ID CVE-2015-8158
Summary The getresponse function in ntpq in NTP versions before 4.2.8p9 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (infinite loop) via crafted packets with incorrect values.
References
Vulnerable Configurations
  • NTP 4.2.8 Patch 5
    cpe:2.3:a:ntp:ntp:4.2.8:p5
  • NTP 4.3.0
    cpe:2.3:a:ntp:ntp:4.3.0
  • NTP 4.3.1
    cpe:2.3:a:ntp:ntp:4.3.1
  • NTP 4.3.2
    cpe:2.3:a:ntp:ntp:4.3.2
  • NTP 4.3.3
    cpe:2.3:a:ntp:ntp:4.3.3
  • NTP 4.3.4
    cpe:2.3:a:ntp:ntp:4.3.4
  • NTP 4.3.5
    cpe:2.3:a:ntp:ntp:4.3.5
  • NTP 4.3.6
    cpe:2.3:a:ntp:ntp:4.3.6
  • NTP 4.3.7
    cpe:2.3:a:ntp:ntp:4.3.7
  • NTP 4.3.8
    cpe:2.3:a:ntp:ntp:4.3.8
  • NTP 4.3.10
    cpe:2.3:a:ntp:ntp:4.3.10
  • NTP 4.3.11
    cpe:2.3:a:ntp:ntp:4.3.11
  • NTP 4.3.12
    cpe:2.3:a:ntp:ntp:4.3.12
  • NTP 4.3.13
    cpe:2.3:a:ntp:ntp:4.3.13
  • NTP 4.3.14
    cpe:2.3:a:ntp:ntp:4.3.14
  • NTP 4.3.15
    cpe:2.3:a:ntp:ntp:4.3.15
  • NTP 4.3.16
    cpe:2.3:a:ntp:ntp:4.3.16
  • NTP 4.3.17
    cpe:2.3:a:ntp:ntp:4.3.17
  • NTP 4.3.18
    cpe:2.3:a:ntp:ntp:4.3.18
  • NTP 4.3.19
    cpe:2.3:a:ntp:ntp:4.3.19
  • NTP 4.3.20
    cpe:2.3:a:ntp:ntp:4.3.20
  • NTP 4.3.21
    cpe:2.3:a:ntp:ntp:4.3.21
  • NTP 4.3.22
    cpe:2.3:a:ntp:ntp:4.3.22
  • NTP 4.3.23
    cpe:2.3:a:ntp:ntp:4.3.23
  • NTP 4.3.24
    cpe:2.3:a:ntp:ntp:4.3.24
  • NTP 4.3.25
    cpe:2.3:a:ntp:ntp:4.3.25
  • NTP 4.3.26
    cpe:2.3:a:ntp:ntp:4.3.26
  • NTP 4.3.27
    cpe:2.3:a:ntp:ntp:4.3.27
  • NTP 4.3.28
    cpe:2.3:a:ntp:ntp:4.3.28
  • NTP 4.3.29
    cpe:2.3:a:ntp:ntp:4.3.29
  • NTP 4.3.30
    cpe:2.3:a:ntp:ntp:4.3.30
  • NTP 4.3.31
    cpe:2.3:a:ntp:ntp:4.3.31
  • NTP 4.3.32
    cpe:2.3:a:ntp:ntp:4.3.32
  • NTP 4.3.33
    cpe:2.3:a:ntp:ntp:4.3.33
  • NTP 4.3.34
    cpe:2.3:a:ntp:ntp:4.3.34
  • NTP 4.3.35
    cpe:2.3:a:ntp:ntp:4.3.35
  • NTP 4.3.36
    cpe:2.3:a:ntp:ntp:4.3.36
  • NTP 4.3.37
    cpe:2.3:a:ntp:ntp:4.3.37
  • NTP 4.3.38
    cpe:2.3:a:ntp:ntp:4.3.38
  • NTP 4.3.39
    cpe:2.3:a:ntp:ntp:4.3.39
  • NTP 4.3.40
    cpe:2.3:a:ntp:ntp:4.3.40
  • NTP 4.3.41
    cpe:2.3:a:ntp:ntp:4.3.41
  • NTP 4.3.42
    cpe:2.3:a:ntp:ntp:4.3.42
  • NTP 4.3.43
    cpe:2.3:a:ntp:ntp:4.3.43
  • NTP 4.3.44
    cpe:2.3:a:ntp:ntp:4.3.44
  • NTP 4.3.45
    cpe:2.3:a:ntp:ntp:4.3.45
  • NTP 4.3.46
    cpe:2.3:a:ntp:ntp:4.3.46
  • NTP 4.3.47
    cpe:2.3:a:ntp:ntp:4.3.47
  • NTP 4.3.48
    cpe:2.3:a:ntp:ntp:4.3.48
  • NTP 4.3.49
    cpe:2.3:a:ntp:ntp:4.3.49
  • NTP 4.3.50
    cpe:2.3:a:ntp:ntp:4.3.50
  • NTP 4.3.51
    cpe:2.3:a:ntp:ntp:4.3.51
  • NTP 4.3.52
    cpe:2.3:a:ntp:ntp:4.3.52
  • NTP 4.3.53
    cpe:2.3:a:ntp:ntp:4.3.53
  • NTP 4.3.54
    cpe:2.3:a:ntp:ntp:4.3.54
  • NTP 4.3.55
    cpe:2.3:a:ntp:ntp:4.3.55
  • NTP 4.3.56
    cpe:2.3:a:ntp:ntp:4.3.56
  • NTP 4.3.57
    cpe:2.3:a:ntp:ntp:4.3.57
  • NTP 4.3.58
    cpe:2.3:a:ntp:ntp:4.3.58
  • NTP 4.3.59
    cpe:2.3:a:ntp:ntp:4.3.59
  • NTP 4.3.60
    cpe:2.3:a:ntp:ntp:4.3.60
  • NTP 4.3.61
    cpe:2.3:a:ntp:ntp:4.3.61
  • NTP 4.3.62
    cpe:2.3:a:ntp:ntp:4.3.62
  • NTP 4.3.63
    cpe:2.3:a:ntp:ntp:4.3.63
  • NTP 4.3.64
    cpe:2.3:a:ntp:ntp:4.3.64
  • NTP 4.3.65
    cpe:2.3:a:ntp:ntp:4.3.65
  • NTP 4.3.66
    cpe:2.3:a:ntp:ntp:4.3.66
  • NTP 4.3.67
    cpe:2.3:a:ntp:ntp:4.3.67
  • NTP 4.3.68
    cpe:2.3:a:ntp:ntp:4.3.68
  • NTP 4.3.69
    cpe:2.3:a:ntp:ntp:4.3.69
  • NTP 4.3.70
    cpe:2.3:a:ntp:ntp:4.3.70
  • NTP 4.3.71
    cpe:2.3:a:ntp:ntp:4.3.71
  • NTP 4.3.72
    cpe:2.3:a:ntp:ntp:4.3.72
  • NTP 4.3.73
    cpe:2.3:a:ntp:ntp:4.3.73
  • NTP 4.3.74
    cpe:2.3:a:ntp:ntp:4.3.74
  • NTP 4.3.75
    cpe:2.3:a:ntp:ntp:4.3.75
  • NTP 4.3.76
    cpe:2.3:a:ntp:ntp:4.3.76
  • NTP 4.3.77
    cpe:2.3:a:ntp:ntp:4.3.77
  • NTP 4.3.78
    cpe:2.3:a:ntp:ntp:4.3.78
  • NTP 4.3.79
    cpe:2.3:a:ntp:ntp:4.3.79
  • NTP 4.3.80
    cpe:2.3:a:ntp:ntp:4.3.80
  • NTP 4.3.81
    cpe:2.3:a:ntp:ntp:4.3.81
  • NTP 4.3.82
    cpe:2.3:a:ntp:ntp:4.3.82
  • NTP 4.3.83
    cpe:2.3:a:ntp:ntp:4.3.83
  • NTP 4.3.84
    cpe:2.3:a:ntp:ntp:4.3.84
  • NTP 4.3.85
    cpe:2.3:a:ntp:ntp:4.3.85
  • NTP 4.3.86
    cpe:2.3:a:ntp:ntp:4.3.86
  • NTP 4.3.87
    cpe:2.3:a:ntp:ntp:4.3.87
  • NTP 4.3.88
    cpe:2.3:a:ntp:ntp:4.3.88
  • NTP 4.3.89
    cpe:2.3:a:ntp:ntp:4.3.89
CVSS
Base: 4.3 (as of 02-02-2017 - 13:42)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
nessus via4
  • NASL family Firewalls
    NASL id PFSENSE_SA-16_02.NASL
    description According to its self-reported version number, the remote pfSense install is prior to 2.3. It is, therefore, affected by multiple vulnerabilities.
    last seen 2019-02-21
    modified 2018-09-17
    plugin id 106499
    published 2018-01-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106499
    title pfSense < 2.3 Multiple Vulnerabilities (SA-16_01 - SA-16_02)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL01324833.NASL
    description The getresponse function in ntpq in NTP versions before 4.2.8p9 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (infinite loop) via crafted packets with incorrect values. (CVE-2015-8158)
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 96052
    published 2016-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96052
    title F5 Networks BIG-IP : NTP vulnerability (K01324833)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1311-1.NASL
    description This network time protocol server ntp was updated to 4.2.8p6 to fix the following issues : Also yast2-ntp-client was updated to match some sntp syntax changes. (bsc#937837) Major functional changes : - The 'sntp' commandline tool changed its option handling in a major way. - 'controlkey 1' is added during update to ntp.conf to allow sntp to work. - The local clock is being disabled during update. - ntpd is no longer running chrooted. Other functional changes : - ntp-signd is installed. - 'enable mode7' can be added to the configuration to allow ntdpc to work as compatibility mode option. - 'kod' was removed from the default restrictions. - SHA1 keys are used by default instead of MD5 keys. These security issues were fixed : - CVE-2015-5219: An endless loop due to incorrect precision to double conversion (bsc#943216). - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966). - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802). - CVE-2015-7975: nextvar() missing length check (bsc#962988). - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960). - CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995). - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994). - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997). - CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629). - CVE-2015-7871: NAK to the Future: Symmetric association authentication bypass via crypto-NAK (bsc#951608). - CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (bsc#951608). - CVE-2015-7854: Password Length Memory Corruption Vulnerability (bsc#951608). - CVE-2015-7853: Invalid length data provided by a custom refclock driver could cause a buffer overflow (bsc#951608). - CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability (bsc#951608). - CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#951608). - CVE-2015-7850: remote config logfile-keyfile (bsc#951608). - CVE-2015-7849: trusted key use-after-free (bsc#951608). - CVE-2015-7848: mode 7 loop counter underrun (bsc#951608). - CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#951608). - CVE-2015-7703: configuration directives 'pidfile' and 'driftfile' should only be allowed locally (bsc#951608). - CVE-2015-7704, CVE-2015-7705: Clients that receive a KoD should validate the origin timestamp field (bsc#951608). - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702: Incomplete autokey data packet length checks (bsc#951608). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 91248
    published 2016-05-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91248
    title SUSE SLES11 Security Update : ntp (SUSE-SU-2016:1311-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201607-15.NASL
    description The remote host is affected by the vulnerability described in GLSA-201607-15 (NTP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in NTP. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 92485
    published 2016-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92485
    title GLSA-201607-15 : NTP: Multiple vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1247-1.NASL
    description ntp was updated to version 4.2.8p6 to fix 28 security issues. Major functional changes : - The 'sntp' commandline tool changed its option handling in a major way, some options have been renamed or dropped. - 'controlkey 1' is added during update to ntp.conf to allow sntp to work. - The local clock is being disabled during update. - ntpd is no longer running chrooted. Other functional changes : - ntp-signd is installed. - 'enable mode7' can be added to the configuration to allow ntdpc to work as compatibility mode option. - 'kod' was removed from the default restrictions. - SHA1 keys are used by default instead of MD5 keys. Also yast2-ntp-client was updated to match some sntp syntax changes. (bsc#937837) These security issues were fixed : - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966). - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802). - CVE-2015-7975: nextvar() missing length check (bsc#962988). - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960). - CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995). - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994). - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997). - CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629). - CVE-2015-7871: NAK to the Future: Symmetric association authentication bypass via crypto-NAK (bsc#951608). - CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (bsc#951608). - CVE-2015-7854: Password Length Memory Corruption Vulnerability (bsc#951608). - CVE-2015-7853: Invalid length data provided by a custom refclock driver could cause a buffer overflow (bsc#951608). - CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability (bsc#951608). - CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#951608). - CVE-2015-7850: remote config logfile-keyfile (bsc#951608). - CVE-2015-7849: trusted key use-after-free (bsc#951608). - CVE-2015-7848: mode 7 loop counter underrun (bsc#951608). - CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#951608). - CVE-2015-7703: configuration directives 'pidfile' and 'driftfile' should only be allowed locally (bsc#951608). - CVE-2015-7704, CVE-2015-7705: Clients that receive a KoD should validate the origin timestamp field (bsc#951608). - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702: Incomplete autokey data packet length checks (bsc#951608). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 90991
    published 2016-05-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90991
    title SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1247-1)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2016-1060.NASL
    description According to the versions of the ntp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands.(CVE-2015-5194) - It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command.(CVE-2015-5195) - It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals).(CVE-2015-5196) - It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet.(CVE-2015-5219) - It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd.(CVE-2015-7691) - It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd.(CVE-2015-7692) - A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory.(CVE-2015-7701) - It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd.(CVE-2015-7702) - It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals).(CVE-2015-7703) - An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash.(CVE-2015-7852) - A flaw was found in the way NTP verified trusted keys during symmetric key authentication. An authenticated client (A) could use this flaw to modify a packet sent between a server (B) and a client (C) using a key that is different from the one known to the client (A).(CVE-2015-7974) - A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd.(CVE-2015-7977) - A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd.(CVE-2015-7978) - It was found that when NTP was configured in broadcast mode, a remote attacker could broadcast packets with bad authentication to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server, causing them to become out of sync over a longer period of time.(CVE-2015-7979) - A flaw was found in the way the ntpq client processed certain incoming packets in a loop in the getresponse() function. A remote attacker could potentially use this flaw to crash an ntpq client instance.(CVE-2015-8158) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 99822
    published 2017-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99822
    title EulerOS 2.0 SP1 : ntp (EulerOS-SA-2016-1060)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-649.NASL
    description This update for ntp fixes the following issues : - Update to 4.2.8p7 (boo#977446) : - CVE-2016-1547, boo#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, boo#977461: Interleave-pivot - CVE-2016-1549, boo#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, boo#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, boo#977450: Refclock impersonation vulnerability - CVE-2016-2516, boo#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, boo#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, boo#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, boo#977458: ctl_getitem() return value not always checked. - integrate ntp-fork.patch - Improve the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 - Restrict the parser in the startup script to the first occurrance of 'keys' and 'controlkey' in ntp.conf (boo#957226). - Enable compile-time support for MS-SNTP (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added the authreg directive. (fate#320758). - Fix ntp-sntp-dst.patch (boo#975496). - Call /usr/sbin/sntp with full path to synchronize in start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which caused the synchronization to fail. (boo#962318) - Speedup ntpq (boo#782060, ntp-speedup-ntpq.patch). - Sync service files with openSUSE Factory. - Fix the TZ offset output of sntp during DST (boo#951559). - Add ntp-fork.patch and build with threads disabled to allow name resolution even when running chrooted. - Update to 4.2.8p6 : - CVE-2015-8158, boo#962966: Potential Infinite Loop in ntpq. - CVE-2015-8138, boo#963002: origin: Zero Origin Timestamp Bypass. - CVE-2015-7979, boo#962784: Off-path Denial of Service (DoS) attack on authenticated broadcast mode. - CVE-2015-7978, boo#963000: Stack exhaustion in recursive traversal of restriction list. - CVE-2015-7977, boo#962970: reslist NULL pointer dereference. - CVE-2015-7976, boo#962802: ntpq saveconfig command allows dangerous characters in filenames. - CVE-2015-7975, boo#962988: nextvar() missing length check. - CVE-2015-7974, boo#962960: Skeleton Key: Missing key check allows impersonation between authenticated peers. - CVE-2015-7973, boo#962995: Deja Vu: Replay attack on authenticated broadcast mode. - CVE-2015-8140: ntpq vulnerable to replay attacks. - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin. - CVE-2015-5300, boo#951629: Small-step/Big-step. - Add /var/db/ntp-kod (boo#916617). - Add ntp-ENOBUFS.patch to limit a warning that might happen quite a lot on loaded systems (boo#956773). - add ntp.bug2965.diff (boo#954982) - fixes regression in 4.2.8p4 update - Update to 4.2.8p4 to fix several security issues (boo#951608) : - CVE-2015-7871: NAK to the Future: Symmetric association authentication bypass via crypto-NAK - CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values - CVE-2015-7854: Password Length Memory Corruption Vulnerability - CVE-2015-7853: Invalid length data provided by a custom refclock driver could cause a buffer overflow - CVE-2015-7852 ntpq atoascii() Memory Corruption Vulnerability - CVE-2015-7851 saveconfig Directory Traversal Vulnerability - CVE-2015-7850 remote config logfile-keyfile - CVE-2015-7849 trusted key use-after-free - CVE-2015-7848 mode 7 loop counter underrun - CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC - CVE-2015-7703 configuration directives 'pidfile' and 'driftfile' should only be allowed locally - CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD should validate the origin timestamp field - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete autokey data packet length checks - obsoletes ntp-memlock.patch. - Add a controlkey line to /etc/ntp.conf if one does not already exist to allow runtime configuuration via ntpq. - Temporarily disable memlock to avoid problems due to high memory usage during name resolution (boo#946386, ntp-memlock.patch). - Use SHA1 instead of MD5 for symmetric keys (boo#905885). - Improve runtime configuration : - Read keytype from ntp.conf - Don't write ntp keys to syslog. - Fix legacy action scripts to pass on command line arguments. - Remove ntp.1.gz, it wasn't installed anymore. - Remove ntp-4.2.7-rh-manpages.tar.gz and only keep ntptime.8.gz. The rest is partially irrelevant, partially redundant and potentially outdated (boo#942587). - Remove 'kod' from the restrict line in ntp.conf (boo#944300). - Use ntpq instead of deprecated ntpdc in start-ntpd (boo#936327). - Add a controlkey to ntp.conf to make the above work. - Don't let 'keysdir' lines in ntp.conf trigger the 'keys' parser. - Disable mode 7 (ntpdc) again, now that we don't use it anymore. - Add 'addserver' as a new legacy action. - Fix the comment regarding addserver in ntp.conf (boo#910063). - Update to version 4.2.8p3 which incorporates all security fixes and most other patches we have so far (fate#319040). More information on: http://archive.ntp.org/ntp4/ChangeLog-stable - Disable chroot by default (boo#926510). - Enable ntpdc for backwards compatibility (boo#920238). - Security fix: ntp-keygen may generate non-random symmetric keys
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 91403
    published 2016-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91403
    title openSUSE Security Update : ntp (openSUSE-2016-649)
  • NASL family AIX Local Security Checks
    NASL id AIX_NTP_V4_ADVISORY6.NASL
    description The version of NTP installed on the remote AIX host is affected by the following vulnerabilities : - A flaw exists in the receive() function due to the use of authenticated broadcast mode. A man-in-the-middle attacker can exploit this to conduct a replay attack. (CVE-2015-7973) - A NULL pointer dereference flaw exists in ntp_request.c that is triggered when handling ntpdc relist commands. A remote attacker can exploit this, via a specially crafted request, to crash the service, resulting in a denial of service condition. (CVE-2015-7977) - An unspecified flaw exists in authenticated broadcast mode. A remote attacker can exploit this, via specially crafted packets, to cause a denial of service condition. (CVE-2015-7979) - A flaw exists in ntpq and ntpdc that allows a remote attacker to disclose sensitive information in timestamps. (CVE-2015-8139) - A flaw exists in the ntpq protocol that is triggered during the handling of an improper sequence of numbers. A man-in-the-middle attacker can exploit this to conduct a replay attack. (CVE-2015-8140) - A flaw exists in the ntpq client that is triggered when handling packets that cause a loop in the getresponse() function. A remote attacker can exploit this to cause an infinite loop, resulting in a denial of service condition. (CVE-2015-8158)
    last seen 2019-02-21
    modified 2018-07-17
    plugin id 92357
    published 2016-07-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92357
    title AIX NTP v4 Advisory : ntp_advisory6.asc (IV83983) (IV83992)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-2583.NASL
    description From Red Hat Security Advisory 2016:2583 : An update for ntp is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. Security Fix(es) : * It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702) * A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701) * An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852) * A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977) * A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd. (CVE-2015-7978) * It was found that when NTP was configured in broadcast mode, a remote attacker could broadcast packets with bad authentication to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server, causing them to become out of sync over a longer period of time. (CVE-2015-7979) * It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. (CVE-2015-5194) * It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command. (CVE-2015-5195) * It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). (CVE-2015-5196, CVE-2015-7703) * It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219) * A flaw was found in the way NTP verified trusted keys during symmetric key authentication. An authenticated client (A) could use this flaw to modify a packet sent between a server (B) and a client (C) using a key that is different from the one known to the client (A). (CVE-2015-7974) * A flaw was found in the way the ntpq client processed certain incoming packets in a loop in the getresponse() function. A remote attacker could potentially use this flaw to crash an ntpq client instance. (CVE-2015-8158) The CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichvar (Red Hat). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 94705
    published 2016-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94705
    title Oracle Linux 7 : ntp (ELSA-2016-2583)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-2583.NASL
    description An update for ntp is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. Security Fix(es) : * It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702) * A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701) * An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852) * A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977) * A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd. (CVE-2015-7978) * It was found that when NTP was configured in broadcast mode, a remote attacker could broadcast packets with bad authentication to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server, causing them to become out of sync over a longer period of time. (CVE-2015-7979) * It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. (CVE-2015-5194) * It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command. (CVE-2015-5195) * It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). (CVE-2015-5196, CVE-2015-7703) * It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219) * A flaw was found in the way NTP verified trusted keys during symmetric key authentication. An authenticated client (A) could use this flaw to modify a packet sent between a server (B) and a client (C) using a key that is different from the one known to the client (A). (CVE-2015-7974) * A flaw was found in the way the ntpq client processed certain incoming packets in a loop in the getresponse() function. A remote attacker could potentially use this flaw to crash an ntpq client instance. (CVE-2015-8158) The CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichvar (Red Hat). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 94546
    published 2016-11-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94546
    title RHEL 7 : ntp (RHSA-2016:2583)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-2583.NASL
    description An update for ntp is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. Security Fix(es) : * It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702) * A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701) * An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852) * A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977) * A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd. (CVE-2015-7978) * It was found that when NTP was configured in broadcast mode, a remote attacker could broadcast packets with bad authentication to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server, causing them to become out of sync over a longer period of time. (CVE-2015-7979) * It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. (CVE-2015-5194) * It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command. (CVE-2015-5195) * It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). (CVE-2015-5196, CVE-2015-7703) * It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219) * A flaw was found in the way NTP verified trusted keys during symmetric key authentication. An authenticated client (A) could use this flaw to modify a packet sent between a server (B) and a client (C) using a key that is different from the one known to the client (A). (CVE-2015-7974) * A flaw was found in the way the ntpq client processed certain incoming packets in a loop in the getresponse() function. A remote attacker could potentially use this flaw to crash an ntpq client instance. (CVE-2015-8158) The CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichvar (Red Hat). Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 95330
    published 2016-11-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95330
    title CentOS 7 : ntp (CESA-2016:2583)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20161103_NTP_ON_SL7_X.NASL
    description Security Fix(es) : - It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in NTP's ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. A remote attacker could use a specially crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702) - A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory. (CVE-2015-7701) - An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. (CVE-2015-7852) - A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could potentially use this flaw to crash ntpd. (CVE-2015-7977) - A stack-based buffer overflow flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash ntpd. (CVE-2015-7978) - It was found that when NTP was configured in broadcast mode, a remote attacker could broadcast packets with bad authentication to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server, causing them to become out of sync over a longer period of time. (CVE-2015-7979) - It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands. (CVE-2015-5194) - It was found that ntpd would exit with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) was referenced by the statistics or filegen configuration command. (CVE-2015-5195) - It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). (CVE-2015-5196, CVE-2015-7703) - It was discovered that the sntp utility could become unresponsive due to being caught in an infinite loop when processing a crafted NTP packet. (CVE-2015-5219) - A flaw was found in the way NTP verified trusted keys during symmetric key authentication. An authenticated client (A) could use this flaw to modify a packet sent between a server (B) and a client (C) using a key that is different from the one known to the client (A). (CVE-2015-7974) - A flaw was found in the way the ntpq client processed certain incoming packets in a loop in the getresponse() function. A remote attacker could potentially use this flaw to crash an ntpq client instance. (CVE-2015-8158) The CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav Lichvr (Red Hat). Additional Changes :
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 95850
    published 2016-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95850
    title Scientific Linux Security Update : ntp on SL7.x x86_64
  • NASL family AIX Local Security Checks
    NASL id AIX_IV83994.NASL
    description http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using authenticated broadcast mode packets to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted ntpdc reslist command, an attacker could exploit this vulnerability to cause a segmentation fault. NTP could allow a remote attacker to bypass security restrictions. By sending specially crafted broadcast packets with bad authentication, an attacker could exploit this vulnerability to cause the target broadcast client to tear down the association with the broadcast server. NTP could allow a remote attacker to obtain sensitive information, caused by an origin leak in ntpq and ntpdc. An attacker could exploit this vulnerability to obtain sensitive information. NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using ntpq to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by the improper processing of incoming packets by ntpq. By sending specially crafted data, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop. This plugin has been deprecated due to manual logic changes and advisory issues. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.
    last seen 2017-10-29
    modified 2017-01-19
    plugin id 91518
    published 2016-06-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91518
    title AIX 7.1 TL 4 : ntp (IV83994) (deprecated)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1175-1.NASL
    description ntp was updated to version 4.2.8p6 to fix 12 security issues. These security issues were fixed : - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966). - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802). - CVE-2015-7975: nextvar() missing length check (bsc#962988). - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960). - CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995). - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994). - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997). - CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 90820
    published 2016-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90820
    title SUSE SLES11 Security Update : ntp (SUSE-SU-2016:1175-1)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3096-1.NASL
    description Aanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to perform a replay attack. (CVE-2015-7973) Matt Street discovered that NTP incorrectly verified peer associations of symmetric keys. A remote attacker could use this issue to perform an impersonation attack. (CVE-2015-7974) Jonathan Gardner discovered that the NTP ntpq utility incorrectly handled memory. An attacker could possibly use this issue to cause ntpq to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2015-7975) Jonathan Gardner discovered that the NTP ntpq utility incorrectly handled dangerous characters in filenames. An attacker could possibly use this issue to overwrite arbitrary files. (CVE-2015-7976) Stephen Gray discovered that NTP incorrectly handled large restrict lists. An attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7977, CVE-2015-7978) Aanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7979) Jonathan Gardner discovered that NTP incorrectly handled origin timestamp checks. A remote attacker could use this issue to spoof peer servers. (CVE-2015-8138) Jonathan Gardner discovered that the NTP ntpq utility did not properly handle certain incorrect values. An attacker could possibly use this issue to cause ntpq to hang, resulting in a denial of service. (CVE-2015-8158) It was discovered that the NTP cronjob incorrectly cleaned up the statistics directory. A local attacker could possibly use this to escalate privileges. (CVE-2016-0727) Stephen Gray and Matthew Van Gundy discovered that NTP incorrectly validated crypto-NAKs. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1547) Miroslav Lichvar and Jonathan Gardner discovered that NTP incorrectly handled switching to interleaved symmetric mode. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1548) Matthew Van Gundy, Stephen Gray and Loganaden Velvindron discovered that NTP incorrectly handled message authentication. A remote attacker could possibly use this issue to recover the message digest key. (CVE-2016-1550) Yihan Lian discovered that NTP incorrectly handled duplicate IPs on unconfig directives. An authenticated remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2516) Yihan Lian discovered that NTP incorrectly handled certail peer associations. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2518) Jakub Prokes discovered that NTP incorrectly handled certain spoofed packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4954) Miroslav Lichvar discovered that NTP incorrectly handled certain packets when autokey is enabled. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4955) Miroslav Lichvar discovered that NTP incorrectly handled certain spoofed broadcast packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4956) In the default installation, attackers would be isolated by the NTP AppArmor profile. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 93896
    published 2016-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93896
    title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : ntp vulnerabilities (USN-3096-1)
  • NASL family AIX Local Security Checks
    NASL id AIX_IV84269.NASL
    description http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using authenticated broadcast mode packets to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted ntpdc reslist command, an attacker could exploit this vulnerability to cause a segmentation fault. NTP could allow a remote attacker to bypass security restrictions. By sending specially crafted broadcast packets with bad authentication, an attacker could exploit this vulnerability to cause the target broadcast client to tear down the association with the broadcast server. NTP could allow a remote attacker to obtain sensitive information, caused by an origin leak in ntpq and ntpdc. An attacker could exploit this vulnerability to obtain sensitive information. NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using ntpq to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by the improper processing of incoming packets by ntpq. By sending specially crafted data, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop. This plugin has been deprecated due to manual logic changes and advisory issues. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.
    last seen 2017-10-29
    modified 2017-01-19
    plugin id 91520
    published 2016-06-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91520
    title AIX 5.3 TL 12 : ntp (IV84269) (deprecated)
  • NASL family AIX Local Security Checks
    NASL id AIX_NTP_V3_ADVISORY6.NASL
    description The version of NTP installed on the remote AIX host is affected by the following vulnerabilities : - A flaw exists in the receive() function due to the use of authenticated broadcast mode. A man-in-the-middle attacker can exploit this to conduct a replay attack. (CVE-2015-7973) - A NULL pointer dereference flaw exists in ntp_request.c that is triggered when handling ntpdc relist commands. A remote attacker can exploit this, via a specially crafted request, to crash the service, resulting in a denial of service condition. (CVE-2015-7977) - An unspecified flaw exists in authenticated broadcast mode. A remote attacker can exploit this, via specially crafted packets, to cause a denial of service condition. (CVE-2015-7979) - A flaw exists in ntpq and ntpdc that allows a remote attacker to disclose sensitive information in timestamps. (CVE-2015-8139) - A flaw exists in the ntpq protocol that is triggered during the handling of an improper sequence of numbers. A man-in-the-middle attacker can exploit this to conduct a replay attack. (CVE-2015-8140) - A flaw exists in the ntpq client that is triggered when handling packets that cause a loop in the getresponse() function. A remote attacker can exploit this to cause an infinite loop, resulting in a denial of service condition. (CVE-2015-8158)
    last seen 2019-02-21
    modified 2018-07-17
    plugin id 92356
    published 2016-07-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92356
    title AIX NTP v3 Advisory : ntp_advisory6.asc (IV83984) (IV83993) (IV83994) (IV83995) (IV84269)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2016-054-04.NASL
    description New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
    last seen 2019-02-21
    modified 2017-02-13
    plugin id 88912
    published 2016-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88912
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2016-054-04)
  • NASL family AIX Local Security Checks
    NASL id AIX_IV83995.NASL
    description http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using authenticated broadcast mode packets to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted ntpdc reslist command, an attacker could exploit this vulnerability to cause a segmentation fault. NTP could allow a remote attacker to bypass security restrictions. By sending specially crafted broadcast packets with bad authentication, an attacker could exploit this vulnerability to cause the target broadcast client to tear down the association with the broadcast server. NTP could allow a remote attacker to obtain sensitive information, caused by an origin leak in ntpq and ntpdc. An attacker could exploit this vulnerability to obtain sensitive information. NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using ntpq to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by the improper processing of incoming packets by ntpq. By sending specially crafted data, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop. This plugin has been deprecated due to manual logic changes and advisory issues. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.
    last seen 2017-10-29
    modified 2017-01-19
    plugin id 91519
    published 2016-06-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91519
    title AIX 7.2 TL 0 : ntp (IV83995) (deprecated)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-559.NASL
    description Several vulnerabilities were discovered in the Network Time Protocol daemon and utility programs : CVE-2015-7974 Matt Street discovered that insufficient key validation allows impersonation attacks between authenticated peers. CVE-2015-7977 / CVE-2015-7978 Stephen Gray discovered that a NULL pointer dereference and a buffer overflow in the handling of 'ntpdc reslist' commands may result in denial of service. CVE-2015-7979 Aanchal Malhotra discovered that if NTP is configured for broadcast mode, an attacker can send malformed authentication packets which break associations with the server for other broadcast clients. CVE-2015-8138 Matthew van Gundy and Jonathan Gardner discovered that missing validation of origin timestamps in ntpd clients may result in denial of service. CVE-2015-8158 Jonathan Gardner discovered that missing input sanitising in ntpq may result in denial of service. CVE-2016-1547 Stephen Gray and Matthew van Gundy discovered that incorrect handling of crypto NAK packets my result in denial of service. CVE-2016-1548 Jonathan Gardner and Miroslav Lichvar discovered that ntpd clients could be forced to change from basic client/server mode to interleaved symmetric mode, preventing time synchronisation. CVE-2016-1550 Matthew van Gundy, Stephen Gray and Loganaden Velvindron discovered that timing leaks in the the packet authentication code could result in recovery of a message digest. CVE-2016-2516 Yihan Lian discovered that duplicate IPs on 'unconfig' directives will trigger an assert. CVE-2016-2518 Yihan Lian discovered that an OOB memory access could potentially crash ntpd. For Debian 7 'Wheezy', these problems have been fixed in version 1:4.2.6.p5+dfsg-2+deb7u7. We recommend that you upgrade your ntp packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 92546
    published 2016-07-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92546
    title Debian DLA-559-1 : ntp security update
  • NASL family AIX Local Security Checks
    NASL id AIX_IV83993.NASL
    description http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using authenticated broadcast mode packets to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted ntpdc reslist command, an attacker could exploit this vulnerability to cause a segmentation fault. NTP could allow a remote attacker to bypass security restrictions. By sending specially crafted broadcast packets with bad authentication, an attacker could exploit this vulnerability to cause the target broadcast client to tear down the association with the broadcast server. NTP could allow a remote attacker to obtain sensitive information, caused by an origin leak in ntpq and ntpdc. An attacker could exploit this vulnerability to obtain sensitive information. NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using ntpq to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by the improper processing of incoming packets by ntpq. By sending specially crafted data, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop. This plugin has been deprecated due to manual logic changes and advisory issues. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.
    last seen 2017-10-29
    modified 2017-01-19
    plugin id 91517
    published 2016-06-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91517
    title AIX 7.1 TL 3 : ntp (IV83993) (deprecated)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-578.NASL
    description ntp was updated to version 4.2.8p6 to fix 12 security issues. Also yast2-ntp-client was updated to match some sntp syntax changes. (bsc#937837) These security issues were fixed : - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966). - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802). - CVE-2015-7975: nextvar() missing length check (bsc#962988). - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960). - CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995). - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994). - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997). - CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629). These non-security issues were fixed : - fate#320758 bsc#975981: Enable compile-time support for MS-SNTP (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added the authreg directive. - bsc#962318: Call /usr/sbin/sntp with full path to synchronize in start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which caused the synchronization to fail. - bsc#782060: Speedup ntpq. - bsc#916617: Add /var/db/ntp-kod. - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning that might happen quite a lot on loaded systems. - bsc#951559,bsc#975496: Fix the TZ offset output of sntp during DST. - Add ntp-fork.patch and build with threads disabled to allow name resolution even when running chrooted. This update was imported from the SUSE:SLE-12-SP1:Update update project.
    last seen 2019-02-21
    modified 2017-02-13
    plugin id 91111
    published 2016-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91111
    title openSUSE Security Update : ntp (openSUSE-2016-578)
  • NASL family Misc.
    NASL id NTP_4_2_8P6.NASL
    description The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p6. It is, therefore, affected by the following vulnerabilities : - A flaw exists in the receive() function due to the use of authenticated broadcast mode. A man-in-the-middle attacker can exploit this to conduct a replay attack. (CVE-2015-7973) - A time serving flaw exists in the trusted key system due to improper key checks. An authenticated, remote attacker can exploit this to perform impersonation attacks between authenticated peers. (CVE-2015-7974) - An overflow condition exists in the nextvar() function due to improper validation of user-supplied input. A local attacker can exploit this to cause a buffer overflow, resulting in a denial of service condition. (CVE-2015-7975) - A flaw exists in ntp_control.c due to improper filtering of special characters in filenames by the saveconfig command. An authenticated, remote attacker can exploit this to inject arbitrary content. (CVE-2015-7976) - A NULL pointer dereference flaw exists in ntp_request.c that is triggered when handling ntpdc relist commands. A remote attacker can exploit this, via a specially crafted request, to crash the service, resulting in a denial of service condition. (CVE-2015-7977) - A flaw exists in ntpdc that is triggered during the handling of the relist command. A remote attacker can exploit this, via recursive traversals of the restriction list, to exhaust available space on the call stack, resulting in a denial of service condition. CVE-2015-7978) - An unspecified flaw exists in authenticated broadcast mode. A remote attacker can exploit this, via specially crafted packets, to cause a denial of service condition. (CVE-2015-7979) - A flaw exists in the receive() function that allows packets with an origin timestamp of zero to bypass security checks. A remote attacker can exploit this to spoof arbitrary content. (CVE-2015-8138) - A flaw exists in ntpq and ntpdc that allows a remote attacker to disclose sensitive information in timestamps. (CVE-2015-8139) - A flaw exists in the ntpq protocol that is triggered during the handling of an improper sequence of numbers. A man-in-the-middle attacker can exploit this to conduct a replay attack. (CVE-2015-8140) - A flaw exists in the ntpq client that is triggered when handling packets that cause a loop in the getresponse() function. A remote attacker can exploit this to cause an infinite loop, resulting in a denial of service condition. (CVE-2015-8158)
    last seen 2019-02-21
    modified 2018-09-17
    plugin id 88054
    published 2016-01-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88054
    title Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p6 Multiple Vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-34BC10A2C8.NASL
    description Security fix for CVE-2015-7974, CVE-2015-8138, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8158 ---- Security fix for CVE-2015-7704, CVE-2015-5300, CVE-2015-7692, CVE-2015-7871, CVE-2015-7702, CVE-2015-7691, CVE-2015-7852, CVE-2015-7701 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-02-01
    plugin id 89510
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89510
    title Fedora 22 : ntp-4.2.6p5-36.fc22 (2016-34bc10a2c8)
  • NASL family AIX Local Security Checks
    NASL id AIX_IV83984.NASL
    description http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7973 NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using authenticated broadcast mode packets to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by a NULL pointer dereference. By sending a specially crafted ntpdc reslist command, an attacker could exploit this vulnerability to cause a segmentation fault. NTP could allow a remote attacker to bypass security restrictions. By sending specially crafted broadcast packets with bad authentication, an attacker could exploit this vulnerability to cause the target broadcast client to tear down the association with the broadcast server. NTP could allow a remote attacker to obtain sensitive information, caused by an origin leak in ntpq and ntpdc. An attacker could exploit this vulnerability to obtain sensitive information. NTP could allow a remote attacker to launch a replay attack. An attacker could exploit this vulnerability using ntpq to conduct a replay attack and gain unauthorized access to the system. NTP is vulnerable to a denial of service, caused by the improper processing of incoming packets by ntpq. By sending specially crafted data, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop. This plugin has been deprecated due to manual logic changes and advisory issues. Use aix_ntp_v3_advisory6.nasl (plugin ID 92356) instead.
    last seen 2017-10-29
    modified 2017-01-19
    plugin id 91516
    published 2016-06-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91516
    title AIX 6.1 TL 9 : ntp (IV83984) (deprecated)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-8BB1932088.NASL
    description Security fix for CVE-2015-7974, CVE-2015-8138, CVE-2015-7977, CVE-2015-7978, CVE-2015-7979, CVE-2015-8158 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2017-02-15
    plugin id 89577
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89577
    title Fedora 23 : ntp-4.2.6p5-36.fc23 (2016-8bb1932088)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1177-1.NASL
    description ntp was updated to version 4.2.8p6 to fix 12 security issues. Also yast2-ntp-client was updated to match some sntp syntax changes. (bsc#937837) These security issues were fixed : - CVE-2015-8158: Fixed potential infinite loop in ntpq (bsc#962966). - CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). - CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). - CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). - CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). - CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames (bsc#962802). - CVE-2015-7975: nextvar() missing length check (bsc#962988). - CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers (bsc#962960). - CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995). - CVE-2015-8140: ntpq vulnerable to replay attacks (bsc#962994). - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin (bsc#962997). - CVE-2015-5300: MITM attacker could have forced ntpd to make a step larger than the panic threshold (bsc#951629). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 90821
    published 2016-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90821
    title SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1177-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1912-1.NASL
    description NTP was updated to version 4.2.8p8 to fix several security issues and to ensure the continued maintainability of the package. These security issues were fixed : CVE-2016-4953: Bad authentication demobilized ephemeral associations (bsc#982065). CVE-2016-4954: Processing spoofed server packets (bsc#982066). CVE-2016-4955: Autokey association reset (bsc#982067). CVE-2016-4956: Broadcast interleave (bsc#982068). CVE-2016-4957: CRYPTO_NAK crash (bsc#982064). CVE-2016-1547: Validate crypto-NAKs to prevent ACRYPTO-NAK DoS (bsc#977459). CVE-2016-1548: Prevent the change of time of an ntpd client or denying service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode (bsc#977461). CVE-2016-1549: Sybil vulnerability: ephemeral association attack (bsc#977451). CVE-2016-1550: Improve security against buffer comparison timing attacks (bsc#977464). CVE-2016-1551: Refclock impersonation vulnerability (bsc#977450)y CVE-2016-2516: Duplicate IPs on unconfig directives could have caused an assertion botch in ntpd (bsc#977452). CVE-2016-2517: Remote configuration trustedkey/ requestkey/controlkey values are not properly validated (bsc#977455). CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457). CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458). CVE-2015-8158: Potential Infinite Loop in ntpq (bsc#962966). CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). CVE-2015-7976: ntpq saveconfig command allowed dangerous characters in filenames (bsc#962802). CVE-2015-7975: nextvar() missing length check (bsc#962988). CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might have allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a 'skeleton' key (bsc#962960). CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995). CVE-2015-5300: MITM attacker can force ntpd to make a step larger than the panic threshold (bsc#951629). CVE-2015-5194: Crash with crafted logconfig configuration command (bsc#943218). CVE-2015-7871: NAK to the Future: Symmetric association authentication bypass via crypto-NAK (bsc#952611). CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (bsc#952611). CVE-2015-7854: Password Length Memory Corruption Vulnerability (bsc#952611). CVE-2015-7853: Invalid length data provided by a custom refclock driver could cause a buffer overflow (bsc#952611). CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability (bsc#952611). CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#952611). CVE-2015-7850: Clients that receive a KoD now validate the origin timestamp field (bsc#952611). CVE-2015-7849: Prevent use-after-free trusted key (bsc#952611). CVE-2015-7848: Prevent mode 7 loop counter underrun (bsc#952611). CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#952611). CVE-2015-7703: Configuration directives 'pidfile' and 'driftfile' should only be allowed locally (bsc#943221). CVE-2015-7704: Clients that receive a KoD should validate the origin timestamp field (bsc#952611). CVE-2015-7705: Clients that receive a KoD should validate the origin timestamp field (bsc#952611). CVE-2015-7691: Incomplete autokey data packet length checks (bsc#952611). CVE-2015-7692: Incomplete autokey data packet length checks (bsc#952611). CVE-2015-7702: Incomplete autokey data packet length checks (bsc#952611). CVE-2015-1798: The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP required a correct MAC only if the MAC field has a nonzero length, which made it easier for man-in-the-middle attackers to spoof packets by omitting the MAC (bsc#924202). CVE-2015-1799: The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP performed state-variable updates upon receiving certain invalid packets, which made it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer (bsc#924202). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93186
    published 2016-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93186
    title SUSE SLES10 Security Update : ntp (SUSE-SU-2016:1912-1)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_5237F5D7C02011E5B397D050996490D0.NASL
    description Network Time Foundation reports : NTF's NTP Project has been notified of the following low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p6, released on Tuesday, 19 January 2016 : - Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq. Reported by Cisco ASIG. - Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass. Reported by Cisco ASIG. - Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode. Reported by Cisco ASIG. - Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list. Reported by Cisco ASIG. - Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference. Reported by Cisco ASIG. - Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames. Reported by Cisco ASIG. - Bug 2937 / CVE-2015-7975: nextvar() missing length check. Reported by Cisco ASIG. - Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers. Reported by Cisco ASIG. - Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode. Reported by Cisco ASIG. Additionally, mitigations are published for the following two issues : - Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks. Reported by Cisco ASIG. - Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin. Reported by Cisco ASIG.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 88068
    published 2016-01-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88068
    title FreeBSD : ntp -- multiple vulnerabilities (5237f5d7-c020-11e5-b397-d050996490d0)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2016-649.NASL
    description It was discovered that ntpd as a client did not correctly check the originate timestamp in received packets. A remote attacker could use this flaw to send a crafted packet to an ntpd client that would effectively disable synchronization with the server, or push arbitrary offset/delay measurements to modify the time on the client. (CVE-2015-8138) A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash the ntpd process. (CVE-2015-7977) It was found that NTP does not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key. (CVE-2015-7974) A stack-based buffer overflow was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large amount of entries. A remote attacker could use this flaw to crash the ntpd process. (CVE-2015-7978) It was found that when NTP is configured in broadcast mode, an off-path attacker could broadcast packets with bad authentication (wrong key, mismatched key, incorrect MAC, etc) to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server. This could cause the time on affected clients to become out of sync over a longer period of time. (CVE-2015-7979) A flaw was found in the way the ntpq client certain processed incoming packets in a loop in the getresponse() function. A remote attacker could potentially use this flaw to crash an ntpq client instance. (CVE-2015-8158) A flaw was found in ntpd that allows remote attackers to cause a denial of service (ephemeral-association demobilization) by sending a spoofed crypto-NAK packet with incorrect authentication data at a certain time. (CVE-2016-4953) (Updated 2016-10-18: CVE-2016-4953 was fixed in this release but was not previously part of this errata.)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 88661
    published 2016-02-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=88661
    title Amazon Linux AMI : ntp (ALAS-2016-649)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3629.NASL
    description Several vulnerabilities were discovered in the Network Time Protocol daemon and utility programs : - CVE-2015-7974 Matt Street discovered that insufficient key validation allows impersonation attacks between authenticated peers. - CVE-2015-7977 CVE-2015-7978 Stephen Gray discovered that a NULL pointer dereference and a buffer overflow in the handling of 'ntpdc reslist' commands may result in denial of service. - CVE-2015-7979 Aanchal Malhotra discovered that if NTP is configured for broadcast mode, an attacker can send malformed authentication packets which break associations with the server for other broadcast clients. - CVE-2015-8138 Matthew van Gundy and Jonathan Gardner discovered that missing validation of origin timestamps in ntpd clients may result in denial of service. - CVE-2015-8158 Jonathan Gardner discovered that missing input sanitising in ntpq may result in denial of service. - CVE-2016-1547 Stephen Gray and Matthew van Gundy discovered that incorrect handling of crypto NAK packets may result in denial of service. - CVE-2016-1548 Jonathan Gardner and Miroslav Lichvar discovered that ntpd clients could be forced to change from basic client/server mode to interleaved symmetric mode, preventing time synchronisation. - CVE-2016-1550 Matthew van Gundy, Stephen Gray and Loganaden Velvindron discovered that timing leaks in the packet authentication code could result in recovery of a message digest. - CVE-2016-2516 Yihan Lian discovered that duplicate IPs on 'unconfig' directives will trigger an assert. - CVE-2016-2518 Yihan Lian discovered that an OOB memory access could potentially crash ntpd.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 92571
    published 2016-07-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92571
    title Debian DSA-3629-1 : ntp - security update
redhat via4
advisories
bugzilla
id 1300273
title CVE-2015-8158 ntp: potential infinite loop in ntpq
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 7 Client is installed
      oval oval:com.redhat.rhsa:tst:20140675001
    • comment Red Hat Enterprise Linux 7 Server is installed
      oval oval:com.redhat.rhsa:tst:20140675002
    • comment Red Hat Enterprise Linux 7 Workstation is installed
      oval oval:com.redhat.rhsa:tst:20140675003
    • comment Red Hat Enterprise Linux 7 ComputeNode is installed
      oval oval:com.redhat.rhsa:tst:20140675004
  • OR
    • AND
      • comment ntp is earlier than 0:4.2.6p5-25.el7
        oval oval:com.redhat.rhsa:tst:20162583009
      • comment ntp is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20142024006
    • AND
      • comment ntp-doc is earlier than 0:4.2.6p5-25.el7
        oval oval:com.redhat.rhsa:tst:20162583011
      • comment ntp-doc is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20142024010
    • AND
      • comment ntp-perl is earlier than 0:4.2.6p5-25.el7
        oval oval:com.redhat.rhsa:tst:20162583013
      • comment ntp-perl is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20142024014
    • AND
      • comment ntpdate is earlier than 0:4.2.6p5-25.el7
        oval oval:com.redhat.rhsa:tst:20162583007
      • comment ntpdate is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20142024012
    • AND
      • comment sntp is earlier than 0:4.2.6p5-25.el7
        oval oval:com.redhat.rhsa:tst:20162583005
      • comment sntp is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20142024008
rhsa
id RHSA-2016:2583
released 2016-11-03
severity Moderate
title RHSA-2016:2583: ntp security and bug fix update (Moderate)
rpms
  • ntp-0:4.2.6p5-25.el7
  • ntp-doc-0:4.2.6p5-25.el7
  • ntp-perl-0:4.2.6p5-25.el7
  • ntpdate-0:4.2.6p5-25.el7
  • sntp-0:4.2.6p5-25.el7
refmap via4
bid 81814
cert-vn VU#718152
confirm
debian DSA-3629
freebsd FreeBSD-SA-16:09
gentoo GLSA-201607-15
sectrack 1034782
talos via4
id TALOS-2016-0080
last seen 2018-08-31
published 2016-01-19
reporter Talos Intelligence
source http://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0080
title Network Time Protocol ntpq and ntpdc Infinite Loop Vulnerability
Last major update 07-02-2017 - 10:18
Published 30-01-2017 - 16:59
Last modified 04-01-2018 - 21:30
Back to Top