Network Time Protocol Private Mode 'reslist' Stack Memory Exhaustion Vulnerability
2016-01-19T00:00:00
ID: TALOS-2016-0075
Type: talos
Reporter: Talos Intelligence
Modified: 2016-01-19T00:00:00
Description
Talos Vulnerability Report
TALOS-2016-0075
Network Time Protocol Private Mode 'reslist' Stack Memory Exhaustion Vulnerability
January 19, 2016
CVE Number
CVE-2015-7978
CERT VU#357792
Summary
An unauthenticated ntpdc reslist command can cause a segmentation fault in ntpd by exhausting the call stack.
The following conditions must be met:
1. Mode 7 must be enabled. By default, mode 7 is disabled.
2. A large enough number of entries must be in the restrict lists to cause enough calls to list_restrict4() or list_restrict6() that the stack space is exhausted.
Expected Behavior:
The ntpdc reslist command is used to query the restrictions currently enforced by ntpd. If the number of restrictions is too large, enough function calls to list_restrict4() or list_restrict6() will occur to exhaust the space on the call stack. The reslist command does not require authentication.
The ntpd process should be able to traverse any number of entries in the restrict list without exhausting the call stack.
Actual Behavior:
The IPv4 and IPv6 restriction lists are kept sorted in reverse order. To correctly display the output, the functions list_restrict4() and list_restrict6() traverse the list recursively and dump the lists in reverse. If enough entries exist in the restrict list, the recursion will eventually exhaust the available space on the call stack.
Implications of the defect:
An attacker that can increase the size of the restrict list on a server with request mode enabled can crash ntpd. The attacker might be able to increase the number of restrictions dynamically via the "restrict source" mechanism. Additionally, an authenticated user can add restrict lines to the configuration with mode 6 if it is enabled.
Recommendations:
Use iteration to traverse the restrict list or terminate the recursion after some number of entries have been processed.
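The recommendation above, as an added C sketch (not code from ntpd or from the Talos report): a list stored in reverse order is dumped once with the recursive pattern the report describes, whose call depth equals the entry count, and once iteratively with constant stack use and an optional entry cap. The struct, the function names and the sample lists are hypothetical and constructed for this example; the in-place reversal assumes nothing else reads the list while it is being dumped.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for one restriction entry; not ntpd's real struct. */
struct restrict_entry {
    struct restrict_entry *link;
    unsigned int addr;
};

/* Constructed sink: counts entries and checks they arrive in ascending order. */
struct sink { unsigned int last; size_t count; int ascending; };

static void emit(const struct restrict_entry *e, struct sink *s)
{
    if (s->count > 0 && e->addr <= s->last)
        s->ascending = 0;
    s->last = e->addr;
    s->count++;
}

/* Build a list stored in descending order: head holds n, tail holds 1. */
static struct restrict_entry *build_list(size_t n)
{
    struct restrict_entry *head = NULL;
    for (size_t i = 1; i <= n; i++) {
        struct restrict_entry *e = malloc(sizeof(*e));
        if (e == NULL)
            abort();
        e->addr = (unsigned int)i;
        e->link = head;
        head = e;
    }
    return head;
}

static void free_list(struct restrict_entry *head)
{
    while (head != NULL) {
        struct restrict_entry *next = head->link;
        free(head);
        head = next;
    }
}

/* Pattern described in the report: recurse to the tail, emit while unwinding.
 * One stack frame per entry, so the depth is set by the list length. */
static void list_recursive(const struct restrict_entry *e, struct sink *s,
                           size_t depth, size_t *max_depth)
{
    if (e == NULL)
        return;
    if (depth > *max_depth)
        *max_depth = depth;
    list_recursive(e->link, s, depth + 1, max_depth);
    emit(e, s);
}

static struct restrict_entry *reverse_in_place(struct restrict_entry *head)
{
    struct restrict_entry *prev = NULL;
    while (head != NULL) {
        struct restrict_entry *next = head->link;
        head->link = prev;
        prev = head;
        head = next;
    }
    return prev;
}

/* Iterative replacement: reverse the links, walk forward, restore the links.
 * Stack use is constant; max_entries bounds the output. Returns entries emitted. */
static size_t list_iterative(struct restrict_entry **headp, struct sink *s,
                             size_t max_entries)
{
    size_t emitted = 0;
    struct restrict_entry *rev = reverse_in_place(*headp);
    for (const struct restrict_entry *e = rev;
         e != NULL && emitted < max_entries; e = e->link) {
        emit(e, s);
        emitted++;
    }
    *headp = reverse_in_place(rev);   /* put the list back as it was */
    return emitted;
}

/* Returns the recursion depth reached for n entries, or 0 on wrong output. */
size_t recursive_max_depth(size_t n)
{
    struct restrict_entry *head = build_list(n);
    struct sink s = { 0, 0, 1 };
    size_t max_depth = 0;
    list_recursive(head, &s, 1, &max_depth);
    free_list(head);
    return (s.ascending && s.count == n) ? max_depth : 0;
}

/* Returns 1 if the iterative dump emitted min(n, cap) entries in ascending
 * order and left the stored list in its original order. */
int iterative_ok(size_t n, size_t cap)
{
    struct restrict_entry *head = build_list(n);
    struct sink s = { 0, 0, 1 };
    size_t expected = n < cap ? n : cap;
    size_t emitted = list_iterative(&head, &s, cap);
    int restored = (n == 0) ? (head == NULL) : (head->addr == (unsigned int)n);
    free_list(head);
    return emitted == expected && s.count == expected && s.ascending && restored;
}

int main(void)
{
    printf("recursive depth for 64 entries: %zu\n", recursive_max_depth(64));
    printf("iterative, 1000000 entries: %d\n", iterative_ok(1000000, (size_t)-1));
    return 0;
}
```

The recursive variant is run only on a short list here; the iterative one handles a million entries because its stack use does not grow with the list.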
Tested Versions
ntp 4.2.8p3
NTPsec a5fb34b9cc89b92a8fef2f459004865c93bb7f92
Product URLs
http://www.ntp.org
http://www.ntpsec.org/
CVSS Score
CVSSv2: 5.4 - AV:N/AC:H/Au:N/C:N/I:N/A:C
CVSSv3: 5.9 - AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Timeline
2015-10-07 - Vendor Disclosure
2016-01-19 - Public Release
Credit
Stephen Gray
{"result": {"cve": [{"id": "CVE-2015-7978", "type": "cve", "title": "CVE-2015-7978", "description": "NTP before 4.2.8p6 and 4.3.0 before 4.3.90 allows a remote attackers to cause a denial of service (stack exhaustion) via an ntpdc relist command, which triggers recursive traversal of the restriction list.", "published": "2017-01-30T16:59:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7978", "cvelist": ["CVE-2015-7978"], "lastseen": "2017-11-25T11:37:06"}], "f5": [{"id": "F5:K06288381", "type": "f5", "title": "NTP vulnerabilities CVE-2015-7977 and CVE-2015-7978", "description": "\nF5 Product Development has assigned ID 573343 (BIG-IP), ID 573411 (BIG-IQ), ID 573413 (Enterprise Manager), and ID 507785 (ARX) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability. Additionally, [BIG-IP iHealth](<http://www.f5.com/support/support-tools/big-ip-ihealth/>) may list Heuristic H574750 on the **Diagnostics** > **Identified** > **Low** screen. 
\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP AAM| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP AFM| 12.0.0 - 12.1.1 \n11.3.0 - 11.6.1| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP Analytics| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP APM| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP ASM| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP DNS| 12.0.0 - 12.1.1| 12.1.2| Low| ntpd \nBIG-IP Edge Gateway| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| ntpd \nBIG-IP GTM| 11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP Link Controller| 12.0.0 - 12.1.1 \n11.0.0 - 11.6.1 \n10.1.0 - 10.2.4| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP PEM| 12.0.0 - 12.1.1 \n11.3.0 - 11.6.1| 12.1.2 \n11.6.1 HF2 \n11.5.4 HF3| Low| ntpd \nBIG-IP PSM| 11.0.0 - 11.4.1 \n10.1.0 - 10.2.4| None| Low| ntpd \nBIG-IP WebAccelerator| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| ntpd \nBIG-IP WOM| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| None| Low| ntpd \nARX| 6.0.0 - 6.4.0| None| Low| ntpq and ntpd \nEnterprise Manager| 3.0.0 - 3.1.1| None| Low| ntpd \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| 4.0.0 - 4.5.0| None| Low| ntpd \nBIG-IQ Device| 4.2.0 - 4.5.0| None| Low| ntpd \nBIG-IQ Security| 4.0.0 - 4.5.0| None| Low| ntpd \nBIG-IQ ADC| 4.5.0| None| Low| ntpd \nBIG-IQ Centralized 
Management| 4.6.0| None| Low| ntpd \nBIG-IQ Cloud and Orchestration| 1.0.0| None| Low| ntpd \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 4.0.0 - 4.4.0 \n3.3.2 - 3.5.1| Not vulnerable| None\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nTo mitigate this vulnerability for affected BIG-IP, BIG-IQ, and Enterprise Manager systems, ensure that there are no more than 500 'restrict' directives in the **/config/ntp.conf** configuration file.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 13.x)](<https://support.f5.com/csp/article/K13123>)\n * [K9502: BIG-IP hotfix matrix](<https://support.f5.com/csp/article/K9502>)\n", "published": "2016-02-23T02:20:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://support.f5.com/csp/article/K06288381", "cvelist": ["CVE-2015-7977", "CVE-2015-7978"], "lastseen": "2017-06-08T00:16:04"}, {"id": "SOL06288381", "type": "f5", "title": "SOL06288381 - NTP vulnerabilities CVE-2015-7977 and CVE-2015-7978", "description": 
"Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable **column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo mitigate this vulnerability for affected BIG-IP, BIG-IQ, and Enterprise Manager systems, ensure that there are no more than 500 'restrict' directives in the **/config/ntp.conf** configuration file.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n * SOL167: Downloading software and firmware from F5\n * SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)\n * SOL10025: Managing BIG-IP product hotfixes (10.x)\n * SOL9502: BIG-IP hotfix matrix\n * SOL15106: Managing BIG-IQ product hotfixes\n * SOL15113: BIG-IQ hotfix matrix\n * SOL12766: ARX hotfix matrix\n", "published": "2016-02-22T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "http://support.f5.com/kb/en-us/solutions/public/k/06/sol06288381.html", "cvelist": ["CVE-2015-7977", "CVE-2015-7978"], "lastseen": "2016-11-28T21:27:45"}], "nessus": [{"id": "F5_BIGIP_SOL06288381.NASL", "type": "nessus", "title": "F5 Networks BIG-IP : NTP vulnerabilities (K06288381)", "description": "CVE-2015-7977 ntpd in NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (NULL pointer dereference) via a ntpdc reslist command.\n\nCVE-2015-7978 NTP before 4.2.8p6 and 4.3.0 before 4.3.90 allows a remote attackers to cause a denial of service (stack exhaustion) via an ntpdc relist command, which triggers recursive 
traversal of the restriction list.", "published": "2016-12-22T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=96054", "cvelist": ["CVE-2015-7977", "CVE-2015-7978"], "lastseen": "2017-10-29T13:39:36"}, {"id": "FEDORA_2016-8BB1932088.NASL", "type": "nessus", "title": "Fedora 23 : ntp-4.2.6p5-36.fc23 (2016-8bb1932088)", "description": "Security fix for CVE-2015-7974, CVE-2015-8138, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8158\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2016-03-04T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=89577", "cvelist": ["CVE-2015-8138", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-10-29T13:37:19"}, {"id": "ALA_ALAS-2016-649.NASL", "type": "nessus", "title": "Amazon Linux AMI : ntp (ALAS-2016-649)", "description": "It was discovered that ntpd as a client did not correctly check the originate timestamp in received packets. A remote attacker could use this flaw to send a crafted packet to an ntpd client that would effectively disable synchronization with the server, or push arbitrary offset/delay measurements to modify the time on the client.\n(CVE-2015-8138)\n\nA NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash the ntpd process. 
(CVE-2015-7977)\n\nIt was found that NTP does not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key.\n(CVE-2015-7974)\n\nA stack-based buffer overflow was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash the ntpd process. (CVE-2015-7978)\n\nIt was found that when NTP is configured in broadcast mode, an off-path attacker could broadcast packets with bad authentication (wrong key, mismatched key, incorrect MAC, etc) to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server. This could cause the time on affected clients to become out of sync over a longer period of time.\n(CVE-2015-7979)\n\nA flaw was found in the way the ntpq client processed certain incoming packets in a loop in the getresponse() function. A remote attacker could potentially use this flaw to crash an ntpq client instance.\n(CVE-2015-8158)\n\nA flaw was found in ntpd that allows remote attackers to cause a denial of service (ephemeral-association demobilization) by sending a spoofed crypto-NAK packet with incorrect authentication data at a certain time. 
(CVE-2016-4953)\n\n(Updated 2016-10-18: CVE-2016-4953 was fixed in this release but was not previously part of this errata.)", "published": "2016-02-10T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=88661", "cvelist": ["CVE-2015-8138", "CVE-2016-4953", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2018-04-19T08:12:28"}, {"id": "FREEBSD_PKG_5237F5D7C02011E5B397D050996490D0.NASL", "type": "nessus", "title": "FreeBSD : ntp -- multiple vulnerabilities (5237f5d7-c020-11e5-b397-d050996490d0)", "description": "Network Time Foundation reports :\n\nNTF's NTP Project has been notified of the following low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p6, released on Tuesday, 19 January 2016 :\n\n- Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq. Reported by Cisco ASIG.\n\n- Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass.\nReported by Cisco ASIG.\n\n- Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode. Reported by Cisco ASIG.\n\n- Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list. Reported by Cisco ASIG.\n\n- Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference. Reported by Cisco ASIG.\n\n- Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames. Reported by Cisco ASIG.\n\n- Bug 2937 / CVE-2015-7975: nextvar() missing length check. Reported by Cisco ASIG.\n\n- Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers. Reported by Cisco ASIG.\n\n- Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode. 
Reported by Cisco ASIG.\n\nAdditionally, mitigations are published for the following two issues :\n\n- Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks.\nReported by Cisco ASIG.\n\n- Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin. Reported by Cisco ASIG.", "published": "2016-01-22T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=88068", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-10-29T13:41:06"}, {"id": "DEBIAN_DSA-3629.NASL", "type": "nessus", "title": "Debian DSA-3629-1 : ntp - security update", "description": "Several vulnerabilities were discovered in the Network Time Protocol daemon and utility programs :\n\n - CVE-2015-7974 Matt Street discovered that insufficient key validation allows impersonation attacks between authenticated peers.\n\n - CVE-2015-7977 CVE-2015-7978 Stephen Gray discovered that a NULL pointer dereference and a buffer overflow in the handling of 'ntpdc reslist' commands may result in denial of service.\n\n - CVE-2015-7979 Aanchal Malhotra discovered that if NTP is configured for broadcast mode, an attacker can send malformed authentication packets which break associations with the server for other broadcast clients.\n\n - CVE-2015-8138 Matthew van Gundy and Jonathan Gardner discovered that missing validation of origin timestamps in ntpd clients may result in denial of service.\n\n - CVE-2015-8158 Jonathan Gardner discovered that missing input sanitising in ntpq may result in denial of service.\n\n - CVE-2016-1547 Stephen Gray and Matthew van Gundy discovered that incorrect handling of crypto NAK packets may result in denial of service.\n\n - CVE-2016-1548 Jonathan Gardner and Miroslav Lichvar discovered that ntpd 
clients could be forced to change from basic client/server mode to interleaved symmetric mode, preventing time synchronisation.\n\n - CVE-2016-1550 Matthew van Gundy, Stephen Gray and Loganaden Velvindron discovered that timing leaks in the packet authentication code could result in recovery of a message digest.\n\n - CVE-2016-2516 Yihan Lian discovered that duplicate IPs on 'unconfig' directives will trigger an assert.\n\n - CVE-2016-2518 Yihan Lian discovered that an OOB memory access could potentially crash ntpd.", "published": "2016-07-27T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=92571", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-8138", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7979", "CVE-2016-1547", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-10-29T13:42:26"}, {"id": "OPENSUSE-2016-578.NASL", "type": "nessus", "title": "openSUSE Security Update : ntp (openSUSE-2016-578)", "description": "ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\nAlso yast2-ntp-client was updated to match some sntp syntax changes.\n(bsc#937837)\n\nThese security issues were fixed :\n\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784).\n\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000).\n\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802).\n\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960).\n\n - CVE-2015-7973: Replay 
attack on authenticated broadcast mode (bsc#962995).\n\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629).\n\nThese non-security issues were fixed :\n\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added the authreg directive.\n\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which caused the synchronization to fail.\n\n - bsc#782060: Speedup ntpq.\n\n - bsc#916617: Add /var/db/ntp-kod.\n\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen quite a lot on loaded systems.\n\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n\n - Add ntp-fork.patch and build with threads disabled to allow name resolution even when running chrooted.\n\nThis update was imported from the SUSE:SLE-12-SP1:Update update project.", "published": "2016-05-13T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=91111", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-10-29T13:33:14"}, {"id": "SL_20160510_NTP_ON_SL6_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : ntp on SL6.x i386/x86_64", "description": "Security Fix(es) :\n\n - It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not 
always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\n\n - A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701)\n\n - An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852)\n\n - A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977)\n\n - A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd.\n (CVE-2015-7978)\n\n - It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. (CVE-2015-5194)\n\n - It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command.\n (CVE-2015-5195)\n\n - It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219)\n\n - It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). 
(CVE-2015-7703)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichvar (Red Hat).", "published": "2016-06-09T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=91539", "cvelist": ["CVE-2015-7703", "CVE-2015-7977", "CVE-2015-5219", "CVE-2014-9750", "CVE-2015-7701", "CVE-2015-7692", "CVE-2015-7702", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7691", "CVE-2015-5195", "CVE-2015-7978"], "lastseen": "2017-10-29T13:44:01"}, {"id": "DEBIAN_DLA-559.NASL", "type": "nessus", "title": "Debian DLA-559-1 : ntp security update", "description": "Several vulnerabilities were discovered in the Network Time Protocol daemon and utility programs :\n\nCVE-2015-7974\n\nMatt Street discovered that insufficient key validation allows impersonation attacks between authenticated peers.\n\nCVE-2015-7977 / CVE-2015-7978\n\nStephen Gray discovered that a NULL pointer dereference and a buffer overflow in the handling of 'ntpdc reslist' commands may result in denial of service.\n\nCVE-2015-7979\n\nAanchal Malhotra discovered that if NTP is configured for broadcast mode, an attacker can send malformed authentication packets which break associations with the server for other broadcast clients.\n\nCVE-2015-8138\n\nMatthew van Gundy and Jonathan Gardner discovered that missing validation of origin timestamps in ntpd clients may result in denial of service.\n\nCVE-2015-8158\n\nJonathan Gardner discovered that missing input sanitising in ntpq may result in denial of service.\n\nCVE-2016-1547\n\nStephen Gray and Matthew van Gundy discovered that incorrect handling of crypto NAK packets may result in denial of service.\n\nCVE-2016-1548\n\nJonathan Gardner and Miroslav Lichvar discovered that ntpd clients could be forced to change from basic client/server mode to interleaved symmetric mode, preventing time synchronisation.\n\nCVE-2016-1550\n\nMatthew van Gundy, Stephen 
Gray and Loganaden Velvindron discovered that timing leaks in the packet authentication code could result in recovery of a message digest.\n\nCVE-2016-2516\n\nYihan Lian discovered that duplicate IPs on 'unconfig' directives will trigger an assert.\n\nCVE-2016-2518\n\nYihan Lian discovered that an OOB memory access could potentially crash ntpd.\n\nFor Debian 7 'Wheezy', these problems have been fixed in version 1:4.2.6.p5+dfsg-2+deb7u7.\n\nWe recommend that you upgrade your ntp packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2016-07-26T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=92546", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-8138", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7979", "CVE-2016-1547", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-10-29T13:40:37"}, {"id": "SLACKWARE_SSA_2016-054-04.NASL", "type": "nessus", "title": "Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2016-054-04)", "description": "New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.", "published": "2016-02-24T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=88912", "cvelist": ["CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-7975", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-10-29T13:36:31"}, {"id": "NTP_4_2_8P6.NASL", "type": "nessus", "title": "Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p6 Multiple 
Vulnerabilities", "description": "The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p6.\nIt is, therefore, affected by the following vulnerabilities :\n\n - A flaw exists in the receive() function due to the use of authenticated broadcast mode. A man-in-the-middle attacker can exploit this to conduct a replay attack.\n (CVE-2015-7973)\n\n - A time serving flaw exists in the trusted key system due to improper key checks. An authenticated, remote attacker can exploit this to perform impersonation attacks between authenticated peers. (CVE-2015-7974)\n\n - An overflow condition exists in the nextvar() function due to improper validation of user-supplied input. A local attacker can exploit this to cause a buffer overflow, resulting in a denial of service condition.\n (CVE-2015-7975)\n\n - A flaw exists in ntp_control.c due to improper filtering of special characters in filenames by the saveconfig command. An authenticated, remote attacker can exploit this to inject arbitrary content. (CVE-2015-7976)\n\n - A NULL pointer dereference flaw exists in ntp_request.c that is triggered when handling ntpdc reslist commands.\n A remote attacker can exploit this, via a specially crafted request, to crash the service, resulting in a denial of service condition. (CVE-2015-7977)\n\n - A flaw exists in ntpdc that is triggered during the handling of the reslist command. A remote attacker can exploit this, via recursive traversals of the restriction list, to exhaust available space on the call stack, resulting in a denial of service condition.\n (CVE-2015-7978)\n\n - An unspecified flaw exists in authenticated broadcast mode. A remote attacker can exploit this, via specially crafted packets, to cause a denial of service condition.\n (CVE-2015-7979)\n\n - A flaw exists in the receive() function that allows packets with an origin timestamp of zero to bypass security checks. A remote attacker can exploit this to spoof arbitrary content. 
(CVE-2015-8138)\n\n - A flaw exists in ntpq and ntpdc that allows a remote attacker to disclose sensitive information in timestamps. (CVE-2015-8139)\n\n - A flaw exists in the ntpq protocol that is triggered during the handling of an improper sequence of numbers.\n A man-in-the-middle attacker can exploit this to conduct a replay attack. (CVE-2015-8140)\n\n - A flaw exists in the ntpq client that is triggered when handling packets that cause a loop in the getresponse() function. A remote attacker can exploit this to cause an infinite loop, resulting in a denial of service condition. (CVE-2015-8158)", "published": "2016-01-21T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=88054", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2018-02-21T23:32:31"}], "openvas": [{"id": "OPENVAS:1361412562310120639", "type": "openvas", "title": "Amazon Linux Local Check: alas-2016-649", "description": "Amazon Linux Local Security Checks", "published": "2016-02-11T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120639", "cvelist": ["CVE-2015-8138", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-07-24T12:54:42"}, {"id": "OPENVAS:1361412562310807227", "type": "openvas", "title": "Fedora Update for ntp FEDORA-2016-8", "description": "Check the version of ntp", "published": "2016-02-05T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807227", "cvelist": ["CVE-2015-8138", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", 
"CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-07-25T10:54:03"}, {"id": "OPENVAS:1361412562310105726", "type": "openvas", "title": "Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016", "description": "Multiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package.\nVersions of this package are affected by one or more vulnerabilities that could allow an\nunauthenticated, remote attacker to create a denial of service (DoS) condition or modify the time\nbeing advertised by a device acting as a Network Time Protocol (NTP) server.\n\nOn January 19, 2016, NTP Consortium at Network Time Foundation released a security advisory\ndetailing 12 issues regarding multiple DoS vulnerabilities, information disclosure vulnerabilities,\nand logic issues that may allow an attacker to shift a client", "published": "2016-05-18T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105726", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-07-02T21:13:20"}, {"id": "OPENVAS:1361412562310131203", "type": "openvas", "title": "Mageia Linux Local Check: mgasa-2016-0039", "description": "Mageia Linux Local Security Checks mgasa-2016-0039", "published": "2016-02-02T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310131203", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-07-24T12:54:56"}, {"id": "OPENVAS:1361412562310871612", "type": "openvas", "title": "RedHat Update for 
ntp RHSA-2016:0780-01", "description": "Check the version of ntp", "published": "2016-05-11T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871612", "cvelist": ["CVE-2015-7703", "CVE-2015-7977", "CVE-2015-5219", "CVE-2014-9750", "CVE-2015-7701", "CVE-2015-7692", "CVE-2015-7702", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7691", "CVE-2015-5195", "CVE-2015-7978"], "lastseen": "2017-09-04T14:18:52"}, {"id": "OPENVAS:1361412562310703629", "type": "openvas", "title": "Debian Security Advisory DSA 3629-1 (ntp - security update)", "description": "Several vulnerabilities were discovered\nin the Network Time Protocol daemon and utility programs:\n\nCVE-2015-7974 \nMatt Street discovered that insufficient key validation allows\nimpersonation attacks between authenticated peers.\n\nCVE-2015-7977CVE-2015-7978Stephen Gray discovered that a NULL pointer dereference\nand a buffer overflow in the handling of ntpdc reslist \ncommands may\nresult in denial of service.\n\nCVE-2015-7979 \nAanchal Malhotra discovered that if NTP is configured for broadcast\nmode, an attacker can send malformed authentication packets which\nbreak associations with the server for other broadcast clients.\n\nCVE-2015-8138 \nMatthew van Gundy and Jonathan Gardner discovered that missing\nvalidation of origin timestamps in ntpd clients may result in denial\nof service.\n\nCVE-2015-8158 \nJonathan Gardner discovered that missing input sanitising in ntpq\nmay result in denial of service.\n\nCVE-2016-1547 \nStephen Gray and Matthew van Gundy discovered that incorrect handling\nof crypto NAK packets may result in denial of service.\n\nCVE-2016-1548 \nJonathan Gardner and Miroslav Lichvar discovered that ntpd clients\ncould be forced to change from basic client/server mode to interleaved\nsymmetric mode, preventing time synchronisation.\n\nCVE-2016-1550 \nMatthew van Gundy, Stephen Gray and 
Loganaden Velvindron discovered\nthat timing leaks in the the packet authentication code could result\nin recovery of a message digest.\n\nCVE-2016-2516Yihan Lian discovered that duplicate IPs on unconfig \ndirectives will\ntrigger an assert.\n\nCVE-2016-2518 \nYihan Lian discovered that an OOB memory access could potentially\ncrash ntpd.", "published": "2016-08-02T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703629", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-8138", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7979", "CVE-2016-1547", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-12-18T11:06:24"}, {"id": "OPENVAS:1361412562310851310", "type": "openvas", "title": "SuSE Update for ntp openSUSE-SU-2016:1292-1 (ntp)", "description": "Check the version of ntp", "published": "2016-05-17T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851310", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-12-12T11:18:10"}, {"id": "OPENVAS:703629", "type": "openvas", "title": "Debian Security Advisory DSA 3629-1 (ntp - security update)", "description": "Several vulnerabilities were discovered\nin the Network Time Protocol daemon and utility programs:\n\nCVE-2015-7974 \nMatt Street discovered that insufficient key validation allows\nimpersonation attacks between authenticated peers.\n\nCVE-2015-7977CVE-2015-7978Stephen Gray discovered that a NULL pointer dereference\nand a buffer overflow in the handling of ntpdc reslist \ncommands may\nresult in denial of service.\n\nCVE-2015-7979 \nAanchal Malhotra discovered that if 
NTP is configured for broadcast\nmode, an attacker can send malformed authentication packets which\nbreak associations with the server for other broadcast clients.\n\nCVE-2015-8138 \nMatthew van Gundy and Jonathan Gardner discovered that missing\nvalidation of origin timestamps in ntpd clients may result in denial\nof service.\n\nCVE-2015-8158 \nJonathan Gardner discovered that missing input sanitising in ntpq\nmay result in denial of service.\n\nCVE-2016-1547 \nStephen Gray and Matthew van Gundy discovered that incorrect handling\nof crypto NAK packets may result in denial of service.\n\nCVE-2016-1548 \nJonathan Gardner and Miroslav Lichvar discovered that ntpd clients\ncould be forced to change from basic client/server mode to interleaved\nsymmetric mode, preventing time synchronisation.\n\nCVE-2016-1550 \nMatthew van Gundy, Stephen Gray and Loganaden Velvindron discovered\nthat timing leaks in the the packet authentication code could result\nin recovery of a message digest.\n\nCVE-2016-2516Yihan Lian discovered that duplicate IPs on unconfig \ndirectives will\ntrigger an assert.\n\nCVE-2016-2518 \nYihan Lian discovered that an OOB memory access could potentially\ncrash ntpd.", "published": "2016-08-02T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=703629", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-8138", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7979", "CVE-2016-1547", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-07-24T12:55:11"}, {"id": "OPENVAS:1361412562310105666", "type": "openvas", "title": "Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016", "description": "Multiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package. 
Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server.\n\nOn January 19, 2016, NTP Consortium at Network Time Foundation released a security advisory detailing 12 issues regarding multiple DoS vulnerabilities, information disclosure vulnerabilities, and logic issues that may allow an attacker to shift a client", "published": "2016-05-09T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105666", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-07-02T21:12:44"}, {"id": "OPENVAS:1361412562310807293", "type": "openvas", "title": "Fedora Update for ntp FEDORA-2016-34", "description": "Check the version of ntp", "published": "2016-02-21T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310807293", "cvelist": ["CVE-2015-8138", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7704", "CVE-2015-7979", "CVE-2015-7701", "CVE-2015-7692", "CVE-2015-7702", "CVE-2015-7852", "CVE-2015-7871", "CVE-2015-7691", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-09-04T14:18:30"}], "amazon": [{"id": "ALAS-2016-649", "type": "amazon", "title": "Important: ntp", "description": "**Issue Overview:**\n\nIt was discovered that ntpd as a client did not correctly check the originate timestamp in received packets. 
A remote attacker could use this flaw to send a crafted packet to an ntpd client that would effectively disable synchronization with the server, or push arbitrary offset/delay measurements to modify the time on the client. ([CVE-2015-8138](<https://access.redhat.com/security/cve/CVE-2015-8138>))\n\nA NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash the ntpd process. ([CVE-2015-7977](<https://access.redhat.com/security/cve/CVE-2015-7977>))\n\nIt was found that NTP does not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key. ([CVE-2015-7974](<https://access.redhat.com/security/cve/CVE-2015-7974>))\n\nA stack-based buffer overflow was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash the ntpd process. ([CVE-2015-7978](<https://access.redhat.com/security/cve/CVE-2015-7978>))\n\nIt was found that when NTP is configured in broadcast mode, an off-path attacker could broadcast packets with bad authentication (wrong key, mismatched key, incorrect MAC, etc) to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server. This could cause the time on affected clients to become out of sync over a longer period of time. ([CVE-2015-7979](<https://access.redhat.com/security/cve/CVE-2015-7979>))\n\nA flaw was found in the way the ntpq client processed certain incoming packets in a loop in the getresponse() function. A remote attacker could potentially use this flaw to crash an ntpq client instance. 
([CVE-2015-8158](<https://access.redhat.com/security/cve/CVE-2015-8158>))\n\n \n**Affected Packages:** \n\n\nntp\n\n \n**Issue Correction:** \nRun _yum update ntp_ to update your system. \n\n\n \n**New Packages:**\n \n \n i686: \n ntp-4.2.6p5-36.29.amzn1.i686 \n ntpdate-4.2.6p5-36.29.amzn1.i686 \n ntp-debuginfo-4.2.6p5-36.29.amzn1.i686 \n \n noarch: \n ntp-doc-4.2.6p5-36.29.amzn1.noarch \n ntp-perl-4.2.6p5-36.29.amzn1.noarch \n \n src: \n ntp-4.2.6p5-36.29.amzn1.src \n \n x86_64: \n ntpdate-4.2.6p5-36.29.amzn1.x86_64 \n ntp-4.2.6p5-36.29.amzn1.x86_64 \n ntp-debuginfo-4.2.6p5-36.29.amzn1.x86_64 \n \n \n", "published": "2016-02-09T13:30:00", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://alas.aws.amazon.com/ALAS-2016-649.html", "cvelist": ["CVE-2015-8138", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2016-09-28T21:04:12"}], "paloalto": [{"id": "PAN-SA-2016-0019", "type": "paloalto", "title": "NTP Vulnerabilities", "description": "The open source ntp project has been found to contain several vulnerabilities (CVE-2015-8158, CVE-2015-8138, CVE-2015-7979, CVE-2015-7978, CVE-2015-7977, CVE-2015-7976, CVE-2015-7975, CVE-2015-7974, CVE-2015-7973, all released in January 2016). 
Palo Alto...\n", "published": "2016-08-15T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://securityadvisories.paloaltonetworks.com/Home/Detail/52", "cvelist": ["CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-04-26T19:18:52"}], "suse": [{"id": "OPENSUSE-SU-2016:1292-1", "type": "suse", "title": "Security update for ntp (important)", "description": "ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n These security issues were fixed:\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). 
This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n\n This update was imported from the SUSE:SLE-12-SP1:Update update project.\n\n", "published": "2016-05-12T21:07:47", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00038.html", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2016-09-04T12:22:35"}, {"id": "SUSE-SU-2016:1177-1", "type": "suse", "title": "Security update for ntp (important)", "description": "ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n These security issues were fixed:\n - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() 
missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n\n", "published": "2016-04-28T19:13:09", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00060.html", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2016-09-04T12:46:49"}, {"id": "SUSE-SU-2016:1175-1", "type": "suse", "title": "Security update for ntp (important)", "description": "ntp was updated to version 4.2.8p6 to fix 12 security issues.\n\n These security issues were fixed:\n - CVE-2015-8158: Fixed potential infinite loop in ntpq 
(bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. 
When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n - bsc#784760: Remove local clock from default configuration\n\n", "published": "2016-04-28T19:09:34", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00059.html", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2016-09-04T11:47:01"}, {"id": "SUSE-SU-2016:1311-1", "type": "suse", "title": "Security update for ntp (important)", "description": "This network time protocol server ntp was updated to 4.2.8p6 to fix the\n following issues:\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n Major functional changes:\n - The "sntp" commandline tool changed its option handling in a major way.\n - "controlkey 1" is added during update to ntp.conf to allow sntp to work.\n - The local clock is being disabled during update.\n - ntpd is no longer running chrooted.\n\n\n Other functional changes:\n - ntp-signd is installed.\n - "enable mode7" can be added to the configuration to allow ntdpc to work\n as compatibility mode option.\n - "kod" was removed from the default restrictions.\n - SHA1 keys are used by default instead of MD5 keys.\n\n These security issues were fixed:\n - CVE-2015-5219: An endless loop due to incorrect precision to double\n conversion (bsc#943216).\n - CVE-2015-8158: 
Fixed potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n - CVE-2015-7871: NAK to the Future: Symmetric association authentication\n bypass via crypto-NAK (bsc#951608).\n - CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning\n FAIL on some bogus values (bsc#951608).\n - CVE-2015-7854: Password Length Memory Corruption Vulnerability\n (bsc#951608).\n - CVE-2015-7853: Invalid length data provided by a custom refclock driver\n could cause a buffer overflow (bsc#951608).\n - CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability\n (bsc#951608).\n - CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#951608).\n - CVE-2015-7850: remote config logfile-keyfile (bsc#951608).\n - CVE-2015-7849: trusted key use-after-free (bsc#951608).\n - CVE-2015-7848: mode 7 loop counter underrun (bsc#951608).\n - CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#951608).\n - CVE-2015-7703: configuration directives "pidfile" and "driftfile" should\n only be allowed locally (bsc#951608).\n - CVE-2015-7704, 
CVE-2015-7705: Clients that receive a KoD should validate\n the origin timestamp field (bsc#951608).\n - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702: Incomplete autokey data\n packet length checks (bsc#951608).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n - Add a controlkey line to /etc/ntp.conf if one does not already exist to\n allow runtime configuuration via ntpq.\n - bsc#946386: Temporarily disable memlock to avoid problems due to high\n memory usage during name resolution.\n - bsc#905885: Use SHA1 instead of MD5 for symmetric keys.\n - Improve runtime configuration:\n * Read keytype from ntp.conf\n * Don't write ntp keys to syslog.\n - Fix legacy action scripts to pass on command line arguments.\n - bsc#944300: Remove "kod" from the restrict line in ntp.conf.\n - bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.\n - Don't let "keysdir" lines in ntp.conf trigger the "keys" parser.\n - Disable mode 7 (ntpdc) again, now that we don't use it anymore.\n - Add "addserver" as a new legacy action.\n - bsc#910063: Fix the comment regarding addserver in ntp.conf.\n - bsc#926510: Disable chroot by default.\n - bsc#920238: Enable ntpdc for backwards compatibility.\n - bsc#784760: Remove local clock from default configuration.\n - bsc#942441/fate#319496: Require 
perl-Socket6.\n - Improve runtime configuration:\n * Read keytype from ntp.conf\n * Don't write ntp keys to syslog.\n - bsc#920183: Allow -4 and -6 address qualifiers in "server" directives.\n - Use upstream ntp-wait, because our version is incompatible with the new\n ntpq command line syntax.\n\n", "published": "2016-05-17T15:09:17", "cvss": {"score": 2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00048.html", "cvelist": ["CVE-2015-7703", "CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7855", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-5219", "CVE-2015-7704", "CVE-2015-7979", "CVE-2015-7701", "CVE-2015-7976", "CVE-2015-7848", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7692", "CVE-2015-7851", "CVE-2015-7702", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7871", "CVE-2015-7849", "CVE-2015-7691", "CVE-2015-7705", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7850", "CVE-2015-7854", "CVE-2015-7978", "CVE-2015-7853"], "lastseen": "2016-09-04T12:46:49"}, {"id": "SUSE-SU-2016:1247-1", "type": "suse", "title": "Security update for ntp (important)", "description": "ntp was updated to version 4.2.8p6 to fix 28 security issues.\n\n Major functional changes:\n - The "sntp" commandline tool changed its option handling in a major way,\n some options have been renamed or dropped.\n - "controlkey 1" is added during update to ntp.conf to allow sntp to work.\n - The local clock is being disabled during update.\n - ntpd is no longer running chrooted.\n\n Other functional changes:\n - ntp-signd is installed.\n - "enable mode7" can be added to the configuration to allow ntdpc to work\n as compatibility mode option.\n - "kod" was removed from the default restrictions.\n - SHA1 keys are used by default instead of MD5 keys.\n\n Also yast2-ntp-client was updated to match some sntp syntax changes.\n (bsc#937837)\n\n These security issues were fixed:\n - CVE-2015-8158: Fixed 
potential infinite loop in ntpq (bsc#962966).\n - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated\n broadcast mode (bsc#962784).\n - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction\n list (bsc#963000).\n - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in\n filenames (bsc#962802).\n - CVE-2015-7975: nextvar() missing length check (bsc#962988).\n - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation\n between authenticated peers (bsc#962960).\n - CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994).\n - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997).\n - CVE-2015-5300: MITM attacker could have forced ntpd to make a step\n larger than the panic threshold (bsc#951629).\n - CVE-2015-7871: NAK to the Future: Symmetric association authentication\n bypass via crypto-NAK (bsc#951608).\n - CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning\n FAIL on some bogus values (bsc#951608).\n - CVE-2015-7854: Password Length Memory Corruption Vulnerability\n (bsc#951608).\n - CVE-2015-7853: Invalid length data provided by a custom refclock driver\n could cause a buffer overflow (bsc#951608).\n - CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability\n (bsc#951608).\n - CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#951608).\n - CVE-2015-7850: remote config logfile-keyfile (bsc#951608).\n - CVE-2015-7849: trusted key use-after-free (bsc#951608).\n - CVE-2015-7848: mode 7 loop counter underrun (bsc#951608).\n - CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#951608).\n - CVE-2015-7703: configuration directives "pidfile" and "driftfile" should\n only be allowed locally (bsc#951608).\n - CVE-2015-7704, CVE-2015-7705: 
Clients that receive a KoD should validate\n the origin timestamp field (bsc#951608).\n - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702: Incomplete autokey data\n packet length checks (bsc#951608).\n\n These non-security issues were fixed:\n - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP\n (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added\n the authreg directive.\n - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which\n caused the synchronization to fail.\n - bsc#782060: Speedup ntpq.\n - bsc#916617: Add /var/db/ntp-kod.\n - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen\n quite a lot on loaded systems.\n - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST.\n - Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n - Add a controlkey line to /etc/ntp.conf if one does not already exist to\n allow runtime configuuration via ntpq.\n - bsc#946386: Temporarily disable memlock to avoid problems due to high\n memory usage during name resolution.\n - bsc#905885: Use SHA1 instead of MD5 for symmetric keys.\n - Improve runtime configuration:\n * Read keytype from ntp.conf\n * Don't write ntp keys to syslog.\n - Fix legacy action scripts to pass on command line arguments.\n - bsc#944300: Remove "kod" from the restrict line in ntp.conf.\n - bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.\n - Add a controlkey to ntp.conf to make the above work.\n - Don't let "keysdir" lines in ntp.conf trigger the "keys" parser.\n - Disable mode 7 (ntpdc) again, now that we don't use it anymore.\n - Add "addserver" as a new legacy action.\n - bsc#910063: Fix the comment regarding addserver in ntp.conf.\n - bsc#926510: Disable chroot by default.\n - bsc#920238: Enable ntpdc for backwards compatibility.\n\n", "published": "2016-05-06T13:07:50", "cvss": {"score": 
2.1, "vector": "AV:NETWORK/AC:HIGH/Au:SINGLE_INSTANCE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00020.html", "cvelist": ["CVE-2015-7703", "CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7855", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7704", "CVE-2015-7979", "CVE-2015-7701", "CVE-2015-7976", "CVE-2015-7848", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7692", "CVE-2015-7851", "CVE-2015-7702", "CVE-2015-7852", "CVE-2015-7871", "CVE-2015-7849", "CVE-2015-7691", "CVE-2015-7705", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7850", "CVE-2015-7854", "CVE-2015-7978", "CVE-2015-7853"], "lastseen": "2016-09-04T12:27:22"}, {"id": "SUSE-SU-2016:1912-1", "type": "suse", "title": "Security update for ntp (important)", "description": "NTP was updated to version 4.2.8p8 to fix several security issues and to\n ensure the continued maintainability of the package.\n\n These security issues were fixed:\n\n * CVE-2016-4953: Bad authentication demobilized ephemeral associations\n (bsc#982065).\n * CVE-2016-4954: Processing spoofed server packets (bsc#982066).\n * CVE-2016-4955: Autokey association reset (bsc#982067).\n * CVE-2016-4956: Broadcast interleave (bsc#982068).\n * CVE-2016-4957: CRYPTO_NAK crash (bsc#982064).\n * CVE-2016-1547: Validate crypto-NAKs to prevent ACRYPTO-NAK DoS\n (bsc#977459).\n * CVE-2016-1548: Prevent the change of time of an ntpd client or\n denying service to an ntpd client by forcing it to change from basic\n client/server mode to interleaved symmetric mode (bsc#977461).\n * CVE-2016-1549: Sybil vulnerability: ephemeral association attack\n (bsc#977451).\n * CVE-2016-1550: Improve security against buffer comparison timing\n attacks (bsc#977464).\n * CVE-2016-1551: Refclock impersonation vulnerability (bsc#977450)y\n * CVE-2016-2516: Duplicate IPs on unconfig directives could have\n caused an assertion botch in ntpd (bsc#977452).\n * CVE-2016-2517: Remote configuration trustedkey/\n 
requestkey/controlkey values are not properly validated (bsc#977455).\n * CVE-2016-2518: Crafted addpeer with hmode > 7 causes array\n wraparound with MATCH_ASSOC (bsc#977457).\n * CVE-2016-2519: ctl_getitem() return value not always checked\n (bsc#977458).\n * CVE-2015-8158: Potential Infinite Loop in ntpq (bsc#962966).\n * CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).\n * CVE-2015-7979: Off-path Denial of Service (DoS) attack on\n authenticated broadcast mode (bsc#962784).\n * CVE-2015-7978: Stack exhaustion in recursive traversal of\n restriction list (bsc#963000).\n * CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).\n * CVE-2015-7976: ntpq saveconfig command allowed dangerous characters\n in filenames (bsc#962802).\n * CVE-2015-7975: nextvar() missing length check (bsc#962988).\n * CVE-2015-7974: NTP did not verify peer associations of symmetric\n keys when authenticating packets, which might have allowed remote\n attackers to conduct impersonation attacks via an arbitrary trusted\n key, aka a "skeleton" key (bsc#962960).\n * CVE-2015-7973: Replay attack on authenticated broadcast mode\n (bsc#962995).\n * CVE-2015-5300: MITM attacker can force ntpd to make a step larger\n than the panic threshold (bsc#951629).\n * CVE-2015-5194: Crash with crafted logconfig configuration command\n (bsc#943218).\n * CVE-2015-7871: NAK to the Future: Symmetric association\n authentication bypass via crypto-NAK (bsc#952611).\n * CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning\n FAIL on some bogus values (bsc#952611).\n * CVE-2015-7854: Password Length Memory Corruption Vulnerability\n (bsc#952611).\n * CVE-2015-7853: Invalid length data provided by a custom refclock\n driver could cause a buffer overflow (bsc#952611).\n * CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability\n (bsc#952611).\n * CVE-2015-7851: saveconfig Directory Traversal Vulnerability\n (bsc#952611).\n * CVE-2015-7850: Clients that receive a KoD now validate 
the origin\n timestamp field (bsc#952611).\n * CVE-2015-7849: Prevent use-after-free trusted key (bsc#952611).\n * CVE-2015-7848: Prevent mode 7 loop counter underrun (bsc#952611).\n * CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#952611).\n * CVE-2015-7703: Configuration directives "pidfile" and "driftfile"\n should only be allowed locally (bsc#943221).\n * CVE-2015-7704: Clients that receive a KoD should validate the origin\n timestamp field (bsc#952611).\n * CVE-2015-7705: Clients that receive a KoD should validate the origin\n timestamp field (bsc#952611).\n * CVE-2015-7691: Incomplete autokey data packet length checks\n (bsc#952611).\n * CVE-2015-7692: Incomplete autokey data packet length checks\n (bsc#952611).\n * CVE-2015-7702: Incomplete autokey data packet length checks\n (bsc#952611).\n * CVE-2015-1798: The symmetric-key feature in the receive function in\n ntp_proto.c in ntpd in NTP required a correct MAC only if the MAC\n field has a nonzero length, which made it easier for\n man-in-the-middle attackers to spoof packets by omitting the MAC\n (bsc#924202).\n * CVE-2015-1799: The symmetric-key feature in the receive function in\n ntp_proto.c in ntpd in NTP performed state-variable updates upon\n receiving certain invalid packets, which made it easier for\n man-in-the-middle attackers to cause a denial of service\n (synchronization loss) by spoofing the source IP address of a peer\n (bsc#924202).\n\n These non-security issues were fixed:\n\n * Keep the parent process alive until the daemon has finished\n initialisation, to make sure that the PID file exists when the\n parent returns.\n * bsc#979302: Change the process name of the forking DNS worker\n process to avoid the impression that ntpd is started twice.\n * bsc#981422: Don't ignore SIGCHILD because it breaks wait().\n * Separate the creation of ntp.keys and key #1 in it to avoid problems\n when upgrading installations that have the file, but no key #1,\n which is needed e.g. 
by "rcntp addserver".\n * bsc#957226: Restrict the parser in the startup script to the first\n occurrance of "keys" and "controlkey" in ntp.conf.\n * Enable compile-time support for MS-SNTP (--enable-ntp-signd)\n * bsc#975496: Fix ntp-sntp-dst.patch.\n * bsc#962318: Call /usr/sbin/sntp with full path to synchronize in\n start-ntpd. When run as cron job, /usr/sbin/ is not in the path,\n which caused the synchronization to fail.\n * bsc#782060: Speedup ntpq.\n * bsc#951559: Fix the TZ offset output of sntp during DST.\n * bsc#916617: Add /var/db/ntp-kod.\n * bsc#951351: Add ntp-ENOBUFS.patch to limit a warning that might\n happen quite a lot on loaded systems.\n * Add ntp-fork.patch and build with threads disabled to allow name\n resolution even when running chrooted.\n * bnc#784760: Remove local clock from default configuration.\n * Fix incomplete backporting of "rcntp ntptimemset".\n * bsc#936327: Use ntpq instead of deprecated ntpdc in start-ntpd.\n * Don't let "keysdir" lines in ntp.conf trigger the "keys" parser.\n * bsc#910063: Fix the comment regarding addserver in ntp.conf.\n * bsc#944300: Remove "kod" from the restrict line in ntp.conf.\n * bsc#905885: Use SHA1 instead of MD5 for symmetric keys.\n * bsc#926510: Re-add chroot support, but mark it as deprecated and\n disable it by default.\n * bsc#920895: Drop support for running chrooted, because it is an\n ongoing source of problems and not really needed anymore, given that\n ntp now drops privileges and runs under apparmor.\n * bsc#920183: Allow -4 and -6 address qualifiers in "server"\n directives.\n * Use upstream ntp-wait, because our version is incompatible with the\n new ntpq command line syntax.\n * bsc#920905: Adjust Util.pm to the Perl version on SLE11.\n * bsc#920238: Enable ntpdc for backwards compatibility.\n * bsc#920893: Don't use %exclude.\n * bsc#988417: Default to NTPD_FORCE_SYNC_ON_STARTUP="yes"\n * bsc#988565: Ignore errors when removing extra files during\n uninstallation\n * bsc#988558: 
Don't blindly guess the value to use for IP_TOS\n\n Security Issues:\n\n * CVE-2016-4953\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953>\n * CVE-2016-4954\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954>\n * CVE-2016-4955\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955>\n * CVE-2016-4956\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956>\n * CVE-2016-4957\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4957>\n * CVE-2016-1547\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1547>\n * CVE-2016-1548\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548>\n * CVE-2016-1549\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549>\n * CVE-2016-1550\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550>\n * CVE-2016-1551\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1551>\n * CVE-2016-2516\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516>\n * CVE-2016-2517\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2517>\n * CVE-2016-2518\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518>\n * CVE-2016-2519\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2519>\n * 
CVE-2015-8158\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158>\n * CVE-2015-8138\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138>\n * CVE-2015-7979\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979>\n * CVE-2015-7978\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978>\n * CVE-2015-7977\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977>\n * CVE-2015-7976\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976>\n * CVE-2015-7975\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975>\n * CVE-2015-7974\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974>\n * CVE-2015-7973\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973>\n * CVE-2015-5300\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300>\n * CVE-2015-5194\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5194>\n * CVE-2015-7871\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871>\n * CVE-2015-7855\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855>\n * CVE-2015-7854\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854>\n * CVE-2015-7853\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853>\n * 
CVE-2015-7852\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852>\n * CVE-2015-7851\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851>\n * CVE-2015-7850\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850>\n * CVE-2015-7849\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849>\n * CVE-2015-7848\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848>\n * CVE-2015-7701\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701>\n * CVE-2015-7703\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703>\n * CVE-2015-7704\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704>\n * CVE-2015-7705\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705>\n * CVE-2015-7691\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691>\n * CVE-2015-7692\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692>\n * CVE-2015-7702\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702>\n * CVE-2015-1798\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798>\n * CVE-2015-1799\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799>\n\n\n", "published": "2016-07-29T19:08:48", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00026.html", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-7703", 
"CVE-2016-4956", "CVE-2016-4955", "CVE-2015-8138", "CVE-2015-7855", "CVE-2016-4953", "CVE-2015-7973", "CVE-2015-1799", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7704", "CVE-2016-1551", "CVE-2015-7979", "CVE-2016-4954", "CVE-2015-7701", "CVE-2015-7976", "CVE-2015-7848", "CVE-2015-7975", "CVE-2015-7692", "CVE-2016-1547", "CVE-2015-7851", "CVE-2015-7702", "CVE-2016-4957", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7871", "CVE-2015-7849", "CVE-2015-7691", "CVE-2016-2519", "CVE-2016-2517", "CVE-2015-7705", "CVE-2015-1798", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7850", "CVE-2016-1549", "CVE-2015-7854", "CVE-2015-7978", "CVE-2015-7853"], "lastseen": "2016-09-04T11:46:06"}, {"id": "SUSE-SU-2016:2094-1", "type": "suse", "title": "Security update for yast2-ntp-client (important)", "description": "The YaST2 NTP Client was updated to handle the presence of both xntp and\n ntp packages.\n\n If none are installed, "ntp" will be installed.\n\n Security Issues:\n\n * CVE-2016-4953\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4953</a>>\n * CVE-2016-4954\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4954</a>>\n * CVE-2016-4955\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4955</a>>\n * CVE-2016-4956\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4956</a>>\n * CVE-2016-4957\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4957\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4957</a>>\n * CVE-2016-1547\n <<a rel=\"nofollow\" 
href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1547\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1547</a>>\n * CVE-2016-1548\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548</a>>\n * CVE-2016-1549\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1549</a>>\n * CVE-2016-1550\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1550</a>>\n * CVE-2016-1551\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1551\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1551</a>>\n * CVE-2016-2516\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2516</a>>\n * CVE-2016-2517\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2517\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2517</a>>\n * CVE-2016-2518\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2518</a>>\n * CVE-2016-2519\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2519\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2519</a>>\n * CVE-2015-8158\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158</a>>\n * CVE-2015-8138\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138</a>>\n * CVE-2015-7979\n <<a rel=\"nofollow\" 
href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979</a>>\n * CVE-2015-7978\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978</a>>\n * CVE-2015-7977\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977</a>>\n * CVE-2015-7976\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976</a>>\n * CVE-2015-7975\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975</a>>\n * CVE-2015-7974\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974</a>>\n * CVE-2015-7973\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973</a>>\n * CVE-2015-5300\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300</a>>\n * CVE-2015-5194\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5194\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5194</a>>\n * CVE-2015-7871\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7871</a>>\n * CVE-2015-7855\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7855</a>>\n * CVE-2015-7854\n <<a rel=\"nofollow\" 
href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7854</a>>\n * CVE-2015-7853\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7853</a>>\n * CVE-2015-7852\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7852</a>>\n * CVE-2015-7851\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7851</a>>\n * CVE-2015-7850\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7850</a>>\n * CVE-2015-7849\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7849</a>>\n * CVE-2015-7848\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7848</a>>\n * CVE-2015-7701\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7701</a>>\n * CVE-2015-7703\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7703</a>>\n * CVE-2015-7704\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7704</a>>\n * CVE-2015-7705\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7705</a>>\n * CVE-2015-7691\n <<a rel=\"nofollow\" 
href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7691</a>>\n * CVE-2015-7692\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7692</a>>\n * CVE-2015-7702\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7702</a>>\n * CVE-2015-1798\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1798</a>>\n * CVE-2015-1799\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1799</a>>\n\n\n", "published": "2016-08-17T21:08:25", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00042.html", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-7703", "CVE-2016-4956", "CVE-2016-4955", "CVE-2015-8138", "CVE-2015-7855", "CVE-2016-4953", "CVE-2015-7973", "CVE-2015-1799", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7704", "CVE-2016-1551", "CVE-2015-7979", "CVE-2016-4954", "CVE-2015-7701", "CVE-2015-7976", "CVE-2015-7848", "CVE-2015-7975", "CVE-2015-7692", "CVE-2016-1547", "CVE-2015-7851", "CVE-2015-7702", "CVE-2016-4957", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7871", "CVE-2015-7849", "CVE-2015-7691", "CVE-2016-2519", "CVE-2016-2517", "CVE-2015-7705", "CVE-2015-1798", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7850", "CVE-2016-1549", "CVE-2015-7854", "CVE-2015-7978", "CVE-2015-7853"], "lastseen": "2016-09-04T12:46:49"}], "centos": [{"id": "CESA-2016:0780", "type": "centos", "title": "ntp, ntpdate security update", "description": "**CentOS Errata and Security Advisory** 
CESA-2016:0780\n\n\nThe Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service.\n\nSecurity Fix(es):\n\n* It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\n\n* A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701)\n\n* An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852)\n\n* A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977)\n\n* A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd. (CVE-2015-7978)\n\n* It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. (CVE-2015-5194)\n\n* It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command. 
(CVE-2015-5195)\n\n* It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219)\n\n* It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). (CVE-2015-7703)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichv\u00e1r (Red Hat).\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 6.8 Release Notes and Red Hat Enterprise Linux 6.8 Technical Notes linked from the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2016-May/002927.html\n\n**Affected packages:**\nntp\nntp-doc\nntp-perl\nntpdate\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-0780.html", "published": "2016-05-16T10:19:19", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-cr-announce/2016-May/002927.html", "cvelist": ["CVE-2015-7703", "CVE-2015-7977", "CVE-2015-5219", "CVE-2014-9750", "CVE-2015-7701", "CVE-2015-7692", "CVE-2015-7702", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7691", "CVE-2015-5195", "CVE-2015-7978"], "lastseen": "2017-10-03T18:26:08"}, {"id": "CESA-2016:2583", "type": "centos", "title": "ntp, ntpdate, sntp security update", "description": "**CentOS Errata and Security Advisory** CESA-2016:2583\n\n\nThe Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. 
These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service.\n\nSecurity Fix(es):\n\n* It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\n\n* A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701)\n\n* An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852)\n\n* A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977)\n\n* A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd. (CVE-2015-7978)\n\n* It was found that when NTP was configured in broadcast mode, a remote attacker could broadcast packets with bad authentication to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server, causing them to become out of sync over a longer period of time. (CVE-2015-7979)\n\n* It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. 
(CVE-2015-5194)\n\n* It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command. (CVE-2015-5195)\n\n* It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). (CVE-2015-5196, CVE-2015-7703)\n\n* It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219)\n\n* A flaw was found in the way NTP verified trusted keys during symmetric key authentication. An authenticated client (A) could use this flaw to modify a packet sent between a server (B) and a client (C) using a key that is different from the one known to the client (A). (CVE-2015-7974)\n\n* A flaw was found in the way the ntpq client processed certain incoming packets in a loop in the getresponse() function. A remote attacker could potentially use this flaw to crash an ntpq client instance. 
(CVE-2015-8158)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichv\u00e1r (Red Hat).\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2016-November/003635.html\n\n**Affected packages:**\nntp\nntp-doc\nntp-perl\nntpdate\nsntp\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-2583.html", "published": "2016-11-25T16:00:55", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-cr-announce/2016-November/003635.html", "cvelist": ["CVE-2015-7703", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-5219", "CVE-2015-7979", "CVE-2014-9750", "CVE-2015-7701", "CVE-2015-7692", "CVE-2015-7702", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7691", "CVE-2015-5196", "CVE-2015-5195", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-10-03T18:27:01"}], "freebsd": [{"id": "5237F5D7-C020-11E5-B397-D050996490D0", "type": "freebsd", "title": "ntp -- multiple vulnerabilities", "description": "\nNetwork Time Foundation reports:\n\nNTF's NTP Project has been notified of the following low-\n\t and medium-severity vulnerabilities that are fixed in\n\t ntp-4.2.8p6, released on Tuesday, 19 January 2016:\n\nBug 2948 / CVE-2015-8158: Potential Infinite Loop\n\t in ntpq. Reported by Cisco ASIG.\nBug 2945 / CVE-2015-8138: origin: Zero Origin\n\t Timestamp Bypass. Reported by Cisco ASIG.\nBug 2942 / CVE-2015-7979: Off-path Denial of\n\t Service (DoS) attack on authenticated broadcast\n\t mode. Reported by Cisco ASIG.\nBug 2940 / CVE-2015-7978: Stack exhaustion in\n\t recursive traversal of restriction list.\n\t Reported by Cisco ASIG.\nBug 2939 / CVE-2015-7977: reslist NULL pointer\n\t dereference. 
Reported by Cisco ASIG.\nBug 2938 / CVE-2015-7976: ntpq saveconfig command\n\t allows dangerous characters in filenames.\n\t Reported by Cisco ASIG.\nBug 2937 / CVE-2015-7975: nextvar() missing length\n\t check. Reported by Cisco ASIG.\nBug 2936 / CVE-2015-7974: Skeleton Key: Missing\n\t key check allows impersonation between authenticated\n\t peers. Reported by Cisco ASIG.\nBug 2935 / CVE-2015-7973: Deja Vu: Replay attack on\n\t authenticated broadcast mode. Reported by Cisco ASIG.\n\nAdditionally, mitigations are published for the following\n\t two issues:\n\nBug 2947 / CVE-2015-8140: ntpq vulnerable to replay\n\t attacks. Reported by Cisco ASIG.\nBug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc,\n\t disclose origin. Reported by Cisco ASIG.\n\n\n", "published": "2016-01-20T00:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://vuxml.freebsd.org/freebsd/5237f5d7-c020-11e5-b397-d050996490d0.html", "cvelist": ["CVE-2015-8140", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-04-18T17:18:10"}], "redhat": [{"id": "RHSA-2016:0780", "type": "redhat", "title": "(RHSA-2016:0780) Moderate: ntp security and bug fix update", "description": "The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service.\n\nSecurity Fix(es):\n\n* It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. 
(CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\n\n* A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701)\n\n* An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852)\n\n* A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977)\n\n* A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd. (CVE-2015-7978)\n\n* It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. (CVE-2015-5194)\n\n* It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command. (CVE-2015-5195)\n\n* It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219)\n\n* It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). 
(CVE-2015-7703)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichv\u00e1r (Red Hat).\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 6.8 Release Notes and Red Hat Enterprise Linux 6.8 Technical Notes linked from the References section.", "published": "2016-05-10T10:42:20", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2016:0780", "cvelist": ["CVE-2014-9750", "CVE-2015-5194", "CVE-2015-5195", "CVE-2015-5219", "CVE-2015-7691", "CVE-2015-7692", "CVE-2015-7701", "CVE-2015-7702", "CVE-2015-7703", "CVE-2015-7852", "CVE-2015-7977", "CVE-2015-7978"], "lastseen": "2017-08-16T08:13:47"}, {"id": "RHSA-2016:2583", "type": "redhat", "title": "(RHSA-2016:2583) Moderate: ntp security and bug fix update", "description": "The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service.\n\nSecurity Fix(es):\n\n* It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\n\n* A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701)\n\n* An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. 
(CVE-2015-7852)\n\n* A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977)\n\n* A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd. (CVE-2015-7978)\n\n* It was found that when NTP was configured in broadcast mode, a remote attacker could broadcast packets with bad authentication to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server, causing them to become out of sync over a longer period of time. (CVE-2015-7979)\n\n* It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. (CVE-2015-5194)\n\n* It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command. (CVE-2015-5195)\n\n* It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). (CVE-2015-5196, CVE-2015-7703)\n\n* It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219)\n\n* A flaw was found in the way NTP verified trusted keys during symmetric key authentication. 
An authenticated client (A) could use this flaw to modify a packet sent between a server (B) and a client (C) using a key that is different from the one known to the client (A). (CVE-2015-7974)\n\n* A flaw was found in the way the ntpq client processed certain incoming packets in a loop in the getresponse() function. A remote attacker could potentially use this flaw to crash an ntpq client instance. (CVE-2015-8158)\n\nThe CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichv\u00e1r (Red Hat).\n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.", "published": "2016-11-03T10:07:15", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2016:2583", "cvelist": ["CVE-2014-9750", "CVE-2015-5194", "CVE-2015-5195", "CVE-2015-5196", "CVE-2015-5219", "CVE-2015-7691", "CVE-2015-7692", "CVE-2015-7701", "CVE-2015-7702", "CVE-2015-7703", "CVE-2015-7852", "CVE-2015-7974", "CVE-2015-7977", "CVE-2015-7978", "CVE-2015-7979", "CVE-2015-8158"], "lastseen": "2018-04-15T16:22:25"}], "cisco": [{"id": "CISCO-SA-20160127-NTPD", "type": "cisco", "title": "Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: January 2016", "description": "A vulnerability in the Network Time Protocol daemon (ntpd) could allow an authenticated, remote attacker to leverage any trusted key, not just the trusted key for its address.\n\nThe vulnerability exists because ntpd does not properly verify that the key being used matches the proper servers' key. An attacker could exploit this vulnerability by sending packets with any trusted key, as long as the keyid references another key the systems share and that key is used to compute the message authentication code (MAC). 
An exploit could allow the attacker to masquerade as another configured trusted association.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an unauthenticated, adjacent attacker to replay broadcast server packets.\n\nThe vulnerability is due to no replay protection on NTP broadcast packets. An attacker could exploit this vulnerability by capturing and retransmitting NTP broadcast packets to a targeted system. An exploit could allow the attacker to cause time settings on a targeted system to stop updating and maintain a particular time value.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an unauthenticated, remote attacker to modify time settings on a targeted system.\n\nThe vulnerability is due to incorrect processing of NTP update packets. An attacker could exploit this vulnerability by sending crafted updates that contain a zero-origin timestamp to the clients' peer server. An exploit could allow the attacker to modify the time values received by the client, preventing client systems from receiving further updates from its legitimately configured time server.\n\nA vulnerability in the Standard Network Time Protocol query program (ntpq) could allow an unauthenticated, remote attacker to replay a previously captured ntpq command.\n\nThe vulnerability is due to an invalid checking of the sequence number. An attacker could exploit this vulnerability by capturing an authenticated ntpq command that was executed and then replaying back the command at a later stage. An exploit could allow the attacker to replay previously captured ntpq commands.\n\nA vulnerability in the list_restrict4() and list_restrict6() routines of the Network Time Protocol daemon (ntpd) could allow an authenticated, remote attacker to cause the ntpd to crash.\n\nThe vulnerability is due to a null pointer dereference in the list_restrict4() and list_restrict6() routines. 
An attacker could exploit this vulnerability by performing an ntpdc reslist command against a device that has a large number of NTP restrictions in place. An exploit could allow the attacker to cause the ntpd to crash.\n\nA vulnerability in the standard Network Time Protocol query program (ntpq) could allow an unauthenticated, local attacker to execute a buffer overflow attack.\n\nThe vulnerability is due to the function nextvar() executing a memcpy() into the name buffer without a proper length check. An attacker could exploit this vulnerability by calling ntpq to read variable names from an untrusted source, such as a user or environment variable. An exploit could allow the attacker to trigger a buffer overflow.\n\nA vulnerability in the standard and special Network Time Protocol query program (ntpq and ntpdc) could allow an unauthenticated, remote attacker to cause the ntpq or ntpdc program to remain in a processing loop.\n\nThe vulnerability is due to a loop that is not exited under certain conditions in the ntpq and ntpdc processes. An attacker could exploit this vulnerability by sending malicious packets to an ntpq or ntpdc client from a malicious NTP server or from a privileged network position by conducting a man-in-the-middle attack between a targeted client and the NTP server. An exploit could allow the attacker to cause the ntpq or ntpdc process to enter an infinite loop, resulting in a denial of service (DoS) condition.\n\nA vulnerability in the standard and the special Network Time Protocol query program (ntpq and ntpdc) could allow an unauthenticated, remote attacker to obtain the value of the origin timestamp expected in the next peer response.\n\nThe vulnerability is due to ntpq and ntpdc providing this information without requiring authentication. An attacker could exploit this issue by querying the client with the appropriate ntpq or ntpdc commands. 
An exploit could allow the attacker to obtain the next peer response origin timestamp, which could be leveraged in further attacks.\n\nA vulnerability of the Network Time Protocol daemon (ntpd) could allow an authenticated, remote attacker to cause the ntpd to crash by exhausting the call stack.\n\nThe vulnerability exists because function calls to list_restrict4() or list_restrict6() can be made to exhaust space on the call stack. An attacker could exploit this vulnerability by performing an ntpdc reslist command against a device that has a large number of NTP restrictions in place. An exploit could allow the attacker to cause the ntpd to crash.\n\nA vulnerability in the Network Time Protocol daemon (ntpd) could allow an unauthenticated, remote attacker to prevent clients from synchronizing to a time server.\n\nThe vulnerability is due to the improper handling of malicious packets by the broadcast server. An attacker could exploit this vulnerability by sending malicious, authenticated packets to the broadcast network. An exploit could allow the attacker to prevent the broadcast clients from synchronizing with configured time servers.\n\nAn issue in the standard Network Time Protocol query program (ntpq) could allow an authenticated, remote attacker to create files on the system with dangerous characters in the filename.\n\nThe issue is due to improper validation of characters within filenames. An attacker could exploit this issue by saving a filename with the saveconfig command. An exploit could allow the attacker to write filenames to the system that may contain potentially dangerous character sequences.\n\nMultiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package. 
Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to create a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server.\n\nOn January 19, 2016, NTP Consortium at Network Time Foundation released a security advisory detailing 12 issues regarding multiple DoS vulnerabilities, information disclosure vulnerabilities, and logic issues that may allow an attacker to shift a client's time. The vulnerabilities covered in this document are as follows:\n\n CVE-2015-7973: Network Time Protocol Replay Attack on Authenticated Broadcast Mode Vulnerability \n CVE-2015-7974: Network Time Protocol Missing Trusted Key Check\n CVE-2015-7975: Standard Network Time Protocol Query Program nextvar() Missing Length Check\n CVE-2015-7976: Standard Network Time Protocol Query Program saveconfig Command Allows Dangerous Characters in Filenames\n CVE-2015-7978: Network Time Protocol Daemon reslist NULL Pointer Dereference Denial of Service Vulnerability\n CVE-2015-7977: Network Time Protocol Stack Exhaustion Denial of Service\n CVE-2015-7979: Network Time Protocol Off-Path Broadcast Mode Denial of Service \n CVE-2015-8138: Network Time Protocol Zero Origin Timestamp Bypass\n CVE-2015-8139: Network Time Protocol Information Disclosure of Origin Timestamp\n CVE-2015-8140: Standard Network Time Protocol Query Program Replay Attack\n CVE-2015-8158: Standard and Special Network Time Protocol Query Program Infinite loop\n\nAdditional details on each of the vulnerabilities are in the official security advisory from the NTP Consortium at Network Time Foundation at the following link: Security Notice[\"http://nwtime.org/security-policy/\"]\n\nCisco has released software updates that address these vulnerabilities.\n\nWorkarounds that address some of these vulnerabilities may be available. 
Available workarounds will be documented in the corresponding Cisco bug for each affected product. \n\nThis advisory is available at the following link:\n\nhttp://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd", "published": "2016-01-27T20:00:00", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd", "cvelist": ["CVE-2015-7973", "CVE-2015-7974", "CVE-2015-7975", "CVE-2015-7976", "CVE-2015-7977", "CVE-2015-7978", "CVE-2015-7979", "CVE-2015-8138", "CVE-2015-8139", "CVE-2015-8140", "CVE-2015-8158"], "lastseen": "2018-04-07T14:09:58"}], "slackware": [{"id": "SSA-2016-054-04", "type": "slackware", "title": "ntp", "description": "New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,\nand -current to fix security issues.\n\n\nHere are the details from the Slackware 14.1 ChangeLog:\n\npatches/packages/ntp-4.2.8p6-i486-1_slack14.1.txz: Upgraded.\n In addition to bug fixes and enhancements, this release fixes\n several low and medium severity vulnerabilities.\n For more information, see:\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7975\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7976\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7977\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7978\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7979\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8138\n http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8158\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the 
Slackware project! :-)\n\nAlso see the "Get Slack" section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated package for Slackware 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware-13.0/patches/packages/ntp-4.2.8p6-i486-1_slack13.0.txz\n\nUpdated package for Slackware x86_64 13.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.0/patches/packages/ntp-4.2.8p6-x86_64-1_slack13.0.txz\n\nUpdated package for Slackware 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/ntp-4.2.8p6-i486-1_slack13.1.txz\n\nUpdated package for Slackware x86_64 13.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/ntp-4.2.8p6-x86_64-1_slack13.1.txz\n\nUpdated package for Slackware 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/ntp-4.2.8p6-i486-1_slack13.37.txz\n\nUpdated package for Slackware x86_64 13.37:\nftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/ntp-4.2.8p6-x86_64-1_slack13.37.txz\n\nUpdated package for Slackware 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/ntp-4.2.8p6-i486-1_slack14.0.txz\n\nUpdated package for Slackware x86_64 14.0:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/ntp-4.2.8p6-x86_64-1_slack14.0.txz\n\nUpdated package for Slackware 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/ntp-4.2.8p6-i486-1_slack14.1.txz\n\nUpdated package for Slackware x86_64 14.1:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/ntp-4.2.8p6-x86_64-1_slack14.1.txz\n\nUpdated package for Slackware -current:\nftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/ntp-4.2.8p6-i586-1.txz\n\nUpdated package for Slackware x86_64 -current:\nftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/ntp-4.2.8p6-x86_64-1.txz\n\n\nMD5 signatures:\n\nSlackware 13.0 package:\n31365ae4f12849e65d4ad1c8c7d5f89a 
ntp-4.2.8p6-i486-1_slack13.0.txz\n\nSlackware x86_64 13.0 package:\n5a2d24bdacd8dd05ab9e0613c829212b ntp-4.2.8p6-x86_64-1_slack13.0.txz\n\nSlackware 13.1 package:\ne70f7422bc81c144e6fac1df2c202634 ntp-4.2.8p6-i486-1_slack13.1.txz\n\nSlackware x86_64 13.1 package:\nf6637f6d24b94a6b17c68467956a6283 ntp-4.2.8p6-x86_64-1_slack13.1.txz\n\nSlackware 13.37 package:\n82601e105f95e324dfd1e2f0df513673 ntp-4.2.8p6-i486-1_slack13.37.txz\n\nSlackware x86_64 13.37 package:\nd3ba32d46f7eef8f75a3444bbee4c677 ntp-4.2.8p6-x86_64-1_slack13.37.txz\n\nSlackware 14.0 package:\nc5ff13e58fbbea0b7a677e947449e7b1 ntp-4.2.8p6-i486-1_slack14.0.txz\n\nSlackware x86_64 14.0 package:\n9e2abfaf0b0b7bf84a8a4db89f60eff6 ntp-4.2.8p6-x86_64-1_slack14.0.txz\n\nSlackware 14.1 package:\ne1e6b84808b7562314e0e29479153553 ntp-4.2.8p6-i486-1_slack14.1.txz\n\nSlackware x86_64 14.1 package:\n8db0a4ca68805c7f5e487d5bcd69d098 ntp-4.2.8p6-x86_64-1_slack14.1.txz\n\nSlackware -current package:\nf96f443f54a74c20b5eb67467f5958ea n/ntp-4.2.8p6-i586-1.txz\n\nSlackware x86_64 -current package:\n5e256f2e1906b4c75047a966996a7a41 n/ntp-4.2.8p6-x86_64-1.txz\n\n\nInstallation instructions:\n\nUpgrade the package as root:\n > upgradepkg ntp-4.2.8p6-i486-1_slack14.1.txz\n\nThen, restart the NTP daemon:\n\n > sh /etc/rc.d/rc.ntpd restart", "published": "2016-02-23T11:51:20", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2016&m=slackware-security.546478", "cvelist": ["CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-8158", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-7975", "CVE-2015-5300", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2018-02-02T18:11:31"}], "debian": [{"id": "DSA-3629", "type": "debian", "title": "ntp -- security update", "description": "Several vulnerabilities were discovered in the Network Time Protocol daemon and utility programs:\n\n * 
[CVE-2015-7974](<https://security-tracker.debian.org/tracker/CVE-2015-7974>)\n\nMatt Street discovered that insufficient key validation allows impersonation attacks between authenticated peers.\n\n * [CVE-2015-7977](<https://security-tracker.debian.org/tracker/CVE-2015-7977>) [CVE-2015-7978](<https://security-tracker.debian.org/tracker/CVE-2015-7978>)\n\nStephen Gray discovered that a NULL pointer dereference and a buffer overflow in the handling of ntpdc reslist commands may result in denial of service.\n\n * [CVE-2015-7979](<https://security-tracker.debian.org/tracker/CVE-2015-7979>)\n\nAanchal Malhotra discovered that if NTP is configured for broadcast mode, an attacker can send malformed authentication packets which break associations with the server for other broadcast clients.\n\n * [CVE-2015-8138](<https://security-tracker.debian.org/tracker/CVE-2015-8138>)\n\nMatthew van Gundy and Jonathan Gardner discovered that missing validation of origin timestamps in ntpd clients may result in denial of service.\n\n * [CVE-2015-8158](<https://security-tracker.debian.org/tracker/CVE-2015-8158>)\n\nJonathan Gardner discovered that missing input sanitising in ntpq may result in denial of service.\n\n * [CVE-2016-1547](<https://security-tracker.debian.org/tracker/CVE-2016-1547>)\n\nStephen Gray and Matthew van Gundy discovered that incorrect handling of crypto NAK packets may result in denial of service.\n\n * [CVE-2016-1548](<https://security-tracker.debian.org/tracker/CVE-2016-1548>)\n\nJonathan Gardner and Miroslav Lichvar discovered that ntpd clients could be forced to change from basic client/server mode to interleaved symmetric mode, preventing time synchronisation.\n\n * [CVE-2016-1550](<https://security-tracker.debian.org/tracker/CVE-2016-1550>)\n\nMatthew van Gundy, Stephen Gray and Loganaden Velvindron discovered that timing leaks in the packet authentication code could result in recovery of a message digest.\n\n * 
[CVE-2016-2516](<https://security-tracker.debian.org/tracker/CVE-2016-2516>)\n\nYihan Lian discovered that duplicate IPs on unconfig directives will trigger an assert.\n\n * [CVE-2016-2518](<https://security-tracker.debian.org/tracker/CVE-2016-2518>)\n\nYihan Lian discovered that an OOB memory access could potentially crash ntpd.\n\nFor the stable distribution (jessie), these problems have been fixed in version 1:4.2.6.p5+dfsg-7+deb8u2.\n\nFor the testing distribution (stretch), these problems have been fixed in version 1:4.2.8p7+dfsg-1.\n\nFor the unstable distribution (sid), these problems have been fixed in version 1:4.2.8p7+dfsg-1.\n\nWe recommend that you upgrade your ntp packages.", "published": "2016-07-25T00:00:00", "cvss": {"score": 7.1, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-3629", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-8138", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7979", "CVE-2016-1547", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-10-05T13:14:19"}], "oraclelinux": [{"id": "ELSA-2016-0780", "type": "oraclelinux", "title": "ntp security and bug fix update", "description": "[4.2.6p5-10]\n- don't accept server/peer packets with zero origin timestamp (CVE-2015-8138)\n- fix crash with reslist command (CVE-2015-7977, CVE-2015-7978)\n[4.2.6p5-9]\n- fix crash with invalid logconfig command (CVE-2015-5194)\n- fix crash when referencing disabled statistic type (CVE-2015-5195)\n- don't hang in sntp with crafted reply (CVE-2015-5219)\n- don't crash with crafted autokey packet (CVE-2015-7691, CVE-2015-7692,\n CVE-2015-7702)\n- fix memory leak with autokey (CVE-2015-7701)\n- don't allow setting driftfile and pidfile remotely (CVE-2015-7703)\n- don't crash in ntpq with crafted packet (CVE-2015-7852)\n- add option to set Differentiated Services Code Point (DSCP) (#1228314)\n- extend rawstats log (#1242895)\n- fix resetting of leap 
status (#1243034)\n- report clock state changes related to leap seconds (#1242937)\n- allow -4/-6 on restrict lines with mask (#1232146)\n- retry joining multicast groups (#1288534)\n- explain synchronised state in ntpstat man page (#1286969)\n[4.2.6p5-7]\n- check origin timestamp before accepting KoD RATE packet (CVE-2015-7704)\n- allow only one step larger than panic threshold with -g (CVE-2015-5300)", "published": "2016-05-12T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2016-0780.html", "cvelist": ["CVE-2015-7703", "CVE-2015-8138", "CVE-2015-7977", "CVE-2015-5219", "CVE-2015-7704", "CVE-2015-7701", "CVE-2015-7692", "CVE-2015-7702", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7691", "CVE-2015-5300", "CVE-2015-5195", "CVE-2015-7978"], "lastseen": "2017-08-16T11:10:48"}, {"id": "ELSA-2016-2583", "type": "oraclelinux", "title": "ntp security and bug fix update", "description": "[4.2.6p5-25.0.1]\n- add disable monitor to default ntp.conf [CVE-2013-5211]\n[4.2.6p5-25]\n- don't allow spoofed packet to enable symmetric interleaved mode\n (CVE-2016-1548)\n- check mode of new source in config command (CVE-2016-2518)\n- make MAC check resilient against timing attack (CVE-2016-1550)\n[4.2.6p5-24]\n- fix crash with invalid logconfig command (CVE-2015-5194)\n- fix crash when referencing disabled statistic type (CVE-2015-5195)\n- don't hang in sntp with crafted reply (CVE-2015-5219)\n- don't crash with crafted autokey packet (CVE-2015-7691, CVE-2015-7692,\n CVE-2015-7702)\n- fix memory leak with autokey (CVE-2015-7701)\n- don't allow setting driftfile and pidfile remotely (CVE-2015-7703)\n- don't crash in ntpq with crafted packet (CVE-2015-7852)\n- check key ID in packets authenticated with symmetric key (CVE-2015-7974)\n- fix crash with reslist command (CVE-2015-7977, CVE-2015-7978)\n- don't allow spoofed packets to demobilize associations (CVE-2015-7979,\n CVE-2016-1547)\n- 
don't accept server/peer packets with zero origin timestamp (CVE-2015-8138)\n- fix infinite loop in ntpq/ntpdc (CVE-2015-8158)\n- fix resetting of leap status (#1242553)\n- extend rawstats log (#1242877)\n- report clock state changes related to leap seconds (#1242935)\n- allow -4/-6 on restrict lines with mask (#1304492)\n- explain synchronised state in ntpstat man page (#1309594)", "published": "2016-11-09T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2016-2583.html", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-7703", "CVE-2015-8138", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2015-5219", "CVE-2013-5211", "CVE-2015-7979", "CVE-2015-7701", "CVE-2015-7692", "CVE-2016-1547", "CVE-2015-7702", "CVE-2015-5194", "CVE-2015-7852", "CVE-2015-7691", "CVE-2015-5196", "CVE-2015-5195", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2017-08-16T11:11:48"}], "cloudfoundry": [{"id": "CFOUNDRY:0B67E4FF46553AC705FD601C96C1A6B6", "type": "cloudfoundry", "title": "USN-3096-1: NTP vulnerabilities - Cloud Foundry", "description": "USN-3096-1 NTP vulnerabilities\n\n# \n\nMedium\n\n# Vendor\n\nCanonical Ubuntu\n\n# Versions Affected\n\nCanonical Ubuntu 14.04 LTS\n\n# Description\n\nAanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to perform a replay attack. (CVE-2015-7973)\n\nMatt Street discovered that NTP incorrectly verified peer associations of symmetric keys. A remote attacker could use this issue to perform an impersonation attack. (CVE-2015-7974)\n\nJonathan Gardner discovered that the NTP ntpq utility incorrectly handled dangerous characters in filenames. An attacker could possibly use this issue to overwrite arbitrary files. (CVE-2015-7976)\n\nStephen Gray discovered that NTP incorrectly handled large restrict lists. 
An attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7977, CVE-2015-7978)\n\nAanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7979)\n\nJonathan Gardner discovered that NTP incorrectly handled origin timestamp checks. A remote attacker could use this issue to spoof peer servers. (CVE-2015-8138)\n\nJonathan Gardner discovered that the NTP ntpq utility did not properly handle certain incorrect values. An attacker could possibly use this issue to cause ntpq to hang, resulting in a denial of service. (CVE-2015-8158)\n\nIt was discovered that the NTP cronjob incorrectly cleaned up the statistics directory. A local attacker could possibly use this to escalate privileges. (CVE-2016-0727)\n\nStephen Gray and Matthew Van Gundy discovered that NTP incorrectly validated crypto-NAKs. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1547)\n\nMiroslav Lichvar and Jonathan Gardner discovered that NTP incorrectly handled switching to interleaved symmetric mode. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1548)\n\nMatthew Van Gundy, Stephen Gray and Loganaden Velvindron discovered that NTP incorrectly handled message authentication. A remote attacker could possibly use this issue to recover the message digest key. (CVE-2016-1550)\n\nYihan Lian discovered that NTP incorrectly handled duplicate IPs on unconfig directives. An authenticated remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2516)\n\nYihan Lian discovered that NTP incorrectly handled certain peer associations. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. 
(CVE-2016-2518)\n\nJakub Prokes discovered that NTP incorrectly handled certain spoofed packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4954)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain packets when autokey is enabled. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4955)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain spoofed broadcast packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4956)\n\nIn the default installation, attackers would be isolated by the NTP AppArmor profile.\n\n# Affected Cloud Foundry Products and Versions\n\nSeverity is medium unless otherwise noted.\n\nCloud Foundry BOSH stemcells are vulnerable, including:\n\n * All versions prior to 3146.24\n * 3151.x versions prior to 3151.2\n * 3232.x versions prior to 3232.22\n * 3233.x versions prior to 3233.2\n * 3262.x versions prior to 3262.21\n * Other versions prior to 3263.7\n\n# Mitigation\n\nThe Cloud Foundry team recommends upgrading to the following BOSH stemcells:\n\n * Upgrade all versions prior to 3146.x to 3146.24\n * Upgrade 3151.x versions to 3151.2\n * Upgrade 3232.x versions to 3232.22\n * Upgrade 3233.x versions to 3233.2\n * Upgrade 3262.x versions to 3262.21\n * Upgrade other versions to 3263.7\n\n# Credit\n\nMatt Street, Aanchal Malhotra, Jonathan Gardner, Matthew Van Gundy, Stephen Gray, Loganaden Velvindron, Yihan Lian, Jakub Prokes, Miroslav Lichvar\n\n# References\n\n * <https://www.ubuntu.com/usn/usn-3096-1/>\n", "published": "2016-12-21T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.cloudfoundry.org/blog/usn-3096-1/", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2016-4956", "CVE-2016-4955", "CVE-2015-8138", "CVE-2016-0727", "CVE-2015-7973", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", 
"CVE-2015-7979", "CVE-2016-4954", "CVE-2015-7976", "CVE-2016-1547", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2018-01-12T14:52:51"}], "ubuntu": [{"id": "USN-3096-1", "type": "ubuntu", "title": "NTP vulnerabilities", "description": "Aanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to perform a replay attack. (CVE-2015-7973)\n\nMatt Street discovered that NTP incorrectly verified peer associations of symmetric keys. A remote attacker could use this issue to perform an impersonation attack. (CVE-2015-7974)\n\nJonathan Gardner discovered that the NTP ntpq utility incorrectly handled memory. An attacker could possibly use this issue to cause ntpq to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2015-7975)\n\nJonathan Gardner discovered that the NTP ntpq utility incorrectly handled dangerous characters in filenames. An attacker could possibly use this issue to overwrite arbitrary files. (CVE-2015-7976)\n\nStephen Gray discovered that NTP incorrectly handled large restrict lists. An attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7977, CVE-2015-7978)\n\nAanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7979)\n\nJonathan Gardner discovered that NTP incorrectly handled origin timestamp checks. A remote attacker could use this issue to spoof peer servers. (CVE-2015-8138)\n\nJonathan Gardner discovered that the NTP ntpq utility did not properly handle certain incorrect values. An attacker could possibly use this issue to cause ntpq to hang, resulting in a denial of service. (CVE-2015-8158)\n\nIt was discovered that the NTP cronjob incorrectly cleaned up the statistics directory. A local attacker could possibly use this to escalate privileges. 
(CVE-2016-0727)\n\nStephen Gray and Matthew Van Gundy discovered that NTP incorrectly validated crypto-NAKs. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1547)\n\nMiroslav Lichvar and Jonathan Gardner discovered that NTP incorrectly handled switching to interleaved symmetric mode. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1548)\n\nMatthew Van Gundy, Stephen Gray and Loganaden Velvindron discovered that NTP incorrectly handled message authentication. A remote attacker could possibly use this issue to recover the message digest key. (CVE-2016-1550)\n\nYihan Lian discovered that NTP incorrectly handled duplicate IPs on unconfig directives. An authenticated remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2516)\n\nYihan Lian discovered that NTP incorrectly handled certain peer associations. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2518)\n\nJakub Prokes discovered that NTP incorrectly handled certain spoofed packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4954)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain packets when autokey is enabled. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4955)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain spoofed broadcast packets. A remote attacker could possibly use this issue to cause a denial of service. 
(CVE-2016-4956)\n\nIn the default installation, attackers would be isolated by the NTP AppArmor profile.", "published": "2016-10-05T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/3096-1/", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2016-4956", "CVE-2016-4955", "CVE-2015-8138", "CVE-2016-0727", "CVE-2015-7973", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7979", "CVE-2016-4954", "CVE-2015-7976", "CVE-2015-7975", "CVE-2016-1547", "CVE-2015-7974", "CVE-2015-7978"], "lastseen": "2018-03-29T18:17:58"}], "cert": [{"id": "VU:718152", "type": "cert", "title": "NTP.org ntpd contains multiple vulnerabilities", "description": "### Overview\n\nThe NTP.org reference implementation of `ntpd` contains multiple vulnerabilities.\n\n### Description\n\nNTP.org's reference implementation of NTP server, `ntpd`, contains multiple vulnerabilities. \n\n[**CWE-294**](<http://cwe.mitre.org/data/definitions/294.html>)**: Authentication Bypass by Capture-replay - **CVE-2015-7973 \n \nAn attacker on the network can record and replay authenticated broadcast mode packets. Also known as the \"Deja Vu\" attack. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-7974 \n \nA missing key check allows impersonation between authenticated peers. Also known as the \"Skeleton Key\" attack. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-7975 \n \nThe `nextvar()` function does not properly validate length. 
\n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-7976 \n \n`ntpq saveconfig` command allows dangerous characters in filenames \n \n[**CWE-476**](<http://cwe.mitre.org/data/definitions/476.html>)**: NULL Pointer Dereference - **CVE-2015-7977 \n \n`reslist` NULL pointer dereference \n \n[**CWE-400**](<http://cwe.mitre.org/data/definitions/400.html>)**: Uncontrolled Resource Consumption ('Resource Exhaustion') - **CVE-2015-7978 \n \nStack exhaustion in recursive traversal of restriction list \n \n[**CWE-821**](<http://cwe.mitre.org/data/definitions/821.html>)**: Incorrect Synchronization - **CVE-2015-7979 \n \nOff-path Denial of Service (DoS) attack on authenticated broadcast and other pre-emptable modes \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-8138 \n \nZero Origin Timestamp Bypass \n \n[**CWE-200**](<http://cwe.mitre.org/data/definitions/200.html>)**: Information Exposure - **CVE-2015-8139 \n \nNetwork Time Protocol ntpq and ntpdc Origin Timestamp Disclosure Vulnerability \n<http://support.ntp.org/bin/view/Main/NtpBug2946> \n \n[**CWE-294**](<http://cwe.mitre.org/data/definitions/294.html>)**: Authentication Bypass by Capture-replay - **CVE-2015-8140 \n \nNetwork Time Protocol ntpq Control Protocol Replay Vulnerability \n<http://support.ntp.org/bin/view/Main/NtpBug2947> \n \n[**CWE-400**](<http://cwe.mitre.org/data/definitions/400.html>)**: Uncontrolled Resource Consumption ('Resource Exhaustion') - **CVE-2015-8158 \n \nPotential Infinite Loop in ntpq \n<http://support.ntp.org/bin/view/Main/NtpBug2948> \n \n[**CWE-821**](<http://cwe.mitre.org/data/definitions/821.html>)**: Incorrect Synchronization - **CVE-2016-1547 \n \nAn off-path attacker can deny service to `ntpd` clients by demobilizing preemptable associations using spoofed crypto-NAK packets. This vulnerability involves different code paths than those used by CVE-2015-7979. 
\n \n[**CWE-290**](<http://cwe.mitre.org/data/definitions/290.html>)**: Authentication Bypass by Spoofing - **CVE-2016-1548 \n \nBy spoofing packets from a legitimate server, an attacker can change the time of an `ntpd` client or deny service to an `ntpd` client by forcing it to change from basic client/server mode to interleaved symmetric mode. \n \n[**CWE-362**](<http://cwe.mitre.org/data/definitions/362.html>)**: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') - **CVE-2016-1549 \n \nntpd does not prevent Sybil attacks from authenticated peers. A malicious authenticated peer can create any number of ephemeral associations in order to win ntpd's clock selection algorithm and modify a victim's clock. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2016-1550 \n \nntpd does not use a constant-time memory comparison function when validating the authentication digest on incoming packets. In some situations this may allow an attacker to conduct a timing attack to compute the value of the valid authentication digest causing forged packets to be accepted by `ntpd`. \n \n[**CWE-290**](<http://cwe.mitre.org/data/definitions/290.html>)**: Authentication Bypass by Spoofing - **CVE-2016-1551 \n \nntpd does not filter IPv4 bogon packets received from the network. This allows unauthenticated network attackers to spoof refclock packets to ntpd processes on systems that do not implement bogon filtering. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2016-2516, CVE-2016-2517 \n \nDuplicate IPs on `unconfig` directives will cause an assertion botch in `ntpd`. A regression caused by the patch for CVE-2016-2516 was fixed and identified as CVE-2016-2517. 
\n \n[**CWE-125**](<http://cwe.mitre.org/data/definitions/125.html>)**: Out-of-bounds Read - **CVE-2016-2518 \n \nUsing a crafted packet to create a peer association with hmode > 7 causes the MATCH_ASSOC() lookup to make an out-of-bounds reference. \n \n[**CWE-119**](<http://cwe.mitre.org/data/definitions/119.html>)**: Improper Restriction of Operations within the Bounds of a Memory Buffer - **CVE-2016-2519 \n \n`ntpq` and `ntpdc` can be used to store and retrieve information in `ntpd`. It is possible to store a data value that is larger than the size of the buffer that the `ctl_getitem()` function of `ntpd` uses to report the return value. If the length of the requested data value returned by `ctl_getitem()` is too large, the value NULL is returned instead. There are 2 cases where the return value from `ctl_getitem()` was not directly checked to make sure it's not NULL, but there are subsequent INSIST() checks that make sure the return value is not NULL. There are no data values ordinarily stored in `ntpd` that would exceed this buffer length. But if one has permission to store values and one stores a value that is \"too large\", then `ntpd` will abort if an attempt is made to read that oversized value. \n \n[**CWE-20**](<http://cwe.mitre.org/data/definitions/20.html>)**: Improper Input Validation - **CVE-2015-7704**, **CVE-2015-7705 \n \nAn ntpd client that honors Kiss-of-Death (KoD) responses will honor KoD messages that have been forged by an attacker, causing it to delay or stop querying its servers for time updates. Also, an attacker can forge packets that claim to be from the target and send them to servers often enough that a server that implements KoD rate limiting will send the target machine a KoD response to attempt to reduce the rate of incoming packets, or it may also trigger a firewall block at the server for packets from the target machine. For either of these attacks to succeed, the attacker must know what servers the target is communicating with. 
An attacker can be anywhere on the Internet and can frequently learn the identity of the target's time source by sending the target a time query. \n \nFor more information on these vulnerabilities, please see NTP.org's [April 2016 security advisory](<http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security>) as well as the [January 2016 security advisory](<http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit>). \n \n--- \n \n### Impact\n\nUnauthenticated remote attackers may be able to spoof packets to cause denial of service, authentication bypass on commands, or certain configuration changes. For more information on these vulnerabilities, please see NTP.org's [April 2016 security advisory](<http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security>) as well as the [January 2016 security advisory](<http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit>). \n \n--- \n \n### Solution\n\n**Apply an update** \n \nPartial patches for some of these issues were initially released in January 2016 as version 4.2.8p6. Complete patches for all of these issues are now available in version [4.2.8p7](<http://www.ntp.org/downloads.html>), released 2016-04-26. Affected users are encouraged to update as soon as possible. 
\n \n--- \n \n### Vendor Information \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nNTP Project| | 19 Jan 2016| 22 Apr 2016 \nACCESS| | 25 Apr 2016| 25 Apr 2016 \nAlcatel-Lucent| | 25 Apr 2016| 25 Apr 2016 \nApple| | 25 Apr 2016| 25 Apr 2016 \nArista Networks, Inc.| | 25 Apr 2016| 25 Apr 2016 \nAruba Networks| | 25 Apr 2016| 25 Apr 2016 \nAT&T| | 25 Apr 2016| 25 Apr 2016 \nAvaya, Inc.| | 25 Apr 2016| 25 Apr 2016 \nBelkin, Inc.| | 25 Apr 2016| 25 Apr 2016 \nBlue Coat Systems| | 25 Apr 2016| 25 Apr 2016 \nCA Technologies| | 25 Apr 2016| 25 Apr 2016 \nCentOS| | 25 Apr 2016| 25 Apr 2016 \nCheck Point Software Technologies| | 25 Apr 2016| 25 Apr 2016 \nCisco| | 08 Jan 2016| 08 Jan 2016 \nCoreOS| | 25 Apr 2016| 25 Apr 2016 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23718152 Vendor Status Inquiry>). \n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 6.8 | AV:N/AC:M/Au:N/C:P/I:P/A:P \nTemporal | 5.3 | E:POC/RL:OF/RC:C \nEnvironmental | 5.3 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n \n### References\n\n * <http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security>\n * <http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit>\n\n### Credit\n\nThanks to Cisco TALOS for reporting many of these issues to us. 
The Network Time Foundation credits many researchers for these vulnerabilities; see NTP.org's [January 2016](<http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit>) and [April 2016](<http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security>) security advisories for the complete list.\n\nThis document was written by Garret Wassermann.\n\n### Other Information\n\n * CVE IDs: [CVE-2015-7704](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7704>) [CVE-2015-7705](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7705>) [CVE-2015-7973](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7973>) [CVE-2015-7974](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7974>) [CVE-2015-7975](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7975>) [CVE-2015-7976](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7976>) [CVE-2015-7977](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7977>) [CVE-2015-7978](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7978>) [CVE-2015-7979](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7979>) [CVE-2015-8138](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8138>) [CVE-2015-8139](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8139>) [CVE-2015-8140](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8140>) [CVE-2015-8158](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8158>) [CVE-2016-1547](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1547>) [CVE-2016-1548](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1548>) [CVE-2016-1549](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1549>) [CVE-2016-1550](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1550>) [CVE-2016-1551](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1551>) [CVE-2016-2516](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2516>) 
[CVE-2016-2517](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2517>) [CVE-2016-2518](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2518>) [CVE-2016-2519](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2519>)\n * Date Public: 26 Apr 2016\n * Date First Published: 27 Apr 2016\n * Date Last Updated: 28 Apr 2016\n * Document Revision: 48\n\n", "published": "2016-04-27T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.kb.cert.org/vuls/id/718152", "cvelist": ["CVE-2016-1548", "CVE-2016-1548", "CVE-2016-1548", "CVE-2016-2518", "CVE-2016-2518", "CVE-2016-2518", "CVE-2015-8140", "CVE-2015-8140", "CVE-2015-8140", "CVE-2015-8138", "CVE-2015-8138", "CVE-2015-8138", "CVE-2015-7973", "CVE-2015-7973", "CVE-2015-7973", "CVE-2015-7977", "CVE-2015-7977", "CVE-2015-7977", "CVE-2016-1550", "CVE-2016-1550", "CVE-2016-1550", "CVE-2015-8158", "CVE-2015-8158", "CVE-2015-8158", "CVE-2016-2516", "CVE-2016-2516", "CVE-2016-2516", "CVE-2016-2516", "CVE-2015-7704", "CVE-2015-7704", "CVE-2015-7704", "CVE-2016-1551", "CVE-2016-1551", "CVE-2016-1551", "CVE-2015-7979", "CVE-2015-7979", "CVE-2015-7979", "CVE-2015-7979", "CVE-2015-7976", "CVE-2015-7976", "CVE-2015-7976", "CVE-2015-8139", "CVE-2015-8139", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7975", "CVE-2015-7975", "CVE-2016-1547", "CVE-2016-1547", "CVE-2016-1547", "CVE-2016-2519", "CVE-2016-2519", "CVE-2016-2519", "CVE-2016-2517", "CVE-2016-2517", "CVE-2016-2517", "CVE-2016-2517", "CVE-2015-7705", "CVE-2015-7705", "CVE-2015-7705", "CVE-2015-7974", "CVE-2015-7974", "CVE-2015-7974", "CVE-2016-1549", "CVE-2016-1549", "CVE-2016-1549", "CVE-2015-7978", "CVE-2015-7978", "CVE-2015-7978"], "lastseen": "2017-08-16T11:10:15"}], "gentoo": [{"id": "GLSA-201607-15", "type": "gentoo", "title": "NTP: Multiple vulnerabilities", "description": "### Background\n\nNTP contains software for the Network Time Protocol.\n\n### Description\n\nMultiple 
vulnerabilities have been discovered in NTP. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker could possibly cause a Denial of Service condition.\n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll NTP users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=net-misc/ntp-4.2.8_p8\"", "published": "2016-07-20T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://security.gentoo.org/glsa/201607-15", "cvelist": ["CVE-2016-1548", "CVE-2016-2518", "CVE-2015-7703", "CVE-2016-4956", "CVE-2015-8140", "CVE-2016-4955", "CVE-2015-8138", "CVE-2015-7855", "CVE-2016-4953", "CVE-2015-7973", "CVE-2015-7977", "CVE-2016-1550", "CVE-2015-8158", "CVE-2016-2516", "CVE-2015-7704", "CVE-2016-1551", "CVE-2015-7979", "CVE-2016-4954", "CVE-2015-7701", "CVE-2015-7976", "CVE-2015-7848", "CVE-2015-8139", "CVE-2015-7975", "CVE-2015-7692", "CVE-2016-1547", "CVE-2015-7851", "CVE-2015-7702", "CVE-2016-4957", "CVE-2015-7852", "CVE-2015-7871", "CVE-2015-7849", "CVE-2015-7691", "CVE-2016-2519", "CVE-2016-2517", "CVE-2015-7705", "CVE-2015-7974", "CVE-2015-7850", "CVE-2016-1549", "CVE-2015-7854", "CVE-2015-7978", "CVE-2015-7853"], "lastseen": "2016-09-06T19:47:00"}]}}