardner discovered that missing input sanitising in ntpq\nmay result in denial of service.\n\nCVE-2016-1547 \nStephen Gray and Matthew van Gundy discovered that incorrect handling\nof crypto NAK packets may result in denial of service.\n\nCVE-2016-1548 \nJonathan Gardner and Miroslav Lichvar discovered that ntpd clients\ncould be forced to change from basic client/server mode to interleaved\nsymmetric mode, preventing time synchronisation.\n\nCVE-2016-1550 \nMatthew van Gundy, Stephen Gray and Loganaden Velvindron discovered\nthat timing leaks in the the packet authentication code could result\nin recovery of a message digest.\n\nCVE-2016-2516Yihan Lian discovered that duplicate IPs on unconfig \ndirectives will\ntrigger an assert.\n\nCVE-2016-2518 \nYihan Lian discovered that an OOB memory access could potentially\ncrash ntpd.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.8p7+dfsg-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntp-doc\", ver:\"1:4.2.8p7+dfsg-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntpdate\", ver:\"1:4.2.8p7+dfsg-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.6.p5+dfsg-7+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntp-doc\", ver:\"1:4.2.6.p5+dfsg-7+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntpdate\", ver:\"1:4.2.6.p5+dfsg-7+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:48:22", "references": ["2016:0780-01", "https://www.redhat.com/archives/rhsa-announce/2016-May/msg00022.html"], "pluginID": "1361412562310871612", "description": "Check the version of ntp", "edition": 7, "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "published": "2016-05-11T00:00:00", "title": "RedHat Update for ntp RHSA-2016:0780-01", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Red Hat Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-7703", "CVE-2015-7977", "CVE-2015-5219", "CVE-2014-9750", "CVE-2015-7701", "CVE-2015-7692", "CVE-2015-7702", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7691", "CVE-2015-5195", "CVE-2015-7978"], "modified": "2017-08-18T00:00:00", "id": "OPENVAS:1361412562310871612", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871612", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# RedHat Update for ntp RHSA-2016:0780-01\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.871612\");\n script_version(\"$Revision: 6959 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-08-18 09:24:59 +0200 (Fri, 18 Aug 2017) $\");\n script_tag(name:\"creation_date\", value:\"2016-05-11 05:23:05 +0200 (Wed, 11 May 2016)\");\n script_cve_id(\"CVE-2015-5194\", \"CVE-2015-5195\", \"CVE-2015-5219\", \"CVE-2015-7691\", \"CVE-2015-7692\", \"CVE-2015-7701\", \"CVE-2015-7702\", \"CVE-2015-7703\", \"CVE-2015-7852\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2014-9750\");\n script_tag(name:\"cvss_base\", value:\"7.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:C\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"RedHat Update for ntp RHSA-2016:0780-01\");\n script_tag(name: \"summary\", value: \"Check the version of ntp\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help of detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"The Network Time Protocol (NTP) is used to synchronize a computer's time\nwith another referenced time source. These packages include the ntpd\nservice which continuously adjusts system time and utilities used to query\nand configure the ntpd service.\n\nSecurity Fix(es):\n\n* It was found that the fix for CVE-2014-9750 was incomplete: three issues\nwere found in the value length checks in NTP's ntp_crypto.c, where a packet\nwith particular autokey operations that contained malicious data was not\nalways being completely validated. A remote attacker could use a specially\ncrafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692,\nCVE-2015-7702)\n\n* A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was\nconfigured to use autokey authentication, an attacker could send packets to\nntpd that would, after several days of ongoing attack, cause it to run out\nof memory. (CVE-2015-7701)\n\n* An off-by-one flaw, leading to a buffer overflow, was found in\ncookedprint functionality of ntpq. A specially crafted NTP packet could\npotentially cause ntpq to crash. (CVE-2015-7852)\n\n* A NULL pointer dereference flaw was found in the way ntpd processed\n'ntpdc reslist' commands that queried restriction lists with a large amount\nof entries. A remote attacker could potentially use this flaw to crash\nntpd. (CVE-2015-7977)\n\n* A stack-based buffer overflow flaw was found in the way ntpd processed\n'ntpdc reslist' commands that queried restriction lists with a large amount\nof entries. A remote attacker could use this flaw to crash ntpd.\n(CVE-2015-7978)\n\n* It was found that ntpd could crash due to an uninitialized variable when\nprocessing malformed logconfig configuration commands. (CVE-2015-5194)\n\n* It was found that ntpd would exit with a segmentation fault when a\nstatistics type that was not enabled during compilation (e.g. timingstats)\nwas referenced by the statistics or filegen configuration command.\n(CVE-2015-5195)\n\n* It was discovered that the sntp utility could become unresponsive due to\nbeing caught in an infinite loop when processing a crafted NTP packet.\n(CVE-2015-5219)\n\n* It was found that NTP's :config command could be used to set the pidfile\nand driftfile paths without any restrictions. A remote attacker could use\nthis flaw to overwrite a file on the file system with a file containing the\npid of the ntpd process (immediately) or the current estimated drift of the\nsystem clock (in hourly intervals). (CVE-2015-7703)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav\nLichvar (R ... \n\n Description truncated, for more information please check the Reference URL\");\n script_tag(name: \"affected\", value: \"ntp on Red Hat Enterprise Linux Desktop (v. 6),\n Red Hat Enterprise Linux Server (v. 6),\n Red Hat Enterprise Linux Workstation (v. 6)\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n\n script_xref(name: \"RHSA\", value: \"2016:0780-01\");\n script_xref(name: \"URL\" , value: \"https://www.redhat.com/archives/rhsa-announce/2016-May/msg00022.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Red Hat Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/rhel\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"RHENT_6\")\n{\n\n if ((res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~10.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ntp-debuginfo\", rpm:\"ntp-debuginfo~4.2.6p5~10.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ntpdate\", rpm:\"ntpdate~4.2.6p5~10.el6\", rls:\"RHENT_6\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:55:11", "references": ["http://www.debian.org/security/2016/dsa-3629.html"], "pluginID": "703629", "description": "Several vulnerabilities were discovered\nin the Network Time Protocol daemon and utility programs:\n\nCVE-2015-7974 \nMatt Street discovered that insufficient key validation allows\nimpersonation attacks between authenticated peers.\n\nCVE-2015-7977CVE-2015-7978Stephen Gray discovered that a NULL pointer dereference\nand a buffer overflow in the handling of ntpdc reslist \ncommands may\nresult in denial of service.\n\nCVE-2015-7979 \nAanchal Malhotra discovered that if NTP is configured for broadcast\nmode, an attacker can send malformed authentication packets which\nbreak associations with the server for other broadcast clients.\n\nCVE-2015-8138 \nMatthew van Gundy and Jonathan Gardner discovered that missing\nvalidation of origin timestamps in ntpd clients may result in denial\nof service.\n\nCVE-2015-8158 \nJonathan Gardner discovered that missing input sanitising in ntpq\nmay result in denial of service.\n\nCVE-2016-1547 \nStephen Gray and Matthew van Gundy discovered that incorrect handling\nof crypto NAK packets may result in denial of service.\n\nCVE-2016-1548 \nJonathan Gardner and Miroslav Lichvar discovered that ntpd clients\ncould be forced to change from basic client/server mode to interleaved\nsymmetric mode, preventing time synchronisation.\n\nCVE-2016-1550 \nMatthew van Gundy, Stephen Gray and Loganaden Velvindron discovered\nthat timing leaks in the the packet authentication code could result\nin recovery of a message digest.\n\nCVE-2016-2516Yihan Lian discovered that duplicate IPs on unconfig \ndirectives will\ntrigger an assert.\n\nCVE-2016-2518 \nYihan Lian discovered that an OOB memory access could potentially\ncrash ntpd.", "edition": 2, "reporter": "Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net", "published": "2016-08-02T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "title": "Debian Security Advisory DSA 3629-1 (ntp - security update)", "type": "openvas", "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-8138", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7979", "CVE-2016-1547", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2017-07-07T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=703629", "id": "OPENVAS:703629", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_3629.nasl 6608 2017-07-07 12:05:05Z cfischer $\n# Auto-generated from advisory DSA 3629-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\n\nif(description)\n{\n script_id(703629);\n script_version(\"$Revision: 6608 $\");\n script_cve_id(\"CVE-2015-7974\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\",\n \"CVE-2015-8138\", \"CVE-2015-8158\", \"CVE-2016-1547\", \"CVE-2016-1548\",\n \"CVE-2016-1550\", \"CVE-2016-2516\", \"CVE-2016-2518\");\n script_name(\"Debian Security Advisory DSA 3629-1 (ntp - security update)\");\n script_tag(name: \"last_modification\", value: \"$Date: 2017-07-07 14:05:05 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2016-08-02 10:56:41 +0530 (Tue, 02 Aug 2016)\");\n script_tag(name:\"cvss_base\", value:\"7.1\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:N/A:C\");\n script_tag(name: \"solution_type\", value: \"VendorFix\");\n script_tag(name: \"qod_type\", value: \"package\");\n\n script_xref(name: \"URL\", value: \"http://www.debian.org/security/2016/dsa-3629.html\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2016 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name: \"affected\", value: \"ntp on Debian Linux\");\n script_tag(name: \"insight\", value: \"NTP, the Network Time Protocol,\nis used to keep computer clocks accurate by synchronizing them over the Internet\nor a local network, or by following an accurate hardware receiver that interprets\nGPS, DCF-77, NIST or similar time signals.\");\n script_tag(name: \"solution\", value: \"For the stable distribution (jessie),\nthese problems have been fixed in version 1:4.2.6.p5+dfsg-7+deb8u2.\n\nFor the testing distribution (stretch), these problems have been fixed\nin version 1:4.2.8p7+dfsg-1.\n\nFor the unstable distribution (sid), these problems have been fixed in\nversion 1:4.2.8p7+dfsg-1.\n\nWe recommend that you upgrade your ntp packages.\");\n script_tag(name: \"summary\", value: \"Several vulnerabilities were discovered\nin the Network Time Protocol daemon and utility programs:\n\nCVE-2015-7974 \nMatt Street discovered that insufficient key validation allows\nimpersonation attacks between authenticated peers.\n\nCVE-2015-7977CVE-2015-7978Stephen Gray discovered that a NULL pointer dereference\nand a buffer overflow in the handling of ntpdc reslist \ncommands may\nresult in denial of service.\n\nCVE-2015-7979 \nAanchal Malhotra discovered that if NTP is configured for broadcast\nmode, an attacker can send malformed authentication packets which\nbreak associations with the server for other broadcast clients.\n\nCVE-2015-8138 \nMatthew van Gundy and Jonathan Gardner discovered that missing\nvalidation of origin timestamps in ntpd clients may result in denial\nof service.\n\nCVE-2015-8158 \nJonathan Gardner discovered that missing input sanitising in ntpq\nmay result in denial of service.\n\nCVE-2016-1547 \nStephen Gray and Matthew van Gundy discovered that incorrect handling\nof crypto NAK packets may result in denial of service.\n\nCVE-2016-1548 \nJonathan Gardner and Miroslav Lichvar discovered that ntpd clients\ncould be forced to change from basic client/server mode to interleaved\nsymmetric mode, preventing time synchronisation.\n\nCVE-2016-1550 \nMatthew van Gundy, Stephen Gray and Loganaden Velvindron discovered\nthat timing leaks in the the packet authentication code could result\nin recovery of a message digest.\n\nCVE-2016-2516Yihan Lian discovered that duplicate IPs on unconfig \ndirectives will\ntrigger an assert.\n\nCVE-2016-2518 \nYihan Lian discovered that an OOB memory access could potentially\ncrash ntpd.\");\n script_tag(name: \"vuldetect\", value: \"This check tests the installed software\nversion using the apt package manager.\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.8p7+dfsg-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntp-doc\", ver:\"1:4.2.8p7+dfsg-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntpdate\", ver:\"1:4.2.8p7+dfsg-1\", rls_regex:\"DEB9.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntp\", ver:\"1:4.2.6.p5+dfsg-7+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntp-doc\", ver:\"1:4.2.6.p5+dfsg-7+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ntpdate\", ver:\"1:4.2.6.p5+dfsg-7+deb8u2\", rls_regex:\"DEB8.[0-9]+\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-09-01T23:45:49", "references": ["2016:1292_1"], "pluginID": "1361412562310851310", "description": "Check the version of ntp", "edition": 6, "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "published": "2016-05-17T00:00:00", "title": "SuSE Update for ntp openSUSE-SU-2016:1292-1 (ntp)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "SuSE Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2017-12-08T00:00:00", "id": "OPENVAS:1361412562310851310", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851310", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_suse_2016_1292_1.nasl 8047 2017-12-08 08:56:07Z santu $\n#\n# SuSE Update for ntp openSUSE-SU-2016:1292-1 (ntp)\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851310\");\n script_version(\"$Revision: 8047 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-08 09:56:07 +0100 (Fri, 08 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2016-05-17 13:40:09 +0200 (Tue, 17 May 2016)\");\n script_cve_id(\"CVE-2015-5300\", \"CVE-2015-7973\", \"CVE-2015-7974\", \"CVE-2015-7975\", \n \"CVE-2015-7976\", \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\", \n \"CVE-2015-8138\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"SuSE Update for ntp openSUSE-SU-2016:1292-1 (ntp)\");\n script_tag(name: \"summary\", value: \"Check the version of ntp\");\n script_tag(name: \"vuldetect\", value: \"Get the installed version with the help \nof detect NVT and check if the version is vulnerable or not.\");\n script_tag(name: \"insight\", value: \"\n ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n These security issues were fixed:\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n\n This update was imported from the SUSE:SLE-12-SP1:Update update project.\");\n script_tag(name: \"affected\", value: \"ntp on openSUSE Leap 42.1\");\n script_tag(name: \"solution\", value: \"Please Install the Updated Packages.\");\n\n script_xref(name: \"openSUSE-SU\", value: \"2016:1292_1\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"openSUSELeap42.1\")\n{\n\n if ((res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.8p6~15.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ntp-debuginfo\", rpm:\"ntp-debuginfo~4.2.8p6~15.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ntp-debugsource\", rpm:\"ntp-debugsource~4.2.8p6~15.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"ntp-doc\", rpm:\"ntp-doc~4.2.8p6~15.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"yast2-ntp-client\", rpm:\"yast2-ntp-client~3.1.22~6.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isrpmvuln(pkg:\"yast2-ntp-client-devel-doc\", rpm:\"yast2-ntp-client-devel-doc~3.1.22~6.1\", rls:\"openSUSELeap42.1\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:47:56", "references": ["https://advisories.mageia.org/MGASA-2016-0039.html"], "pluginID": "1361412562310131203", "description": "Mageia Linux Local Security Checks mgasa-2016-0039", "edition": 4, "reporter": "Eero Volotinen", "published": "2016-02-02T00:00:00", "title": "Mageia Linux Local Check: mgasa-2016-0039", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "naslFamily": "Mageia Linux Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2017-07-06T00:00:00", "id": "OPENVAS:1361412562310131203", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310131203", "sourceData": "# OpenVAS Vulnerability Test \n# Description: Mageia Linux security check \n# $Id: mgasa-2016-0039.nasl 6562 2017-07-06 12:22:42Z cfischer $\n \n# Authors: \n# Eero Volotinen <eero.volotinen@solinor.com> \n#\n# Copyright:\n# Copyright (c) 2015 Eero Volotinen, http://www.solinor.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\nif(description)\n {\nscript_oid(\"1.3.6.1.4.1.25623.1.0.131203\");\nscript_version(\"$Revision: 6562 $\");\nscript_tag(name:\"creation_date\", value:\"2016-02-02 07:44:19 +0200 (Tue, 02 Feb 2016)\");\nscript_tag(name:\"last_modification\", value:\"$Date: 2017-07-06 14:22:42 +0200 (Thu, 06 Jul 2017) $\");\nscript_name(\"Mageia Linux Local Check: mgasa-2016-0039\");\nscript_tag(name: \"insight\", value: \"In ntpd before 4.2.8p6, when used with symmetric key encryption, the client would accept packets encrypted with keys for any configured server, allowing a server to impersonate other servers to clients, thus performing a man-in-the-middle attack. A server can be attacked by a client in a similar manner (CVE-2015-7974). A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash the ntpd process (CVE-2015-7977). A stack-based buffer overflow was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash the ntpd process (CVE-2015-7978). It was found that when NTP is configured in broadcast mode, an off-path attacker could broadcast packets with bad authentication (wrong key, mismatched key, incorrect MAC, etc) to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server. This could cause the time on affected clients to become out of sync over a longer period of time (CVE-2015-7979). A faulty protection against spoofing and replay attacks allows an attacker to disrupt synchronization with kiss-of-death packets, take full control of the clock, or cause ntpd to crash (CVE-2015-8138). A flaw was found in the way the ntpq client certain processed incoming packets in a loop in the getresponse() function. A remote attacker could potentially use this flaw to crash an ntpq client instance (CVE-2015-8158). The ntp package has been patched to fix these issues and a few other bugs. Note that there are still some unfixed issues. Two of those issues, CVE-2015-8139 and CVE-2015-8140, are vulnerabilities to spoofing and replay attacks that can be mitigated by either adding the noquery option to all restrict entries in ntp.conf, configuring ntpd to get time from multiple sources, or using a restriction list to limit who is allowed to issue ntpq and ntpdc queries. Additionally, the other unfixed issues can also be mitigated. CVE-2015-7973, a replay attack issue, can be mitigated by not using broadcast mode, and CVE-2015-7976, a bug that can cause globbing issues on the server, can be mitigated by restricting use of the saveconfig command with the restrict nomodify directive.\"); \nscript_tag(name : \"solution\", value : \"update software\");\nscript_tag(name : \"solution_type\", value : \"VendorFix\");\nscript_xref(name : \"URL\" , value : \"https://advisories.mageia.org/MGASA-2016-0039.html\");\nscript_cve_id(\"CVE-2015-7974\",\"CVE-2015-7977\",\"CVE-2015-7978\",\"CVE-2015-7979\",\"CVE-2015-8138\",\"CVE-2015-8158\");\nscript_tag(name:\"cvss_base\", value:\"5.0\");\nscript_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:N/A:P\");\nscript_tag(name:\"qod_type\", value:\"package\");\nscript_dependencies(\"gather-package-list.nasl\");\nscript_mandatory_keys(\"ssh/login/mageia_linux\", \"ssh/login/release\");\nscript_category(ACT_GATHER_INFO);\nscript_tag(name : \"summary\", value : \"Mageia Linux Local Security Checks mgasa-2016-0039\");\nscript_copyright(\"Eero Volotinen\");\nscript_family(\"Mageia Linux Local Security Checks\");\nexit(0);\n}\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\nrelease = get_kb_item(\"ssh/login/release\");\nres = \"\";\nif(release == NULL)\n{\n exit(0);\n}\nif(release == \"MAGEIA5\")\n{\nif ((res = isrpmvuln(pkg:\"ntp\", rpm:\"ntp~4.2.6p5~24.4.mga5\", rls:\"MAGEIA5\")) != NULL) {\n security_message(data:res);\n exit(0);\n}\nif (__pkg_match) exit(99); #Not vulnerable\n exit(0);\n}\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-20T16:07:14", "references": ["http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd"], "pluginID": "1361412562310105726", "description": "Multiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package.\nVersions of this package are affected by one or more vulnerabilities that could allow an\nunauthenticated, remote attacker to create a denial of service (DoS) condition or modify the time\nbeing advertised by a device acting as a Network Time Protocol (NTP) server.\n\nOn January 19, 2016, NTP Consortium at Network Time Foundation released a security advisory\ndetailing 12 issues regarding multiple DoS vulnerabilities, information disclosure vulnerabilities,\nand logic issues that may allow an attacker to shift a client", "edition": 4, "reporter": "This script is Copyright (C) 2016 Greenbone Networks GmbH", "published": "2016-05-18T00:00:00", "title": "Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "CISCO", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2018-09-20T00:00:00", "id": "OPENVAS:1361412562310105726", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105726", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_ipics_cisco-sa-20160127-ntpd.nasl 11493 2018-09-20 09:02:35Z asteins $\n#\n# Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:cisco:ip_interoperability_and_collaboration_system\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105726\");\n script_cve_id(\"CVE-2015-7974\", \"CVE-2015-7975\", \"CVE-2015-7976\", \"CVE-2015-7978\", \"CVE-2015-7977\", \"CVE-2015-7979\", \"CVE-2015-8138\", \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\", \"CVE-2015-7973\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_version(\"$Revision: 11493 $\");\n\n script_name(\"Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016\");\n\n script_xref(name:\"URL\", value:\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd\");\n\n script_tag(name:\"vuldetect\", value:\"Check the version.\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n script_tag(name:\"summary\", value:\"Multiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package.\nVersions of this package are affected by one or more vulnerabilities that could allow an\nunauthenticated, remote attacker to create a denial of service (DoS) condition or modify the time\nbeing advertised by a device acting as a Network Time Protocol (NTP) server.\n\nOn January 19, 2016, NTP Consortium at Network Time Foundation released a security advisory\ndetailing 12 issues regarding multiple DoS vulnerabilities, information disclosure vulnerabilities,\nand logic issues that may allow an attacker to shift a client's time. The vulnerabilities covered in\nthis document are as follows: CVE-2015-7973: Network Time Protocol Replay Attack on Authenticated\nBroadcast Mode Vulnerability CVE-2015-7974: Network Time Protocol Missing Trusted Key Check CVE-2015-\n7975: Standard Network Time Protocol Query Program nextvar() Missing Length Check CVE-2015-7976:\nStandard Network Time Protocol Query Program saveconfig Command Allows Dangerous Characters in\nFilenames CVE-2015-7978: Network Time Protocol Daemon reslist NULL Pointer Deference Denial of\nService Vulnerability CVE-2015-7977: Network Time Protocol Stack Exhaustion Denial of Service CVE-2015-\n7979: Network Time Protocol Off-Path Broadcast Mode Denial of Service CVE-2015-8138: Network Time\nProtocol Zero Origin Timestamp Bypass CVE-2015-8139: Network Time Protocol Information Disclosure of\nOrigin Timestamp CVE-2015-8140: Standard Network Time Protocol Query Program Replay Attack CVE-2015-\n8158: Standard and Special Network Time Protocol Query Program Infinite loop\n\nCisco has released software updates that address these vulnerabilities.\n\nWorkarounds that address some of these vulnerabilities may be available. Available workarounds will\nbe documented in the corresponding Cisco bug for each affected product.\n\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-20 11:02:35 +0200 (Thu, 20 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-05-18 10:53:18 +0200 (Wed, 18 May 2016)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_ipics_version.nasl\");\n script_mandatory_keys(\"cisco/ipics/version\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) ) exit( 0 );\n\naffected = make_list(\n\t\t'1.0(1.1)',\n\t\t'4.0(1)',\n\t\t'4.5(1)',\n\t\t'4.6(1)',\n\t\t'4.7(1)',\n\t\t'4.8(2)' );\n\nforeach af ( affected )\n{\n if( version == af )\n {\n report = report_fixed_ver( installed_version:version, fixed_version: \"See advisory\" );\n security_message( port:0, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:47:19", "references": ["http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd"], "pluginID": "1361412562310105666", "description": "Multiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server.\n\nOn January 19, 2016, NTP Consortium at Network Time Foundation released a security advisory detailing 12 issues regarding multiple DoS vulnerabilities, information disclosure vulnerabilities, and logic issues that may allow an attacker to shift a client", "edition": 3, "reporter": "This script is Copyright (C) 2016 Greenbone Networks GmbH", "published": "2016-05-09T00:00:00", "title": "Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "naslFamily": "CISCO", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2017-03-20T00:00:00", "id": "OPENVAS:1361412562310105666", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105666", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_cisco_ios_xe_cisco-sa-20160127-ntpd.nasl 5612 2017-03-20 10:00:41Z teissa $\n#\n# Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/o:cisco:ios_xe\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105666\");\n script_cve_id(\"CVE-2015-7974\",\"CVE-2015-7975\",\"CVE-2015-7976\",\"CVE-2015-7978\",\"CVE-2015-7977\",\"CVE-2015-7979\",\"CVE-2015-8138\",\"CVE-2015-8139\",\"CVE-2015-8140\",\"CVE-2015-8158\",\"CVE-2015-7973\");\n script_tag(name:\"cvss_base\", value:\"5.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_version (\"$Revision: 5612 $\");\n\n script_name(\"Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016\");\n\n script_xref(name:\"URL\", value:\"http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd\");\n \n\n script_tag(name: \"vuldetect\" , value:\"Check the version.\");\n\n script_tag(name: \"solution\" , value:\"See the referenced vendor advisory for a solution.\");\n script_tag(name: \"summary\" , value:\"Multiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server.\n\nOn January 19, 2016, NTP Consortium at Network Time Foundation released a security advisory detailing 12 issues regarding multiple DoS vulnerabilities, information disclosure vulnerabilities, and logic issues that may allow an attacker to shift a client's time. The vulnerabilities covered in this document are as follows:\n CVE-2015-7973: Network Time Protocol Replay Attack on Authenticated Broadcast Mode Vulnerability \n CVE-2015-7974: Network Time Protocol Missing Trusted Key Check\n CVE-2015-7975: Standard Network Time Protocol Query Program nextvar() Missing Length Check\n CVE-2015-7976: Standard Network Time Protocol Query Program saveconfig Command Allows Dangerous Characters in Filenames\n CVE-2015-7978: Network Time Protocol Daemon reslist NULL Pointer Deference Denial of Service Vulnerability\n CVE-2015-7977: Network Time Protocol Stack Exhaustion Denial of Service\n CVE-2015-7979: Network Time Protocol Off-Path Broadcast Mode Denial of Service \n CVE-2015-8138: Network Time Protocol Zero Origin Timestamp Bypass\n CVE-2015-8139: Network Time Protocol Information Disclosure of Origin Timestamp\n CVE-2015-8140: Standard Network Time Protocol Query Program Replay Attack\n CVE-2015-8158: Standard and Special Network Time Protocol Query Program Infinite loop\n\nCisco has released software updates that address these vulnerabilities.\n\nWorkarounds that address some of these vulnerabilities may be available. Available workarounds will be documented in the corresponding Cisco bug for each affected product. \n\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd \");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2017-03-20 11:00:41 +0100 (Mon, 20 Mar 2017) $\");\n script_tag(name:\"creation_date\", value:\"2016-05-09 17:40:21 +0200 (Mon, 09 May 2016)\");\n script_category(ACT_GATHER_INFO);\n script_family(\"CISCO\");\n script_copyright(\"This script is Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_cisco_ios_xe_version.nasl\");\n script_mandatory_keys(\"cisco_ios_xe/version\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif( ! version = get_app_version( cpe:CPE ) ) exit( 0 );\n\naffected = make_list( \n\t\t'2.1.0',\n\t\t'2.1.1',\n\t\t'2.1.2',\n\t\t'2.2.1',\n\t\t'2.2.2',\n\t\t'2.2.3',\n\t\t'2.3.0',\n\t\t'2.3.0t',\n\t\t'2.3.1t',\n\t\t'2.3.2',\n\t\t'2.4.0',\n\t\t'2.4.1',\n\t\t'2.5.0',\n\t\t'2.5.1',\n\t\t'2.5.2',\n\t\t'2.6.0',\n\t\t'2.6.1',\n\t\t'2.6.2',\n\t\t'3.1.0S',\n\t\t'3.1.1S',\n\t\t'3.1.2S',\n\t\t'3.1.3S',\n\t\t'3.1.4S',\n\t\t'3.1.5S',\n\t\t'3.1.6S',\n\t\t'3.1.0SG',\n\t\t'3.1.1SG',\n\t\t'3.2.0S',\n\t\t'3.2.1S',\n\t\t'3.2.2S',\n\t\t'3.2.3S',\n\t\t'3.2.0SE',\n\t\t'3.2.1SE',\n\t\t'3.2.2SE',\n\t\t'3.2.3SE',\n\t\t'3.2.0SG',\n\t\t'3.2.1SG',\n\t\t'3.2.2SG',\n\t\t'3.2.3SG',\n\t\t'3.2.4SG',\n\t\t'3.2.5SG',\n\t\t'3.2.6SG',\n\t\t'3.2.7SG',\n\t\t'3.2.8SG',\n\t\t'3.2.9SG',\n\t\t'3.2.0XO',\n\t\t'3.2.1XO',\n\t\t'3.3.0S',\n\t\t'3.3.1S',\n\t\t'3.3.2S',\n\t\t'3.3.0SE',\n\t\t'3.3.1SE',\n\t\t'3.3.2SE',\n\t\t'3.3.3SE',\n\t\t'3.3.4SE',\n\t\t'3.3.5SE',\n\t\t'3.3.0SG',\n\t\t'3.3.1SG',\n\t\t'3.3.2SG',\n\t\t'3.3.0SQ',\n\t\t'3.3.1SQ',\n\t\t'3.3.0XO',\n\t\t'3.3.1XO',\n\t\t'3.3.2XO',\n\t\t'3.4.0S',\n\t\t'3.4.1S',\n\t\t'3.4.2S',\n\t\t'3.4.3S',\n\t\t'3.4.4S',\n\t\t'3.4.5S',\n\t\t'3.4.6S',\n\t\t'3.4.0SG',\n\t\t'3.4.1SG',\n\t\t'3.4.2SG',\n\t\t'3.4.3SG',\n\t\t'3.4.4SG',\n\t\t'3.4.5SG',\n\t\t'3.4.0SQ',\n\t\t'3.4.1SQ',\n\t\t'3.5.0E',\n\t\t'3.5.1E',\n\t\t'3.5.2E',\n\t\t'3.5.3E',\n\t\t'3.5.0S',\n\t\t'3.5.1S',\n\t\t'3.5.2S',\n\t\t'3.6.0E',\n\t\t'3.6.1E',\n\t\t'3.6.0S',\n\t\t'3.6.1S',\n\t\t'3.6.2S',\n\t\t'3.7.0E',\n\t\t'3.7.0S',\n\t\t'3.7.1S',\n\t\t'3.7.2S',\n\t\t'3.7.3S',\n\t\t'3.7.4S',\n\t\t'3.7.5S',\n\t\t'3.7.6S',\n\t\t'3.7.7S',\n\t\t'3.8.0S',\n\t\t'3.8.1S',\n\t\t'3.8.2S',\n\t\t'3.9.0S',\n\t\t'3.9.1S',\n\t\t'3.9.2S',\n\t\t'3.10.0S',\n\t\t'3.10.0aS',\n\t\t'3.10.1S',\n\t\t'3.10.2S',\n\t\t'3.10.3S',\n\t\t'3.10.4S',\n\t\t'3.10.5S',\n\t\t'3.10.6S',\n\t\t'3.11.0S',\n\t\t'3.11.1S',\n\t\t'3.11.2S',\n\t\t'3.11.3S',\n\t\t'3.11.4S',\n\t\t'3.12.0S',\n\t\t'3.12.1S',\n\t\t'3.12.2S',\n\t\t'3.12.3S',\n\t\t'3.13.0S',\n\t\t'3.13.1S',\n\t\t'3.13.2S',\n\t\t'3.14.0S',\n\t\t'3.14.1S',\n\t\t'3.14.2S',\n\t\t'3.14.3S',\n\t\t'3.14.4S',\n\t\t'3.15.0S' );\n\nforeach af ( affected )\n{\n if( version == af )\n {\n report = report_fixed_ver( installed_version:version, fixed_version: \"See advisory\" );\n security_message( port:0, data:report );\n exit( 0 );\n }\n}\n\nexit( 99 );\n\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-09-01T23:46:35", "references": ["https://www.kb.cert.org/vuls/id/718152"], "pluginID": "1361412562310807567", "description": "The host is running NTP.org", "edition": 6, "reporter": "Copyright (C) 2016 Greenbone Networks GmbH", "published": "2016-04-28T00:00:00", "title": "NTP.org 'ntpd' Multiple Vulnerabilities", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "General", "bulletinFamily": "scanner", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7704", "CVE-2016-1551", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2016-1547", "CVE-2016-2519", "CVE-2016-2517", "CVE-2015-7705", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2018-08-23T00:00:00", "id": "OPENVAS:1361412562310807567", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807567", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ntp_mult_vuln_apr16.nasl 11092 2018-08-23 09:40:58Z santu $\n#\n# NTP.org 'ntpd' Multiple Vulnerabilities\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.807567\");\n script_version(\"$Revision: 11092 $\");\n script_cve_id(\"CVE-2015-7973\", \"CVE-2015-7974\", \"CVE-2015-7975\", \"CVE-2015-7976\",\n \"CVE-2015-7977\", \"CVE-2015-7978\", \"CVE-2015-7979\", \"CVE-2015-8138\",\n \"CVE-2015-8139\", \"CVE-2015-8140\", \"CVE-2015-8158\", \"CVE-2016-1547\",\n \"CVE-2016-1548\", \"CVE-2015-7705\", \"CVE-2016-1550\", \"CVE-2016-1551\",\n \"CVE-2016-2516\", \"CVE-2016-2517\", \"CVE-2016-2518\", \"CVE-2016-2519\",\n \"CVE-2015-7704\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-08-23 11:40:58 +0200 (Thu, 23 Aug 2018) $\");\n script_tag(name:\"creation_date\", value:\"2016-04-28 15:41:24 +0530 (Thu, 28 Apr 2016)\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_name(\"NTP.org 'ntpd' Multiple Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"The host is running NTP.org's reference\n implementation of NTP server, ntpd and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws are due to,\n - The ntpd does not filter IPv4 bogon packets received from the network.\n - The duplicate IPs on unconfig directives will cause an assertion botch.\n - Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC.\n - An improper Restriction of Operations within the Bounds of a Memory Buffer.\n - Replay attack on authenticated broadcast mode.\n - The nextvar() function does not properly validate length.\n - The ntpq saveconfig command allows dangerous characters in filenames.\n - Restriction list NULL pointer dereference.\n - Uncontrolled Resource Consumption in recursive traversal of restriction list.\n - An off-path attacker can send broadcast packets with bad authentication to\n broadcast clients.\n - An improper sanity check for the origin timestamp.\n - Origin Leak: ntpq and ntpdc Disclose Origin Timestamp to Unauthenticated Clients.\n - The sequence number being included under the signature fails to prevent\n replay attacks in ntpq protocol.\n - An uncontrolled Resource Consumption in ntpq.\n - An off-path attacker can deny service to ntpd clients by demobilizing\n preemptable associations using spoofed crypto-NAK packets.\n - Multiple input validation errors.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow\n unauthenticated remote attackers to spoof packets to cause denial of service,\n authentication bypass, or certain configuration changes.\n\n Impact Level: Application\");\n\n script_tag(name:\"affected\", value:\"NTP version before 4.2.8p7\");\n\n script_tag(name:\"solution\", value:\"Upgrade to NTP version 4.2.8p7 or later.\n For updates refer to http://www.ntp.org\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"https://www.kb.cert.org/vuls/id/718152\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"ntp_open.nasl\");\n script_mandatory_keys(\"NTP/Running\", \"NTP/Linux/Ver\");\n script_require_udp_ports(123);\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\ninclude(\"revisions-lib.inc\");\n\n##Port\nntpPort = 123;\n\nif(\"ntpd\" >!< get_kb_item(\"NTP/Linux/FullVer\")){\n exit(0);\n}\n\nif(!ntpVer = get_kb_item(\"NTP/Linux/Ver\")){\n exit(0);\n}\n\nif (revcomp(a: ntpVer, b: \"4.2.8p7\") < 0)\n{\n report = report_fixed_ver(installed_version:ntpVer, fixed_version:\"4.2.8p7\");\n security_message(data:report, port:ntpPort, proto:\"udp\");\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "paloalto": [{"lastseen": "2018-08-31T00:11:40", "references": [], "description": "The open source ntp project has been found to contain several vulnerabilities (CVE-2015-8158, CVE-2015-8138, CVE-2015-7979, CVE-2015-7978, CVE-2015-7977, CVE-2015-7976, CVE-2015-7975, CVE-2015-7974, CVE-2015-7973, all released in January 2016). Palo Alto...\n", "edition": 3, "reporter": "Palo Alto Networks Product Security Incident Response Team", "published": "2016-08-15T00:00:00", "title": "NTP Vulnerabilities", "type": "paloalto", "enchantments": {"score": {"modified": "2018-08-31T00:11:40", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "PAN-OS", "version": "7.1.3", "operator": "le"}, {"name": "PAN-OS", "version": "7.0.8", "operator": "le"}, {"name": "PAN-OS", "version": "6.1.12", "operator": "le"}, {"name": "PAN-OS", "version": "5.1.12", "operator": "le"}, {"name": "PAN-OS", "version": "6.0.1", "operator": "le"}, {"name": "PAN-OS", "version": "5.0.19", "operator": "le"}], "cvelist": ["CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2016-10-18T00:00:00", "id": "PAN-SA-2016-0019", "href": "https://securityadvisories.paloaltonetworks.com/Home/Detail/52", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "redhat": [{"lastseen": "2018-06-12T21:09:26", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "i686", "packageName": "ntp", "packageFilename": "ntp-4.2.6p5-10.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "ppc64", "packageName": "ntp", "packageFilename": "ntp-4.2.6p5-10.el6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "s390x", "packageName": "ntp", "packageFilename": "ntp-4.2.6p5-10.el6.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "src", "packageName": "ntp", "packageFilename": "ntp-4.2.6p5-10.el6.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "x86_64", "packageName": "ntp", "packageFilename": "ntp-4.2.6p5-10.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "i686", "packageName": "ntp-debuginfo", "packageFilename": "ntp-debuginfo-4.2.6p5-10.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "ppc64", "packageName": "ntp-debuginfo", "packageFilename": "ntp-debuginfo-4.2.6p5-10.el6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "s390x", "packageName": "ntp-debuginfo", "packageFilename": "ntp-debuginfo-4.2.6p5-10.el6.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "x86_64", "packageName": "ntp-debuginfo", "packageFilename": "ntp-debuginfo-4.2.6p5-10.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "noarch", "packageName": "ntp-doc", "packageFilename": "ntp-doc-4.2.6p5-10.el6.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "i686", "packageName": "ntp-perl", "packageFilename": "ntp-perl-4.2.6p5-10.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "ppc64", "packageName": "ntp-perl", "packageFilename": "ntp-perl-4.2.6p5-10.el6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "s390x", "packageName": "ntp-perl", "packageFilename": "ntp-perl-4.2.6p5-10.el6.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "x86_64", "packageName": "ntp-perl", "packageFilename": "ntp-perl-4.2.6p5-10.el6.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "i686", "packageName": "ntpdate", "packageFilename": "ntpdate-4.2.6p5-10.el6.i686.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "ppc64", "packageName": "ntpdate", "packageFilename": "ntpdate-4.2.6p5-10.el6.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "s390x", "packageName": "ntpdate", "packageFilename": "ntpdate-4.2.6p5-10.el6.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "x86_64", "packageName": "ntpdate", "packageFilename": "ntpdate-4.2.6p5-10.el6.x86_64.rpm", "operator": "lt"}], "description": "The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service.\n\nSecurity Fix(es):\n\n* It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\n\n* A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701)\n\n* An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852)\n\n* A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977)\n\n* A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd. (CVE-2015-7978)\n\n* It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. (CVE-2015-5194)\n\n* It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command. (CVE-2015-5195)\n\n* It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219)\n\n* It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). (CVE-2015-7703)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichv\u00e1r (Red Hat).\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 6.8 Release Notes and Red Hat Enterprise Linux 6.8 Technical Notes linked from the References section.", "reporter": "RedHat", "published": "2016-05-10T10:42:20", "type": "redhat", "title": "(RHSA-2016:0780) Moderate: ntp security and bug fix update", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-9750", "CVE-2015-5194", "CVE-2015-5195", "CVE-2015-5219", "CVE-2015-7691", "CVE-2015-7692", "CVE-2015-7701", "CVE-2015-7702", "CVE-2015-7703", "CVE-2015-7852", "CVE-2015-7977", "CVE-2015-7978"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-06-06T20:24:20", "id": "RHSA-2016:0780", "href": "https://access.redhat.com/errata/RHSA-2016:0780", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-04-15T16:22:25", "_object_types": ["robots.models.base.Bulletin", "robots.models.redhat.RedHatBulletin"], "references": [], "affectedPackage": [{"OS": "RedHat", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7", "arch": "aarch64", "packageName": "ntp", "packageFilename": "ntp-4.2.6p5-25.el7.aarch64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7", "arch": "ppc64", "packageName": "ntp", "packageFilename": "ntp-4.2.6p5-25.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7", "arch": "ppc64le", "packageName": "ntp", "packageFilename": "ntp-4.2.6p5-25.el7.ppc64le.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7", "arch": "s390x", "packageName": "ntp", "packageFilename": "ntp-4.2.6p5-25.el7.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7", "arch": "src", "packageName": "ntp", "packageFilename": "ntp-4.2.6p5-25.el7.src.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7", "arch": "x86_64", "packageName": "ntp", "packageFilename": "ntp-4.2.6p5-25.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7", "arch": "aarch64", "packageName": "ntp-debuginfo", "packageFilename": "ntp-debuginfo-4.2.6p5-25.el7.aarch64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7", "arch": "ppc64", "packageName": "ntp-debuginfo", "packageFilename": "ntp-debuginfo-4.2.6p5-25.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7", "arch": "ppc64le", "packageName": "ntp-debuginfo", "packageFilename": "ntp-debuginfo-4.2.6p5-25.el7.ppc64le.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7", "arch": "s390x", "packageName": "ntp-debuginfo", "packageFilename": "ntp-debuginfo-4.2.6p5-25.el7.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7", "arch": "x86_64", "packageName": "ntp-debuginfo", "packageFilename": "ntp-debuginfo-4.2.6p5-25.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7", "arch": "noarch", "packageName": "ntp-doc", "packageFilename": "ntp-doc-4.2.6p5-25.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7", "arch": "noarch", "packageName": "ntp-perl", "packageFilename": "ntp-perl-4.2.6p5-25.el7.noarch.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7", "arch": "aarch64", "packageName": "ntpdate", "packageFilename": "ntpdate-4.2.6p5-25.el7.aarch64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7", "arch": "ppc64", "packageName": "ntpdate", "packageFilename": "ntpdate-4.2.6p5-25.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7", "arch": "ppc64le", "packageName": "ntpdate", "packageFilename": "ntpdate-4.2.6p5-25.el7.ppc64le.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7", "arch": "s390x", "packageName": "ntpdate", "packageFilename": "ntpdate-4.2.6p5-25.el7.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7", "arch": "x86_64", "packageName": "ntpdate", "packageFilename": "ntpdate-4.2.6p5-25.el7.x86_64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7", "arch": "aarch64", "packageName": "sntp", "packageFilename": "sntp-4.2.6p5-25.el7.aarch64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7", "arch": "ppc64", "packageName": "sntp", "packageFilename": "sntp-4.2.6p5-25.el7.ppc64.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7", "arch": "ppc64le", "packageName": "sntp", "packageFilename": "sntp-4.2.6p5-25.el7.ppc64le.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7", "arch": "s390x", "packageName": "sntp", "packageFilename": "sntp-4.2.6p5-25.el7.s390x.rpm", "operator": "lt"}, {"OS": "RedHat", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7", "arch": "x86_64", "packageName": "sntp", "packageFilename": "sntp-4.2.6p5-25.el7.x86_64.rpm", "operator": "lt"}], "description": "The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service.\n\nSecurity Fix(es):\n\n* It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\n\n* A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701)\n\n* An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852)\n\n* A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977)\n\n* A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd. (CVE-2015-7978)\n\n* It was found that when NTP was configured in broadcast mode, a remote attacker could broadcast packets with bad authentication to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server, causing them to become out of sync over a longer period of time. (CVE-2015-7979)\n\n* It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. (CVE-2015-5194)\n\n* It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command. (CVE-2015-5195)\n\n* It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). (CVE-2015-5196, CVE-2015-7703)\n\n* It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219)\n\n* A flaw was found in the way NTP verified trusted keys during symmetric key authentication. An authenticated client (A) could use this flaw to modify a packet sent between a server (B) and a client (C) using a key that is different from the one known to the client (A). (CVE-2015-7974)\n\n* A flaw was found in the way the ntpq client processed certain incoming packets in a loop in the getresponse() function. A remote attacker could potentially use this flaw to crash an ntpq client instance. (CVE-2015-8158)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichv\u00e1r (Red Hat).\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.", "reporter": "RedHat", "published": "2016-11-03T10:07:15", "type": "redhat", "title": "(RHSA-2016:2583) Moderate: ntp security and bug fix update", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2014-9750", "CVE-2015-5194", "CVE-2015-5195", "CVE-2015-5196", "CVE-2015-5219", "CVE-2015-7691", "CVE-2015-7692", "CVE-2015-7701", "CVE-2015-7702", "CVE-2015-7703", "CVE-2015-7852", "CVE-2015-7974", "CVE-2015-7977", "CVE-2015-7978", "CVE-2015-7979", "CVE-2015-8158"], "_object_type": "robots.models.redhat.RedHatBulletin", "modified": "2018-04-12T03:33:11", "id": "RHSA-2016:2583", "href": "https://access.redhat.com/errata/RHSA-2016:2583", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "suse": [{"lastseen": "2016-09-04T11:47:01", "references": ["https://bugzilla.suse.com/962966", "https://bugzilla.suse.com/962995", "https://bugzilla.suse.com/956773", "https://bugzilla.suse.com/962970", "https://bugzilla.suse.com/916617", "https://bugzilla.suse.com/784760", "https://bugzilla.suse.com/962784", "https://bugzilla.suse.com/962988", "https://bugzilla.suse.com/951559", "https://bugzilla.suse.com/975981", "https://bugzilla.suse.com/975496", "https://bugzilla.suse.com/782060", "https://bugzilla.suse.com/962318", "https://bugzilla.suse.com/951629", "https://bugzilla.suse.com/962802", "https://bugzilla.suse.com/962960", "https://bugzilla.suse.com/962997", "https://bugzilla.suse.com/963000", "https://bugzilla.suse.com/962994", "https://bugzilla.suse.com/963002"], "affectedPackage": [{"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "4.2.8p6-8.2", "arch": "ppc64", "packageFilename": "ntp-4.2.8p6-8.2.ppc64.rpm", "packageName": "ntp", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "4.2.8p6-8.2", "arch": "ppc64", "packageFilename": "ntp-debugsource-4.2.8p6-8.2.ppc64.rpm", "packageName": "ntp-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "4.2.8p6-8.2", "arch": "i586", "packageFilename": "ntp-debugsource-4.2.8p6-8.2.i586.rpm", "packageName": "ntp-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "4.2.8p6-8.2", "arch": "ia64", "packageFilename": "ntp-doc-4.2.8p6-8.2.ia64.rpm", "packageName": "ntp-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "4.2.8p6-8.2", "arch": "ppc64", "packageFilename": "ntp-doc-4.2.8p6-8.2.ppc64.rpm", "packageName": "ntp-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "4.2.8p6-8.2", "arch": "i586", "packageFilename": "ntp-debuginfo-4.2.8p6-8.2.i586.rpm", "packageName": "ntp-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "4.2.8p6-8.2", "arch": "ia64", "packageFilename": "ntp-debuginfo-4.2.8p6-8.2.ia64.rpm", "packageName": "ntp-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "4.2.8p6-8.2", "arch": "ppc64", "packageFilename": "ntp-debuginfo-4.2.8p6-8.2.ppc64.rpm", "packageName": "ntp-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "4.2.8p6-8.2", "arch": "s390x", "packageFilename": "ntp-debugsource-4.2.8p6-8.2.s390x.rpm", "packageName": "ntp-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "4.2.8p6-8.2", "arch": "x86_64", "packageFilename": "ntp-doc-4.2.8p6-8.2.x86_64.rpm", "packageName": "ntp-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "4.2.8p6-8.2", "arch": "ia64", "packageFilename": "ntp-debugsource-4.2.8p6-8.2.ia64.rpm", "packageName": "ntp-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "4.2.8p6-8.2", "arch": "x86_64", "packageFilename": "ntp-debugsource-4.2.8p6-8.2.x86_64.rpm", "packageName": "ntp-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "4.2.8p6-8.2", "arch": "i586", "packageFilename": "ntp-4.2.8p6-8.2.i586.rpm", "packageName": "ntp", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "4.2.8p6-8.2", "arch": "x86_64", "packageFilename": "ntp-4.2.8p6-8.2.x86_64.rpm", "packageName": "ntp", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "4.2.8p6-8.2", "arch": "i586", "packageFilename": "ntp-doc-4.2.8p6-8.2.i586.rpm", "packageName": "ntp-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "4.2.8p6-8.2", "arch": "ia64", "packageFilename": "ntp-4.2.8p6-8.2.ia64.rpm", "packageName": "ntp", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "4.2.8p6-8.2", "arch": "s390x", "packageFilename": "ntp-doc-4.2.8p6-8.2.s390x.rpm", "packageName": "ntp-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "4.2.8p6-8.2", "arch": "x86_64", "packageFilename": "ntp-debuginfo-4.2.8p6-8.2.x86_64.rpm", "packageName": "ntp-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "11.4", "packageVersion": "4.2.8p6-8.2", "arch": "s390x", "packageFilename": "ntp-4.2.8p6-8.2.s390x.rpm", "packageName": "ntp", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.4", "packageVersion": "4.2.8p6-8.2", "arch": "s390x", "packageFilename": "ntp-debuginfo-4.2.8p6-8.2.s390x.rpm", "packageName": "ntp-debuginfo", "operator": "lt"}], "edition": 1, "description": "ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\n These security issues were fixed:\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n - bsc#784760: Remove local clock from default configuration\n\n", "reporter": "Suse", "published": "2016-04-28T19:09:34", "title": "Security update for ntp (important)", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "suse", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2016-04-28T19:09:34", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00059.html", "id": "SUSE-SU-2016:1175-1", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T12:46:49", "references": ["https://bugzilla.suse.com/962966", "https://bugzilla.suse.com/962995", "https://bugzilla.suse.com/956773", "https://bugzilla.suse.com/962970", "https://bugzilla.suse.com/916617", "https://bugzilla.suse.com/962784", "https://bugzilla.suse.com/962988", "https://bugzilla.suse.com/951559", "https://bugzilla.suse.com/975981", "https://bugzilla.suse.com/975496", "https://bugzilla.suse.com/782060", "https://bugzilla.suse.com/962318", "https://bugzilla.suse.com/951629", "https://bugzilla.suse.com/962802", "https://bugzilla.suse.com/962960", "https://bugzilla.suse.com/937837", "https://bugzilla.suse.com/962997", "https://bugzilla.suse.com/963000", "https://bugzilla.suse.com/962994", "https://bugzilla.suse.com/963002"], "affectedPackage": [{"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12.1", "packageVersion": "4.2.8p6-8.2", "arch": "x86_64", "packageFilename": "ntp-doc-4.2.8p6-8.2.x86_64.rpm", "packageName": "ntp-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "12.1", "packageVersion": "3.1.22-6.2", "arch": "noarch", "packageFilename": "yast2-ntp-client-devel-doc-3.1.22-6.2.noarch.rpm", "packageName": "yast2-ntp-client-devel-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "4.2.8p6-8.2", "arch": "s390x", "packageFilename": "ntp-debugsource-4.2.8p6-8.2.s390x.rpm", "packageName": "ntp-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "4.2.8p6-8.2", "arch": "s390x", "packageFilename": "ntp-debuginfo-4.2.8p6-8.2.s390x.rpm", "packageName": "ntp-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "3.1.22-6.2", "arch": "noarch", "packageFilename": "yast2-ntp-client-3.1.22-6.2.noarch.rpm", "packageName": "yast2-ntp-client", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "4.2.8p6-8.2", "arch": "ppc64le", "packageFilename": "ntp-doc-4.2.8p6-8.2.ppc64le.rpm", "packageName": "ntp-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "4.2.8p6-8.2", "arch": "ppc64le", "packageFilename": "ntp-4.2.8p6-8.2.ppc64le.rpm", "packageName": "ntp", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12.1", "packageVersion": "4.2.8p6-8.2", "arch": "x86_64", "packageFilename": "ntp-debugsource-4.2.8p6-8.2.x86_64.rpm", "packageName": "ntp-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "4.2.8p6-8.2", "arch": "s390x", "packageFilename": "ntp-4.2.8p6-8.2.s390x.rpm", "packageName": "ntp", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "4.2.8p6-8.2", "arch": "ppc64le", "packageFilename": "ntp-debugsource-4.2.8p6-8.2.ppc64le.rpm", "packageName": "ntp-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "4.2.8p6-8.2", "arch": "x86_64", "packageFilename": "ntp-debugsource-4.2.8p6-8.2.x86_64.rpm", "packageName": "ntp-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "4.2.8p6-8.2", "arch": "x86_64", "packageFilename": "ntp-doc-4.2.8p6-8.2.x86_64.rpm", "packageName": "ntp-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "4.2.8p6-8.2", "arch": "s390x", "packageFilename": "ntp-doc-4.2.8p6-8.2.s390x.rpm", "packageName": "ntp-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12.1", "packageVersion": "3.1.22-6.2", "arch": "noarch", "packageFilename": "yast2-ntp-client-3.1.22-6.2.noarch.rpm", "packageName": "yast2-ntp-client", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "4.2.8p6-8.2", "arch": "ppc64le", "packageFilename": "ntp-debuginfo-4.2.8p6-8.2.ppc64le.rpm", "packageName": "ntp-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "4.2.8p6-8.2", "arch": "x86_64", "packageFilename": "ntp-debuginfo-4.2.8p6-8.2.x86_64.rpm", "packageName": "ntp-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12.1", "packageVersion": "4.2.8p6-8.2", "arch": "x86_64", "packageFilename": "ntp-4.2.8p6-8.2.x86_64.rpm", "packageName": "ntp", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12.1", "packageVersion": "4.2.8p6-8.2", "arch": "x86_64", "packageFilename": "ntp-debuginfo-4.2.8p6-8.2.x86_64.rpm", "packageName": "ntp-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12.1", "packageVersion": "4.2.8p6-8.2", "arch": "x86_64", "packageFilename": "ntp-4.2.8p6-8.2.x86_64.rpm", "packageName": "ntp", "operator": "lt"}], "edition": 1, "description": "ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n These security issues were fixed:\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n\n", "reporter": "Suse", "published": "2016-04-28T19:13:09", "title": "Security update for ntp (important)", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "suse", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2016-04-28T19:13:09", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00060.html", "id": "SUSE-SU-2016:1177-1", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T12:22:35", "references": ["https://bugzilla.suse.com/962966", "https://bugzilla.suse.com/962995", "https://bugzilla.suse.com/956773", "https://bugzilla.suse.com/962970", "https://bugzilla.suse.com/916617", "https://bugzilla.suse.com/962784", "https://bugzilla.suse.com/962988", "https://bugzilla.suse.com/951559", "https://bugzilla.suse.com/975981", "https://bugzilla.suse.com/975496", "https://bugzilla.suse.com/782060", "https://bugzilla.suse.com/962318", "https://bugzilla.suse.com/951629", "https://bugzilla.suse.com/962802", "https://bugzilla.suse.com/962960", "https://bugzilla.suse.com/937837", "https://bugzilla.suse.com/962997", "https://bugzilla.suse.com/963000", "https://bugzilla.suse.com/962994", "https://bugzilla.suse.com/963002"], "affectedPackage": [{"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "4.2.8p6-15.1", "packageFilename": "ntp-debuginfo-4.2.8p6-15.1.x86_64.rpm", "packageName": "ntp-debuginfo", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "4.2.8p6-15.1", "packageFilename": "ntp-doc-4.2.8p6-15.1.i586.rpm", "packageName": "ntp-doc", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "3.1.22-6.1", "packageFilename": "yast2-ntp-client-3.1.22-6.1.noarch.rpm", "packageName": "yast2-ntp-client", "arch": "noarch", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "3.1.22-6.1", "packageFilename": "yast2-ntp-client-devel-doc-3.1.22-6.1.noarch.rpm", "packageName": "yast2-ntp-client-devel-doc", "arch": "noarch", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "4.2.8p6-15.1", "packageFilename": "ntp-4.2.8p6-15.1.x86_64.rpm", "packageName": "ntp", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "4.2.8p6-15.1", "packageFilename": "ntp-debuginfo-4.2.8p6-15.1.i586.rpm", "packageName": "ntp-debuginfo", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "4.2.8p6-15.1", "packageFilename": "ntp-debugsource-4.2.8p6-15.1.x86_64.rpm", "packageName": "ntp-debugsource", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "4.2.8p6-15.1", "packageFilename": "ntp-doc-4.2.8p6-15.1.x86_64.rpm", "packageName": "ntp-doc", "arch": "x86_64", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "4.2.8p6-15.1", "packageFilename": "ntp-4.2.8p6-15.1.i586.rpm", "packageName": "ntp", "arch": "i586", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.1", "packageVersion": "4.2.8p6-15.1", "packageFilename": "ntp-debugsource-4.2.8p6-15.1.i586.rpm", "packageName": "ntp-debugsource", "arch": "i586", "operator": "lt"}], "edition": 1, "description": "ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n These security issues were fixed:\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n\n This update was imported from the SUSE:SLE-12-SP1:Update update project.\n\n", "reporter": "Suse", "published": "2016-05-12T21:07:47", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "Security update for ntp (important)", "type": "suse", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2016-05-12T21:07:47", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00038.html", "id": "OPENSUSE-SU-2016:1292-1", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T12:46:49", "references": ["https://bugzilla.suse.com/905885", "https://bugzilla.suse.com/962966", "https://bugzilla.suse.com/946386", "https://bugzilla.suse.com/962995", "https://bugzilla.suse.com/956773", "https://bugzilla.suse.com/962970", "https://bugzilla.suse.com/916617", "https://bugzilla.suse.com/936327", "https://bugzilla.suse.com/920183", "https://bugzilla.suse.com/784760", "https://bugzilla.suse.com/962784", "https://bugzilla.suse.com/962988", "https://bugzilla.suse.com/951559", "https://bugzilla.suse.com/951351", "https://bugzilla.suse.com/975981", "https://bugzilla.suse.com/975496", "https://bugzilla.suse.com/782060", "https://bugzilla.suse.com/962318", "https://bugzilla.suse.com/942441", "https://bugzilla.suse.com/951629", "https://bugzilla.suse.com/942587", "https://bugzilla.suse.com/962802", "https://bugzilla.suse.com/920238", "https://bugzilla.suse.com/962960", "https://bugzilla.suse.com/937837", "https://bugzilla.suse.com/926510", "https://bugzilla.suse.com/962997", "https://bugzilla.suse.com/910063", "https://bugzilla.suse.com/943216", "https://bugzilla.suse.com/944300", "https://bugzilla.suse.com/963000", "https://bugzilla.suse.com/962994", "https://bugzilla.suse.com/963002", "https://bugzilla.suse.com/943218", "https://bugzilla.suse.com/951608", "https://bugzilla.suse.com/954982"], "affectedPackage": [{"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.2", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp-debuginfo", "packageFilename": "ntp-debuginfo-4.2.8p6-41.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Manager", "OSVersion": "2.1", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp-doc", "packageFilename": "ntp-doc-4.2.8p6-41.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.3", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp-doc", "packageFilename": "ntp-doc-4.2.8p6-41.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.2", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp-debugsource", "packageFilename": "ntp-debugsource-4.2.8p6-41.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.2", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp", "packageFilename": "ntp-4.2.8p6-41.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.2", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp-doc", "packageFilename": "ntp-doc-4.2.8p6-41.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.3", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp-doc", "packageFilename": "ntp-doc-4.2.8p6-41.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.2", "packageVersion": "2.17.14.1-1.12.1", "packageName": "yast2-ntp-client", "packageFilename": "yast2-ntp-client-2.17.14.1-1.12.1.noarch.rpm", "arch": "noarch", "operator": "lt"}, {"OS": "SUSE Manager", "OSVersion": "2.1", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp", "packageFilename": "ntp-4.2.8p6-41.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.3", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp-debuginfo", "packageFilename": "ntp-debuginfo-4.2.8p6-41.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.3", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp-debugsource", "packageFilename": "ntp-debugsource-4.2.8p6-41.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Manager Proxy", "OSVersion": "2.1", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp", "packageFilename": "ntp-4.2.8p6-41.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.2", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp-doc", "packageFilename": "ntp-doc-4.2.8p6-41.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.3", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp-debugsource", "packageFilename": "ntp-debugsource-4.2.8p6-41.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.2", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp", "packageFilename": "ntp-4.2.8p6-41.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.2", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp-debuginfo", "packageFilename": "ntp-debuginfo-4.2.8p6-41.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.2", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp-debuginfo", "packageFilename": "ntp-debuginfo-4.2.8p6-41.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.3", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp-debuginfo", "packageFilename": "ntp-debuginfo-4.2.8p6-41.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.3", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp", "packageFilename": "ntp-4.2.8p6-41.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Manager", "OSVersion": "2.1", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp-doc", "packageFilename": "ntp-doc-4.2.8p6-41.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.3", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp-doc", "packageFilename": "ntp-doc-4.2.8p6-41.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE OpenStack Cloud", "OSVersion": "5", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp-doc", "packageFilename": "ntp-doc-4.2.8p6-41.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.3", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp", "packageFilename": "ntp-4.2.8p6-41.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Manager", "OSVersion": "2.1", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp", "packageFilename": "ntp-4.2.8p6-41.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.2", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp-debugsource", "packageFilename": "ntp-debugsource-4.2.8p6-41.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.3", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp-debuginfo", "packageFilename": "ntp-debuginfo-4.2.8p6-41.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.2", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp-doc", "packageFilename": "ntp-doc-4.2.8p6-41.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.2", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp", "packageFilename": "ntp-4.2.8p6-41.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.3", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp-debugsource", "packageFilename": "ntp-debugsource-4.2.8p6-41.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "11.3", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp", "packageFilename": "ntp-4.2.8p6-41.1.i586.rpm", "arch": "i586", "operator": "lt"}, {"OS": "SUSE OpenStack Cloud", "OSVersion": "5", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp", "packageFilename": "ntp-4.2.8p6-41.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Debuginfo", "OSVersion": "11.2", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp-debugsource", "packageFilename": "ntp-debugsource-4.2.8p6-41.1.s390x.rpm", "arch": "s390x", "operator": "lt"}, {"OS": "SUSE Manager Proxy", "OSVersion": "2.1", "packageVersion": "4.2.8p6-41.1", "packageName": "ntp-doc", "packageFilename": "ntp-doc-4.2.8p6-41.1.x86_64.rpm", "arch": "x86_64", "operator": "lt"}], "description": "This network time protocol server ntp was updated to 4.2.8p6 to fix the\n following issues:\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n Major functional changes:\n - The &quot;sntp&quot; commandline tool changed its option handling in a major way.\n - &quot;controlkey 1&quot; is added during update to ntp.conf to allow sntp to work.\n - The local clock is being disabled during update.\n - ntpd is no longer running chrooted.\n\n\n Other functional changes:\n - ntp-signd is installed.\n - &quot;enable mode7&quot; can be added to the configuration to allow ntdpc to work\n as compatibility mode option.\n - &quot;kod&quot; was removed from the default restrictions.\n - SHA1 keys are used by default instead of MD5 keys.\n\n These security issues were fixed:\n - CVE-2015-5219: An endless loop due to incorrect precision to double\n conversion (bsc#943216).\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n - CVE-2015-7871: NAK to the Future: Symmetric association authentication\n bypass via crypto-NAK (bsc#951608).\n - CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning\n FAIL on some bogus values (bsc#951608).\n - CVE-2015-7854: Password Length Memory Corruption Vulnerability\n (bsc#951608).\n - CVE-2015-7853: Invalid length data provided by a custom refclock driver\n could cause a buffer overflow (bsc#951608).\n - CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability\n (bsc#951608).\n - CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#951608).\n - CVE-2015-7850: remote config logfile-keyfile (bsc#951608).\n - CVE-2015-7849: trusted key use-after-free (bsc#951608).\n - CVE-2015-7848: mode 7 loop counter underrun (bsc#951608).\n - CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#951608).\n - CVE-2015-7703: configuration directives &quot;pidfile&quot; and &quot;driftfile&quot; should\n only be allowed locally (bsc#951608).\n - CVE-2015-7704, CVE-2015-7705: Clients that receive a KoD should validate\n the origin timestamp field (bsc#951608).\n - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702: Incomplete autokey data\n packet length checks (bsc#951608).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n - Add a controlkey line to /etc/ntp.conf if one does not already exist to\n allow runtime configuuration via ntpq.\n - bsc#946386: Temporarily disable memlock to avoid problems due to high\n memory usage during name resolution.\n - bsc#905885: Use SHA1 instead of MD5 for symmetric keys.\n - Improve runtime configuration:\n * Read keytype from ntp.conf\n * Don't write ntp keys to syslog.\n - Fix legacy action scripts to pass on command line arguments.\n - bsc#944300: Remove &quot;kod&quot; from the restrict line in ntp.conf.\n - bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.\n - Don't let &quot;keysdir&quot; lines in ntp.conf trigger the &quot;keys&quot; parser.\n - Disable mode 7 (ntpdc) again, now that we don't use it anymore.\n - Add &quot;addserver&quot; as a new legacy action.\n - bsc#910063: Fix the comment regarding addserver in ntp.conf.\n - bsc#926510: Disable chroot by default.\n - bsc#920238: Enable ntpdc for backwards compatibility.\n - bsc#784760: Remove local clock from default configuration.\n - bsc#942441/fate#319496: Require perl-Socket6.\n - Improve runtime configuration:\n * Read keytype from ntp.conf\n * Don't write ntp keys to syslog.\n - bsc#920183: Allow -4 and -6 address qualifiers in &quot;server&quot; directives.\n - Use upstream ntp-wait, because our version is incompatible with the new\n ntpq command line syntax.\n\n", "edition": 1, "reporter": "Suse", "published": "2016-05-17T15:09:17", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "suse", "title": "Security update for ntp (important)", "bulletinFamily": "unix", "cvelist": ["CVE-2015-7703", "CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7855", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-5219", "CVE-2015-7704", "CVE-2015-7979", "CVE-2015-7701", "CVE-2015-7976", "CVE-2015-7848", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7692", "CVE-2015-7851", "CVE-2015-7702", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7871", "CVE-2015-7849", "CVE-2015-7691", "CVE-2015-7705", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7850", "CVE-2015-7854", "CVE-2015-7978", "CVE-2015-7853"], "modified": "2016-05-17T15:09:17", "id": "SUSE-SU-2016:1311-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00048.html", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T12:27:22", "references": ["https://bugzilla.suse.com/905885", "https://bugzilla.suse.com/962966", "https://bugzilla.suse.com/946386", "https://bugzilla.suse.com/962995", "https://bugzilla.suse.com/956773", "https://bugzilla.suse.com/962970", "https://bugzilla.suse.com/916617", "https://bugzilla.suse.com/936327", "https://bugzilla.suse.com/962784", "https://bugzilla.suse.com/962988", "https://bugzilla.suse.com/951559", "https://bugzilla.suse.com/975981", "https://bugzilla.suse.com/975496", "https://bugzilla.suse.com/782060", "https://bugzilla.suse.com/962318", "https://bugzilla.suse.com/951629", "https://bugzilla.suse.com/942587", "https://bugzilla.suse.com/962802", "https://bugzilla.suse.com/920238", "https://bugzilla.suse.com/962960", "https://bugzilla.suse.com/937837", "https://bugzilla.suse.com/926510", "https://bugzilla.suse.com/962997", "https://bugzilla.suse.com/910063", "https://bugzilla.suse.com/944300", "https://bugzilla.suse.com/963000", "https://bugzilla.suse.com/962994", "https://bugzilla.suse.com/963002", "https://bugzilla.suse.com/951608", "https://bugzilla.suse.com/954982"], "affectedPackage": [{"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12", "packageVersion": "4.2.8p6-46.5.2", "arch": "x86_64", "packageFilename": "ntp-debugsource-4.2.8p6-46.5.2.x86_64.rpm", "packageName": "ntp-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "4.2.8p6-46.5.2", "arch": "ppc64le", "packageFilename": "ntp-debuginfo-4.2.8p6-46.5.2.ppc64le.rpm", "packageName": "ntp-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "3.1.12.4-8.2", "arch": "noarch", "packageFilename": "yast2-ntp-client-3.1.12.4-8.2.noarch.rpm", "packageName": "yast2-ntp-client", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "4.2.8p6-46.5.2", "arch": "ppc64le", "packageFilename": "ntp-4.2.8p6-46.5.2.ppc64le.rpm", "packageName": "ntp", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "4.2.8p6-46.5.2", "arch": "x86_64", "packageFilename": "ntp-debugsource-4.2.8p6-46.5.2.x86_64.rpm", "packageName": "ntp-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Software Development Kit", "OSVersion": "12", "packageVersion": "3.1.12.4-8.2", "arch": "noarch", "packageFilename": "yast2-ntp-client-devel-doc-3.1.12.4-8.2.noarch.rpm", "packageName": "yast2-ntp-client-devel-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12", "packageVersion": "4.2.8p6-46.5.2", "arch": "x86_64", "packageFilename": "ntp-doc-4.2.8p6-46.5.2.x86_64.rpm", "packageName": "ntp-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12", "packageVersion": "4.2.8p6-46.5.2", "arch": "x86_64", "packageFilename": "ntp-4.2.8p6-46.5.2.x86_64.rpm", "packageName": "ntp", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "4.2.8p6-46.5.2", "arch": "s390x", "packageFilename": "ntp-debugsource-4.2.8p6-46.5.2.s390x.rpm", "packageName": "ntp-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "4.2.8p6-46.5.2", "arch": "s390x", "packageFilename": "ntp-debuginfo-4.2.8p6-46.5.2.s390x.rpm", "packageName": "ntp-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "4.2.8p6-46.5.2", "arch": "ppc64le", "packageFilename": "ntp-doc-4.2.8p6-46.5.2.ppc64le.rpm", "packageName": "ntp-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12", "packageVersion": "4.2.8p6-46.5.2", "arch": "x86_64", "packageFilename": "ntp-debuginfo-4.2.8p6-46.5.2.x86_64.rpm", "packageName": "ntp-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "4.2.8p6-46.5.2", "arch": "x86_64", "packageFilename": "ntp-4.2.8p6-46.5.2.x86_64.rpm", "packageName": "ntp", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "4.2.8p6-46.5.2", "arch": "ppc64le", "packageFilename": "ntp-debugsource-4.2.8p6-46.5.2.ppc64le.rpm", "packageName": "ntp-debugsource", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Desktop", "OSVersion": "12", "packageVersion": "3.1.12.4-8.2", "arch": "noarch", "packageFilename": "yast2-ntp-client-3.1.12.4-8.2.noarch.rpm", "packageName": "yast2-ntp-client", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "4.2.8p6-46.5.2", "arch": "s390x", "packageFilename": "ntp-4.2.8p6-46.5.2.s390x.rpm", "packageName": "ntp", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "4.2.8p6-46.5.2", "arch": "x86_64", "packageFilename": "ntp-debuginfo-4.2.8p6-46.5.2.x86_64.rpm", "packageName": "ntp-debuginfo", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "4.2.8p6-46.5.2", "arch": "x86_64", "packageFilename": "ntp-doc-4.2.8p6-46.5.2.x86_64.rpm", "packageName": "ntp-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server", "OSVersion": "12", "packageVersion": "4.2.8p6-46.5.2", "arch": "s390x", "packageFilename": "ntp-doc-4.2.8p6-46.5.2.s390x.rpm", "packageName": "ntp-doc", "operator": "lt"}], "description": "ntp was updated to version 4.2.8p6 to fix 28 security issues.\n\n Major functional changes:\n - The &quot;sntp&quot; commandline tool changed its option handling in a major way,\n some options have been renamed or dropped.\n - &quot;controlkey 1&quot; is added during update to ntp.conf to allow sntp to work.\n - The local clock is being disabled during update.\n - ntpd is no longer running chrooted.\n\n Other functional changes:\n - ntp-signd is installed.\n - &quot;enable mode7&quot; can be added to the configuration to allow ntdpc to work\n as compatibility mode option.\n - &quot;kod&quot; was removed from the default restrictions.\n - SHA1 keys are used by default instead of MD5 keys.\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n These security issues were fixed:\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n - CVE-2015-7871: NAK to the Future: Symmetric association authentication\n bypass via crypto-NAK (bsc#951608).\n - CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning\n FAIL on some bogus values (bsc#951608).\n - CVE-2015-7854: Password Length Memory Corruption Vulnerability\n (bsc#951608).\n - CVE-2015-7853: Invalid length data provided by a custom refclock driver\n could cause a buffer overflow (bsc#951608).\n - CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability\n (bsc#951608).\n - CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#951608).\n - CVE-2015-7850: remote config logfile-keyfile (bsc#951608).\n - CVE-2015-7849: trusted key use-after-free (bsc#951608).\n - CVE-2015-7848: mode 7 loop counter underrun (bsc#951608).\n - CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#951608).\n - CVE-2015-7703: configuration directives &quot;pidfile&quot; and &quot;driftfile&quot; should\n only be allowed locally (bsc#951608).\n - CVE-2015-7704, CVE-2015-7705: Clients that receive a KoD should validate\n the origin timestamp field (bsc#951608).\n - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702: Incomplete autokey data\n packet length checks (bsc#951608).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n - Add a controlkey line to /etc/ntp.conf if one does not already exist to\n allow runtime configuuration via ntpq.\n - bsc#946386: Temporarily disable memlock to avoid problems due to high\n memory usage during name resolution.\n - bsc#905885: Use SHA1 instead of MD5 for symmetric keys.\n - Improve runtime configuration:\n * Read keytype from ntp.conf\n * Don't write ntp keys to syslog.\n - Fix legacy action scripts to pass on command line arguments.\n - bsc#944300: Remove &quot;kod&quot; from the restrict line in ntp.conf.\n - bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.\n - Add a controlkey to ntp.conf to make the above work.\n - Don't let &quot;keysdir&quot; lines in ntp.conf trigger the &quot;keys&quot; parser.\n - Disable mode 7 (ntpdc) again, now that we don't use it anymore.\n - Add &quot;addserver&quot; as a new legacy action.\n - bsc#910063: Fix the comment regarding addserver in ntp.conf.\n - bsc#926510: Disable chroot by default.\n - bsc#920238: Enable ntpdc for backwards compatibility.\n\n", "edition": 1, "reporter": "Suse", "published": "2016-05-06T13:07:50", "title": "Security update for ntp (important)", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "suse", "bulletinFamily": "unix", "cvelist": ["CVE-2015-7703", "CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7855", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7704", "CVE-2015-7979", "CVE-2015-7701", "CVE-2015-7976", "CVE-2015-7848", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7692", "CVE-2015-7851", "CVE-2015-7702", "CVE-2015-7852", "CVE-2015-7871", "CVE-2015-7849", "CVE-2015-7691", "CVE-2015-7705", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7850", "CVE-2015-7854", "CVE-2015-7978", "CVE-2015-7853"], "modified": "2016-05-06T13:07:50", "id": "SUSE-SU-2016:1247-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00020.html", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}}, {"lastseen": "2016-09-04T11:46:06", "references": ["https://bugzilla.suse.com/905885", "https://bugzilla.suse.com/962966", "https://bugzilla.suse.com/920905", "https://bugzilla.suse.com/982056", "https://bugzilla.suse.com/977461", "https://bugzilla.suse.com/979302", "https://bugzilla.suse.com/962995", "https://bugzilla.suse.com/962970", "https://bugzilla.suse.com/916617", "https://bugzilla.suse.com/952611", "https://bugzilla.suse.com/982066", "https://bugzilla.suse.com/936327", "https://bugzilla.suse.com/977458", "https://bugzilla.suse.com/920183", "https://bugzilla.suse.com/784760", "https://bugzilla.suse.com/962784", "https://bugzilla.suse.com/982064", "https://bugzilla.suse.com/962988", "https://bugzilla.suse.com/988417", "https://download.suse.com/patch/finder/?keywords=e7685b9a0cc48dfc1cea383e011b438b", "https://bugzilla.suse.com/988558", "https://bugzilla.suse.com/951559", "https://bugzilla.suse.com/951351", "https://bugzilla.suse.com/975496", "https://bugzilla.suse.com/920895", "https://bugzilla.suse.com/977450", "https://bugzilla.suse.com/782060", "https://bugzilla.suse.com/982068", "https://bugzilla.suse.com/962318", "https://bugzilla.suse.com/981422", "https://bugzilla.suse.com/982065", "https://bugzilla.suse.com/943221", "https://bugzilla.suse.com/977455", "https://bugzilla.suse.com/977451", "https://bugzilla.suse.com/951629", "https://bugzilla.suse.com/962802", "https://bugzilla.suse.com/977452", "https://bugzilla.suse.com/920238", "https://bugzilla.suse.com/962960", "https://bugzilla.suse.com/926510", "https://bugzilla.suse.com/982067", "https://bugzilla.suse.com/924202", "https://bugzilla.suse.com/957226", "https://bugzilla.suse.com/920893", "https://bugzilla.suse.com/910063", "https://bugzilla.suse.com/944300", "https://bugzilla.suse.com/963000", "https://bugzilla.suse.com/977464", "https://bugzilla.suse.com/963002", "https://bugzilla.suse.com/943218", "https://bugzilla.suse.com/977457", "https://bugzilla.suse.com/988565", "https://bugzilla.suse.com/977459"], "affectedPackage": [{"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "10.4", "packageVersion": "4.2.8p8-0.7.1", "arch": "i586", "packageFilename": "ntp-4.2.8p8-0.7.1.i586.rpm", "packageName": "ntp", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "10.4", "packageVersion": "4.2.8p8-0.7.1", "arch": "s390x", "packageFilename": "ntp-4.2.8p8-0.7.1.s390x.rpm", "packageName": "ntp", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "10.4", "packageVersion": "4.2.8p8-0.7.1", "arch": "i586", "packageFilename": "ntp-doc-4.2.8p8-0.7.1.i586.rpm", "packageName": "ntp-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "10.4", "packageVersion": "4.2.8p8-0.7.1", "arch": "x86_64", "packageFilename": "ntp-4.2.8p8-0.7.1.x86_64.rpm", "packageName": "ntp", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "10.4", "packageVersion": "4.2.8p8-0.7.1", "arch": "x86_64", "packageFilename": "ntp-doc-4.2.8p8-0.7.1.x86_64.rpm", "packageName": "ntp-doc", "operator": "lt"}, {"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "10.4", "packageVersion": "4.2.8p8-0.7.1", "arch": "s390x", "packageFilename": "ntp-doc-4.2.8p8-0.7.1.s390x.rpm", "packageName": "ntp-doc", "operator": "lt"}], "description": "NTP was updated to version 4.2.8p8 to fix several security issues and to\n ensure the continued maintainability of the package.\n\n These security issues were fixed:\n\n * CVE-2016-4953: Bad authentication demobilized ephemeral associations\n (bsc#982065).\n * CVE-2016-4954: Processing spoofed server packets (bsc#982066).\n * CVE-2016-4955: Autokey association reset (bsc#982067).\n * CVE-2016-4956: Broadcast interleave (bsc#982068).\n * CVE-2016-4957: CRYPTO_NAK crash (bsc#982064).\n * CVE-2016-1547: Validate crypto-NAKs to prevent ACRYPTO-NAK DoS\n (bsc#977459).\n * CVE-2016-1548: Prevent the change of time of an ntpd client or\n denying service to an ntpd client by forcing it to change from basic\n client/server mode to interleaved symmetric mode (bsc#977461).\n * CVE-2016-1549: Sybil vulnerability: ephemeral association attack\n (bsc#977451).\n * CVE-2016-1550: Improve security against buffer comparison timing\n attacks (bsc#977464).\n * CVE-2016-1551: Refclock impersonation vulnerability (bsc#977450)y\n * CVE-2016-2516: Duplicate IPs on unconfig directives could have\n caused an assertion botch in ntpd (bsc#977452).\n * CVE-2016-2517: Remote configuration trustedkey/\n requestkey/controlkey values are not properly validated (bsc#977455).\n * CVE-2016-2518: Crafted addpeer with hmode &gt; 7 causes array\n wraparound with MATCH_ASSOC (bsc#977457).\n * CVE-2016-2519: ctl_getitem() return value not always checked\n (bsc#977458).\n * CVE-2015-8158: Potential Infinite Loop in ntpq (bsc#962966).\n * CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n * CVE-2015-7979: Off-path Denial of Service (DoS) attack on\n authenticated broadcast mode (bsc#962784).\n * CVE-2015-7978: Stack exhaustion in recursive traversal of\n restriction list (bsc#963000).\n * CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n * CVE-2015-7976: ntpq saveconfig command allowed dangerous characters\n in filenames (bsc#962802).\n * CVE-2015-7975: nextvar() missing length check (bsc#962988).\n * CVE-2015-7974: NTP did not verify peer associations of symmetric\n keys when authenticating packets, which might have allowed remote\n attackers to conduct impersonation attacks via an arbitrary trusted\n key, aka a &quot;skeleton&quot; key (bsc#962960).\n * CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n * CVE-2015-5300: MITM attacker can force ntpd to make a step larger\n than the panic threshold (bsc#951629).\n * CVE-2015-5194: Crash with crafted logconfig configuration command\n (bsc#943218).\n * CVE-2015-7871: NAK to the Future: Symmetric association\n authentication bypass via crypto-NAK (bsc#952611).\n * CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning\n FAIL on some bogus values (bsc#952611).\n * CVE-2015-7854: Password Length Memory Corruption Vulnerability\n (bsc#952611).\n * CVE-2015-7853: Invalid length data provided by a custom refclock\n driver could cause a buffer overflow (bsc#952611).\n * CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability\n (bsc#952611).\n * CVE-2015-7851: saveconfig Directory Traversal Vulnerability\n (bsc#952611).\n * CVE-2015-7850: Clients that receive a KoD now validate the origin\n timestamp field (bsc#952611).\n * CVE-2015-7849: Prevent use-after-free trusted key (bsc#952611).\n * CVE-2015-7848: Prevent mode 7 loop counter underrun (bsc#952611).\n * CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#952611).\n * CVE-2015-7703: Configuration directives &quot;pidfile&quot; and &quot;driftfile&quot;\n should only be allowed locally (bsc#943221).\n * CVE-2015-7704: Clients that receive a KoD should validate the origin\n timestamp field (bsc#952611).\n * CVE-2015-7705: Clients that receive a KoD should validate the origin\n timestamp field (bsc#952611).\n * CVE-2015-7691: Incomplete autokey data packet length checks\n (bsc#952611).\n * CVE-2015-7692: Incomplete autokey data packet length checks\n (bsc#952611).\n * CVE-2015-7702: Incomplete autokey data packet length checks\n (bsc#952611).\n * CVE-2015-1798: The symmetric-key feature in the receive function in\n ntp_proto.c in ntpd in NTP required a correct MAC only if the MAC\n field has a nonzero length, which made it easier for\n man-in-the-middle attackers to spoof packets by omitting the MAC\n (bsc#924202).\n * CVE-2015-1799: The symmetric-key feature in the receive function in\n ntp_proto.c in ntpd in NTP performed state-variable updates upon\n receiving certain invalid packets, which made it easier for\n man-in-the-middle attackers to cause a denial of service\n (synchronization loss) by spoofing the source IP address of a peer\n (bsc#924202).\n\n These non-security issues were fixed:\n\n * Keep the parent process alive until the daemon has finished\n initialisation, to make sure that the PID file exists when the\n parent returns.\n * bsc#979302: Change the process name of the forking DNS worker\n process to avoid the impression that ntpd is started twice.\n * bsc#981422: Don't ignore SIGCHILD because it breaks wait().\n * Separate the creation of ntp.keys and key #1 in it to avoid problems\n when upgrading installations that have the file, but no key #1,\n which is needed e.g. by &quot;rcntp addserver&quot;.\n * bsc#957226: Restrict the parser in the startup script to the first\n occurrance of &quot;keys&quot; and &quot;controlkey&quot; in ntp.conf.\n * Enable compile-time support for MS-SNTP (--enable-ntp-signd)\n * bsc#975496: Fix ntp-sntp-dst.patch.\n * bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path,\n which caused the synchronization to fail.\n * bsc#782060: Speedup ntpq.\n * bsc#951559: Fix the TZ offset output of sntp during DST.\n * bsc#916617: Add /var/db/ntp-kod.\n * bsc#951351: Add ntp-ENOBUFS.patch to limit a warning that might\n happen quite a lot on loaded systems.\n * Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n * bnc#784760: Remove local clock from default configuration.\n * Fix incomplete backporting of &quot;rcntp ntptimemset&quot;.\n * bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.\n * Don't let &quot;keysdir&quot; lines in ntp.conf trigger the &quot;keys&quot; parser.\n * bsc#910063: Fix the comment regarding addserver in ntp.conf.\n * bsc#944300: Remove &quot;kod&quot; from the restrict line in ntp.conf.\n * bsc#905885: Use SHA1 instead of MD5 for symmetric keys.\n * bsc#926510: Re-add chroot support, but mark it as deprecated and\n disable it by default.\n * bsc#920895: Drop support for running chrooted, because it is an\n ongoing source of problems and not really needed anymore, given that\n ntp now drops privileges and runs under apparmor.\n * bsc#920183: Allow -4 and -6 address qualifiers in &quot;server&quot;\n directives.\n * Use upstream ntp-wait, because our version is incompatible with the\n new ntpq command line syntax.\n * bsc#920905: Adjust Util.pm to the Perl version on SLE11.\n * bsc#920238: Enable ntpdc for backwards compatibility.\n * bsc#920893: Don't use %exclude.\n * bsc#988417: Default to NTPD_FORCE_SYNC_ON_STARTUP=&quot;yes&quot;\n * bsc#988565: Ignore errors when removing extra files during\n uninstallation\n * bsc#988558: Don't blindly guess the value to use for IP_TOS\n\n Security Issues:\n\n * CVE-2016-4953\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953</a>&gt;\n * CVE-2016-4954\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954</a>&gt;\n * CVE-2016-4955\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955</a>&gt;\n * CVE-2016-4956\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956</a>&gt;\n * CVE-2016-4957\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4957\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4957</a>&gt;\n * CVE-2016-1547\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1547\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1547</a>&gt;\n * CVE-2016-1548\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548</a>&gt;\n * CVE-2016-1549\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549</a>&gt;\n * CVE-2016-1550\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550</a>&gt;\n * CVE-2016-1551\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1551\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1551</a>&gt;\n * CVE-2016-2516\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516</a>&gt;\n * CVE-2016-2517\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2517\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2517</a>&gt;\n * CVE-2016-2518\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518</a>&gt;\n * CVE-2016-2519\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2519\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2519</a>&gt;\n * CVE-2015-8158\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158</a>&gt;\n * CVE-2015-8138\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138</a>&gt;\n * CVE-2015-7979\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979</a>&gt;\n * CVE-2015-7978\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978</a>&gt;\n * CVE-2015-7977\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977</a>&gt;\n * CVE-2015-7976\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976</a>&gt;\n * CVE-2015-7975\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975</a>&gt;\n * CVE-2015-7974\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974</a>&gt;\n * CVE-2015-7973\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973</a>&gt;\n * CVE-2015-5300\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300</a>&gt;\n * CVE-2015-5194\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5194\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5194</a>&gt;\n * CVE-2015-7871\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871</a>&gt;\n * CVE-2015-7855\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855</a>&gt;\n * CVE-2015-7854\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854</a>&gt;\n * CVE-2015-7853\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853</a>&gt;\n * CVE-2015-7852\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852</a>&gt;\n * CVE-2015-7851\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851</a>&gt;\n * CVE-2015-7850\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850</a>&gt;\n * CVE-2015-7849\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849</a>&gt;\n * CVE-2015-7848\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848</a>&gt;\n * CVE-2015-7701\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701</a>&gt;\n * CVE-2015-7703\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703</a>&gt;\n * CVE-2015-7704\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704</a>&gt;\n * CVE-2015-7705\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705</a>&gt;\n * CVE-2015-7691\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691</a>&gt;\n * CVE-2015-7692\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692</a>&gt;\n * CVE-2015-7702\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702</a>&gt;\n * CVE-2015-1798\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798</a>&gt;\n * CVE-2015-1799\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799</a>&gt;\n\n\n", "edition": 1, "reporter": "Suse", "published": "2016-07-29T19:08:48", "title": "Security update for ntp (important)", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "type": "suse", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-7703", "CVE-2016-4956", "CVE-2016-4955", "CVE-2015-8138", "CVE-2015-7855", "CVE-2016-4953", "CVE-2015-7973", "CVE-2015-1799", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7704", "CVE-2016-1551", "CVE-2015-7979", "CVE-2016-4954", "CVE-2015-7701", "CVE-2015-7976", "CVE-2015-7848", "CVE-2015-7975", "CVE-2015-7692", "CVE-2016-1547", "CVE-2015-7851", "CVE-2015-7702", "CVE-2016-4957", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7871", "CVE-2015-7849", "CVE-2015-7691", "CVE-2016-2519", "CVE-2016-2517", "CVE-2015-7705", "CVE-2015-1798", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7850", "CVE-2016-1549", "CVE-2015-7854", "CVE-2015-7978", "CVE-2015-7853"], "modified": "2016-07-29T19:08:48", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00026.html", "id": "SUSE-SU-2016:1912-1", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}, {"lastseen": "2016-09-04T12:46:49", "references": ["https://download.suse.com/patch/finder/?keywords=005fabcea379ebb53725d3077bfa4ba8", "https://bugzilla.suse.com/985065"], "affectedPackage": [{"OS": "SUSE Linux Enterprise Server LTSS", "OSVersion": "10.4", "packageVersion": "2.13.18-0.20.1", "packageFilename": "yast2-ntp-client-2.13.18-0.20.1.noarch.rpm", "packageName": "yast2-ntp-client", "arch": "noarch", "operator": "lt"}], "edition": 1, "description": "The YaST2 NTP Client was updated to handle the presence of both xntp and\n ntp packages.\n\n If none are installed, &quot;ntp&quot; will be installed.\n\n Security Issues:\n\n * CVE-2016-4953\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953</a>&gt;\n * CVE-2016-4954\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954</a>&gt;\n * CVE-2016-4955\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955</a>&gt;\n * CVE-2016-4956\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956</a>&gt;\n * CVE-2016-4957\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4957\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4957</a>&gt;\n * CVE-2016-1547\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1547\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1547</a>&gt;\n * CVE-2016-1548\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548</a>&gt;\n * CVE-2016-1549\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549</a>&gt;\n * CVE-2016-1550\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550</a>&gt;\n * CVE-2016-1551\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1551\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1551</a>&gt;\n * CVE-2016-2516\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516</a>&gt;\n * CVE-2016-2517\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2517\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2517</a>&gt;\n * CVE-2016-2518\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518</a>&gt;\n * CVE-2016-2519\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2519\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2519</a>&gt;\n * CVE-2015-8158\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158</a>&gt;\n * CVE-2015-8138\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138</a>&gt;\n * CVE-2015-7979\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979</a>&gt;\n * CVE-2015-7978\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978</a>&gt;\n * CVE-2015-7977\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977</a>&gt;\n * CVE-2015-7976\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976</a>&gt;\n * CVE-2015-7975\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975</a>&gt;\n * CVE-2015-7974\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974</a>&gt;\n * CVE-2015-7973\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973</a>&gt;\n * CVE-2015-5300\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300</a>&gt;\n * CVE-2015-5194\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5194\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5194</a>&gt;\n * CVE-2015-7871\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871</a>&gt;\n * CVE-2015-7855\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855</a>&gt;\n * CVE-2015-7854\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854</a>&gt;\n * CVE-2015-7853\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853</a>&gt;\n * CVE-2015-7852\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852</a>&gt;\n * CVE-2015-7851\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851</a>&gt;\n * CVE-2015-7850\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850</a>&gt;\n * CVE-2015-7849\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849</a>&gt;\n * CVE-2015-7848\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848</a>&gt;\n * CVE-2015-7701\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701</a>&gt;\n * CVE-2015-7703\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703</a>&gt;\n * CVE-2015-7704\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704</a>&gt;\n * CVE-2015-7705\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705</a>&gt;\n * CVE-2015-7691\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691</a>&gt;\n * CVE-2015-7692\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692</a>&gt;\n * CVE-2015-7702\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702</a>&gt;\n * CVE-2015-1798\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798</a>&gt;\n * CVE-2015-1799\n &lt;<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799</a>&gt;\n\n\n", "reporter": "Suse", "published": "2016-08-17T21:08:25", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "suse", "title": "Security update for yast2-ntp-client (important)", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-7703", "CVE-2016-4956", "CVE-2016-4955", "CVE-2015-8138", "CVE-2015-7855", "CVE-2016-4953", "CVE-2015-7973", "CVE-2015-1799", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7704", "CVE-2016-1551", "CVE-2015-7979", "CVE-2016-4954", "CVE-2015-7701", "CVE-2015-7976", "CVE-2015-7848", "CVE-2015-7975", "CVE-2015-7692", "CVE-2016-1547", "CVE-2015-7851", "CVE-2015-7702", "CVE-2016-4957", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7871", "CVE-2015-7849", "CVE-2015-7691", "CVE-2016-2519", "CVE-2016-2517", "CVE-2015-7705", "CVE-2015-1798", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7850", "CVE-2016-1549", "CVE-2015-7854", "CVE-2015-7978", "CVE-2015-7853"], "modified": "2016-08-17T21:08:25", "href": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00042.html", "id": "SUSE-SU-2016:2094-1", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "centos": [{"lastseen": "2017-10-03T18:26:08", "references": ["https://rhn.redhat.com/errata/RHSA-2016-0780.html"], "affectedPackage": [{"OS": "CentOS", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6.centos", "packageFilename": "ntpdate-4.2.6p5-10.el6.centos.x86_64.rpm", "packageName": "ntpdate", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6.centos", "packageFilename": "ntp-4.2.6p5-10.el6.centos.i686.rpm", "packageName": "ntp", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6.centos", "packageFilename": "ntp-perl-4.2.6p5-10.el6.centos.i686.rpm", "packageName": "ntp-perl", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6.centos", "packageFilename": "ntp-4.2.6p5-10.el6.centos.x86_64.rpm", "packageName": "ntp", "arch": "x86_64", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6.centos", "packageFilename": "ntp-doc-4.2.6p5-10.el6.centos.noarch.rpm", "packageName": "ntp-doc", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6.centos", "packageFilename": "ntp-doc-4.2.6p5-10.el6.centos.noarch.rpm", "packageName": "ntp-doc", "arch": "noarch", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6.centos", "packageFilename": "ntpdate-4.2.6p5-10.el6.centos.i686.rpm", "packageName": "ntpdate", "arch": "i686", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6.centos", "packageFilename": "ntp-perl-4.2.6p5-10.el6.centos.x86_64.rpm", "packageName": "ntp-perl", "arch": "x86_64", "operator": "lt"}], "description": "**CentOS Errata and Security Advisory** CESA-2016:0780\n\n\nThe Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service.\n\nSecurity Fix(es):\n\n* It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\n\n* A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701)\n\n* An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852)\n\n* A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977)\n\n* A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd. (CVE-2015-7978)\n\n* It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. (CVE-2015-5194)\n\n* It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command. (CVE-2015-5195)\n\n* It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219)\n\n* It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). (CVE-2015-7703)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichv\u00e1r (Red Hat).\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 6.8 Release Notes and Red Hat Enterprise Linux 6.8 Technical Notes linked from the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2016-May/002927.html\n\n**Affected packages:**\nntp\nntp-doc\nntp-perl\nntpdate\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-0780.html", "edition": 1, "reporter": "CentOS Project", "published": "2016-05-16T10:19:19", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "title": "ntp, ntpdate security update", "type": "centos", "bulletinFamily": "unix", "cvelist": ["CVE-2015-7703", "CVE-2015-7977", "CVE-2015-5219", "CVE-2014-9750", "CVE-2015-7701", "CVE-2015-7692", "CVE-2015-7702", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7691", "CVE-2015-5195", "CVE-2015-7978"], "modified": "2016-05-16T10:19:19", "href": "http://lists.centos.org/pipermail/centos-cr-announce/2016-May/002927.html", "id": "CESA-2016:0780", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2017-10-03T18:27:01", "references": ["https://rhn.redhat.com/errata/RHSA-2016-2583.html"], "affectedPackage": [{"OS": "CentOS", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7.centos", "arch": "noarch", "packageName": "ntp-perl", "packageFilename": "ntp-perl-4.2.6p5-25.el7.centos.noarch.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7.centos", "arch": "x86_64", "packageName": "ntpdate", "packageFilename": "ntpdate-4.2.6p5-25.el7.centos.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7.centos", "arch": "x86_64", "packageName": "sntp", "packageFilename": "sntp-4.2.6p5-25.el7.centos.x86_64.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7.centos", "arch": "noarch", "packageName": "ntp-doc", "packageFilename": "ntp-doc-4.2.6p5-25.el7.centos.noarch.rpm", "operator": "lt"}, {"OS": "CentOS", "OSVersion": "7", "packageVersion": "4.2.6p5-25.el7.centos", "arch": "x86_64", "packageName": "ntp", "packageFilename": "ntp-4.2.6p5-25.el7.centos.x86_64.rpm", "operator": "lt"}], "description": "**CentOS Errata and Security Advisory** CESA-2016:2583\n\n\nThe Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service.\n\nSecurity Fix(es):\n\n* It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\n\n* A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701)\n\n* An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852)\n\n* A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977)\n\n* A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd. (CVE-2015-7978)\n\n* It was found that when NTP was configured in broadcast mode, a remote attacker could broadcast packets with bad authentication to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server, causing them to become out of sync over a longer period of time. (CVE-2015-7979)\n\n* It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. (CVE-2015-5194)\n\n* It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command. (CVE-2015-5195)\n\n* It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). (CVE-2015-5196, CVE-2015-7703)\n\n* It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219)\n\n* A flaw was found in the way NTP verified trusted keys during symmetric key authentication. An authenticated client (A) could use this flaw to modify a packet sent between a server (B) and a client (C) using a key that is different from the one known to the client (A). (CVE-2015-7974)\n\n* A flaw was found in the way the ntpq client processed certain incoming packets in a loop in the getresponse() function. A remote attacker could potentially use this flaw to crash an ntpq client instance. (CVE-2015-8158)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichv\u00e1r (Red Hat).\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2016-November/003635.html\n\n**Affected packages:**\nntp\nntp-doc\nntp-perl\nntpdate\nsntp\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-2583.html", "edition": 1, "reporter": "CentOS Project", "published": "2016-11-25T16:00:55", "title": "ntp, ntpdate, sntp security update", "type": "centos", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "unix", "cvelist": ["CVE-2015-7703", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-5219", "CVE-2015-7979", "CVE-2014-9750", "CVE-2015-7701", "CVE-2015-7692", "CVE-2015-7702", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7691", "CVE-2015-5196", "CVE-2015-5195", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2016-11-25T16:00:55", "href": "http://lists.centos.org/pipermail/centos-cr-announce/2016-November/003635.html", "id": "CESA-2016:2583", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "freebsd": [{"lastseen": "2018-08-31T01:14:25", "references": ["http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit"], "affectedPackage": [{"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "10.2_11", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "FreeBSD", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "10.2", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "FreeBSD", "operator": "eq"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "4.3.90", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "ntp-devel", "operator": "lt"}, {"OS": "FreeBSD", "OSVersion": "any", "packageVersion": "4.2.8p6", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "ntp", "operator": "lt"}], "description": "\nNetwork Time Foundation reports:\n\nNTF's NTP Project has been notified of the following low-\n\t and medium-severity vulnerabilities that are fixed in\n\t ntp-4.2.8p6, released on Tuesday, 19 January 2016:\n\nBug 2948 / CVE-2015-8158: Potential Infinite Loop\n\t in ntpq. Reported by Cisco ASIG.\nBug 2945 / CVE-2015-8138: origin: Zero Origin\n\t Timestamp Bypass. Reported by Cisco ASIG.\nBug 2942 / CVE-2015-7979: Off-path Denial of\n\t Service (DoS) attack on authenticated broadcast\n\t mode. Reported by Cisco ASIG.\nBug 2940 / CVE-2015-7978: Stack exhaustion in\n\t recursive traversal of restriction list.\n\t Reported by Cisco ASIG.\nBug 2939 / CVE-2015-7977: reslist NULL pointer\n\t dereference. Reported by Cisco ASIG.\nBug 2938 / CVE-2015-7976: ntpq saveconfig command\n\t allows dangerous characters in filenames.\n\t Reported by Cisco ASIG.\nBug 2937 / CVE-2015-7975: nextvar() missing length\n\t check. Reported by Cisco ASIG.\nBug 2936 / CVE-2015-7974: Skeleton Key: Missing\n\t key check allows impersonation between authenticated\n\t peers. Reported by Cisco ASIG.\nBug 2935 / CVE-2015-7973: Deja Vu: Replay attack on\n\t authenticated broadcast mode. Reported by Cisco ASIG.\n\nAdditionally, mitigations are published for the following\n\t two issues:\n\nBug 2947 / CVE-2015-8140: ntpq vulnerable to replay\n\t attacks. Reported by Cisco ASIG.\nBug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc,\n\t disclose origin. Reported by Cisco ASIG.\n\n\n", "edition": 4, "reporter": "FreeBSD", "published": "2016-01-20T00:00:00", "title": "ntp -- multiple vulnerabilities", "type": "freebsd", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2016-08-09T00:00:00", "id": "5237F5D7-C020-11E5-B397-D050996490D0", "href": "https://vuxml.freebsd.org/freebsd/5237f5d7-c020-11e5-b397-d050996490d0.html", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "cisco": [{"lastseen": "2018-07-14T16:40:18", "_object_types": ["robots.models.base.Bulletin", "robots.models.cisco.CiscoBulletin"], "references": ["http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd"], "description": "A vulnerability in the Network Time Protocol daemon (ntpd) could allow an authenticated, remote attacker to leverage any trusted key, not just the trusted key for its address.\n\nThe vulnerability is exists because ntpd does not properly verify that the key being used matches the proper servers' key. An attacker could exploit this vulnerability by sending packets with any trusted key, as long as the keyid references another key the systems share and that key is used to compute the message authentication code (MAC). An exploit could allow the attacker to masquerade as another configured trusted association.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an unauthenticated, adjacent attacker to replay broadcast server packets.\n\nThe vulnerability is due to no replay protection on NTP broadcast packets. An attacker could exploit this vulnerability by capturing and retransmiting NTP broadcast packets to a targeted system. An exploit could allow the attacker to cause time settings on a targeted system to stop updating and maintain a particular time value.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an unauthenticated, remote attacker to modify time settings on a targeted system.\n\nThe vulnerability is due to incorrect processing of NTP update packets. An attacker could exploit this vulnerability by sending crafted updates that contain an a zero-origin timestamp to the clients' peer server. An exploit could allow the attacker to modify the time values received by the client, preventing client systems from receiving further updates from its legitimately configured time server.\n\nA vulnerability in the Standard Network Time Protocol query program (ntpq) could allow an unauthenticated, remote attacker to replay a previously captured ntpq command.\n\nThe vulnerability is due to an invalid checking of the sequence number. An attacker could exploit this vulnerability by capturing an authenticated ntpq command that was executed and then replaying back the command at a later stage. An exploit could allow the attacker to replay previously captured ntpq commands.\n\nA vulnerability in the list_restrict4() and list_restrict6() routines of the Network Time Protocol daemon (ntpd) could allow an authenticated, remote attacker to cause the ntpd to crash.\n\nThe vulnerability is due to a null pointer dereference in the list_restrict4() and list_restrict6() routines. An attacker could exploit this vulnerability by performing an ntpdc reslist command against a device that has a large number of NTP restrictions in place. An exploit could allow the attacker to cause the ntpd to crash.\n\nA vulnerability in the standard Network Time Protocol query program (ntpq) could allow a unauthenticated, local attacker to execute a buffer overflow attack.\n\nThe vulnerability is due to the function nextvar() executing a memcpy() into the name buffer without a proper length check. An attacker could exploit this vulnerability by calling ntpq to read variable names from an untrusted source, such as a user or environment variable. An exploit could allow the attacker to trigger a buffer overflow.\n\nA vulnerability in the standard and special Network Time Protocol query program (ntpq and ntpdc) could allow an unauthenticated, remote attacker to cause the ntpq or ntpdc program to remain in a processing loop.\n\nThe vulnerability is due to a loop that is not exited under certain conditions in the ntpq and ntpdc processes. An attacker could exploit this vulnerability by sending malicious packets to an ntpq or ntpdc client from a malicious NTP server or from a privileged network position by conducting a man-in-the-middle attack between a targeted client and the NTP server. An exploit could allow the attacker to cause the ntpq or ntpdc process to enter an infinite loop, resulting in a denial of service (DoS) condition.\n\nA vulnerability in the standard and the special Network Time Protocol query program (ntpq and ntpdc) could allow an unauthenticated, remote attacker to obtain the value of the origin timestamp expected in the next peer response.\n\nThe vulnerability is due to ntpq and ntpdc providing this information without requiring authentication. An attacker could exploit this issue by querying the client with the appropriate ntpq or ntpdc commands. An exploit could allow the attacker to obtain the next peer response origin timestamp, which could be leveraged in further attacks.\n\nA vulnerability of the Network Time Protocol daemon (ntpd) could allow an authenticated, remote attacker to cause the ntpd to crash by exhausting the call stack.\n\nThe vulnerability exists because function calls to list_restrict4() or list_restrict6() can be made to exhaust space on the call stack. An attacker could exploit this vulnerability by performing an ntpdc reslist command against a device that has a large number of NTP restrictions in place. An exploit could allow the attacker to cause the ntpd to crash.\n\nA vulnerability the Network Time Protocol daemon (ntpd) could allow an unauthenticated, remote attacker to prevent clients from synchronizing to a time server.\n\nThe vulnerability is due to the improper handling of malicious packets by the broadcast server. An attacker could exploit this vulnerability by sending malicious, authenticated packets to the broadcast network. An exploit could allow the attacker to prevent the broadcast clients from synchronizing with configured time servers.\n\nAn issue in the standard Network Time Protocol query program (ntpq) could allow an authenticated, remote attacker to create files on the system with dangerous characters in the filename.\n\nThe issue is due to to improper validation of characters within filenames. An attacker could exploit this issue by saving a filename with the saveconfig command. An exploit could allow the attacker to write filenames to the system that may contain potentially dangerous character sequences.\n\nMultiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server.\n\nOn January 19, 2016, NTP Consortium at Network Time Foundation released a security advisory detailing 12 issues regarding multiple DoS vulnerabilities, information disclosure vulnerabilities, and logic issues that may allow an attacker to shift a client's time. The vulnerabilities covered in this document are as follows:\n\n CVE-2015-7973: Network Time Protocol Replay Attack on Authenticated Broadcast Mode Vulnerability \n CVE-2015-7974: Network Time Protocol Missing Trusted Key Check\n CVE-2015-7975: Standard Network Time Protocol Query Program nextvar() Missing Length Check\n CVE-2015-7976: Standard Network Time Protocol Query Program saveconfig Command Allows Dangerous Characters in Filenames\n CVE-2015-7978: Network Time Protocol Daemon reslist NULL Pointer Deference Denial of Service Vulnerability\n CVE-2015-7977: Network Time Protocol Stack Exhaustion Denial of Service\n CVE-2015-7979: Network Time Protocol Off-Path Broadcast Mode Denial of Service \n CVE-2015-8138: Network Time Protocol Zero Origin Timestamp Bypass\n CVE-2015-8139: Network Time Protocol Information Disclosure of Origin Timestamp\n CVE-2015-8140: Standard Network Time Protocol Query Program Replay Attack\n CVE-2015-8158: Standard and Special Network Time Protocol Query Program Infinite loop\n\nAdditional details on each of the vulnerabilities are in the official security advisory from the NTP Consortium at Network Time Foundation at the following link: Security Notice[\"http://nwtime.org/security-policy/\"]\n\nCisco has released software updates that address these vulnerabilities.\n\nWorkarounds that address some of these vulnerabilities may be available. Available workarounds will be documented in the corresponding Cisco bug for each affected product. \n\nThis advisory is available at the following link:\n\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd", "reporter": "Cisco", "published": "2016-01-27T20:00:00", "type": "cisco", "title": "Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Cisco Application and Content Networking System (ACNS) Software", "version": "any", "operator": "eq"}, {"name": "Cisco Secure Access Control System (ACS)", "version": "any", "operator": "eq"}, {"name": "Cisco Unity", "version": "any", "operator": "eq"}, {"name": "IOS", "version": "12.1XG", "operator": "eq"}, {"name": "IOS", "version": "12.1", "operator": "eq"}, {"name": "IOS", "version": "12.1XI", "operator": "eq"}, {"name": "IOS", "version": "12.0XC", "operator": "eq"}, {"name": "IOS", "version": "12.1XJ", "operator": "eq"}, {"name": "IOS", "version": "12.0XD", "operator": "eq"}, {"name": "IOS", "version": "12.0S", "operator": "eq"}, {"name": "IOS", "version": "12.0ST", "operator": "eq"}, {"name": "IOS", "version": "12.1XF", "operator": "eq"}, {"name": "IOS", "version": "12.0SP", "operator": "eq"}, {"name": "IOS", "version": "12.1XL", "operator": "eq"}, {"name": "IOS", "version": "12.1XQ", "operator": "eq"}, {"name": "IOS", "version": "12.1XU", "operator": "eq"}, {"name": "IOS", "version": "12.1YD", "operator": "eq"}, {"name": "IOS", "version": "12.1YI", "operator": "eq"}, {"name": "IOS", "version": "12.2B", "operator": "eq"}, {"name": "IOS", "version": "12.2DA", "operator": "eq"}, {"name": "IOS", "version": "12.2S", "operator": "eq"}, {"name": "IOS", "version": "12.2XA", "operator": "eq"}, {"name": "IOS", "version": "12.2XB", "operator": "eq"}, {"name": "IOS", "version": "12.2XG", "operator": "eq"}, {"name": "IOS", "version": "12.2XL", "operator": "eq"}, {"name": "IOS", "version": "12.2XM", "operator": "eq"}, {"name": "IOS", "version": "12.2", "operator": "eq"}, {"name": "IOS", "version": "12.2XN", "operator": "eq"}, {"name": "IOS", "version": "12.2XR", "operator": "eq"}, {"name": "IOS", "version": "12.2XS", "operator": "eq"}, {"name": "IOS", "version": "12.2XT", "operator": "eq"}, {"name": "IOS", "version": "12.2XW", "operator": "eq"}, {"name": "IOS", "version": "12.2YA", "operator": "eq"}, {"name": "IOS", "version": "12.2YB", "operator": "eq"}, {"name": "IOS", "version": "12.2YC", "operator": "eq"}, {"name": "IOS", "version": "12.2YD", "operator": "eq"}, {"name": "IOS", "version": "12.2YF", "operator": "eq"}, {"name": "IOS", "version": "12.2YG", "operator": "eq"}, {"name": "IOS", "version": "12.2YH", "operator": "eq"}, {"name": "IOS", "version": "12.1YF", "operator": "eq"}, {"name": "IOS", "version": "12.0", "operator": "eq"}, {"name": "IOS", "version": "12.1XB", "operator": "eq"}, {"name": "IOS", "version": "12.1XK", "operator": "eq"}, {"name": "IOS", "version": "12.0XE", "operator": "eq"}, {"name": "IOS", "version": "12.0SC", "operator": "eq"}, {"name": "IOS", "version": "12.1CX", "operator": "eq"}, {"name": "IOS", "version": "12.1EC", "operator": "eq"}, {"name": "IOS", "version": "12.2BC", "operator": "eq"}, {"name": "IOS", "version": "12.2XF", "operator": "eq"}, {"name": "IOS", "version": "12.0XG", "operator": "eq"}, {"name": "IOS", "version": "12.0XI", "operator": "eq"}, {"name": "IOS", "version": "12.0XK", "operator": "eq"}, {"name": "IOS", "version": "12.0XM", "operator": "eq"}, {"name": "IOS", "version": "12.0XQ", "operator": "eq"}, {"name": "IOS", "version": "12.0XR", "operator": "eq"}, {"name": "IOS", "version": "12.0XV", "operator": "eq"}, {"name": "IOS", "version": "12.1E", "operator": "eq"}, {"name": "IOS", "version": "12.1XC", "operator": "eq"}, {"name": "IOS", "version": "12.1XH", "operator": "eq"}, {"name": "IOS", "version": "12.1XM", "operator": "eq"}, {"name": "IOS", "version": "12.1XP", "operator": "eq"}, {"name": "IOS", "version": "12.1XT", "operator": "eq"}, {"name": "IOS", "version": "12.1YB", "operator": "eq"}, {"name": "IOS", "version": "12.1YC", "operator": "eq"}, {"name": "IOS", "version": "12.2DD", "operator": "eq"}, {"name": "IOS", "version": "12.2XD", "operator": "eq"}, {"name": "IOS", "version": "12.2XE", "operator": "eq"}, {"name": "IOS", "version": "12.2XH", "operator": "eq"}, {"name": "IOS", "version": "12.2XI", "operator": "eq"}, {"name": "IOS", "version": "12.2XJ", "operator": "eq"}, {"name": "IOS", "version": "12.2XK", "operator": "eq"}, {"name": "IOS", "version": "12.2XQ", "operator": "eq"}, {"name": "IOS", "version": "12.0T", "operator": "eq"}, {"name": "IOS", "version": "12.1YE", "operator": "eq"}, {"name": "IOS", "version": "12.1T", "operator": "eq"}, {"name": "IOS", "version": "12.0XA", "operator": "eq"}, {"name": "IOS", "version": "12.0XB", "operator": "eq"}, {"name": "IOS", "version": "12.1EZ", "operator": "eq"}, {"name": "IOS", "version": "12.1YA", "operator": "eq"}, {"name": "IOS", "version": "12.1XV", "operator": "eq"}, {"name": "IOS", "version": "12.1XA", "operator": "eq"}, {"name": "IOS", "version": "12.1XD", "operator": "eq"}, {"name": "IOS", "version": "12.1XE", "operator": "eq"}, {"name": "IOS", "version": "12.1XR", "operator": "eq"}, {"name": "IOS", "version": "12.1XS", "operator": "eq"}, {"name": "IOS", "version": "12.1EY", "operator": "eq"}, {"name": "IOS", "version": "12.1DB", "operator": "eq"}, {"name": "IOS", "version": "12.1DC", "operator": "eq"}, {"name": "IOS", "version": "12.0DA", "operator": "eq"}, {"name": "IOS", "version": "12.0SL", "operator": "eq"}, {"name": "IOS", "version": "12.0XH", "operator": "eq"}, {"name": "IOS", "version": "12.0XJ", "operator": "eq"}, {"name": "IOS", "version": "12.1AA", "operator": "eq"}, {"name": "IOS", "version": "12.1DA", "operator": "eq"}, {"name": "IOS", "version": "12.0SX", "operator": "eq"}, {"name": "IOS", "version": "12.1EX", "operator": "eq"}, {"name": "IOS", "version": "12.1EA", "operator": "eq"}, {"name": "IOS", "version": "12.0SY", "operator": "eq"}, {"name": "IOS", "version": "12.0SZ", "operator": "eq"}, {"name": "IOS", "version": "12.1AX", "operator": "eq"}, {"name": "IOS", "version": "12.1AY", "operator": "eq"}, {"name": "IOS", "version": "12.1EB", "operator": "eq"}, {"name": "IOS", "version": "12.1EV", "operator": "eq"}, {"name": "IOS", "version": "12.1EW", "operator": "eq"}, {"name": "IOS", "version": "12.1YJ", "operator": "eq"}, {"name": "IOS", "version": "12.1YH", "operator": "eq"}, {"name": "IOS", "version": "12.2BW", "operator": "eq"}, {"name": "IOS", "version": "12.2BX", "operator": "eq"}, {"name": "IOS", "version": "12.2BZ", "operator": "eq"}, {"name": "IOS", "version": "12.2CX", "operator": "eq"}, {"name": "IOS", "version": "12.2CY", "operator": "eq"}, {"name": "IOS", "version": "12.2DX", "operator": "eq"}, {"name": "IOS", "version": "12.2JA", "operator": "eq"}, {"name": "IOS", "version": "12.2MB", "operator": "eq"}, {"name": "IOS", "version": "12.2MC", "operator": "eq"}, {"name": "IOS", "version": "12.2MX", "operator": "eq"}, {"name": "IOS", "version": "12.2SZ", "operator": "eq"}, {"name": "IOS", "version": "12.2XU", "operator": "eq"}, {"name": "IOS", "version": "12.2YJ", "operator": "eq"}, {"name": "IOS", "version": "12.2YT", "operator": "eq"}, {"name": "IOS", "version": "12.2YN", "operator": "eq"}, {"name": "IOS", "version": "12.2YO", "operator": "eq"}, {"name": "IOS", "version": "12.2XC", "operator": "eq"}, {"name": "IOS", "version": "12.2YP", "operator": "eq"}, {"name": "IOS", "version": "12.2YK", "operator": "eq"}, {"name": "IOS", "version": "12.2YL", "operator": "eq"}, {"name": "IOS", "version": "12.2YM", "operator": "eq"}, {"name": "IOS", "version": "12.2YU", "operator": "eq"}, {"name": "IOS", "version": "12.2YV", "operator": "eq"}, {"name": "IOS", "version": "12.2YQ", "operator": "eq"}, {"name": "IOS", "version": "12.2YR", "operator": "eq"}, {"name": "IOS", "version": "12.2YW", "operator": "eq"}, {"name": "IOS", "version": "12.2YX", "operator": "eq"}, {"name": "IOS", "version": "12.2YY", "operator": "eq"}, {"name": "IOS", "version": "12.2YZ", "operator": "eq"}, {"name": "IOS", "version": "12.2ZA", "operator": "eq"}, {"name": "IOS", "version": "12.2ZB", "operator": "eq"}, {"name": "IOS", "version": "12.2ZC", "operator": "eq"}, {"name": "IOS", "version": "12.2ZD", "operator": "eq"}, {"name": "IOS", "version": "12.2ZE", "operator": "eq"}, {"name": "IOS", "version": "12.2ZF", "operator": "eq"}, {"name": "IOS", "version": "12.2ZG", "operator": "eq"}, {"name": "IOS", "version": "12.2ZH", "operator": "eq"}, {"name": "IOS", "version": "12.2ZJ", "operator": "eq"}, {"name": "IOS", "version": "12.2ZL", "operator": "eq"}, {"name": "IOS", "version": "12.0XL", "operator": "eq"}, {"name": "IOS", "version": "12.0XN", "operator": "eq"}, {"name": "IOS", "version": "12.0XT", "operator": "eq"}, {"name": "IOS", "version": "12.1XW", "operator": "eq"}, {"name": "IOS", "version": "12.2YE", "operator": "eq"}, {"name": "IOS", "version": "12.3", "operator": "eq"}, {"name": "IOS", "version": "12.3B", "operator": "eq"}, {"name": "IOS", "version": "12.3T", "operator": "eq"}, {"name": "IOS", "version": "12.2CZ", "operator": "eq"}, {"name": "IOS", "version": "12.2JK", "operator": "eq"}, {"name": "IOS", "version": "12.2XZ", "operator": "eq"}, {"name": "IOS", "version": "12.2ZK", "operator": "eq"}, {"name": "IOS", "version": "12.2ZO", "operator": "eq"}, {"name": "IOS", "version": "12.2ZP", "operator": "eq"}, {"name": "IOS", "version": "12.3XA", "operator": "eq"}, {"name": "IOS", "version": "12.3XQ", "operator": "eq"}, {"name": "IOS", "version": "12.3XN", "operator": "eq"}, {"name": "IOS", "version": "12.3XL", "operator": "eq"}, {"name": "IOS", "version": "12.3XK", "operator": "eq"}, {"name": "IOS", "version": "12.3XJ", "operator": "eq"}, {"name": "IOS", "version": "12.3XI", "operator": "eq"}, {"name": "IOS", "version": "12.3XH", "operator": "eq"}, {"name": "IOS", "version": "12.3XG", "operator": "eq"}, {"name": "IOS", "version": "12.3XF", "operator": "eq"}, {"name": "IOS", "version": "12.3XE", "operator": "eq"}, {"name": "IOS", "version": "12.3XD", "operator": "eq"}, {"name": "IOS", "version": "12.3XC", "operator": "eq"}, {"name": "IOS", "version": "12.3XB", "operator": "eq"}, {"name": "IOS", "version": "12.2EW", "operator": "eq"}, {"name": "IOS", "version": "12.2EWA", "operator": "eq"}, {"name": "IOS", "version": "12.2SU", "operator": "eq"}, {"name": "IOS", "version": "12.2SE", "operator": "eq"}, {"name": "IOS", "version": "12.2SV", "operator": "eq"}, {"name": "IOS", "version": "12.2SW", "operator": "eq"}, {"name": "IOS", "version": "12.2SXB", "operator": "eq"}, {"name": "IOS", "version": "12.2SXA", "operator": "eq"}, {"name": "IOS", "version": "12.2SXD", "operator": "eq"}, {"name": "IOS", "version": "12.2ZI", "operator": "eq"}, {"name": "IOS", "version": "12.2ZN", "operator": "eq"}, {"name": "IOS", "version": "12.3XM", "operator": "eq"}, {"name": "IOS", "version": "12.3XR", "operator": "eq"}, {"name": "IOS", "version": "12.3XS", "operator": "eq"}, {"name": "IOS", "version": "12.3XT", "operator": "eq"}, {"name": "IOS", "version": "12.3XU", "operator": "eq"}, {"name": "IOS", "version": "12.3XX", "operator": "eq"}, {"name": "IOS", "version": "12.3XW", "operator": "eq"}, {"name": "IOS", "version": "12.3XY", "operator": "eq"}, {"name": "IOS", "version": "12.3XZ", "operator": "eq"}, {"name": "IOS", "version": "12.3YA", "operator": "eq"}, {"name": "IOS", "version": "12.3YD", "operator": "eq"}, {"name": "IOS", "version": "12.3YE", "operator": "eq"}, {"name": "IOS", "version": "12.3YF", "operator": "eq"}, {"name": "IOS", "version": "12.3YH", "operator": "eq"}, {"name": "IOS", "version": "12.3YG", "operator": "eq"}, {"name": "IOS", "version": "12.2M", "operator": "eq"}, {"name": "IOS", "version": "12.2BY", "operator": "eq"}, {"name": "IOS", "version": "12.2XV", "operator": "eq"}, {"name": "IOS", "version": "12.3BC", "operator": "eq"}, {"name": "IOS", "version": "12.3BW", "operator": "eq"}, {"name": "IOS", "version": "12.0DB", "operator": "eq"}, {"name": "IOS", "version": "12.0DC", "operator": "eq"}, {"name": "IOS", "version": "12.0XF", "operator": "eq"}, {"name": "IOS", "version": "12.0XS", "operator": "eq"}, {"name": "IOS", "version": "12.1AZ", "operator": "eq"}, {"name": "IOS", "version": "12.1EO", "operator": "eq"}, {"name": "IOS", "version": "12.3YC", "operator": "eq"}, {"name": "IOS", "version": "12.3YJ", "operator": "eq"}, {"name": "IOS", "version": "12.3YL", "operator": "eq"}, {"name": "IOS", "version": "12.0SV", "operator": "eq"}, {"name": "IOS", "version": "12.3YI", "operator": "eq"}, {"name": "IOS", "version": "12.3YK", "operator": "eq"}, {"name": "IOS", "version": "12.1EU", "operator": "eq"}, {"name": "IOS", "version": "12.2EU", "operator": "eq"}, {"name": "IOS", "version": "12.2EX", "operator": "eq"}, {"name": "IOS", "version": "12.2SEB", "operator": "eq"}, {"name": "IOS", "version": "12.2SEA", "operator": "eq"}, {"name": "IOS", "version": "12.2EY", "operator": "eq"}, {"name": "IOS", "version": "12.2SO", "operator": "eq"}, {"name": "IOS", "version": "12.3JA", "operator": "eq"}, {"name": "IOS", "version": "12.3YQ", "operator": "eq"}, {"name": "IOS", "version": "12.3YB", "operator": "eq"}, {"name": "IOS", "version": "12.3YR", "operator": "eq"}, {"name": "IOS", "version": "12.3YS", "operator": "eq"}, {"name": "IOS", "version": "12.4", "operator": "eq"}, {"name": "IOS", "version": "12.2EZ", "operator": "eq"}, {"name": "IOS", "version": "12.2SEC", "operator": "eq"}, {"name": "IOS", "version": "12.3JK", "operator": "eq"}, {"name": "IOS", "version": "12.3YU", "operator": "eq"}, {"name": "IOS", "version": "12.4MR", "operator": "eq"}, {"name": "IOS", "version": "12.4T", "operator": "eq"}, {"name": "IOS", "version": "12.3YT", "operator": "eq"}, {"name": "IOS", "version": "12.3YW", "operator": "eq"}, {"name": "IOS", "version": "12.2SXF", "operator": "eq"}, {"name": "IOS", "version": "12.2SG", "operator": "eq"}, {"name": "IOS", "version": "12.1XX", "operator": "eq"}, {"name": "IOS", "version": "12.1XY", "operator": "eq"}, {"name": "IOS", "version": "12.2FX", "operator": "eq"}, {"name": "IOS", "version": "12.2FY", "operator": "eq"}, {"name": "IOS", "version": "12.2SBC", "operator": "eq"}, {"name": "IOS", "version": "12.2SXE", "operator": "eq"}, {"name": "IOS", "version": "12.2tpc", "operator": "eq"}, {"name": "IOS", "version": "12.3JX", "operator": "eq"}, {"name": "IOS", "version": "12.3TPC", "operator": "eq"}, {"name": "IOS", "version": "12.4XB", "operator": "eq"}, {"name": "IOS", "version": "12.4XA", "operator": "eq"}, {"name": "IOS", "version": "12.3YM", "operator": "eq"}, {"name": "IOS", "version": "12.1GA", "operator": "eq"}, {"name": "IOS", "version": "12.1GB", "operator": "eq"}, {"name": "IOS", "version": "12.1XZ", "operator": "eq"}, {"name": "IOS", "version": "12.2SB", "operator": "eq"}, {"name": "IOS", "version": "12.2SRA", "operator": "eq"}, {"name": "IOS", "version": "12.2ZV", "operator": "eq"}, {"name": "IOS", "version": "12.2ZW", "operator": "eq"}, {"name": "IOS", "version": "12.2ZX", "operator": "eq"}, {"name": "IOS", "version": "12.4XC", "operator": "eq"}, {"name": "IOS", "version": "12.4XD", "operator": "eq"}, {"name": "IOS", "version": "12.4XE", "operator": "eq"}, {"name": "IOS", "version": "12.2SEF", "operator": "eq"}, {"name": "IOS", "version": "12.2SEE", "operator": "eq"}, {"name": "IOS", "version": "12.2SED", "operator": "eq"}, {"name": "IOS", "version": "12.3YZ", "operator": "eq"}, {"name": "IOS", "version": "12.0XW", "operator": "eq"}, {"name": "IOS", "version": "12.4SW", "operator": "eq"}, {"name": "IOS", "version": "12.4XG", "operator": "eq"}, {"name": "IOS", "version": "12.4XJ", "operator": "eq"}, {"name": "IOS", "version": "12.4XT", "operator": "eq"}, {"name": "IOS", "version": "12.4XP", "operator": "eq"}, {"name": "IOS", "version": "12.2SGA", "operator": "eq"}, {"name": "IOS", "version": "12.2UZ", "operator": "eq"}, {"name": "IOS", "version": "12.2VZ", "operator": "eq"}, {"name": "IOS", "version": "12.2ZR", "operator": "eq"}, {"name": "IOS", "version": "12.2ZT", "operator": "eq"}, {"name": "IOS", "version": "12.2IXA", "operator": "eq"}, {"name": "IOS", "version": "12.2IXB", "operator": "eq"}, {"name": "IOS", "version": "12.2IXC", "operator": "eq"}, {"name": "IOS", "version": "12.2IXD", "operator": "eq"}, {"name": "IOS", "version": "12.2SEG", "operator": "eq"}, {"name": "IOS", "version": "12.2ZU", "operator": "eq"}, {"name": "IOS", "version": "12.2ZY", "operator": "eq"}, {"name": "IOS", "version": "12.3JEA", "operator": "eq"}, {"name": "IOS", "version": "12.3VA", "operator": "eq"}, {"name": "IOS", "version": "12.4JA", "operator": "eq"}, {"name": "IOS", "version": "12.4MD", "operator": "eq"}, {"name": "IOS", "version": "12.4XK", "operator": "eq"}, {"name": "IOS", "version": "12.4XV", "operator": "eq"}, {"name": "IOS", "version": "12.4XW", "operator": "eq"}, {"name": "IOS", "version": "12.2SRB", "operator": "eq"}, {"name": "IOS", "version": "12.0SYA", "operator": "eq"}, {"name": "IOS", "version": "12.1XO", "operator": "eq"}, {"name": "IOS", "version": "12.1XN", "operator": "eq"}, {"name": "IOS", "version": "12.2SVC", "operator": "eq"}, {"name": "IOS", "version": "12.4JMA", "operator": "eq"}, {"name": "IOS", "version": "12.3JEB", "operator": "eq"}, {"name": "IOS", "version": "12.3JEC", "operator": "eq"}, {"name": "IOS", "version": "12.2IXE", "operator": "eq"}, {"name": "IOS", "version": "12.2FZ", "operator": "eq"}, {"name": "IOS", "version": "12.4XF", "operator": "eq"}, {"name": "IOS", "version": "12.3JL", "operator": "eq"}, {"name": "IOS", "version": "12.2SBA", "operator": "eq"}, {"name": "IOS", "version": "12.2SBB", "operator": "eq"}, {"name": "IOS", "version": "12.2SCA", "operator": "eq"}, {"name": "IOS", "version": "12.2SRC", "operator": "eq"}, {"name": "IOS", "version": "12.2SVA", "operator": "eq"}, {"name": "IOS", "version": "12.2SVD", "operator": "eq"}, {"name": "IOS", "version": "12.2SXH", "operator": "eq"}, {"name": "IOS", "version": "12.4XQ", "operator": "eq"}, {"name": "IOS", "version": "12.4XY", "operator": "eq"}, {"name": "IOS", "version": "12.4XZ", "operator": "eq"}, {"name": "IOS", "version": "12.4XL", "operator": "eq"}, {"name": "IOS", "version": "12.3ZA", "operator": "eq"}, {"name": "IOS", "version": "12.3ZB", "operator": "eq"}, {"name": "IOS", "version": "12.4XM", "operator": "eq"}, {"name": "IOS", "version": "12.4XN", "operator": "eq"}, {"name": "IOS", "version": "12.4XR", "operator": "eq"}, {"name": "IOS", "version": "12.4YA", "operator": "eq"}, {"name": "IOS", "version": "12.2IRA", "operator": "eq"}, {"name": "IOS", "version": "12.2IRB", "operator": "eq"}, {"name": "IOS", "version": "12.2IXG", "operator": "eq"}, {"name": "IOS", "version": "12.2IXF", "operator": "eq"}, {"name": "IOS", "version": "12.2SCB", "operator": "eq"}, {"name": "IOS", "version": "12.2SRD", "operator": "eq"}, {"name": "IOS", "version": "12.2STE", "operator": "eq"}, {"name": "IOS", "version": "12.2SVE", "operator": "eq"}, {"name": "IOS", "version": "12.2SXI", "operator": "eq"}, {"name": "IOS", "version": "12.2XO", "operator": "eq"}, {"name": "IOS", "version": "12.2ZYA", "operator": "eq"}, {"name": "IOS", "version": "12.4JDA", "operator": "eq"}, {"name": "IOS", "version": "12.4JL", "operator": "eq"}, {"name": "IOS", "version": "12.4JK", "operator": "eq"}, {"name": "IOS", "version": "12.4JMB", "operator": "eq"}, {"name": "IOS", "version": "12.4JX", "operator": "eq"}, {"name": "IOS", "version": "12.4JY", "operator": "eq"}, {"name": "IOS", "version": "12.2SL", "operator": "eq"}, {"name": "IOS", "version": "12.2SQ", "operator": "eq"}, {"name": "IOS", "version": "12.4JDC", "operator": "eq"}, {"name": "IOS", "version": "12.4JDD", "operator": "eq"}, {"name": "IOS", "version": "12.4YB", "operator": "eq"}, {"name": "IOS", "version": "12.4YD", "operator": "eq"}, {"name": "IOS", "version": "12.2IRC", "operator": "eq"}, {"name": "IOS", "version": "12.2ZM", "operator": "eq"}, {"name": "IOS", "version": "12.2IXH", "operator": "eq"}, {"name": "IOS", "version": "12.4MDA", "operator": "eq"}, {"name": "IOS", "version": "12.2SCC", "operator": "eq"}, {"name": "IOS", "version": "12.2SCD", "operator": "eq"}, {"name": "IOS", "version": "12.3JED", "operator": "eq"}, {"name": "IOS", "version": "12.4YG", "operator": "eq"}, {"name": "IOS", "version": "15.0M", "operator": "eq"}, {"name": "IOS", "version": "15.0XA", "operator": "eq"}, {"name": "IOS", "version": "15.1T", "operator": "eq"}, {"name": "IOS", "version": "15.1XB", "operator": "eq"}, {"name": "IOS", "version": "12.2SRE", "operator": "eq"}, {"name": "IOS", "version": "15.0XO", "operator": "eq"}, {"name": "IOS", "version": "15.0S", "operator": "eq"}, {"name": "IOS", "version": "12.2IRD", "operator": "eq"}, {"name": "IOS", "version": "12.2IRE", "operator": "eq"}, {"name": "IOS", "version": "12.2MRA", "operator": "eq"}, {"name": "IOS", "version": "12.2MRB", "operator": "eq"}, {"name": "IOS", "version": "12.2SR", "operator": "eq"}, {"name": "IOS", "version": "12.4JHA", "operator": "eq"}, {"name": "IOS", "version": "12.4M", "operator": "eq"}, {"name": "IOS", "version": "15.2S", "operator": "eq"}, {"name": "IOS", "version": "12.2SXG", "operator": "eq"}, {"name": "IOS", "version": "12.4JD", "operator": "eq"}, {"name": "IOS", "version": "15.3T", "operator": "eq"}, {"name": "IOS", "version": "12.4JDE", "operator": "eq"}, {"name": "IOS", "version": "12.2XNH", "operator": "eq"}, {"name": "IOS", "version": "15.0EY", "operator": "eq"}, {"name": "IOS", "version": "12.4MRB", "operator": "eq"}, {"name": "IOS", "version": "15.2T", "operator": "eq"}, {"name": "IOS", "version": "12.3M", "operator": "eq"}, {"name": "IOS", "version": "12.3JEE", "operator": "eq"}, {"name": "IOS", "version": "12.2WO", "operator": "eq"}, {"name": "IOS", "version": "12.3YV", "operator": "eq"}, {"name": "IOS", "version": "12.2ZZ", "operator": "eq"}, {"name": "IOS", "version": "15.1S", "operator": "eq"}, {"name": "IOS", "version": "12.2ZS", "operator": "eq"}, {"name": "IOS", "version": "12.3EU", "operator": "eq"}, {"name": "IOS", "version": "12.4MF", "operator": "eq"}, {"name": "IOS", "version": "15.1M", "operator": "eq"}, {"name": "IOS", "version": "12.2IRF", "operator": "eq"}, {"name": "IOS", "version": "12.4JMC", "operator": "eq"}, {"name": "IOS", "version": "15.0SE", "operator": "eq"}, {"name": "IOS", "version": "15.1GC", "operator": "eq"}, {"name": "IOS", "version": "15.0SY", "operator": "eq"}, {"name": "IOS", "version": "12.2SXJ", "operator": "eq"}, {"name": "IOS", "version": "12.4MX", "operator": "eq"}, {"name": "IOS", "version": "15.1SG", "operator": "eq"}, {"name": "IOS", "version": "12.1YG", "operator": "eq"}, {"name": "IOS", "version": "12.2ZQ", "operator": "eq"}, {"name": "IOS", "version": "15.0MR", "operator": "eq"}, {"name": "IOS", "version": "12.3ZC", "operator": "eq"}, {"name": "IOS", "version": "12.4JZ", "operator": "eq"}, {"name": "IOS", "version": "12.2SCF", "operator": "eq"}, {"name": "IOS", "version": "12.2SVB", "operator": "eq"}, {"name": "IOS", "version": "15.2M", "operator": "eq"}, {"name": "IOS", "version": "12.2SCE", "operator": "eq"}, {"name": "IOS", "version": "15.0SG", "operator": "eq"}, {"name": "IOS", "version": "12.4MDB", "operator": "eq"}, {"name": "IOS", "version": "12.3TO", "operator": "eq"}, {"name": "IOS", "version": "12.4TST", "operator": "eq"}, {"name": "IOS", "version": "12.2IRG", "operator": "eq"}, {"name": "IOS", "version": "12.4JHC", "operator": "eq"}, {"name": "IOS", "version": "15.0EX", "operator": "eq"}, {"name": "IOS", "version": "15.2GC", "operator": "eq"}, {"name": "IOS", "version": "12.4JAX", "operator": "eq"}, {"name": "IOS", "version": "12.2SCG", "operator": "eq"}, {"name": "IOS", "version": "15.1MWR", "operator": "eq"}, {"name": "IOS", "version": "12.4MDC", "operator": "eq"}, {"name": "IOS", "version": "12.2IRH", "operator": "eq"}, {"name": "IOS", "version": "15.1SY", "operator": "eq"}, {"name": "IOS", "version": "15.3S", "operator": "eq"}, {"name": "IOS", "version": "15.2SB", "operator": "eq"}, {"name": "IOS", "version": "15.1SVA", "operator": "eq"}, {"name": "IOS", "version": "15.4T", "operator": "eq"}, {"name": "IOS", "version": "12.4JAZ", "operator": "eq"}, {"name": "IOS", "version": "12.4JB", "operator": "eq"}, {"name": "IOS", "version": "12.2SCH", "operator": "eq"}, {"name": "IOS", "version": "12.4JAL", "operator": "eq"}, {"name": "IOS", "version": "12.4JAM", "operator": "eq"}, {"name": "IOS", "version": "12.4JAN", "operator": "eq"}, {"name": "IOS", "version": "15.2JA", "operator": "eq"}, {"name": "IOS", "version": "15.2E", "operator": "eq"}, {"name": "IOS", "version": "15.0EW", "operator": "eq"}, {"name": "IOS", "version": "15.1MRA", "operator": "eq"}, {"name": "IOS", "version": "15.1SVB", "operator": "eq"}, {"name": "IOS", "version": "15.0ED", "operator": "eq"}, {"name": "IOS", "version": "15.2JB", "operator": "eq"}, {"name": "IOS", "version": "15.4S", "operator": "eq"}, {"name": "IOS", "version": "15.2JAX", "operator": "eq"}, {"name": "IOS", "version": "15.3M", "operator": "eq"}, {"name": "IOS", "version": "15.1SVC", "operator": "eq"}, {"name": "IOS", "version": "15.2JN", "operator": "eq"}, {"name": "IOS", "version": "15.2GCA", "operator": "eq"}, {"name": "IOS", "version": "15.0EZ", "operator": "eq"}, {"name": "IOS", "version": "15.2SC", "operator": "eq"}, {"name": "IOS", "version": "12.4YS", "operator": "eq"}, {"name": "IOS", "version": "15.0EF", "operator": "eq"}, {"name": "IOS", "version": "15.0EG", "operator": "eq"}, {"name": "IOS", "version": "15.1SVD", "operator": "eq"}, {"name": "IOS", "version": "15.2EY", "operator": "eq"}, {"name": "IOS", "version": "15.0EJ", "operator": "eq"}, {"name": "IOS", "version": "15.0EH", "operator": "eq"}, {"name": "IOS", "version": "15.2EZ", "operator": "eq"}, {"name": "IOS", "version": "15.2SY", "operator": "eq"}, {"name": "IOS", "version": "15.1SVF", "operator": "eq"}, {"name": "IOS", "version": "15.1SVE", "operator": "eq"}, {"name": "IOS", "version": "15.4M", "operator": "eq"}, {"name": "IOS", "version": "15.2SD", "operator": "eq"}, {"name": "IOS", "version": "12.4JAO", "operator": "eq"}, {"name": "IOS", "version": "15.2JAZ", "operator": "eq"}, {"name": "IOS", "version": "15.0EK", "operator": "eq"}, {"name": "IOS", "version": "15.3XB", "operator": "eq"}, {"name": "IOS", "version": "15.4CG", "operator": "eq"}, {"name": "IOS", "version": "15.5S", "operator": "eq"}, {"name": "IOS", "version": "15.1SVG", "operator": "eq"}, {"name": "IOS", "version": "15.2EB", "operator": "eq"}, {"name": "IOS", "version": "15.5T", "operator": "eq"}, {"name": "IOS", "version": "15.2EA", "operator": "eq"}, {"name": "IOS", "version": "15.4SN", "operator": "eq"}, {"name": "IOS", "version": "15.3JN", "operator": "eq"}, {"name": "IOS", "version": "15.1SVH", "operator": "eq"}, {"name": "IOS", "version": "12.2SCI", "operator": "eq"}, {"name": "IOS", "version": "12.4JAP", "operator": "eq"}, {"name": "IOS", "version": "15.3JA", "operator": "eq"}, {"name": "IOS", "version": "15.3JAA", "operator": "eq"}, {"name": "IOS", "version": "15.3JAB", "operator": "eq"}, {"name": "IOS", "version": "15.3JB", "operator": "eq"}, {"name": "IOS", "version": "15.5SN", "operator": "eq"}, {"name": "IOS", "version": "15.0SQD", "operator": "eq"}, {"name": "IOS", "version": "15.6S", "operator": "eq"}, {"name": "IOS", "version": "15.1SVI", "operator": "eq"}, {"name": "IOS", "version": "15.6T", "operator": "eq"}, {"name": "IOS", "version": "15.3JNB", "operator": "eq"}, {"name": "IOS", "version": "15.3JAX", "operator": "eq"}, {"name": "IOS", "version": "15.3JBB", "operator": "eq"}, {"name": "IOS", "version": "15.3JC", "operator": "eq"}, {"name": "Cisco Emergency Responder", "version": "any", "operator": "eq"}, {"name": "Cisco IOS XR Software", "version": "any", "operator": "eq"}, {"name": "Cisco NAC Appliance Software", "version": "any", "operator": "eq"}, {"name": "Intrusion Prevention System (IPS)", "version": "any", "operator": "eq"}, {"name": "Cisco Unified Presence Server", "version": "any", "operator": "eq"}, {"name": "Cisco ACE Application Control Engine Module", "version": "any", "operator": "eq"}, {"name": "Cisco Wide Area Application Services (WAAS)", "version": "any", "operator": "eq"}, {"name": "Cisco Unified Contact Center Enterprise", "version": "any", "operator": "eq"}, {"name": "Cisco IP Interoperability and Collaboration System (IPICS)", "version": "any", "operator": "eq"}, {"name": "Cisco Service Control Engine (SCE)", "version": "any", "operator": "eq"}, {"name": "Cisco Unity Connection", "version": "any", "operator": "eq"}, {"name": "Cisco TelePresence", "version": "any", "operator": "eq"}, {"name": "Cisco NX-OS Software", "version": "any", "operator": "eq"}, {"name": "Cisco ACE 4700 Series Application Control Engine Appliances", "version": "any", "operator": "eq"}, {"name": "Cisco Unified Communications Manager", "version": "any", "operator": "eq"}, {"name": "Cisco Application Networking Manager (ANM)", "version": "any", "operator": "eq"}, {"name": "Cisco Unified Provisioning Manager", "version": "any", "operator": "eq"}, {"name": "Cisco Physical Access Gateway", "version": "any", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.4S", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.1SG", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.2SG", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.5S", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.6S", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.7S", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.2XO", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.3SG", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.8S", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.9S", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.2SE", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.3SE", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.3XO", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.4SG", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.5E", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.10S", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.11S", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.12S", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.13S", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.6E", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.14S", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.15S", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.3SQ", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.4SQ", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "3.7E", "operator": "eq"}, {"name": "Cisco IOS XE Software", "version": "any", "operator": "eq"}, {"name": "Cisco Video Surveillance Media Server Software", "version": "any", "operator": "eq"}, {"name": "Cisco Digital Media Manager Software", "version": "any", "operator": "eq"}, {"name": "Cisco IP Interoperability and Communications System (IPICS)", "version": "any", "operator": "eq"}, {"name": "Cisco Network Analysis Module (NAM) Software", "version": "any", "operator": "eq"}, {"name": "Cisco IronPort Encryption Appliance", "version": "any", "operator": "eq"}, {"name": "Cisco Network Admission Control Guest Server", "version": "any", "operator": "eq"}, {"name": "Cisco Telepresence MXP Series Endpoints", "version": "any", "operator": "eq"}, {"name": "Cisco Show and Share", "version": "any", "operator": "eq"}, {"name": "Cisco Identity Services Engine Software", "version": "any", "operator": "eq"}, {"name": "Cisco TelePresence Video Communication Server (VCS)", "version": "any", "operator": "eq"}, {"name": "Cisco MDS 9000 NX-OS Software", "version": "any", "operator": "eq"}, {"name": "Cisco Virtual Security Gateway for Nexus 1000V Series Switches", "version": "any", "operator": "eq"}, {"name": "Cisco TelePresence Manager", "version": "any", "operator": "eq"}, {"name": "Cisco ASA CX Context-Aware Security Software", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Security Manager (PRSM)", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Data Center Network Manager (DCNM)", "version": "any", "operator": "eq"}, {"name": "Cisco Prime LAN Management Solution (LMS)", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Collaboration", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Infrastructure", "version": "any", "operator": "eq"}, {"name": "Cisco Connected Grid Network Management System (CG-NMS)", "version": "any", "operator": "eq"}, {"name": "Cisco WebEx Meetings Server", "version": "any", "operator": "eq"}, {"name": "Cisco WebEx Node for MCS", "version": "any", "operator": "eq"}, {"name": "Cisco Unified Computing System Central Software", "version": "any", "operator": "eq"}, {"name": "Cisco Enterprise Content Delivery System (ECDS)", "version": "any", "operator": "eq"}, {"name": "Cisco TelePresence TC Software", "version": "any", "operator": "eq"}, {"name": "Cisco TelePresence TE Software", "version": "any", "operator": "eq"}, {"name": "Cisco Virtualization Experience Client 6000 Series Firmware", "version": "any", "operator": "eq"}, {"name": "Cisco Finesse", "version": "any", "operator": "eq"}, {"name": "Cisco SocialMiner", "version": "any", "operator": "eq"}, {"name": "Cisco MediaSense", "version": "any", "operator": "eq"}, {"name": "Cisco Unified SIP Proxy", "version": "any", "operator": "eq"}, {"name": "Cisco MXE 3500 (Media Experience Engine)", "version": "any", "operator": "eq"}, {"name": "Cisco Unified Computing System Director", "version": "any", "operator": "eq"}, {"name": "Cisco Digital Content Manager (DCM) Software", "version": "any", "operator": "eq"}, {"name": "Cisco Unified Intelligence Center", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Service Catalog", "version": "any", "operator": "eq"}, {"name": "Cisco Nexus 1000V Switch", "version": "any", "operator": "eq"}, {"name": "Cisco Application Policy Infrastructure Controller (APIC)", "version": "any", "operator": "eq"}, {"name": "Cisco Expressway", "version": "any", "operator": "eq"}, {"name": "Cisco Edge 300 Series", "version": "any", "operator": "eq"}, {"name": "Cisco Jabber Guest", "version": "any", "operator": "eq"}, {"name": "Cisco Visual Quality Experience", "version": "any", "operator": "eq"}, {"name": "Cisco Unified Computing System (Management Software)", "version": "any", "operator": "eq"}, {"name": "Cisco Prime License Manager", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Collaboration Deployment", "version": "any", "operator": "eq"}, {"name": "Cisco TelePresence ISDN Link", "version": "any", "operator": "eq"}, {"name": "Cisco Telepresence Conductor", "version": "any", "operator": "eq"}, {"name": "Cisco Modular Encoding Platform D9036", "version": "any", "operator": "eq"}, {"name": "Cisco FireSIGHT System Software", "version": "any", "operator": "eq"}, {"name": "Cisco Videoscape Policy Resource Manager", "version": "any", "operator": "eq"}, {"name": "Cisco Prime Collaboration Assurance", "version": "any", "operator": "eq"}, {"name": "Cisco Virtual Topology System (VTS)", "version": "any", "operator": "eq"}, {"name": "Cisco Nexus 3000 Series Switch", "version": "any", "operator": "eq"}, {"name": "Cisco Policy Suite (CPS) Software", "version": "any", "operator": "eq"}, {"name": "Cisco Hosted Collaboration Mediation Fulfillment", "version": "any", "operator": "eq"}, {"name": "Cisco Cloud Services Platform 2100", "version": "any", "operator": "eq"}], "cvelist": ["CVE-2015-7973", "CVE-2015-7974", "CVE-2015-7975", "CVE-2015-7976", "CVE-2015-7977", "CVE-2015-7978", "CVE-2015-7979", "CVE-2015-8138", "CVE-2015-8139", "CVE-2015-8140", "CVE-2015-8158"], "_object_type": "robots.models.cisco.CiscoBulletin", "modified": "2016-03-07T14:02:40", "id": "CISCO-SA-20160127-NTPD", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "slackware": [{"lastseen": "2018-08-31T00:36:47", "references": [], "affectedPackage": [{"OS": "Slackware", "OSVersion": "13.37", "packageVersion": "4.2.8p6", "arch": "i486", "packageFilename": "ntp-4.2.8p6-i486-1_slack13.37.txz", "packageName": "ntp", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.0", "packageVersion": "4.2.8p6", "arch": "i486", "packageFilename": "ntp-4.2.8p6-i486-1_slack13.0.txz", "packageName": "ntp", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.1", "packageVersion": "4.2.8p6", "arch": "i486", "packageFilename": "ntp-4.2.8p6-i486-1_slack14.1.txz", "packageName": "ntp", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.0", "packageVersion": "4.2.8p6", "arch": "x86_64", "packageFilename": "ntp-4.2.8p6-x86_64-1_slack14.0.txz", "packageName": "ntp", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.37", "packageVersion": "4.2.8p6", "arch": "x86_64", "packageFilename": "ntp-4.2.8p6-x86_64-1_slack13.37.txz", "packageName": "ntp", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.0", "packageVersion": "4.2.8p6", "arch": "i486", "packageFilename": "ntp-4.2.8p6-i486-1_slack14.0.txz", "packageName": "ntp", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.1", "packageVersion": "4.2.8p6", "arch": "x86_64", "packageFilename": "ntp-4.2.8p6-x86_64-1_slack14.1.txz", "packageName": "ntp", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.1", "packageVersion": "4.2.8p6", "arch": "x86_64", "packageFilename": "ntp-4.2.8p6-x86_64-1_slack13.1.txz", "packageName": "ntp", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.0", "packageVersion": "4.2.8p6", "arch": "x86_64", "packageFilename": "ntp-4.2.8p6-x86_64-1_slack13.0.txz", "packageName": "ntp", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "13.1", "packageVersion": "4.2.8p6", "arch": "i486", "packageFilename": "ntp-4.2.8p6-i486-1_slack13.1.txz", "packageName": "ntp", "operator": "lt"}], "description": "New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\nand -current to fix security issues.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/ntp-4.2.8p6-i486-1_slack14.1.txz: Upgraded.\n In addition to bug fixes and enhancements, this release fixes\n several low and medium severity vulnerabilities.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the &quot;Get Slack&quot; section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/ntp-4.2.8p6-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/ntp-4.2.8p6-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/ntp-4.2.8p6-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/ntp-4.2.8p6-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/ntp-4.2.8p6-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/ntp-4.2.8p6-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/ntp-4.2.8p6-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/ntp-4.2.8p6-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/ntp-4.2.8p6-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/ntp-4.2.8p6-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/ntp-4.2.8p6-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/ntp-4.2.8p6-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 13.0 package:\n31365ae4f12849e65d4ad1c8c7d5f89a ntp-4.2.8p6-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\n5a2d24bdacd8dd05ab9e0613c829212b ntp-4.2.8p6-x86_64-1_slack13.0.txz\n\nSlackware 13.1 package:\ne70f7422bc81c144e6fac1df2c202634 ntp-4.2.8p6-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 package:\nf6637f6d24b94a6b17c68467956a6283 ntp-4.2.8p6-x86_64-1_slack13.1.txz\n\nSlackware 13.37 package:\n82601e105f95e324dfd1e2f0df513673 ntp-4.2.8p6-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 package:\nd3ba32d46f7eef8f75a3444bbee4c677 ntp-4.2.8p6-x86_64-1_slack13.37.txz\n\nSlackware 14.0 package:\nc5ff13e58fbbea0b7a677e947449e7b1 ntp-4.2.8p6-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n9e2abfaf0b0b7bf84a8a4db89f60eff6 ntp-4.2.8p6-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\ne1e6b84808b7562314e0e29479153553 ntp-4.2.8p6-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\n8db0a4ca68805c7f5e487d5bcd69d098 ntp-4.2.8p6-x86_64-1_slack14.1.txz\n\nSlackware -current package:\nf96f443f54a74c20b5eb67467f5958ea n/ntp-4.2.8p6-i586-1.txz\n\nSlackware x86_64 -current package:\n5e256f2e1906b4c75047a966996a7a41 n/ntp-4.2.8p6-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg ntp-4.2.8p6-i486-1_slack14.1.txz\n\nThen, restart the NTP daemon:\n\n > sh /etc/rc.d/rc.ntpd restart", "edition": 3, "reporter": "Slackware Linux Project", "published": "2016-02-23T11:51:20", "title": "ntp", "type": "slackware", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-7975", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2016-02-23T11:51:20", "id": "SSA-2016-054-04", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.546478", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "debian": [{"lastseen": "2017-10-05T13:14:19", "references": [], "affectedPackage": [{"OS": "Debian GNU/Linux", "OSVersion": "8", "packageVersion": "1:4.2.6.p5+dfsg-7+deb8u2", "arch": "all", "packageFilename": "ntpdate_1:4.2.6.p5+dfsg-7+deb8u2_all.deb", "packageName": "ntpdate", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "8", "packageVersion": "1:4.2.6.p5+dfsg-7+deb8u2", "arch": "all", "packageFilename": "ntp_1:4.2.6.p5+dfsg-7+deb8u2_all.deb", "packageName": "ntp", "operator": "lt"}, {"OS": "Debian GNU/Linux", "OSVersion": "8", "packageVersion": "1:4.2.6.p5+dfsg-7+deb8u2", "arch": "all", "packageFilename": "ntp-doc_1:4.2.6.p5+dfsg-7+deb8u2_all.deb", "packageName": "ntp-doc", "operator": "lt"}], "edition": 2, "description": "Several vulnerabilities were discovered in the Network Time Protocol daemon and utility programs:\n\n * [CVE-2015-7974](<https://security-tracker.debian.org/tracker/CVE-2015-7974>)\n\nMatt Street discovered that insufficient key validation allows impersonation attacks between authenticated peers.\n\n * [CVE-2015-7977](<https://security-tracker.debian.org/tracker/CVE-2015-7977>) [CVE-2015-7978](<https://security-tracker.debian.org/tracker/CVE-2015-7978>)\n\nStephen Gray discovered that a NULL pointer dereference and a buffer overflow in the handling of ntpdc reslist commands may result in denial of service.\n\n * [CVE-2015-7979](<https://security-tracker.debian.org/tracker/CVE-2015-7979>)\n\nAanchal Malhotra discovered that if NTP is configured for broadcast mode, an attacker can send malformed authentication packets which break associations with the server for other broadcast clients.\n\n * [CVE-2015-8138](<https://security-tracker.debian.org/tracker/CVE-2015-8138>)\n\nMatthew van Gundy and Jonathan Gardner discovered that missing validation of origin timestamps in ntpd clients may result in denial of service.\n\n * [CVE-2015-8158](<https://security-tracker.debian.org/tracker/CVE-2015-8158>)\n\nJonathan Gardner discovered that missing input sanitising in ntpq may result in denial of service.\n\n * [CVE-2016-1547](<https://security-tracker.debian.org/tracker/CVE-2016-1547>)\n\nStephen Gray and Matthew van Gundy discovered that incorrect handling of crypto NAK packets may result in denial of service.\n\n * [CVE-2016-1548](<https://security-tracker.debian.org/tracker/CVE-2016-1548>)\n\nJonathan Gardner and Miroslav Lichvar discovered that ntpd clients could be forced to change from basic client/server mode to interleaved symmetric mode, preventing time synchronisation.\n\n * [CVE-2016-1550](<https://security-tracker.debian.org/tracker/CVE-2016-1550>)\n\nMatthew van Gundy, Stephen Gray and Loganaden Velvindron discovered that timing leaks in the packet authentication code could result in recovery of a message digest.\n\n * [CVE-2016-2516](<https://security-tracker.debian.org/tracker/CVE-2016-2516>)\n\nYihan Lian discovered that duplicate IPs on unconfig directives will trigger an assert.\n\n * [CVE-2016-2518](<https://security-tracker.debian.org/tracker/CVE-2016-2518>)\n\nYihan Lian discovered that an OOB memory access could potentially crash ntpd.\n\nFor the stable distribution (jessie), these problems have been fixed in version 1:4.2.6.p5+dfsg-7+deb8u2.\n\nFor the testing distribution (stretch), these problems have been fixed in version 1:4.2.8p7+dfsg-1.\n\nFor the unstable distribution (sid), these problems have been fixed in version 1:4.2.8p7+dfsg-1.\n\nWe recommend that you upgrade your ntp packages.", "reporter": "Debian", "published": "2016-07-25T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "type": "debian", "title": "ntp -- security update", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-8138", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7979", "CVE-2016-1547", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2016-07-25T00:00:00", "id": "DSA-3629", "href": "http://www.debian.org/security/dsa-3629", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "oraclelinux": [{"lastseen": "2018-08-31T01:48:38", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "i686", "packageFilename": "ntpdate-4.2.6p5-10.el6.i686.rpm", "packageName": "ntpdate", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "x86_64", "packageFilename": "ntp-4.2.6p5-10.el6.x86_64.rpm", "packageName": "ntp", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "noarch", "packageFilename": "ntp-doc-4.2.6p5-10.el6.noarch.rpm", "packageName": "ntp-doc", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "noarch", "packageFilename": "ntp-doc-4.2.6p5-10.el6.noarch.rpm", "packageName": "ntp-doc", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "x86_64", "packageFilename": "ntpdate-4.2.6p5-10.el6.x86_64.rpm", "packageName": "ntpdate", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "i686", "packageFilename": "ntp-4.2.6p5-10.el6.i686.rpm", "packageName": "ntp", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "i686", "packageFilename": "ntp-perl-4.2.6p5-10.el6.i686.rpm", "packageName": "ntp-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "x86_64", "packageFilename": "ntp-perl-4.2.6p5-10.el6.x86_64.rpm", "packageName": "ntp-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "src", "packageFilename": "ntp-4.2.6p5-10.el6.src.rpm", "packageName": "ntp", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "6", "packageVersion": "4.2.6p5-10.el6", "arch": "src", "packageFilename": "ntp-4.2.6p5-10.el6.src.rpm", "packageName": "ntp", "operator": "lt"}], "description": "[4.2.6p5-10]\n- don't accept server/peer packets with zero origin timestamp (CVE-2015-8138)\n- fix crash with reslist command (CVE-2015-7977, CVE-2015-7978)\n[4.2.6p5-9]\n- fix crash with invalid logconfig command (CVE-2015-5194)\n- fix crash when referencing disabled statistic type (CVE-2015-5195)\n- don't hang in sntp with crafted reply (CVE-2015-5219)\n- don't crash with crafted autokey packet (CVE-2015-7691, CVE-2015-7692,\n CVE-2015-7702)\n- fix memory leak with autokey (CVE-2015-7701)\n- don't allow setting driftfile and pidfile remotely (CVE-2015-7703)\n- don't crash in ntpq with crafted packet (CVE-2015-7852)\n- add option to set Differentiated Services Code Point (DSCP) (#1228314)\n- extend rawstats log (#1242895)\n- fix resetting of leap status (#1243034)\n- report clock state changes related to leap seconds (#1242937)\n- allow -4/-6 on restrict lines with mask (#1232146)\n- retry joining multicast groups (#1288534)\n- explain synchronised state in ntpstat man page (#1286969)\n[4.2.6p5-7]\n- check origin timestamp before accepting KoD RATE packet (CVE-2015-7704)\n- allow only one step larger than panic threshold with -g (CVE-2015-5300)", "edition": 5, "reporter": "Oracle", "published": "2016-05-12T00:00:00", "title": "ntp security and bug fix update", "type": "oraclelinux", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2015-7703", "CVE-2015-8138", "CVE-2015-7977", "CVE-2015-5219", "CVE-2015-7704", "CVE-2015-7701", "CVE-2015-7692", "CVE-2015-7702", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7691", "CVE-2015-5300", "CVE-2015-5195", "CVE-2015-7978"], "modified": "2016-05-12T00:00:00", "id": "ELSA-2016-0780", "href": "http://linux.oracle.com/errata/ELSA-2016-0780.html", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T01:41:05", "references": [], "affectedPackage": [{"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "4.2.6p5-25.0.1.el7", "arch": "x86_64", "packageFilename": "ntpdate-4.2.6p5-25.0.1.el7.x86_64.rpm", "packageName": "ntpdate", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "4.2.6p5-25.0.1.el7", "arch": "src", "packageFilename": "ntp-4.2.6p5-25.0.1.el7.src.rpm", "packageName": "ntp", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "4.2.6p5-25.0.1.el7", "arch": "x86_64", "packageFilename": "sntp-4.2.6p5-25.0.1.el7.x86_64.rpm", "packageName": "sntp", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "4.2.6p5-25.0.1.el7", "arch": "noarch", "packageFilename": "ntp-doc-4.2.6p5-25.0.1.el7.noarch.rpm", "packageName": "ntp-doc", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "4.2.6p5-25.0.1.el7", "arch": "noarch", "packageFilename": "ntp-perl-4.2.6p5-25.0.1.el7.noarch.rpm", "packageName": "ntp-perl", "operator": "lt"}, {"OS": "Oracle Linux", "OSVersion": "7", "packageVersion": "4.2.6p5-25.0.1.el7", "arch": "x86_64", "packageFilename": "ntp-4.2.6p5-25.0.1.el7.x86_64.rpm", "packageName": "ntp", "operator": "lt"}], "description": "[4.2.6p5-25.0.1]\n- add disable monitor to default ntp.conf [CVE-2013-5211]\n[4.2.6p5-25]\n- don't allow spoofed packet to enable symmetric interleaved mode\n (CVE-2016-1548)\n- check mode of new source in config command (CVE-2016-2518)\n- make MAC check resilient against timing attack (CVE-2016-1550)\n[4.2.6p5-24]\n- fix crash with invalid logconfig command (CVE-2015-5194)\n- fix crash when referencing disabled statistic type (CVE-2015-5195)\n- don't hang in sntp with crafted reply (CVE-2015-5219)\n- don't crash with crafted autokey packet (CVE-2015-7691, CVE-2015-7692,\n CVE-2015-7702)\n- fix memory leak with autokey (CVE-2015-7701)\n- don't allow setting driftfile and pidfile remotely (CVE-2015-7703)\n- don't crash in ntpq with crafted packet (CVE-2015-7852)\n- check key ID in packets authenticated with symmetric key (CVE-2015-7974)\n- fix crash with reslist command (CVE-2015-7977, CVE-2015-7978)\n- don't allow spoofed packets to demobilize associations (CVE-2015-7979,\n CVE-2016-1547)\n- don't accept server/peer packets with zero origin timestamp (CVE-2015-8138)\n- fix infinite loop in ntpq/ntpdc (CVE-2015-8158)\n- fix resetting of leap status (#1242553)\n- extend rawstats log (#1242877)\n- report clock state changes related to leap seconds (#1242935)\n- allow -4/-6 on restrict lines with mask (#1304492)\n- explain synchronised state in ntpstat man page (#1309594)", "edition": 4, "reporter": "Oracle", "published": "2016-11-09T00:00:00", "title": "ntp security and bug fix update", "type": "oraclelinux", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "bulletinFamily": "unix", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-7703", "CVE-2015-8138", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2015-5219", "CVE-2013-5211", "CVE-2015-7979", "CVE-2015-7701", "CVE-2015-7692", "CVE-2016-1547", "CVE-2015-7702", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7691", "CVE-2015-5196", "CVE-2015-5195", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2016-11-09T00:00:00", "id": "ELSA-2016-2583", "href": "http://linux.oracle.com/errata/ELSA-2016-2583.html", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}}], "cloudfoundry": [{"lastseen": "2018-09-07T03:26:09", "references": [], "description": "USN-3096-1 NTP vulnerabilities\n\n# \n\nMedium\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\nCanonical Ubuntu 14.04 LTS\n\n# Description\n\nAanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to perform a replay attack. (CVE-2015-7973)\n\nMatt Street discovered that NTP incorrectly verified peer associations of symmetric keys. A remote attacker could use this issue to perform an impersonation attack. (CVE-2015-7974)\n\nJonathan Gardner discovered that the NTP ntpq utility incorrectly handled dangerous characters in filenames. An attacker could possibly use this issue to overwrite arbitrary files. (CVE-2015-7976)\n\nStephen Gray discovered that NTP incorrectly handled large restrict lists. An attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7977, CVE-2015-7978)\n\nAanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7979)\n\nJonathan Gardner discovered that NTP incorrectly handled origin timestamp checks. A remote attacker could use this issue to spoof peer servers. (CVE-2015-8138)\n\nJonathan Gardner discovered that the NTP ntpq utility did not properly handle certain incorrect values. An attacker could possibly use this issue to cause ntpq to hang, resulting in a denial of service. (CVE-2015-8158)\n\nIt was discovered that the NTP cronjob incorrectly cleaned up the statistics directory. A local attacker could possibly use this to escalate privileges. (CVE-2016-0727)\n\nStephen Gray and Matthew Van Gundy discovered that NTP incorrectly validated crypto-NAKs. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1547)\n\nMiroslav Lichvar and Jonathan Gardner discovered that NTP incorrectly handled switching to interleaved symmetric mode. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1548)\n\nMatthew Van Gundy, Stephen Gray and Loganaden Velvindron discovered that NTP incorrectly handled message authentication. A remote attacker could possibly use this issue to recover the message digest key. (CVE-2016-1550)\n\nYihan Lian discovered that NTP incorrectly handled duplicate IPs on unconfig directives. An authenticated remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2516)\n\nYihan Lian discovered that NTP incorrectly handled certain peer associations. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2518)\n\nJakub Prokes discovered that NTP incorrectly handled certain spoofed packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4954)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain packets when autokey is enabled. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4955)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain spoofed broadcast packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4956)\n\nIn the default installation, attackers would be isolated by the NTP AppArmor profile.\n\n# Affected Cloud Foundry Products and Versions\n\nSeverity is medium unless otherwise noted.\n\nCloud Foundry BOSH stemcells are vulnerable, including:\n\n * All versions prior to 3146.24\n * 3151.x versions prior to 3151.2\n * 3232.x versions prior to 3232.22\n * 3233.x versions prior to 3233.2\n * 3262.x versions prior to 3262.21\n * Other versions prior to 3263.7\n\n# Mitigation\n\nThe Cloud Foundry team recommends upgrading to the following BOSH stemcells:\n\n * Upgrade all versions prior to 3146.x to 3146.24\n * Upgrade 3151.x versions to 3151.2\n * Upgrade 3232.x versions to 3232.22\n * Upgrade 3233.x versions to 3233.2\n * Upgrade 3262.x versions to 3262.21\n * Upgrade other versions to 3263.7\n\n# Credit\n\nMatt Street, Aanchal Malhotra, Jonathan Gardner, Matthew Van Gundy, Stephen Gray, Loganaden Velvindron, Yihan Lian, Jakub Prokes, Miroslav Lichvar\n\n# References\n\n * <https://www.ubuntu.com/usn/usn-3096-1/>\n", "edition": 4, "reporter": "Cloud Foundry", "published": "2016-12-21T00:00:00", "title": "USN-3096-1: NTP vulnerabilities | Cloud Foundry", "type": "cloudfoundry", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2016-4956", "CVE-2016-4955", "CVE-2015-8138", "CVE-2016-0727", "CVE-2015-7973", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7979", "CVE-2016-4954", "CVE-2015-7976", "CVE-2016-1547", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2016-12-21T00:00:00", "id": "CFOUNDRY:0B67E4FF46553AC705FD601C96C1A6B6", "href": "https://www.cloudfoundry.org/blog/usn-3096-1/", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "ubuntu": [{"lastseen": "2018-08-31T00:09:38", "references": ["https://people.canonical.com/~ubuntu-security/cve/CVE-2016-2516", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-8138", "https://people.canonical.com/~ubuntu-security/cve/CVE-2016-4956", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-7979", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-7974", "https://people.canonical.com/~ubuntu-security/cve/CVE-2016-4955", "https://people.canonical.com/~ubuntu-security/cve/CVE-2016-1547", "https://people.canonical.com/~ubuntu-security/cve/CVE-2016-2518", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-8158", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-7975", "https://people.canonical.com/~ubuntu-security/cve/CVE-2016-4954", "https://people.canonical.com/~ubuntu-security/cve/CVE-2016-1550", "https://people.canonical.com/~ubuntu-security/cve/CVE-2016-0727", "https://people.canonical.com/~ubuntu-security/cve/CVE-2016-1548", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-7973", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-7976", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-7978", "https://people.canonical.com/~ubuntu-security/cve/CVE-2015-7977"], "affectedPackage": [{"OS": "Ubuntu", "OSVersion": "14.04", "packageVersion": "1:4.2.6.p5+dfsg-3ubuntu2.14.04.10", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "ntp", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "12.04", "packageVersion": "1:4.2.6.p3+dfsg-1ubuntu3.11", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "ntp", "operator": "lt"}, {"OS": "Ubuntu", "OSVersion": "16.04", "packageVersion": "1:4.2.8p4+dfsg-3ubuntu5.3", "arch": "noarch", "packageFilename": "UNKNOWN", "packageName": "ntp", "operator": "lt"}], "description": "Aanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to perform a replay attack. (CVE-2015-7973)\n\nMatt Street discovered that NTP incorrectly verified peer associations of symmetric keys. A remote attacker could use this issue to perform an impersonation attack. (CVE-2015-7974)\n\nJonathan Gardner discovered that the NTP ntpq utility incorrectly handled memory. An attacker could possibly use this issue to cause ntpq to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2015-7975)\n\nJonathan Gardner discovered that the NTP ntpq utility incorrectly handled dangerous characters in filenames. An attacker could possibly use this issue to overwrite arbitrary files. (CVE-2015-7976)\n\nStephen Gray discovered that NTP incorrectly handled large restrict lists. An attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7977, CVE-2015-7978)\n\nAanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7979)\n\nJonathan Gardner discovered that NTP incorrectly handled origin timestamp checks. A remote attacker could use this issue to spoof peer servers. (CVE-2015-8138)\n\nJonathan Gardner discovered that the NTP ntpq utility did not properly handle certain incorrect values. An attacker could possibly use this issue to cause ntpq to hang, resulting in a denial of service. (CVE-2015-8158)\n\nIt was discovered that the NTP cronjob incorrectly cleaned up the statistics directory. A local attacker could possibly use this to escalate privileges. (CVE-2016-0727)\n\nStephen Gray and Matthew Van Gundy discovered that NTP incorrectly validated crypto-NAKs. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1547)\n\nMiroslav Lichvar and Jonathan Gardner discovered that NTP incorrectly handled switching to interleaved symmetric mode. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1548)\n\nMatthew Van Gundy, Stephen Gray and Loganaden Velvindron discovered that NTP incorrectly handled message authentication. A remote attacker could possibly use this issue to recover the message digest key. (CVE-2016-1550)\n\nYihan Lian discovered that NTP incorrectly handled duplicate IPs on unconfig directives. An authenticated remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2516)\n\nYihan Lian discovered that NTP incorrectly handled certail peer associations. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2518)\n\nJakub Prokes discovered that NTP incorrectly handled certain spoofed packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4954)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain packets when autokey is enabled. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4955)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain spoofed broadcast packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4956)\n\nIn the default installation, attackers would be isolated by the NTP AppArmor profile.", "edition": 3, "reporter": "Ubuntu", "published": "2016-10-05T00:00:00", "title": "NTP vulnerabilities", "type": "ubuntu", "enchantments": {"score": {"vector": "NONE", "value": 7.2}}, "bulletinFamily": "unix", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2016-4956", "CVE-2016-4955", "CVE-2015-8138", "CVE-2016-0727", "CVE-2015-7973", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7979", "CVE-2016-4954", "CVE-2015-7976", "CVE-2015-7975", "CVE-2016-1547", "CVE-2015-7974", "CVE-2015-7978"], "modified": "2016-10-05T00:00:00", "id": "USN-3096-1", "href": "https://usn.ubuntu.com/3096-1/", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2018-09-05T16:46:03", "references": ["http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2519", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2518", "http://cwe.mitre.org/data/definitions/821.html", "http://cwe.mitre.org/data/definitions/821.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8138", "http://cwe.mitre.org/data/definitions/200.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2516", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7975", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1548", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8139", "http://cwe.mitre.org/data/definitions/476.html", "http://support.ntp.org/bin/view/Main/NtpBug2948", "http://support.ntp.org/bin/view/Main/NtpBug2946", "http://support.ntp.org/bin/view/Main/NtpBug2947", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2517", "http://cwe.mitre.org/data/definitions/294.html", "http://cwe.mitre.org/data/definitions/294.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1549", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1551", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8158", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8140", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7979", "http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit", "http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit", "http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit", "http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security", "http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security", "http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7977", "http://cwe.mitre.org/data/definitions/119.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7704", "http://cwe.mitre.org/data/definitions/290.html", "http://cwe.mitre.org/data/definitions/290.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1550", "http://cwe.mitre.org/data/definitions/125.html", "http://cwe.mitre.org/data/definitions/20.html", "http://cwe.mitre.org/data/definitions/20.html", "http://cwe.mitre.org/data/definitions/20.html", "http://cwe.mitre.org/data/definitions/20.html", "http://cwe.mitre.org/data/definitions/20.html", "http://cwe.mitre.org/data/definitions/20.html", "http://cwe.mitre.org/data/definitions/20.html", "http://cwe.mitre.org/data/definitions/362.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1547", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7705", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7973", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7978", "http://www.ntp.org/downloads.html", "http://cwe.mitre.org/data/definitions/400.html", "http://cwe.mitre.org/data/definitions/400.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7976", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7974"], "description": "### Overview\n\nThe NTP.org reference implementation of `ntpd` contains multiple vulnerabilities.\n\n### Description\n\nNTP.org's reference implementation of NTP server, `ntpd`, contains multiple vulnerabilities. \n\n[**CWE-294**](<http://cwe.mitre.org/data/definitions/294.html>)**: Authentication Bypass by Capture-replay - **CVE-2015-7973 \n \nAn attacker on the network can record and replay authenticated broadcast mode packets. Also known as the \"Deja Vu\" attack. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-7974 \n \nA missing key check allows impersonation between authenticated peers. Also known as the \"Skeleton Key\" attack. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-7975 \n \nThe `nextvar()` function does not properly validate length. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-7976 \n \n`ntpq saveconfig` command allows dangerous characters in filenames \n \n[**CWE-476**](<http://cwe.mitre.org/data/definitions/476.html>)**: NULL Pointer Dereference - **CVE-2015-7977 \n \n`reslist` NULL pointer dereference \n \n[**CWE-400**](<http://cwe.mitre.org/data/definitions/400.html>)**: Uncontrolled Resource Consumption ('Resource Exhaustion') - **CVE-2015-7978 \n \nStack exhaustion in recursive traversal of restriction list \n \n[**CWE-821**](<http://cwe.mitre.org/data/definitions/821.html>)**: Incorrect Synchronization - **CVE-2015-7979 \n \nOff-path Denial of Service (DoS) attack on authenticated broadcast and other pre-emptable modes \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-8138 \n \nZero Origin Timestamp Bypass \n \n[**CWE-200**](<http://cwe.mitre.org/data/definitions/200.html>)**: Information Exposure - **CVE-2015-8139 \n \nNetwork Time Protocol ntpq and ntpdc Origin Timestamp Disclosure Vulnerability \n<http://support.ntp.org/bin/view/Main/NtpBug2946> \n \n[**CWE-294**](<http://cwe.mitre.org/data/definitions/294.html>)**: Authentication Bypass by Capture-replay - **CVE-2015-8140 \n \nNetwork Time Protocol ntpq Control Protocol Replay Vulnerability \n<http://support.ntp.org/bin/view/Main/NtpBug2947> \n \n[**CWE-400**](<http://cwe.mitre.org/data/definitions/400.html>)**: Uncontrolled Resource Consumption ('Resource Exhaustion') - **CVE-2015-8158 \n \nPotential Infinite Loop in ntpq \n<http://support.ntp.org/bin/view/Main/NtpBug2948> \n \n[**CWE-821**](<http://cwe.mitre.org/data/definitions/821.html>)**: Incorrect Synchronization - **CVE-2016-1547 \n \nAn off-path attacker can deny service to `ntpd` clients by demobilizing preemptable associations using spoofed crypto-NAK packets. This vulnerability involves different code paths than those used by CVE-2015-7979. \n \n[**CWE-290**](<http://cwe.mitre.org/data/definitions/290.html>)**: Authentication Bypass by Spoofing - **CVE-2016-1548 \n \nBy spoofing packets from a legitimate server, an attacker can change the time of an` ntpd` client or deny service to an `ntpd` client by forcing it to change from basic client/server mode to interleaved symmetric mode. \n \n[**CWE-362**](<http://cwe.mitre.org/data/definitions/362.html>)**: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') - **CVE-2016-1549 \n \nntpd does not prevent Sybil attacks from authenticated peers. An malicious authenticated peer can create any number of ephemeral associations in order to win ntpd's clock selection algorithm and modify a victim's clock. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2016-1550 \n \nntpd does not use a constant-time memory comparison function when validating the authentication digest on incoming packets. In some situations this may allow an attacker to conduct a timing attack to compute the value of the valid authentication digest causing forged packets to be accepted by `ntpd`. \n \n[**CWE-290**](<http://cwe.mitre.org/data/definitions/290.html>)**: Authentication Bypass by Spoofing - **CVE-2016-1551 \n \nntpd does not filter IPv4 bogon packets received from the network. This allows unauthenticated network attackers to spoof refclock packets to ntpd processes on systems that do not implement bogon filtering. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2016-2516, CVE-2016-2517 \n \nDuplicate IPs on `unconfig` directives will cause an assertion botch in `ntpd`. A regression caused by the patch for CVE-2016-2516 was fixed and identified as CVE-2016-2517. \n \n[**CWE-125**](<http://cwe.mitre.org/data/definitions/125.html>)**: Out-of-bounds Read - **CVE-2016-2518 \n \nUsing a crafted packet to create a peer association with hmode &gt; 7 causes the MATCH_ASSOC() lookup to make an out-of-bounds reference. \n \n[**CWE-119**](<http://cwe.mitre.org/data/definitions/119.html>)**: Improper Restriction of Operations within the Bounds of a Memory Buffer - **CVE-2016-2519 \n \n`ntpq` and `ntpdc` can be used to store and retrieve information in `ntpd`. It is possible to store a data value that is larger than the size of the buffer that the `ctl_getitem()` function of `ntpd` uses to report the return value. If the length of the requested data value returned by `ctl_getitem()` is too large, the value NULL is returned instead. There are 2 cases where the return value from `ctl_getitem()` was not directly checked to make sure it's not NULL, but there are subsequent INSIST() checks that make sure the return value is not NULL. There are no data values ordinarily stored in `ntpd` that would exceed this buffer length. But if one has permission to store values and one stores a value that is \"too large\", then `ntpd` will abort if an attempt is made to read that oversized value. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-7704**, **CVE-2015-7705 \n \nAn ntpd client that honors Kiss-of-Death (KoD) responses will honor KoD messages that have been forged by an attacker, causing it to delay or stop querying its servers for time updates. Also, an attacker can forge packets that claim to be from the target and send them to servers often enough that a server that implements KoD rate limiting will send the target machine a KoD response to attempt to reduce the rate of incoming packets, or it may also trigger a firewall block at the server for packets from the target machine. For either of these attacks to succeed, the attacker must know what servers the target is communicating with. An attacker can be anywhere on the Internet and can frequently learn the identity of the target's time source by sending the target a time query. \n \nFor more information on these vulnerabilities, please see NTP.org's [April 2016 security advisory](<http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security>) as well as the [January 2016 security advisory](<http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit>). \n \n--- \n \n### Impact\n\nUnauthenticated remote attackers may be able to spoof packets to cause denial of service, authentication bypass on commands, or certain configuration changes. For more information on these vulnerabilities, please see NTP.org's [April 2016 security advisory](<http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security>) as well as the [January 2016 security advisory](<http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit>). \n \n--- \n \n### Solution\n\n**Apply an update** \n \nPartial patches for some of these issues were initially released in January 2016 as version 4.2.8p6. Complete patches for all of these issues are now available in version [4.2.8p7](<http://www.ntp.org/downloads.html>), released 2016-04-26. Affected users are encouraged to update as soon as possible. \n \n--- \n \n### Vendor Information \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nNTP Project| | 19 Jan 2016| 22 Apr 2016 \nACCESS| | 25 Apr 2016| 25 Apr 2016 \nAlcatel-Lucent| | 25 Apr 2016| 25 Apr 2016 \nApple| | 25 Apr 2016| 25 Apr 2016 \nArista Networks, Inc.| | 25 Apr 2016| 25 Apr 2016 \nAruba Networks| | 25 Apr 2016| 25 Apr 2016 \nAT&amp;T;| | 25 Apr 2016| 25 Apr 2016 \nAvaya, Inc.| | 25 Apr 2016| 25 Apr 2016 \nBelkin, Inc.| | 25 Apr 2016| 25 Apr 2016 \nBlue Coat Systems| | 25 Apr 2016| 25 Apr 2016 \nCA Technologies| | 25 Apr 2016| 25 Apr 2016 \nCentOS| | 25 Apr 2016| 25 Apr 2016 \nCheck Point Software Technologies| | 25 Apr 2016| 25 Apr 2016 \nCisco| | 08 Jan 2016| 08 Jan 2016 \nCoreOS| | 25 Apr 2016| 25 Apr 2016 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23718152 Vendor Status Inquiry>). \n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 6.8 | AV:N/AC:M/Au:N/C:P/I:P/A:P \nTemporal | 5.3 | E:POC/RL:OF/RC:C \nEnvironmental | 5.3 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n### References\n\n * <http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security>\n * <http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit>\n\n### Credit\n\nThanks to Cisco TALOS for reporting many of these issues to us. The Network Time Foundation credits many researchers for these vulnerabilities; see NTP.org's January 2016 and April 2016 security advisories for the complete list.\n\nThis document was written by Garret Wassermann.\n\n### Other Information\n\n * CVE IDs: [CVE-2015-7704](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7704>) [CVE-2015-7705](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7705>) [CVE-2015-7973](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7973>) [CVE-2015-7974](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7974>) [CVE-2015-7975](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7975>) [CVE-2015-7976](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7976>) [CVE-2015-7977](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7977>) [CVE-2015-7978](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7978>) [CVE-2015-7979](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7979>) [CVE-2015-8138](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8138>) [CVE-2015-8139](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8139>) [CVE-2015-8140](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8140>) [CVE-2015-8158](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8158>) [CVE-2016-1547](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1547>) [CVE-2016-1548](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1548>) [CVE-2016-1549](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1549>) [CVE-2016-1550](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1550>) [CVE-2016-1551](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1551>) [CVE-2016-2516](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2516>) [CVE-2016-2517](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2517>) [CVE-2016-2518](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2518>) [CVE-2016-2519](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2519>)\n * Date Public: 26 Apr 2016\n * Date First Published: 27 Apr 2016\n * Date Last Updated: 28 Apr 2016\n * Document Revision: 48\n\n", "edition": 7, "reporter": "CERT", "published": "2016-04-27T00:00:00", "title": "NTP.org ntpd contains multiple vulnerabilities", "type": "cert", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "info", "cvelist": ["CVE-2016-1548", "CVE-2016-1548", "CVE-2016-1548", "CVE-2016-2518", "CVE-2016-2518", "CVE-2016-2518", "CVE-2015-8140", "CVE-2015-8140", "CVE-2015-8140", "CVE-2015-8138", "CVE-2015-8138", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7973", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-7977", "CVE-2015-7977", "CVE-2016-1550", "CVE-2016-1550", "CVE-2016-1550", "CVE-2015-8158", "CVE-2015-8158", "CVE-2015-8158", "CVE-2016-2516", "CVE-2016-2516", "CVE-2016-2516", "CVE-2016-2516", "CVE-2015-7704", "CVE-2015-7704", "CVE-2015-7704", "CVE-2016-1551", "CVE-2016-1551", "CVE-2016-1551", "CVE-2015-7979", "CVE-2015-7979", "CVE-2015-7979", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-7976", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-8139", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7975", "CVE-2015-7975", "CVE-2016-1547", "CVE-2016-1547", "CVE-2016-1547", "CVE-2016-2519", "CVE-2016-2519", "CVE-2016-2519", "CVE-2016-2517", "CVE-2016-2517", "CVE-2016-2517", "CVE-2016-2517", "CVE-2015-7705", "CVE-2015-7705", "CVE-2015-7705", "CVE-2015-7974", "CVE-2015-7974", "CVE-2015-7974", "CVE-2016-1549", "CVE-2016-1549", "CVE-2016-1549", "CVE-2015-7978", "CVE-2015-7978", "CVE-2015-7978"], "modified": "2016-04-28T00:00:00", "id": "VU:718152", "href": "https://www.kb.cert.org/vuls/id/718152", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "gentoo": [{"lastseen": "2016-09-06T19:47:00", "references": ["https://bugs.gentoo.org/show_bug.cgi?id=572452", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4957", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8158", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1551", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4956", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7854", "https://bugs.gentoo.org/show_bug.cgi?id=563774", "https://bugs.gentoo.org/show_bug.cgi?id=584954", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1550", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2518", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7975", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7973", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7704", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2517", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7853", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7849", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7979", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7851", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1547", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7703", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1549", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7974", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7978", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2519", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7692", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4953", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4955", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7871", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7701", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7976", "https://bugs.gentoo.org/show_bug.cgi?id=581528", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8139", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7852", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7977", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1548", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7850", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8140", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-2516", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7705", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7691", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4954", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-8138", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7848", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7855", "http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-7702"], "affectedPackage": [{"OS": "Gentoo", "OSVersion": "any", "packageVersion": "4.2.8_p8", "packageFilename": "UNKNOWN", "packageName": "net-misc/ntp", "arch": "all", "operator": "lt"}], "description": "### Background\n\nNTP contains software for the Network Time Protocol.\n\n### Description\n\nMultiple vulnerabilities have been discovered in NTP. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly cause a Denial of Service condition.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll NTP users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/ntp-4.2.8_p8\"", "edition": 1, "reporter": "Gentoo Foundation", "published": "2016-07-20T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "type": "gentoo", "title": "NTP: Multiple vulnerabilities", "bulletinFamily": "unix", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-7703", "CVE-2016-4956", "CVE-2015-8140", "CVE-2016-4955", "CVE-2015-8138", "CVE-2015-7855", "CVE-2016-4953", "CVE-2015-7973", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7704", "CVE-2016-1551", "CVE-2015-7979", "CVE-2016-4954", "CVE-2015-7701", "CVE-2015-7976", "CVE-2015-7848", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7692", "CVE-2016-1547", "CVE-2015-7851", "CVE-2015-7702", "CVE-2016-4957", "CVE-2015-7852", "CVE-2015-7871", "CVE-2015-7849", "CVE-2015-7691", "CVE-2016-2519", "CVE-2016-2517", "CVE-2015-7705", "CVE-2015-7974", "CVE-2015-7850", "CVE-2016-1549", "CVE-2015-7854", "CVE-2015-7978", "CVE-2015-7853"], "modified": "2016-07-20T00:00:00", "id": "GLSA-201607-15", "href": "https://security.gentoo.org/glsa/201607-15", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}]}