ID CVE-2016-2518
Summary The MATCH_ASSOC function in NTP before version 4.2.8p9 and 4.3.x before 4.3.92 allows remote attackers to cause an out-of-bounds reference via an addpeer request with a large hmode value.
References
Vulnerable Configurations
  • cpe:2.3:a:ntp:ntp:4.2.8:p8
    cpe:2.3:a:ntp:ntp:4.2.8:p8
  • NTP 4.3.0
    cpe:2.3:a:ntp:ntp:4.3.0
  • NTP 4.3.1
    cpe:2.3:a:ntp:ntp:4.3.1
  • NTP 4.3.2
    cpe:2.3:a:ntp:ntp:4.3.2
  • NTP 4.3.3
    cpe:2.3:a:ntp:ntp:4.3.3
  • NTP 4.3.4
    cpe:2.3:a:ntp:ntp:4.3.4
  • NTP 4.3.5
    cpe:2.3:a:ntp:ntp:4.3.5
  • NTP 4.3.6
    cpe:2.3:a:ntp:ntp:4.3.6
  • NTP 4.3.7
    cpe:2.3:a:ntp:ntp:4.3.7
  • NTP 4.3.8
    cpe:2.3:a:ntp:ntp:4.3.8
  • NTP 4.3.9
    cpe:2.3:a:ntp:ntp:4.3.9
  • NTP 4.3.10
    cpe:2.3:a:ntp:ntp:4.3.10
  • NTP 4.3.11
    cpe:2.3:a:ntp:ntp:4.3.11
  • NTP 4.3.12
    cpe:2.3:a:ntp:ntp:4.3.12
  • NTP 4.3.13
    cpe:2.3:a:ntp:ntp:4.3.13
  • NTP 4.3.14
    cpe:2.3:a:ntp:ntp:4.3.14
  • NTP 4.3.15
    cpe:2.3:a:ntp:ntp:4.3.15
  • NTP 4.3.16
    cpe:2.3:a:ntp:ntp:4.3.16
  • NTP 4.3.17
    cpe:2.3:a:ntp:ntp:4.3.17
  • NTP 4.3.18
    cpe:2.3:a:ntp:ntp:4.3.18
  • NTP 4.3.19
    cpe:2.3:a:ntp:ntp:4.3.19
  • NTP 4.3.20
    cpe:2.3:a:ntp:ntp:4.3.20
  • NTP 4.3.21
    cpe:2.3:a:ntp:ntp:4.3.21
  • NTP 4.3.22
    cpe:2.3:a:ntp:ntp:4.3.22
  • NTP 4.3.23
    cpe:2.3:a:ntp:ntp:4.3.23
  • NTP 4.3.24
    cpe:2.3:a:ntp:ntp:4.3.24
  • NTP 4.3.25
    cpe:2.3:a:ntp:ntp:4.3.25
  • NTP 4.3.26
    cpe:2.3:a:ntp:ntp:4.3.26
  • NTP 4.3.27
    cpe:2.3:a:ntp:ntp:4.3.27
  • NTP 4.3.28
    cpe:2.3:a:ntp:ntp:4.3.28
  • NTP 4.3.29
    cpe:2.3:a:ntp:ntp:4.3.29
  • NTP 4.3.30
    cpe:2.3:a:ntp:ntp:4.3.30
  • NTP 4.3.31
    cpe:2.3:a:ntp:ntp:4.3.31
  • NTP 4.3.32
    cpe:2.3:a:ntp:ntp:4.3.32
  • NTP 4.3.33
    cpe:2.3:a:ntp:ntp:4.3.33
  • NTP 4.3.34
    cpe:2.3:a:ntp:ntp:4.3.34
  • NTP 4.3.35
    cpe:2.3:a:ntp:ntp:4.3.35
  • NTP 4.3.36
    cpe:2.3:a:ntp:ntp:4.3.36
  • NTP 4.3.37
    cpe:2.3:a:ntp:ntp:4.3.37
  • NTP 4.3.38
    cpe:2.3:a:ntp:ntp:4.3.38
  • NTP 4.3.39
    cpe:2.3:a:ntp:ntp:4.3.39
  • NTP 4.3.40
    cpe:2.3:a:ntp:ntp:4.3.40
  • NTP 4.3.41
    cpe:2.3:a:ntp:ntp:4.3.41
  • NTP 4.3.42
    cpe:2.3:a:ntp:ntp:4.3.42
  • NTP 4.3.43
    cpe:2.3:a:ntp:ntp:4.3.43
  • NTP 4.3.44
    cpe:2.3:a:ntp:ntp:4.3.44
  • NTP 4.3.45
    cpe:2.3:a:ntp:ntp:4.3.45
  • NTP 4.3.46
    cpe:2.3:a:ntp:ntp:4.3.46
  • NTP 4.3.47
    cpe:2.3:a:ntp:ntp:4.3.47
  • NTP 4.3.48
    cpe:2.3:a:ntp:ntp:4.3.48
  • NTP 4.3.49
    cpe:2.3:a:ntp:ntp:4.3.49
  • NTP 4.3.50
    cpe:2.3:a:ntp:ntp:4.3.50
  • NTP 4.3.51
    cpe:2.3:a:ntp:ntp:4.3.51
  • NTP 4.3.52
    cpe:2.3:a:ntp:ntp:4.3.52
  • NTP 4.3.53
    cpe:2.3:a:ntp:ntp:4.3.53
  • NTP 4.3.54
    cpe:2.3:a:ntp:ntp:4.3.54
  • NTP 4.3.55
    cpe:2.3:a:ntp:ntp:4.3.55
  • NTP 4.3.56
    cpe:2.3:a:ntp:ntp:4.3.56
  • NTP 4.3.57
    cpe:2.3:a:ntp:ntp:4.3.57
  • NTP 4.3.58
    cpe:2.3:a:ntp:ntp:4.3.58
  • NTP 4.3.59
    cpe:2.3:a:ntp:ntp:4.3.59
  • NTP 4.3.60
    cpe:2.3:a:ntp:ntp:4.3.60
  • NTP 4.3.61
    cpe:2.3:a:ntp:ntp:4.3.61
  • NTP 4.3.62
    cpe:2.3:a:ntp:ntp:4.3.62
  • NTP 4.3.63
    cpe:2.3:a:ntp:ntp:4.3.63
  • NTP 4.3.64
    cpe:2.3:a:ntp:ntp:4.3.64
  • NTP 4.3.65
    cpe:2.3:a:ntp:ntp:4.3.65
  • NTP 4.3.66
    cpe:2.3:a:ntp:ntp:4.3.66
  • NTP 4.3.67
    cpe:2.3:a:ntp:ntp:4.3.67
  • NTP 4.3.68
    cpe:2.3:a:ntp:ntp:4.3.68
  • NTP 4.3.69
    cpe:2.3:a:ntp:ntp:4.3.69
  • NTP 4.3.70
    cpe:2.3:a:ntp:ntp:4.3.70
  • NTP 4.3.71
    cpe:2.3:a:ntp:ntp:4.3.71
  • NTP 4.3.72
    cpe:2.3:a:ntp:ntp:4.3.72
  • NTP 4.3.73
    cpe:2.3:a:ntp:ntp:4.3.73
  • NTP 4.3.74
    cpe:2.3:a:ntp:ntp:4.3.74
  • NTP 4.3.75
    cpe:2.3:a:ntp:ntp:4.3.75
  • NTP 4.3.76
    cpe:2.3:a:ntp:ntp:4.3.76
  • NTP 4.3.77
    cpe:2.3:a:ntp:ntp:4.3.77
  • NTP 4.3.78
    cpe:2.3:a:ntp:ntp:4.3.78
  • NTP 4.3.79
    cpe:2.3:a:ntp:ntp:4.3.79
  • NTP 4.3.80
    cpe:2.3:a:ntp:ntp:4.3.80
  • NTP 4.3.81
    cpe:2.3:a:ntp:ntp:4.3.81
  • NTP 4.3.82
    cpe:2.3:a:ntp:ntp:4.3.82
  • NTP 4.3.83
    cpe:2.3:a:ntp:ntp:4.3.83
  • NTP 4.3.84
    cpe:2.3:a:ntp:ntp:4.3.84
  • NTP 4.3.85
    cpe:2.3:a:ntp:ntp:4.3.85
  • NTP 4.3.86
    cpe:2.3:a:ntp:ntp:4.3.86
  • NTP 4.3.87
    cpe:2.3:a:ntp:ntp:4.3.87
  • NTP 4.3.88
    cpe:2.3:a:ntp:ntp:4.3.88
  • NTP 4.3.89
    cpe:2.3:a:ntp:ntp:4.3.89
  • NTP 4.3.90
    cpe:2.3:a:ntp:ntp:4.3.90
  • NTP 4.3.91
    cpe:2.3:a:ntp:ntp:4.3.91
CVSS
Base: 5.0 (as of 24-02-2017 - 11:14)
Impact:
Exploitability:
CWE CWE-125
CAPEC
  • Overread Buffers
    An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201607-15.NASL
    description The remote host is affected by the vulnerability described in GLSA-201607-15 (NTP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in NTP. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-01-26
    plugin id 92485
    published 2016-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92485
    title GLSA-201607-15 : NTP: Multiple vulnerabilities
  • NASL family AIX Local Security Checks
    NASL id AIX_IV87614.NASL
    description NTPv3 and NTPv4 are vulnerable to : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974 NTP could allow a remote authenticated attacker to conduct spoofing attacks, caused by a missing key check. An attacker could exploit this vulnerability to impersonate a peer. NTP could allow a local attacker to bypass security restrictions, caused by the failure to use a constant-time memory comparison function when validating the authentication digest on incoming packets. By sending a specially crafted packet with an authentication payload, an attacker could exploit this vulnerability to conduct a timing attack to compute the value of the valid authentication digest. While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock. If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted. NTP is vulnerable to a denial of service, caused by an error when using a specially crafted packet to create a peer association with hmode > 7. An attacker could exploit this vulnerability to cause the MATCH_ASSOC() function to trigger an out-of-bounds read. NTP is vulnerable to a denial of service, caused by the failure to always check the ctl_getitem() function return value. By sending an overly large value, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the demobilization of a preemptable client association. By sending specially crafted crypto NAK packets, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets, an attacker could exploit this vulnerability to cause ntpd to crash. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets to an ephemeral peer target prior to a response being sent, a remote attacker could exploit this vulnerability to demobilize the ephemeral association. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed server packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause a false leap indication to be set. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed CRYPTO_NAK or a bad MAC packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause the autokey association to reset. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin id 102128).
    last seen 2017-10-29
    modified 2017-08-03
    plugin id 93350
    published 2016-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93350
    title AIX 5.3 TL 12 : ntp (IV87614) (deprecated)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-649.NASL
    description This update for ntp fixes the following issues : - Update to 4.2.8p7 (boo#977446) : - CVE-2016-1547, boo#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, boo#977461: Interleave-pivot - CVE-2016-1549, boo#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, boo#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, boo#977450: Refclock impersonation vulnerability - CVE-2016-2516, boo#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, boo#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, boo#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, boo#977458: ctl_getitem() return value not always checked. - integrate ntp-fork.patch - Improve the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 - Restrict the parser in the startup script to the first occurrance of 'keys' and 'controlkey' in ntp.conf (boo#957226). - Enable compile-time support for MS-SNTP (--enable-ntp-signd). This replaces the w32 patches in 4.2.4 that added the authreg directive. (fate#320758). - Fix ntp-sntp-dst.patch (boo#975496). - Call /usr/sbin/sntp with full path to synchronize in start-ntpd. When run as cron job, /usr/sbin/ is not in the path, which caused the synchronization to fail. (boo#962318) - Speedup ntpq (boo#782060, ntp-speedup-ntpq.patch). - Sync service files with openSUSE Factory. - Fix the TZ offset output of sntp during DST (boo#951559). - Add ntp-fork.patch and build with threads disabled to allow name resolution even when running chrooted. - Update to 4.2.8p6 : - CVE-2015-8158, boo#962966: Potential Infinite Loop in ntpq. - CVE-2015-8138, boo#963002: origin: Zero Origin Timestamp Bypass. - CVE-2015-7979, boo#962784: Off-path Denial of Service (DoS) attack on authenticated broadcast mode. - CVE-2015-7978, boo#963000: Stack exhaustion in recursive traversal of restriction list. - CVE-2015-7977, boo#962970: reslist NULL pointer dereference. - CVE-2015-7976, boo#962802: ntpq saveconfig command allows dangerous characters in filenames. - CVE-2015-7975, boo#962988: nextvar() missing length check. - CVE-2015-7974, boo#962960: Skeleton Key: Missing key check allows impersonation between authenticated peers. - CVE-2015-7973, boo#962995: Deja Vu: Replay attack on authenticated broadcast mode. - CVE-2015-8140: ntpq vulnerable to replay attacks. - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin. - CVE-2015-5300, boo#951629: Small-step/Big-step. - Add /var/db/ntp-kod (boo#916617). - Add ntp-ENOBUFS.patch to limit a warning that might happen quite a lot on loaded systems (boo#956773). - add ntp.bug2965.diff (boo#954982) - fixes regression in 4.2.8p4 update - Update to 4.2.8p4 to fix several security issues (boo#951608) : - CVE-2015-7871: NAK to the Future: Symmetric association authentication bypass via crypto-NAK - CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values - CVE-2015-7854: Password Length Memory Corruption Vulnerability - CVE-2015-7853: Invalid length data provided by a custom refclock driver could cause a buffer overflow - CVE-2015-7852 ntpq atoascii() Memory Corruption Vulnerability - CVE-2015-7851 saveconfig Directory Traversal Vulnerability - CVE-2015-7850 remote config logfile-keyfile - CVE-2015-7849 trusted key use-after-free - CVE-2015-7848 mode 7 loop counter underrun - CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC - CVE-2015-7703 configuration directives 'pidfile' and 'driftfile' should only be allowed locally - CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD should validate the origin timestamp field - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete autokey data packet length checks - obsoletes ntp-memlock.patch. - Add a controlkey line to /etc/ntp.conf if one does not already exist to allow runtime configuuration via ntpq. - Temporarily disable memlock to avoid problems due to high memory usage during name resolution (boo#946386, ntp-memlock.patch). - Use SHA1 instead of MD5 for symmetric keys (boo#905885). - Improve runtime configuration : - Read keytype from ntp.conf - Don't write ntp keys to syslog. - Fix legacy action scripts to pass on command line arguments. - Remove ntp.1.gz, it wasn't installed anymore. - Remove ntp-4.2.7-rh-manpages.tar.gz and only keep ntptime.8.gz. The rest is partially irrelevant, partially redundant and potentially outdated (boo#942587). - Remove 'kod' from the restrict line in ntp.conf (boo#944300). - Use ntpq instead of deprecated ntpdc in start-ntpd (boo#936327). - Add a controlkey to ntp.conf to make the above work. - Don't let 'keysdir' lines in ntp.conf trigger the 'keys' parser. - Disable mode 7 (ntpdc) again, now that we don't use it anymore. - Add 'addserver' as a new legacy action. - Fix the comment regarding addserver in ntp.conf (boo#910063). - Update to version 4.2.8p3 which incorporates all security fixes and most other patches we have so far (fate#319040). More information on: http://archive.ntp.org/ntp4/ChangeLog-stable - Disable chroot by default (boo#926510). - Enable ntpdc for backwards compatibility (boo#920238). - Security fix: ntp-keygen may generate non-random symmetric keys
    last seen 2019-02-21
    modified 2018-12-18
    plugin id 91403
    published 2016-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91403
    title openSUSE Security Update : ntp (openSUSE-2016-649)
  • NASL family Misc.
    NASL id NTP_4_2_8P7.NASL
    description The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p7. It is, therefore, affected by the following vulnerabilities : - A denial of service vulnerability exists due to improper validation of the origin timestamp field when handling a Kiss-of-Death (KoD) packet. An unauthenticated, remote attacker can exploit this to cause a client to stop querying its servers, preventing the client from updating its clock. (CVE-2015-7704) - A flaw exists in the receive() function in ntp_proto.c that allows packets with an origin timestamp of zero to bypass security checks. An unauthenticated, remote attacker can exploit this to spoof arbitrary content. (CVE-2015-8138) - A denial of service vulnerability exists due to improper handling of a crafted Crypto NAK Packet with a source address spoofed to match that of an existing associated peer. An unauthenticated, remote attacker can exploit this to demobilize a client association. (CVE-2016-1547) - A denial of service vulnerability exists due to improper handling of packets spoofed to appear to be from a valid ntpd server. An unauthenticated, remote attacker can exploit this to cause NTP to switch from basic client/server mode to interleaved symmetric mode, causing the client to reject future legitimate responses. (CVE-2016-1548) - A race condition exists that is triggered during the handling of a saturation of ephemeral associations. An authenticated, remote attacker can exploit this to defeat NTP's clock selection algorithm and modify a user's clock. (CVE-2016-1549) - An information disclosure vulnerability exists in the message authentication functionality in libntp that is triggered during the handling of a series of specially crafted messages. An adjacent attacker can exploit this to partially recover the message digest key. (CVE-2016-1550) - A flaw exists due to improper filtering of IPv4 'bogon' packets received from a network. An unauthenticated, remote attacker can exploit this to spoof packets to appear to come from a specific reference clock. (CVE-2016-1551) - A denial of service vulnerability exists that allows an authenticated, remote attacker that has knowledge of the controlkey for ntpq or the requestkey for ntpdc to create a session with the same IP twice on an unconfigured directive line, causing ntpd to abort. (CVE-2016-2516) - A denial of service vulnerability exists that allows an authenticated, remote attacker to manipulate the value of the trustedkey, controlkey, or requestkey via a crafted packet, preventing authentication with ntpd until the daemon has been restarted. (CVE-2016-2517) - An out-of-bounds read error exists in the MATCH_ASSOC() function that occurs during the creation of peer associations with hmode greater than 7. An authenticated, remote attacker can exploit this, via a specially crafted packet, to cause a denial of service. (CVE-2016-2518) - An overflow condition exists in the ctl_getitem() function in ntpd due to improper validation of user-supplied input when reporting return values. An authenticated, remote attacker can exploit this to cause ntpd to abort. (CVE-2016-2519)
    last seen 2019-02-21
    modified 2019-01-22
    plugin id 90923
    published 2016-05-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90923
    title Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p7 Multiple Vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1568-1.NASL
    description ntp was updated to version 4.2.8p8 to fix 17 security issues. These security issues were fixed : - CVE-2016-4956: Broadcast interleave (bsc#982068). - CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457). - CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458). - CVE-2016-4954: Processing spoofed server packets (bsc#982066). - CVE-2016-4955: Autokey association reset (bsc#982067). - CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a 'skeleton key (bsc#962960). - CVE-2016-4957: CRYPTO_NAK crash (bsc#982064). - CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion botch (bsc#977452). - CVE-2016-2517: Remote configuration trustedkey/requestkey values are not properly validated (bsc#977455). - CVE-2016-4953: Bad authentication demobilizes ephemeral associations (bsc#982065). - CVE-2016-1547: CRYPTO-NAK DoS (bsc#977459). - CVE-2016-1551: Refclock impersonation vulnerability, AKA: refclock-peering (bsc#977450). - CVE-2016-1550: Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA: authdecrypt-timing (bsc#977464). - CVE-2016-1548: Interleave-pivot - MITIGATION ONLY (bsc#977461). - CVE-2016-1549: Sybil vulnerability: ephemeral association attack, AKA: ntp-sybil - MITIGATION ONLY (bsc#977451). This release also contained improved patches for CVE-2015-7704, CVE-2015-7705, CVE-2015-7974. The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 91663
    published 2016-06-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91663
    title SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1568-1)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2016-120-01.NASL
    description New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
    last seen 2019-02-21
    modified 2018-09-06
    plugin id 90800
    published 2016-05-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90800
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2016-120-01)
  • NASL family AIX Local Security Checks
    NASL id AIX_IV87420.NASL
    description NTPv3 and NTPv4 are vulnerable to : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974 NTP could allow a remote authenticated attacker to conduct spoofing attacks, caused by a missing key check. An attacker could exploit this vulnerability to impersonate a peer. NTP could allow a local attacker to bypass security restrictions, caused by the failure to use a constant-time memory comparison function when validating the authentication digest on incoming packets. By sending a specially crafted packet with an authentication payload, an attacker could exploit this vulnerability to conduct a timing attack to compute the value of the valid authentication digest. While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock. If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted. NTP is vulnerable to a denial of service, caused by an error when using a specially crafted packet to create a peer association with hmode > 7. An attacker could exploit this vulnerability to cause the MATCH_ASSOC() function to trigger an out-of-bounds read. NTP is vulnerable to a denial of service, caused by the failure to always check the ctl_getitem() function return value. By sending an overly large value, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the demobilization of a preemptable client association. By sending specially crafted crypto NAK packets, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets, an attacker could exploit this vulnerability to cause ntpd to crash. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets to an ephemeral peer target prior to a response being sent, a remote attacker could exploit this vulnerability to demobilize the ephemeral association. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed server packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause a false leap indication to be set. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed CRYPTO_NAK or a bad MAC packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause the autokey association to reset. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin id 102128).
    last seen 2017-10-29
    modified 2017-08-03
    plugin id 93349
    published 2016-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93349
    title AIX 7.1 TL 4 : ntp (IV87420) (deprecated)
  • NASL family AIX Local Security Checks
    NASL id AIX_NTP_V3_ADVISORY7.NASL
    description The version of NTP installed on the remote AIX host is affected by the following vulnerabilities : - A time serving flaw exists in the trusted key system due to improper key checks. An authenticated, remote attacker can exploit this to perform impersonation attacks between authenticated peers. (CVE-2015-7974) - An information disclosure vulnerability exists in the message authentication functionality in libntp that is triggered during the handling of a series of specially crafted messages. An adjacent attacker can exploit this to partially recover the message digest key. (CVE-2016-1550) - A flaw exists due to improper filtering of IPv4 'bogon' packets received from a network. An unauthenticated, remote attacker can exploit this to spoof packets to appear to come from a specific reference clock. (CVE-2016-1551) - A denial of service vulnerability exists that allows an authenticated, remote attacker to manipulate the value of the trustedkey, controlkey, or requestkey via a crafted packet, preventing authentication with ntpd until the daemon has been restarted. (CVE-2016-2517) - An out-of-bounds read error exists in the MATCH_ASSOC() function that occurs during the creation of peer associations with hmode greater than 7. An authenticated, remote attacker can exploit this, via a specially crafted packet, to cause a denial of service. (CVE-2016-2518) - An overflow condition exists in the ctl_getitem() function in ntpd due to improper validation of user-supplied input when reporting return values. An authenticated, remote attacker can exploit this to cause ntpd to abort. (CVE-2016-2519)
    last seen 2019-02-21
    modified 2018-07-17
    plugin id 102128
    published 2017-08-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102128
    title AIX NTP v3 Advisory : ntp_advisory7.asc (IV87614) (IV87419) (IV87615) (IV87420) (IV87939)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-559.NASL
    description Several vulnerabilities were discovered in the Network Time Protocol daemon and utility programs : CVE-2015-7974 Matt Street discovered that insufficient key validation allows impersonation attacks between authenticated peers. CVE-2015-7977 / CVE-2015-7978 Stephen Gray discovered that a NULL pointer dereference and a buffer overflow in the handling of 'ntpdc reslist' commands may result in denial of service. CVE-2015-7979 Aanchal Malhotra discovered that if NTP is configured for broadcast mode, an attacker can send malformed authentication packets which break associations with the server for other broadcast clients. CVE-2015-8138 Matthew van Gundy and Jonathan Gardner discovered that missing validation of origin timestamps in ntpd clients may result in denial of service. CVE-2015-8158 Jonathan Gardner discovered that missing input sanitising in ntpq may result in denial of service. CVE-2016-1547 Stephen Gray and Matthew van Gundy discovered that incorrect handling of crypto NAK packets my result in denial of service. CVE-2016-1548 Jonathan Gardner and Miroslav Lichvar discovered that ntpd clients could be forced to change from basic client/server mode to interleaved symmetric mode, preventing time synchronisation. CVE-2016-1550 Matthew van Gundy, Stephen Gray and Loganaden Velvindron discovered that timing leaks in the the packet authentication code could result in recovery of a message digest. CVE-2016-2516 Yihan Lian discovered that duplicate IPs on 'unconfig' directives will trigger an assert. CVE-2016-2518 Yihan Lian discovered that an OOB memory access could potentially crash ntpd. For Debian 7 'Wheezy', these problems have been fixed in version 1:4.2.6.p5+dfsg-2+deb7u7. We recommend that you upgrade your ntp packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 92546
    published 2016-07-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92546
    title Debian DLA-559-1 : ntp security update
  • NASL family Junos Local Security Checks
    NASL id JUNIPER_SPACE_JSA_10826.NASL
    description According to its self-reported version number, the version of Junos Space running on the remote device is < 17.1R1, and is therefore affected by multiple vulnerabilities.
    last seen 2019-02-21
    modified 2018-07-13
    plugin id 104100
    published 2017-10-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104100
    title Juniper Junos Space < 17.1R1 Multiple Vulnerabilities (JSA10826)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0165.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - add disable monitor to default ntp.conf [CVE-2013-5211] - fix buffer overflow in datum refclock driver (CVE-2017-6462) - fix crash with invalid unpeer command (CVE-2017-6463) - fix potential crash with invalid server command (CVE-2017-6464) - don't limit rate of packets from sources (CVE-2016-7426) - don't change interface from received packets (CVE-2016-7429) - fix calculation of root distance again (CVE-2016-7433) - require authentication for trap commands (CVE-2016-9310) - fix crash when reporting peer event to trappers (CVE-2016-9311) - don't allow spoofed packets to demobilize associations (CVE-2015-7979, CVE-2016-1547) - don't allow spoofed packet to enable symmetric interleaved mode (CVE-2016-1548) - check mode of new source in config command (CVE-2016-2518) - make MAC check resilient against timing attack (CVE-2016-1550)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 104204
    published 2017-10-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104204
    title OracleVM 3.3 / 3.4 : ntp (OVMSA-2017-0165)
  • NASL family AIX Local Security Checks
    NASL id AIX_IV87419.NASL
    description NTPv3 and NTPv4 are vulnerable to : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974 NTP could allow a remote authenticated attacker to conduct spoofing attacks, caused by a missing key check. An attacker could exploit this vulnerability to impersonate a peer. NTP could allow a local attacker to bypass security restrictions, caused by the failure to use a constant-time memory comparison function when validating the authentication digest on incoming packets. By sending a specially crafted packet with an authentication payload, an attacker could exploit this vulnerability to conduct a timing attack to compute the value of the valid authentication digest. While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock. If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted. NTP is vulnerable to a denial of service, caused by an error when using a specially crafted packet to create a peer association with hmode > 7. An attacker could exploit this vulnerability to cause the MATCH_ASSOC() function to trigger an out-of-bounds read. NTP is vulnerable to a denial of service, caused by the failure to always check the ctl_getitem() function return value. By sending an overly large value, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the demobilization of a preemptable client association. By sending specially crafted crypto NAK packets, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets, an attacker could exploit this vulnerability to cause ntpd to crash. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets to an ephemeral peer target prior to a response being sent, a remote attacker could exploit this vulnerability to demobilize the ephemeral association. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed server packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause a false leap indication to be set. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed CRYPTO_NAK or a bad MAC packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause the autokey association to reset. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin id 102128).
    last seen 2017-10-29
    modified 2017-08-03
    plugin id 93348
    published 2016-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93348
    title AIX 6.1 TL 9 : ntp (IV87419) (deprecated)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-599.NASL
    description This update for ntp to 4.2.8p7 fixes the following issues : - CVE-2016-1547, bsc#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, bsc#977461: Interleave-pivot - CVE-2016-1549, bsc#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, bsc#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, bsc#977450: Refclock impersonation vulnerability - CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, bsc#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, bsc#977458: ctl_getitem() return value not always checked. - This update also improves the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 Bugs fixed : - Restrict the parser in the startup script to the first occurrance of 'keys' and 'controlkey' in ntp.conf (bsc#957226). This update was imported from the SUSE:SLE-12-SP1:Update update project.
    last seen 2019-02-21
    modified 2018-09-06
    plugin id 91269
    published 2016-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91269
    title openSUSE Security Update : ntp (openSUSE-2016-599)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3096-1.NASL
    description Aanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to perform a replay attack. (CVE-2015-7973) Matt Street discovered that NTP incorrectly verified peer associations of symmetric keys. A remote attacker could use this issue to perform an impersonation attack. (CVE-2015-7974) Jonathan Gardner discovered that the NTP ntpq utility incorrectly handled memory. An attacker could possibly use this issue to cause ntpq to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2015-7975) Jonathan Gardner discovered that the NTP ntpq utility incorrectly handled dangerous characters in filenames. An attacker could possibly use this issue to overwrite arbitrary files. (CVE-2015-7976) Stephen Gray discovered that NTP incorrectly handled large restrict lists. An attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7977, CVE-2015-7978) Aanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7979) Jonathan Gardner discovered that NTP incorrectly handled origin timestamp checks. A remote attacker could use this issue to spoof peer servers. (CVE-2015-8138) Jonathan Gardner discovered that the NTP ntpq utility did not properly handle certain incorrect values. An attacker could possibly use this issue to cause ntpq to hang, resulting in a denial of service. (CVE-2015-8158) It was discovered that the NTP cronjob incorrectly cleaned up the statistics directory. A local attacker could possibly use this to escalate privileges. (CVE-2016-0727) Stephen Gray and Matthew Van Gundy discovered that NTP incorrectly validated crypto-NAKs. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1547) Miroslav Lichvar and Jonathan Gardner discovered that NTP incorrectly handled switching to interleaved symmetric mode. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1548) Matthew Van Gundy, Stephen Gray and Loganaden Velvindron discovered that NTP incorrectly handled message authentication. A remote attacker could possibly use this issue to recover the message digest key. (CVE-2016-1550) Yihan Lian discovered that NTP incorrectly handled duplicate IPs on unconfig directives. An authenticated remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2516) Yihan Lian discovered that NTP incorrectly handled certail peer associations. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2518) Jakub Prokes discovered that NTP incorrectly handled certain spoofed packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4954) Miroslav Lichvar discovered that NTP incorrectly handled certain packets when autokey is enabled. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4955) Miroslav Lichvar discovered that NTP incorrectly handled certain spoofed broadcast packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4956) In the default installation, attackers would be isolated by the NTP AppArmor profile. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 93896
    published 2016-10-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93896
    title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : ntp vulnerabilities (USN-3096-1)
  • NASL family AIX Local Security Checks
    NASL id AIX_IV87615.NASL
    description NTPv3 and NTPv4 are vulnerable to : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974 NTP could allow a remote authenticated attacker to conduct spoofing attacks, caused by a missing key check. An attacker could exploit this vulnerability to impersonate a peer. NTP could allow a local attacker to bypass security restrictions, caused by the failure to use a constant-time memory comparison function when validating the authentication digest on incoming packets. By sending a specially crafted packet with an authentication payload, an attacker could exploit this vulnerability to conduct a timing attack to compute the value of the valid authentication digest. While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock. If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted. NTP is vulnerable to a denial of service, caused by an error when using a specially crafted packet to create a peer association with hmode > 7. An attacker could exploit this vulnerability to cause the MATCH_ASSOC() function to trigger an out-of-bounds read. NTP is vulnerable to a denial of service, caused by the failure to always check the ctl_getitem() function return value. By sending an overly large value, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the demobilization of a preemptable client association. By sending specially crafted crypto NAK packets, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets, an attacker could exploit this vulnerability to cause ntpd to crash. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets to an ephemeral peer target prior to a response being sent, a remote attacker could exploit this vulnerability to demobilize the ephemeral association. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed server packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause a false leap indication to be set. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed CRYPTO_NAK or a bad MAC packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause the autokey association to reset. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin id 102128).
    last seen 2017-10-29
    modified 2017-08-03
    plugin id 93351
    published 2016-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93351
    title AIX 7.1 TL 3 : ntp (IV87615) (deprecated)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-1141.NASL
    description An update for ntp is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. Security Fix(es) : * It was found that when NTP was configured in broadcast mode, a remote attacker could broadcast packets with bad authentication to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server, causing them to become out of sync over a longer period of time. (CVE-2015-7979) * A denial of service flaw was found in the way NTP handled preemptable client associations. A remote attacker could send several crypto NAK packets to a victim client, each with a spoofed source address of an existing associated peer, preventing that client from synchronizing its time. (CVE-2016-1547) * It was found that an ntpd client could be forced to change from basic client/server mode to the interleaved symmetric mode. A remote attacker could use a spoofed packet that, when processed by an ntpd client, would cause that client to reject all future legitimate server responses, effectively disabling time synchronization on that client. (CVE-2016-1548) * A flaw was found in the way NTP's libntp performed message authentication. An attacker able to observe the timing of the comparison function used in packet authentication could potentially use this flaw to recover the message digest. (CVE-2016-1550) * An out-of-bounds access flaw was found in the way ntpd processed certain packets. An authenticated attacker could use a crafted packet to create a peer association with hmode of 7 and larger, which could potentially (although highly unlikely) cause ntpd to crash. (CVE-2016-2518) The CVE-2016-1548 issue was discovered by Miroslav Lichvar (Red Hat).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 91394
    published 2016-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91394
    title CentOS 6 / 7 : ntp (CESA-2016:1141)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-777D838C1B.NASL
    description Security fix for CVE-2016-1548, CVE-2016-2516, CVE-2016-2518, CVE-2016-1550 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2017-02-27
    plugin id 92113
    published 2016-07-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92113
    title Fedora 22 : ntp (2016-777d838c1b)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0082.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - don't allow spoofed packets to demobilize associations (CVE-2015-7979, CVE-2016-1547) - don't allow spoofed packet to enable symmetric interleaved mode (CVE-2016-1548) - check mode of new source in config command (CVE-2016-2518) - make MAC check resilient against timing attack (CVE-2016-1550) - don't accept server/peer packets with zero origin timestamp (CVE-2015-8138) - fix crash with reslist command (CVE-2015-7977, CVE-2015-7978) - fix crash with invalid logconfig command (CVE-2015-5194) - fix crash when referencing disabled statistic type (CVE-2015-5195) - don't hang in sntp with crafted reply (CVE-2015-5219) - don't crash with crafted autokey packet (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702) - fix memory leak with autokey (CVE-2015-7701) - don't allow setting driftfile and pidfile remotely (CVE-2015-7703) - don't crash in ntpq with crafted packet (CVE-2015-7852) - add option to set Differentiated Services Code Point (DSCP) (#1228314) - extend rawstats log (#1242895) - fix resetting of leap status (#1243034) - report clock state changes related to leap seconds (#1242937) - allow -4/-6 on restrict lines with mask (#1232146) - retry joining multicast groups (#1288534) - explain synchronised state in ntpstat man page (#1286969) - check origin timestamp before accepting KoD RATE packet (CVE-2015-7704) - allow only one step larger than panic threshold with -g (CVE-2015-5300)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 91419
    published 2016-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91419
    title OracleVM 3.3 / 3.4 : ntp (OVMSA-2016-0082)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1912-1.NASL
    description NTP was updated to version 4.2.8p8 to fix several security issues and to ensure the continued maintainability of the package. These security issues were fixed : CVE-2016-4953: Bad authentication demobilized ephemeral associations (bsc#982065). CVE-2016-4954: Processing spoofed server packets (bsc#982066). CVE-2016-4955: Autokey association reset (bsc#982067). CVE-2016-4956: Broadcast interleave (bsc#982068). CVE-2016-4957: CRYPTO_NAK crash (bsc#982064). CVE-2016-1547: Validate crypto-NAKs to prevent ACRYPTO-NAK DoS (bsc#977459). CVE-2016-1548: Prevent the change of time of an ntpd client or denying service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode (bsc#977461). CVE-2016-1549: Sybil vulnerability: ephemeral association attack (bsc#977451). CVE-2016-1550: Improve security against buffer comparison timing attacks (bsc#977464). CVE-2016-1551: Refclock impersonation vulnerability (bsc#977450)y CVE-2016-2516: Duplicate IPs on unconfig directives could have caused an assertion botch in ntpd (bsc#977452). CVE-2016-2517: Remote configuration trustedkey/ requestkey/controlkey values are not properly validated (bsc#977455). CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457). CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458). CVE-2015-8158: Potential Infinite Loop in ntpq (bsc#962966). CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). CVE-2015-7976: ntpq saveconfig command allowed dangerous characters in filenames (bsc#962802). CVE-2015-7975: nextvar() missing length check (bsc#962988). CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might have allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a 'skeleton' key (bsc#962960). CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995). CVE-2015-5300: MITM attacker can force ntpd to make a step larger than the panic threshold (bsc#951629). CVE-2015-5194: Crash with crafted logconfig configuration command (bsc#943218). CVE-2015-7871: NAK to the Future: Symmetric association authentication bypass via crypto-NAK (bsc#952611). CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (bsc#952611). CVE-2015-7854: Password Length Memory Corruption Vulnerability (bsc#952611). CVE-2015-7853: Invalid length data provided by a custom refclock driver could cause a buffer overflow (bsc#952611). CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability (bsc#952611). CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#952611). CVE-2015-7850: Clients that receive a KoD now validate the origin timestamp field (bsc#952611). CVE-2015-7849: Prevent use-after-free trusted key (bsc#952611). CVE-2015-7848: Prevent mode 7 loop counter underrun (bsc#952611). CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#952611). CVE-2015-7703: Configuration directives 'pidfile' and 'driftfile' should only be allowed locally (bsc#943221). CVE-2015-7704: Clients that receive a KoD should validate the origin timestamp field (bsc#952611). CVE-2015-7705: Clients that receive a KoD should validate the origin timestamp field (bsc#952611). CVE-2015-7691: Incomplete autokey data packet length checks (bsc#952611). CVE-2015-7692: Incomplete autokey data packet length checks (bsc#952611). CVE-2015-7702: Incomplete autokey data packet length checks (bsc#952611). CVE-2015-1798: The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP required a correct MAC only if the MAC field has a nonzero length, which made it easier for man-in-the-middle attackers to spoof packets by omitting the MAC (bsc#924202). CVE-2015-1799: The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP performed state-variable updates upon receiving certain invalid packets, which made it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer (bsc#924202). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 93186
    published 2016-08-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93186
    title SUSE SLES10 Security Update : ntp (SUSE-SU-2016:1912-1)
  • NASL family AIX Local Security Checks
    NASL id AIX_NTP_V4_ADVISORY7.NASL
    description The version of NTP installed on the remote AIX host is affected by the following vulnerabilities : - A time serving flaw exists in the trusted key system due to improper key checks. An authenticated, remote attacker can exploit this to perform impersonation attacks between authenticated peers. (CVE-2015-7974) - A denial of service vulnerability exists due to improper handling of a crafted Crypto NAK Packet with a source address spoofed to match that of an existing associated peer. An unauthenticated, remote attacker can exploit this to demobilize a client association. (CVE-2016-1547) - An information disclosure vulnerability exists in the message authentication functionality in libntp that is triggered during the handling of a series of specially crafted messages. An adjacent attacker can exploit this to partially recover the message digest key. (CVE-2016-1550) - A flaw exists due to improper filtering of IPv4 'bogon' packets received from a network. An unauthenticated, remote attacker can exploit this to spoof packets to appear to come from a specific reference clock. (CVE-2016-1551) - A denial of service vulnerability exists that allows an authenticated, remote attacker to manipulate the value of the trustedkey, controlkey, or requestkey via a crafted packet, preventing authentication with ntpd until the daemon has been restarted. (CVE-2016-2517) - An out-of-bounds read error exists in the MATCH_ASSOC() function that occurs during the creation of peer associations with hmode greater than 7. An authenticated, remote attacker can exploit this, via a specially crafted packet, to cause a denial of service. (CVE-2016-2518) - An overflow condition exists in the ctl_getitem() function in ntpd due to improper validation of user-supplied input when reporting return values. An authenticated, remote attacker can exploit this to cause ntpd to abort. (CVE-2016-2519) - A denial of service vulnerability exists when handling authentication due to improper packet timestamp checks. An unauthenticated, remote attacker can exploit this, via a specially crafted and spoofed packet, to demobilize the ephemeral associations. (CVE-2016-4953) - A flaw exists that is triggered when handling spoofed packets. An unauthenticated, remote attacker can exploit this, via specially crafted packets, to affect peer variables (e.g., cause leap indications to be set). Note that the attacker must be able to spoof packets with correct origin timestamps from servers before expected response packets arrive. (CVE-2016-4954) - A flaw exists that is triggered when handling spoofed packets. An unauthenticated, remote attacker can exploit this, via specially crafted packets, to reset autokey associations. Note that the attacker must be able to spoof packets with correct origin timestamps from servers before expected response packets arrive. (CVE-2016-4955) - A denial of service vulnerability exists when handling CRYPTO_NAK packets that allows an unauthenticated, remote attacker to cause a crash. (CVE-2016-4957)
    last seen 2019-02-21
    modified 2018-07-17
    plugin id 99183
    published 2017-04-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99183
    title AIX NTP v4 Advisory : ntp_advisory7.asc (IV87278) (IV87279)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1291-1.NASL
    description This update for ntp to 4.2.8p7 fixes the following issues : - CVE-2016-1547, bsc#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, bsc#977461: Interleave-pivot - CVE-2016-1549, bsc#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, bsc#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, bsc#977450: Refclock impersonation vulnerability - CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, bsc#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, bsc#977458: ctl_getitem() return value not always checked. - This update also improves the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 Bugs fixed : - Restrict the parser in the startup script to the first occurrance of 'keys' and 'controlkey' in ntp.conf (bsc#957226). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 91159
    published 2016-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91159
    title SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1291-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2016-708.NASL
    description It was found that an ntpd client could be forced to change from basic client/server mode to the interleaved symmetric mode. A remote attacker could use a spoofed packet that, when processed by an ntpd client, would cause that client to reject all future legitimate server responses, effectively disabling time synchronization on that client. (CVE-2016-1548) An out-of-bounds access flaw was found in the way ntpd processed certain packets. An authenticated attacker could use a crafted packet to create a peer association with hmode of 7 and larger, which could potentially (although highly unlikely) cause ntpd to crash. (CVE-2016-2518) A flaw was found in the way libntp performed message authentication. An attacker able to observe the timing of the comparison function used in packet authentication could potentially use this flaw to recover the message digest. (CVE-2016-1550) Assertion failure in ntpd on duplicate IPs on unconfig directives (CVE-2016-2516)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 91467
    published 2016-06-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91467
    title Amazon Linux AMI : ntp (ALAS-2016-708)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-1552.NASL
    description An update for ntp is now available for Red Hat Enterprise Linux 6.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. Security Fix(es) : * It was found that when NTP was configured in broadcast mode, a remote attacker could broadcast packets with bad authentication to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server, causing them to become out of sync over a longer period of time. (CVE-2015-7979) * A denial of service flaw was found in the way NTP handled preemptable client associations. A remote attacker could send several crypto NAK packets to a victim client, each with a spoofed source address of an existing associated peer, preventing that client from synchronizing its time. (CVE-2016-1547) * It was found that an ntpd client could be forced to change from basic client/server mode to the interleaved symmetric mode. A remote attacker could use a spoofed packet that, when processed by an ntpd client, would cause that client to reject all future legitimate server responses, effectively disabling time synchronization on that client. (CVE-2016-1548) * A flaw was found in the way NTP's libntp performed message authentication. An attacker able to observe the timing of the comparison function used in packet authentication could potentially use this flaw to recover the message digest. (CVE-2016-1550) * An out-of-bounds access flaw was found in the way ntpd processed certain packets. An authenticated attacker could use a crafted packet to create a peer association with hmode of 7 and larger, which could potentially (although highly unlikely) cause ntpd to crash. (CVE-2016-2518) The CVE-2016-1548 issue was discovered by Miroslav Lichvar (Red Hat).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 92718
    published 2016-08-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92718
    title RHEL 6 : ntp (RHSA-2016:1552)
  • NASL family AIX Local Security Checks
    NASL id AIX_IV87939.NASL
    description NTPv3 and NTPv4 are vulnerable to : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974 NTP could allow a remote authenticated attacker to conduct spoofing attacks, caused by a missing key check. An attacker could exploit this vulnerability to impersonate a peer. NTP could allow a local attacker to bypass security restrictions, caused by the failure to use a constant-time memory comparison function when validating the authentication digest on incoming packets. By sending a specially crafted packet with an authentication payload, an attacker could exploit this vulnerability to conduct a timing attack to compute the value of the valid authentication digest. While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock. If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted. NTP is vulnerable to a denial of service, caused by an error when using a specially crafted packet to create a peer association with hmode > 7. An attacker could exploit this vulnerability to cause the MATCH_ASSOC() function to trigger an out-of-bounds read. NTP is vulnerable to a denial of service, caused by the failure to always check the ctl_getitem() function return value. By sending an overly large value, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the demobilization of a preemptable client association. By sending specially crafted crypto NAK packets, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets, an attacker could exploit this vulnerability to cause ntpd to crash. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets to an ephemeral peer target prior to a response being sent, a remote attacker could exploit this vulnerability to demobilize the ephemeral association. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed server packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause a false leap indication to be set. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed CRYPTO_NAK or a bad MAC packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause the autokey association to reset. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin id 102128).
    last seen 2017-10-29
    modified 2017-08-03
    plugin id 93352
    published 2016-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93352
    title AIX 7.2 TL 0 : ntp (IV87939) (deprecated)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1278-1.NASL
    description This update for ntp to 4.2.8p7 fixes the following issues : - CVE-2016-1547, bsc#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, bsc#977461: Interleave-pivot - CVE-2016-1549, bsc#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, bsc#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, bsc#977450: Refclock impersonation vulnerability - CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, bsc#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, bsc#977458: ctl_getitem() return value not always checked. - This update also improves the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 Bugs fixed : - Restrict the parser in the startup script to the first occurrance of 'keys' and 'controlkey' in ntp.conf (bsc#957226). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 91120
    published 2016-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91120
    title SUSE SLES11 Security Update : ntp (SUSE-SU-2016:1278-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-1141.NASL
    description An update for ntp is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. Security Fix(es) : * It was found that when NTP was configured in broadcast mode, a remote attacker could broadcast packets with bad authentication to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server, causing them to become out of sync over a longer period of time. (CVE-2015-7979) * A denial of service flaw was found in the way NTP handled preemptable client associations. A remote attacker could send several crypto NAK packets to a victim client, each with a spoofed source address of an existing associated peer, preventing that client from synchronizing its time. (CVE-2016-1547) * It was found that an ntpd client could be forced to change from basic client/server mode to the interleaved symmetric mode. A remote attacker could use a spoofed packet that, when processed by an ntpd client, would cause that client to reject all future legitimate server responses, effectively disabling time synchronization on that client. (CVE-2016-1548) * A flaw was found in the way NTP's libntp performed message authentication. An attacker able to observe the timing of the comparison function used in packet authentication could potentially use this flaw to recover the message digest. (CVE-2016-1550) * An out-of-bounds access flaw was found in the way ntpd processed certain packets. An authenticated attacker could use a crafted packet to create a peer association with hmode of 7 and larger, which could potentially (although highly unlikely) cause ntpd to crash. (CVE-2016-2518) The CVE-2016-1548 issue was discovered by Miroslav Lichvar (Red Hat).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 91420
    published 2016-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91420
    title RHEL 6 / 7 : ntp (RHSA-2016:1141)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-ED8C6C0426.NASL
    description Security fix for CVE-2016-1548, CVE-2016-2516, CVE-2016-2518, CVE-2016-1550 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2017-02-27
    plugin id 90977
    published 2016-05-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90977
    title Fedora 24 : ntp-4.2.6p5-40.fc24 (2016-ed8c6c0426)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20160531_NTP_ON_SL6_X.NASL
    description Security Fix(es) : - It was found that when NTP was configured in broadcast mode, a remote attacker could broadcast packets with bad authentication to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server, causing them to become out of sync over a longer period of time. (CVE-2015-7979) - A denial of service flaw was found in the way NTP handled preemptable client associations. A remote attacker could send several crypto NAK packets to a victim client, each with a spoofed source address of an existing associated peer, preventing that client from synchronizing its time. (CVE-2016-1547) - It was found that an ntpd client could be forced to change from basic client/server mode to the interleaved symmetric mode. A remote attacker could use a spoofed packet that, when processed by an ntpd client, would cause that client to reject all future legitimate server responses, effectively disabling time synchronization on that client. (CVE-2016-1548) - A flaw was found in the way NTP's libntp performed message authentication. An attacker able to observe the timing of the comparison function used in packet authentication could potentially use this flaw to recover the message digest. (CVE-2016-1550) - An out-of-bounds access flaw was found in the way ntpd processed certain packets. An authenticated attacker could use a crafted packet to create a peer association with hmode of 7 and larger, which could potentially (although highly unlikely) cause ntpd to crash. (CVE-2016-2518) The CVE-2016-1548 issue was discovered by Miroslav Lichvar (Red Hat).
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 91644
    published 2016-06-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91644
    title Scientific Linux Security Update : ntp on SL6.x, SL7.x i386/x86_64
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3629.NASL
    description Several vulnerabilities were discovered in the Network Time Protocol daemon and utility programs : - CVE-2015-7974 Matt Street discovered that insufficient key validation allows impersonation attacks between authenticated peers. - CVE-2015-7977 CVE-2015-7978 Stephen Gray discovered that a NULL pointer dereference and a buffer overflow in the handling of 'ntpdc reslist' commands may result in denial of service. - CVE-2015-7979 Aanchal Malhotra discovered that if NTP is configured for broadcast mode, an attacker can send malformed authentication packets which break associations with the server for other broadcast clients. - CVE-2015-8138 Matthew van Gundy and Jonathan Gardner discovered that missing validation of origin timestamps in ntpd clients may result in denial of service. - CVE-2015-8158 Jonathan Gardner discovered that missing input sanitising in ntpq may result in denial of service. - CVE-2016-1547 Stephen Gray and Matthew van Gundy discovered that incorrect handling of crypto NAK packets may result in denial of service. - CVE-2016-1548 Jonathan Gardner and Miroslav Lichvar discovered that ntpd clients could be forced to change from basic client/server mode to interleaved symmetric mode, preventing time synchronisation. - CVE-2016-1550 Matthew van Gundy, Stephen Gray and Loganaden Velvindron discovered that timing leaks in the packet authentication code could result in recovery of a message digest. - CVE-2016-2516 Yihan Lian discovered that duplicate IPs on 'unconfig' directives will trigger an assert. - CVE-2016-2518 Yihan Lian discovered that an OOB memory access could potentially crash ntpd.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 92571
    published 2016-07-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92571
    title Debian DSA-3629-1 : ntp - security update
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL20804323.NASL
    description The MATCH_ASSOC function in NTP before version 4.2.8p9 and 4.3.x before 4.3.92 allows remote attackers to cause an out-of-bounds reference via an addpeer request with a large hmode value. (CVE-2016-2518) Using a crafted packet to create a peer association with hmode > 7 causes the MATCH_ASSOC() lookup to make an out-of-bounds reference.
    last seen 2019-02-21
    modified 2019-01-04
    plugin id 97152
    published 2017-02-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97152
    title F5 Networks BIG-IP : NTP vulnerability (K20804323)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-1141.NASL
    description From Red Hat Security Advisory 2016:1141 : An update for ntp is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. Security Fix(es) : * It was found that when NTP was configured in broadcast mode, a remote attacker could broadcast packets with bad authentication to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server, causing them to become out of sync over a longer period of time. (CVE-2015-7979) * A denial of service flaw was found in the way NTP handled preemptable client associations. A remote attacker could send several crypto NAK packets to a victim client, each with a spoofed source address of an existing associated peer, preventing that client from synchronizing its time. (CVE-2016-1547) * It was found that an ntpd client could be forced to change from basic client/server mode to the interleaved symmetric mode. A remote attacker could use a spoofed packet that, when processed by an ntpd client, would cause that client to reject all future legitimate server responses, effectively disabling time synchronization on that client. (CVE-2016-1548) * A flaw was found in the way NTP's libntp performed message authentication. An attacker able to observe the timing of the comparison function used in packet authentication could potentially use this flaw to recover the message digest. (CVE-2016-1550) * An out-of-bounds access flaw was found in the way ntpd processed certain packets. An authenticated attacker could use a crafted packet to create a peer association with hmode of 7 and larger, which could potentially (although highly unlikely) cause ntpd to crash. (CVE-2016-2518) The CVE-2016-1548 issue was discovered by Miroslav Lichvar (Red Hat).
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 91418
    published 2016-06-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91418
    title Oracle Linux 6 / 7 : ntp (ELSA-2016-1141)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_B2487D9A0C3011E6ACD0D050996490D0.NASL
    description Network Time Foundation reports : NTF's NTP Project has been notified of the following low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p7, released on Tuesday, 26 April 2016 : - Bug 3020 / CVE-2016-1551: Refclock impersonation vulnerability, AKA: refclock-peering. Reported by Matt Street and others of Cisco ASIG - Bug 3012 / CVE-2016-1549: Sybil vulnerability : ephemeral association attack, AKA: ntp-sybil - MITIGATION ONLY. Reported by Matthew Van Gundy of Cisco ASIG - Bug 3011 / CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion botch. Reported by Yihan Lian of the Cloud Security Team, Qihoo 360 - Bug 3010 / CVE-2016-2517: Remote configuration trustedkey/requestkey values are not properly validated. Reported by Yihan Lian of the Cloud Security Team, Qihoo 360 - Bug 3009 / CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. Reported by Yihan Lian of the Cloud Security Team, Qihoo 360 - Bug 3008 / CVE-2016-2519: ctl_getitem() return value not always checked. Reported by Yihan Lian of the Cloud Security Team, Qihoo 360 - Bug 3007 / CVE-2016-1547: Validate crypto-NAKs, AKA: nak-dos. Reported by Stephen Gray and Matthew Van Gundy of Cisco ASIG - Bug 2978 / CVE-2016-1548: Interleave-pivot - MITIGATION ONLY. Reported by Miroslav Lichvar of RedHat and separately by Jonathan Gardner of Cisco ASIG. - Bug 2952 / CVE-2015-7704: KoD fix: peer associations were broken by the fix for NtpBug2901, AKA: Symmetric active/passive mode is broken. Reported by Michael Tatarinov, NTP Project Developer Volunteer - Bug 2945 / Bug 2901 / CVE-2015-8138: Zero Origin Timestamp Bypass, AKA: Additional KoD Checks. Reported by Jonathan Gardner of Cisco ASIG - Bug 2879 / CVE-2016-1550: Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA: authdecrypt-timing. Reported independently by Loganaden Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 90742
    published 2016-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90742
    title FreeBSD : ntp -- multiple vulnerabilities (b2487d9a-0c30-11e6-acd0-d050996490d0)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-5B2EB0BF9C.NASL
    description Security fix for CVE-2016-1548, CVE-2016-2516, CVE-2016-2518, CVE-2016-1550 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2017-02-27
    plugin id 91062
    published 2016-05-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=91062
    title Fedora 23 : ntp-4.2.6p5-40.fc23 (2016-5b2eb0bf9c)
redhat via4
advisories
  • bugzilla
    id 1331468
    title CVE-2016-2518 ntp: out-of-bounds references on crafted packet
    oval
    OR
    • AND
      • OR
        • comment Red Hat Enterprise Linux 7 Client is installed
          oval oval:com.redhat.rhsa:tst:20140675001
        • comment Red Hat Enterprise Linux 7 Server is installed
          oval oval:com.redhat.rhsa:tst:20140675002
        • comment Red Hat Enterprise Linux 7 Workstation is installed
          oval oval:com.redhat.rhsa:tst:20140675003
        • comment Red Hat Enterprise Linux 7 ComputeNode is installed
          oval oval:com.redhat.rhsa:tst:20140675004
      • OR
        • AND
          • comment ntp is earlier than 0:4.2.6p5-22.el7_2.2
            oval oval:com.redhat.rhsa:tst:20161141005
          • comment ntp is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20142024006
        • AND
          • comment ntp-doc is earlier than 0:4.2.6p5-22.el7_2.2
            oval oval:com.redhat.rhsa:tst:20161141013
          • comment ntp-doc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20142024010
        • AND
          • comment ntp-perl is earlier than 0:4.2.6p5-22.el7_2.2
            oval oval:com.redhat.rhsa:tst:20161141011
          • comment ntp-perl is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20142024014
        • AND
          • comment ntpdate is earlier than 0:4.2.6p5-22.el7_2.2
            oval oval:com.redhat.rhsa:tst:20161141009
          • comment ntpdate is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20142024012
        • AND
          • comment sntp is earlier than 0:4.2.6p5-22.el7_2.2
            oval oval:com.redhat.rhsa:tst:20161141007
          • comment sntp is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20142024008
    • AND
      • OR
        • comment Red Hat Enterprise Linux 6 Client is installed
          oval oval:com.redhat.rhsa:tst:20100842001
        • comment Red Hat Enterprise Linux 6 Server is installed
          oval oval:com.redhat.rhsa:tst:20100842002
        • comment Red Hat Enterprise Linux 6 Workstation is installed
          oval oval:com.redhat.rhsa:tst:20100842003
        • comment Red Hat Enterprise Linux 6 ComputeNode is installed
          oval oval:com.redhat.rhsa:tst:20100842004
      • OR
        • AND
          • comment ntp is earlier than 0:4.2.6p5-10.el6.1
            oval oval:com.redhat.rhsa:tst:20161141019
          • comment ntp is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20142024006
        • AND
          • comment ntp-doc is earlier than 0:4.2.6p5-10.el6.1
            oval oval:com.redhat.rhsa:tst:20161141022
          • comment ntp-doc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20142024010
        • AND
          • comment ntp-perl is earlier than 0:4.2.6p5-10.el6.1
            oval oval:com.redhat.rhsa:tst:20161141020
          • comment ntp-perl is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20142024014
        • AND
          • comment ntpdate is earlier than 0:4.2.6p5-10.el6.1
            oval oval:com.redhat.rhsa:tst:20161141021
          • comment ntpdate is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20142024012
    rhsa
    id RHSA-2016:1141
    released 2016-05-31
    severity Moderate
    title RHSA-2016:1141: ntp security update (Moderate)
  • rhsa
    id RHSA-2016:1552
rpms
  • ntp-0:4.2.6p5-22.el7_2.2
  • ntp-doc-0:4.2.6p5-22.el7_2.2
  • ntp-perl-0:4.2.6p5-22.el7_2.2
  • ntpdate-0:4.2.6p5-22.el7_2.2
  • sntp-0:4.2.6p5-22.el7_2.2
  • ntp-0:4.2.6p5-10.el6.1
  • ntp-doc-0:4.2.6p5-10.el6.1
  • ntp-perl-0:4.2.6p5-10.el6.1
  • ntpdate-0:4.2.6p5-10.el6.1
refmap via4
bid 88226
cert-vn VU#718152
confirm
debian DSA-3629
freebsd FreeBSD-SA-16:16
gentoo GLSA-201607-15
sectrack 1035705
Last major update 24-02-2017 - 14:08
Published 30-01-2017 - 16:59
Last modified 17-05-2018 - 21:29
Back to Top