ID CVE-2017-6462
Summary Buffer overflow in the legacy Datum Programmable Time Server (DPTS) refclock driver in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows local users to have unspecified impact via a crafted /dev/datum device.
References
Vulnerable Configurations
  • NTP 4.2.8 Patch 9
    cpe:2.3:a:ntp:ntp:4.2.8:p9
  • NTP 4.3.0
    cpe:2.3:a:ntp:ntp:4.3.0
  • NTP 4.3.1
    cpe:2.3:a:ntp:ntp:4.3.1
  • NTP 4.3.2
    cpe:2.3:a:ntp:ntp:4.3.2
  • NTP 4.3.3
    cpe:2.3:a:ntp:ntp:4.3.3
  • NTP 4.3.4
    cpe:2.3:a:ntp:ntp:4.3.4
  • NTP 4.3.5
    cpe:2.3:a:ntp:ntp:4.3.5
  • NTP 4.3.6
    cpe:2.3:a:ntp:ntp:4.3.6
  • NTP 4.3.7
    cpe:2.3:a:ntp:ntp:4.3.7
  • NTP 4.3.8
    cpe:2.3:a:ntp:ntp:4.3.8
  • NTP 4.3.9
    cpe:2.3:a:ntp:ntp:4.3.9
  • NTP 4.3.10
    cpe:2.3:a:ntp:ntp:4.3.10
  • NTP 4.3.11
    cpe:2.3:a:ntp:ntp:4.3.11
  • NTP 4.3.12
    cpe:2.3:a:ntp:ntp:4.3.12
  • NTP 4.3.13
    cpe:2.3:a:ntp:ntp:4.3.13
  • NTP 4.3.14
    cpe:2.3:a:ntp:ntp:4.3.14
  • NTP 4.3.15
    cpe:2.3:a:ntp:ntp:4.3.15
  • NTP 4.3.16
    cpe:2.3:a:ntp:ntp:4.3.16
  • NTP 4.3.17
    cpe:2.3:a:ntp:ntp:4.3.17
  • NTP 4.3.18
    cpe:2.3:a:ntp:ntp:4.3.18
  • NTP 4.3.19
    cpe:2.3:a:ntp:ntp:4.3.19
  • NTP 4.3.20
    cpe:2.3:a:ntp:ntp:4.3.20
  • NTP 4.3.21
    cpe:2.3:a:ntp:ntp:4.3.21
  • NTP 4.3.22
    cpe:2.3:a:ntp:ntp:4.3.22
  • NTP 4.3.23
    cpe:2.3:a:ntp:ntp:4.3.23
  • NTP 4.3.24
    cpe:2.3:a:ntp:ntp:4.3.24
  • NTP 4.3.25
    cpe:2.3:a:ntp:ntp:4.3.25
  • NTP 4.3.26
    cpe:2.3:a:ntp:ntp:4.3.26
  • NTP 4.3.27
    cpe:2.3:a:ntp:ntp:4.3.27
  • NTP 4.3.28
    cpe:2.3:a:ntp:ntp:4.3.28
  • NTP 4.3.29
    cpe:2.3:a:ntp:ntp:4.3.29
  • NTP 4.3.30
    cpe:2.3:a:ntp:ntp:4.3.30
  • NTP 4.3.31
    cpe:2.3:a:ntp:ntp:4.3.31
  • NTP 4.3.32
    cpe:2.3:a:ntp:ntp:4.3.32
  • NTP 4.3.33
    cpe:2.3:a:ntp:ntp:4.3.33
  • NTP 4.3.34
    cpe:2.3:a:ntp:ntp:4.3.34
  • NTP 4.3.35
    cpe:2.3:a:ntp:ntp:4.3.35
  • NTP 4.3.36
    cpe:2.3:a:ntp:ntp:4.3.36
  • NTP 4.3.37
    cpe:2.3:a:ntp:ntp:4.3.37
  • NTP 4.3.38
    cpe:2.3:a:ntp:ntp:4.3.38
  • NTP 4.3.39
    cpe:2.3:a:ntp:ntp:4.3.39
  • NTP 4.3.40
    cpe:2.3:a:ntp:ntp:4.3.40
  • NTP 4.3.41
    cpe:2.3:a:ntp:ntp:4.3.41
  • NTP 4.3.42
    cpe:2.3:a:ntp:ntp:4.3.42
  • NTP 4.3.43
    cpe:2.3:a:ntp:ntp:4.3.43
  • NTP 4.3.44
    cpe:2.3:a:ntp:ntp:4.3.44
  • NTP 4.3.45
    cpe:2.3:a:ntp:ntp:4.3.45
  • NTP 4.3.46
    cpe:2.3:a:ntp:ntp:4.3.46
  • NTP 4.3.47
    cpe:2.3:a:ntp:ntp:4.3.47
  • NTP 4.3.48
    cpe:2.3:a:ntp:ntp:4.3.48
  • NTP 4.3.49
    cpe:2.3:a:ntp:ntp:4.3.49
  • NTP 4.3.50
    cpe:2.3:a:ntp:ntp:4.3.50
  • NTP 4.3.51
    cpe:2.3:a:ntp:ntp:4.3.51
  • NTP 4.3.52
    cpe:2.3:a:ntp:ntp:4.3.52
  • NTP 4.3.53
    cpe:2.3:a:ntp:ntp:4.3.53
  • NTP 4.3.54
    cpe:2.3:a:ntp:ntp:4.3.54
  • NTP 4.3.55
    cpe:2.3:a:ntp:ntp:4.3.55
  • NTP 4.3.56
    cpe:2.3:a:ntp:ntp:4.3.56
  • NTP 4.3.57
    cpe:2.3:a:ntp:ntp:4.3.57
  • NTP 4.3.58
    cpe:2.3:a:ntp:ntp:4.3.58
  • NTP 4.3.59
    cpe:2.3:a:ntp:ntp:4.3.59
  • NTP 4.3.60
    cpe:2.3:a:ntp:ntp:4.3.60
  • NTP 4.3.61
    cpe:2.3:a:ntp:ntp:4.3.61
  • NTP 4.3.62
    cpe:2.3:a:ntp:ntp:4.3.62
  • NTP 4.3.63
    cpe:2.3:a:ntp:ntp:4.3.63
  • NTP 4.3.64
    cpe:2.3:a:ntp:ntp:4.3.64
  • NTP 4.3.65
    cpe:2.3:a:ntp:ntp:4.3.65
  • NTP 4.3.66
    cpe:2.3:a:ntp:ntp:4.3.66
  • NTP 4.3.67
    cpe:2.3:a:ntp:ntp:4.3.67
  • NTP 4.3.68
    cpe:2.3:a:ntp:ntp:4.3.68
  • NTP 4.3.69
    cpe:2.3:a:ntp:ntp:4.3.69
  • NTP 4.3.70
    cpe:2.3:a:ntp:ntp:4.3.70
  • NTP 4.3.71
    cpe:2.3:a:ntp:ntp:4.3.71
  • NTP 4.3.72
    cpe:2.3:a:ntp:ntp:4.3.72
  • NTP 4.3.73
    cpe:2.3:a:ntp:ntp:4.3.73
  • NTP 4.3.74
    cpe:2.3:a:ntp:ntp:4.3.74
  • NTP 4.3.75
    cpe:2.3:a:ntp:ntp:4.3.75
  • NTP 4.3.76
    cpe:2.3:a:ntp:ntp:4.3.76
  • NTP 4.3.77
    cpe:2.3:a:ntp:ntp:4.3.77
  • NTP 4.3.78
    cpe:2.3:a:ntp:ntp:4.3.78
  • NTP 4.3.79
    cpe:2.3:a:ntp:ntp:4.3.79
  • NTP 4.3.80
    cpe:2.3:a:ntp:ntp:4.3.80
  • NTP 4.3.81
    cpe:2.3:a:ntp:ntp:4.3.81
  • NTP 4.3.82
    cpe:2.3:a:ntp:ntp:4.3.82
  • NTP 4.3.83
    cpe:2.3:a:ntp:ntp:4.3.83
  • NTP 4.3.84
    cpe:2.3:a:ntp:ntp:4.3.84
  • NTP 4.3.85
    cpe:2.3:a:ntp:ntp:4.3.85
  • NTP 4.3.86
    cpe:2.3:a:ntp:ntp:4.3.86
  • NTP 4.3.87
    cpe:2.3:a:ntp:ntp:4.3.87
  • NTP 4.3.88
    cpe:2.3:a:ntp:ntp:4.3.88
  • NTP 4.3.89
    cpe:2.3:a:ntp:ntp:4.3.89
  • NTP 4.3.90
    cpe:2.3:a:ntp:ntp:4.3.90
  • NTP 4.3.91
    cpe:2.3:a:ntp:ntp:4.3.91
  • NTP 4.3.92
    cpe:2.3:a:ntp:ntp:4.3.92
  • NTP 4.3.93
    cpe:2.3:a:ntp:ntp:4.3.93
CVSS
Base: 4.6 (as of 29-03-2017 - 12:33)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
VectorComplexityAuthentication
LOCAL LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2017-3071.NASL
    description From Red Hat Security Advisory 2017:3071 : An update for ntp is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. Security Fix(es) : * Two vulnerabilities were discovered in the NTP server's parsing of configuration directives. A remote, authenticated attacker could cause ntpd to crash by sending a crafted message. (CVE-2017-6463, CVE-2017-6464) * A vulnerability was found in NTP, in the parsing of packets from the /dev/ datum device. A malicious device could send crafted messages, causing ntpd to crash. (CVE-2017-6462) Red Hat would like to thank the NTP project for reporting these issues. Upstream acknowledges Cure53 as the original reporter of these issues.
    last seen 2018-09-02
    modified 2018-07-25
    plugin id 104199
    published 2017-10-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104199
    title Oracle Linux 6 : ntp (ELSA-2017-3071)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3349-1.NASL
    description Yihan Lian discovered that NTP incorrectly handled certain large request data values. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-2519) Miroslav Lichvar discovered that NTP incorrectly handled certain spoofed addresses when performing rate limiting. A remote attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7426) Matthew Van Gundy discovered that NTP incorrectly handled certain crafted broadcast mode packets. A remote attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7427, CVE-2016-7428) Miroslav Lichvar discovered that NTP incorrectly handled certain responses. A remote attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7429) Sharon Goldberg and Aanchal Malhotra discovered that NTP incorrectly handled origin timestamps of zero. A remote attacker could possibly use this issue to bypass the origin timestamp protection mechanism. This issue only affected Ubuntu 16.10. (CVE-2016-7431) Brian Utterback, Sharon Goldberg and Aanchal Malhotra discovered that NTP incorrectly performed initial sync calculations. This issue only applied to Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7433) Magnus Stubman discovered that NTP incorrectly handled certain mrulist queries. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7434) Matthew Van Gund discovered that NTP incorrectly handled origin timestamp checks. A remote attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu Ubuntu 16.10, and Ubuntu 17.04. (CVE-2016-9042) Matthew Van Gundy discovered that NTP incorrectly handled certain control mode packets. A remote attacker could use this issue to set or unset traps. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9310) Matthew Van Gundy discovered that NTP incorrectly handled the trap service. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9311) It was discovered that NTP incorrectly handled memory when processing long variables. A remote authenticated user could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2017-6458) It was discovered that NTP incorrectly handled memory when processing long variables. A remote authenticated user could possibly use this issue to cause NTP to crash, resulting in a denial of service. This issue only applied to Ubuntu 16.04 LTS, Ubuntu 16.10 and Ubuntu 17.04. (CVE-2017-6460) It was discovered that the NTP legacy DPTS refclock driver incorrectly handled the /dev/datum device. A local attacker could possibly use this issue to cause a denial of service. (CVE-2017-6462) It was discovered that NTP incorrectly handled certain invalid settings in a :config directive. A remote authenticated user could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2017-6463) It was discovered that NTP incorrectly handled certain invalid mode configuration directives. A remote authenticated user could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2017-6464). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-03
    plugin id 101263
    published 2017-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101263
    title Ubuntu 14.04 LTS / 16.04 LTS / 16.10 / 17.04 : ntp vulnerabilities (USN-3349-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-20D54B2782.NASL
    description Security fix for CVE-2017-6464 CVE-2017-6462 CVE-2017-6463 CVE-2017-6458 CVE-2017-6451 CVE-2017-6460 CVE-2016-9042. ---- This update improves the default configuration file to use the pool directive. It also replaces the ntpstat program with a shell script that uses the ntpq program instead of implementing the mode 6 protocol. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2017-07-17
    plugin id 101588
    published 2017-07-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101588
    title Fedora 26 : ntp (2017-20d54b2782)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2017-3071.NASL
    description An update for ntp is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. Security Fix(es) : * Two vulnerabilities were discovered in the NTP server's parsing of configuration directives. A remote, authenticated attacker could cause ntpd to crash by sending a crafted message. (CVE-2017-6463, CVE-2017-6464) * A vulnerability was found in NTP, in the parsing of packets from the /dev/ datum device. A malicious device could send crafted messages, causing ntpd to crash. (CVE-2017-6462) Red Hat would like to thank the NTP project for reporting these issues. Upstream acknowledges Cure53 as the original reporter of these issues.
    last seen 2018-09-01
    modified 2018-07-30
    plugin id 104170
    published 2017-10-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104170
    title RHEL 6 : ntp (RHSA-2017:3071)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1052-1.NASL
    description This ntp update to version 4.2.8p10 fixes the following issues: Security issues fixed (bsc#1030050) : - CVE-2017-6464: Denial of Service via Malformed Config - CVE-2017-6462: Buffer Overflow in DPTS Clock - CVE-2017-6463: Authenticated DoS via Malicious Config Option - CVE-2017-6458: Potential Overflows in ctl_put() functions - CVE-2017-6451: Improper use of snprintf() in mx4200_send() - CVE-2017-6460: Buffer Overflow in ntpq when fetching reslist - CVE-2016-9042: 0rigin (zero origin) DoS. - ntpq_stripquotes() returns incorrect Value - ereallocarray()/eallocarray() underused - Copious amounts of Unused Code - Off-by-one in Oncore GPS Receiver - Makefile does not enforce Security Flags Bugfixes : - Remove spurious log messages (bsc#1014172). - Fixing ppc and ppc64 linker issue (bsc#1031085). - clang scan-build findings - Support for openssl-1.1.0 without compatibility modes - Bugfix 3072 breaks multicastclient - forking async worker: interrupted pipe I/O - (...) time_pps_create: Exec format error - Incorrect Logic for Peer Event Limiting - Change the process name of forked DNS worker - Trap Configuration Fail - Nothing happens if minsane - allow -4/-6 on restrict line with mask - out-of-bound pointers in ctl_putsys and decode_bitflags - Move ntp-kod to /var/lib/ntp, because /var/db is not a standard directory and causes problems for transactional updates. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-02
    plugin id 99469
    published 2017-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99469
    title SUSE SLES11 Security Update : ntp (SUSE-SU-2017:1052-1)
  • NASL family F5 Networks Local Security Checks
    NASL id F5_BIGIP_SOL07082049.NASL
    description Buffer overflow in the legacy Datum Programmable Time Server (DPTS) refclock driver in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows local users to have unspecified impact via a crafted /dev/datum device. (CVE-2017-6462)
    last seen 2018-09-02
    modified 2018-07-11
    plugin id 105399
    published 2017-12-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=105399
    title F5 Networks BIG-IP : NTP vulnerability (K07082049)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2017-112-02.NASL
    description New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, 14.2, and -current to fix security issues.
    last seen 2018-09-02
    modified 2018-01-26
    plugin id 99597
    published 2017-04-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99597
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / 14.2 / current : ntp (SSA:2017-112-02)
  • NASL family MacOS X Local Security Checks
    NASL id MACOS_10_13.NASL
    description The remote host is running a version of Mac OS X that is prior to 10.10.5, 10.11.x prior to 10.11.6, 10.12.x prior to 10.12.6, or is not macOS 10.13. It is, therefore, affected by multiple vulnerabilities in the following components : - apache - AppSandbox - AppleScript - Application Firewall - ATS - Audio - CFNetwork - CFNetwork Proxies - CFString - Captive Network Assistant - CoreAudio - CoreText - DesktopServices - Directory Utility - file - Fonts - fsck_msdos - HFS - Heimdal - HelpViewer - IOFireWireFamily - ImageIO - Installer - Kernel - kext tools - libarchive - libc - libexpat - Mail - Mail Drafts - ntp - Open Scripting Architecture - PCRE - Postfix - Quick Look - QuickTime - Remote Management - SQLite - Sandbox - Screen Lock - Security - Spotlight - WebKit - zlib Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen 2018-09-01
    modified 2018-07-14
    plugin id 103598
    published 2017-10-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=103598
    title macOS < 10.13 Multiple Vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-72323A442F.NASL
    description Security fix for CVE-2017-6464 CVE-2017-6462 CVE-2017-6463 CVE-2017-6458 CVE-2017-6451. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-02
    modified 2017-04-19
    plugin id 99445
    published 2017-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99445
    title Fedora 24 : ntp (2017-72323a442f)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2017-0010.NASL
    description An update of [binutils,ntp,libarchive] packages for PhotonOS has been released.
    last seen 2018-09-01
    modified 2018-08-17
    plugin id 111859
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111859
    title Photon OS 1.0: Binutils / Libarchive / Ntp PHSA-2017-0010
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1124.NASL
    description According to the versions of the ntp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ntpq in NTP before 4.2.8p7 allows remote attackers to obtain origin timestamps and then impersonate peers via unspecified vectors.(CVE-2015-8139) - NTP before 4.2.8p7 and 4.3.x before 4.3.92, when mode7 is enabled, allows remote attackers to cause a denial of service (ntpd abort) by using the same IP address multiple times in an unconfig directive.(CVE-2016-2516) - The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication.(CVE-2016-4954) - ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time.(CVE-2016-4955) - ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-1548.(CVE-2016-4956) - Buffer overflow in the legacy Datum Programmable Time Server (DPTS) refclock driver in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows local users to have unspecified impact via a crafted /dev/datum device.(CVE-2017-6462) - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote authenticated users to cause a denial of service (daemon crash) via an invalid setting in a :config directive, related to the unpeer option.(CVE-2017-6463) - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote attackers to cause a denial of service (ntpd crash) via a malformed mode configuration directive.(CVE-2017-6464) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-10
    plugin id 101310
    published 2017-07-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101310
    title EulerOS 2.0 SP1 : ntp (EulerOS-SA-2017-1124)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-0855.NASL
    description An update for ntp is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. Security Fix(es) : * ntp: Authenticated DoS via Malicious Config Option (CVE-2017-6463) * ntp: Denial of Service via Malformed Config (CVE-2017-6464) * ntp: Buffer Overflow in DPTS Clock (CVE-2017-6462) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank the NTP project for reporting these issues. Upstream acknowledges Cure53 as the original reporter of these issues. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen 2018-10-18
    modified 2018-10-17
    plugin id 108989
    published 2018-04-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=108989
    title RHEL 7 : ntp (RHSA-2018:0855)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-816.NASL
    description Denial of Service via Malformed Config : A vulnerability was discovered in the NTP server's parsing of configuration directives. A remote, authenticated attacker could cause ntpd to crash by sending a crafted message.(CVE-2017-6464) Potential Overflows in ctl_put() functions : A vulnerability was found in NTP, in the building of response packets with custom fields. If custom fields were configured in ntp.conf with particularly long names, inclusion of these fields in the response packet could cause a buffer overflow, leading to a crash. (CVE-2017-6458) Improper use of snprintf() in mx4200_send() : A vulnerability was found in NTP, in the legacy MX4200 refclock implementation. If this refclock was compiled in and used, an attacker may be able to induce stack overflow, leading to a crash or potential code execution.(CVE-2017-6451) Authenticated DoS via Malicious Config Option : A vulnerability was discovered in the NTP server's parsing of configuration directives. A remote, authenticated attacker could cause ntpd to crash by sending a crafted message.(CVE-2017-6463) Buffer Overflow in DPTS Clock : A vulnerability was found in NTP, in the parsing of packets from the /dev/datum device. A malicious device could send crafted messages, causing ntpd to crash.(CVE-2017-6462)
    last seen 2018-09-02
    modified 2018-04-18
    plugin id 99529
    published 2017-04-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99529
    title Amazon Linux AMI : ntp (ALAS-2017-816)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20180410_NTP_ON_SL7_X.NASL
    description Security Fix(es) : - ntp: Authenticated DoS via Malicious Config Option (CVE-2017-6463) - ntp: Denial of Service via Malformed Config (CVE-2017-6464) - ntp: Buffer Overflow in DPTS Clock (CVE-2017-6462) Additional Changes :
    last seen 2018-09-01
    modified 2018-05-01
    plugin id 109453
    published 2018-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109453
    title Scientific Linux Security Update : ntp on SL7.x x86_64
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_3C0237F5420E11E782C514DAE9D210B8.NASL
    description A vulnerability was discovered in the NTP server's parsing of configuration directives. [CVE-2017-6464] A vulnerability was found in NTP, in the parsing of packets from the DPTS Clock. [CVE-2017-6462] A vulnerability was discovered in the NTP server's parsing of configuration directives. [CVE-2017-6463] A vulnerability was found in NTP, affecting the origin timestamp check function. [CVE-2016-9042] Impact : A remote, authenticated attacker could cause ntpd to crash by sending a crafted message. [CVE-2017-6463, CVE-2017-6464] A malicious device could send crafted messages, causing ntpd to crash. [CVE-2017-6462] An attacker able to spoof messages from all of the configured peers could send crafted packets to ntpd, causing later replies from those peers to be discarded, resulting in denial of service. [CVE-2016-9042]
    last seen 2018-09-02
    modified 2017-05-30
    plugin id 100496
    published 2017-05-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=100496
    title FreeBSD : FreeBSD -- Multiple vulnerabilities of ntp (3c0237f5-420e-11e7-82c5-14dae9d210b8)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1047-1.NASL
    description This ntp update to version 4.2.8p10 fixes serveral issues. This updated enables leap smearing. See /usr/share/doc/packages/ntp/README.leapsmear for details. Security issues fixed (bsc#1030050) : - CVE-2017-6464: Denial of Service via Malformed Config - CVE-2017-6462: Buffer Overflow in DPTS Clock - CVE-2017-6463: Authenticated DoS via Malicious Config Option - CVE-2017-6458: Potential Overflows in ctl_put() functions - CVE-2017-6451: Improper use of snprintf() in mx4200_send() - CVE-2017-6460: Buffer Overflow in ntpq when fetching reslist - CVE-2016-9042: 0rigin (zero origin) DoS. - ntpq_stripquotes() returns incorrect Value - ereallocarray()/eallocarray() underused - Copious amounts of Unused Code - Off-by-one in Oncore GPS Receiver - Makefile does not enforce Security Flags Bugfixes : - Remove spurious log messages (bsc#1014172). - clang scan-build findings - Support for openssl-1.1.0 without compatibility modes - Bugfix 3072 breaks multicastclient - forking async worker: interrupted pipe I/O - (...) time_pps_create: Exec format error - Incorrect Logic for Peer Event Limiting - Change the process name of forked DNS worker - Trap Configuration Fail - Nothing happens if minsane - allow -4/-6 on restrict line with mask - out-of-bound pointers in ctl_putsys and decode_bitflags - Move ntp-kod to /var/lib/ntp, because /var/db is not a standard directory and causes problems for transactional updates. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-02
    plugin id 99467
    published 2017-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99467
    title SUSE SLES12 Security Update : ntp (SUSE-SU-2017:1047-1)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2017-1125.NASL
    description According to the versions of the ntp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ntpq in NTP before 4.2.8p7 allows remote attackers to obtain origin timestamps and then impersonate peers via unspecified vectors.(CVE-2015-8139) - NTP before 4.2.8p7 and 4.3.x before 4.3.92, when mode7 is enabled, allows remote attackers to cause a denial of service (ntpd abort) by using the same IP address multiple times in an unconfig directive.(CVE-2016-2516) - The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication.(CVE-2016-4954) - ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time.(CVE-2016-4955) - ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-1548.(CVE-2016-4956) - Buffer overflow in the legacy Datum Programmable Time Server (DPTS) refclock driver in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows local users to have unspecified impact via a crafted /dev/datum device.(CVE-2017-6462) - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote authenticated users to cause a denial of service (daemon crash) via an invalid setting in a :config directive, related to the unpeer option.(CVE-2017-6463) - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote attackers to cause a denial of service (ntpd crash) via a malformed mode configuration directive.(CVE-2017-6464) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-10
    plugin id 101311
    published 2017-07-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101311
    title EulerOS 2.0 SP2 : ntp (EulerOS-SA-2017-1125)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2017-5EBAC1C112.NASL
    description Security fix for CVE-2017-6464 CVE-2017-6462 CVE-2017-6463 CVE-2017-6458 CVE-2017-6451. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2017-03-30
    plugin id 99053
    published 2017-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99053
    title Fedora 25 : ntp (2017-5ebac1c112)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2018-0855.NASL
    description From Red Hat Security Advisory 2018:0855 : An update for ntp is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. Security Fix(es) : * ntp: Authenticated DoS via Malicious Config Option (CVE-2017-6463) * ntp: Denial of Service via Malformed Config (CVE-2017-6464) * ntp: Buffer Overflow in DPTS Clock (CVE-2017-6462) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank the NTP project for reporting these issues. Upstream acknowledges Cure53 as the original reporter of these issues. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen 2018-09-02
    modified 2018-04-18
    plugin id 109109
    published 2018-04-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109109
    title Oracle Linux 7 : ntp (ELSA-2018-0855)
  • NASL family AIX Local Security Checks
    NASL id AIX_NTP_V4_ADVISORY9.NASL
    description The version of NTP installed on the remote AIX host is affected by the following vulnerabilities : - Multiple stack-based buffer overflow conditions exist in various wrappers around the ctl_putdata() function within file ntpd/ntp_control.c due to improper validation of certain input from the ntp.conf file. An unauthenticated, remote attacker can exploit these, by convincing a user into deploying a specially crafted ntp.conf file, to cause a denial of service condition or possibly the execution of arbitrary code. (CVE-2017-6458) - A stack-based buffer overflow condition exists in the datum_pts_receive() function within file ntpd/refclock_datum.c when handling handling packets from the '/dev/datum' device due to improper validation of certain input. A local attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-6462) - A denial of service vulnerability exists when handling configuration directives. An authenticated, remote attacker can exploit this, via a malformed 'mode' configuration directive, to crash the ntpd daemon. (CVE-2017-6464)
    last seen 2018-09-01
    modified 2018-07-17
    plugin id 102131
    published 2017-08-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102131
    title AIX NTP v4 Advisory : ntp_advisory9.asc (IV96311) (IV96312)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2017-511.NASL
    description This ntp update to version 4.2.8p10 fixes serveral issues. This updated enables leap smearing. See /usr/share/doc/packages/ntp/README.leapsmear for details. Security issues fixed (bsc#1030050) : - CVE-2017-6464: Denial of Service via Malformed Config - CVE-2017-6462: Buffer Overflow in DPTS Clock - CVE-2017-6463: Authenticated DoS via Malicious Config Option - CVE-2017-6458: Potential Overflows in ctl_put() functions - CVE-2017-6451: Improper use of snprintf() in mx4200_send() - CVE-2017-6460: Buffer Overflow in ntpq when fetching reslist - CVE-2016-9042: 0rigin (zero origin) DoS. - ntpq_stripquotes() returns incorrect Value - ereallocarray()/eallocarray() underused - Copious amounts of Unused Code - Off-by-one in Oncore GPS Receiver - Makefile does not enforce Security Flags Bugfixes : - Remove spurious log messages (bsc#1014172). - clang scan-build findings - Support for openssl-1.1.0 without compatibility modes - Bugfix 3072 breaks multicastclient - forking async worker: interrupted pipe I/O - (...) time_pps_create: Exec format error - Incorrect Logic for Peer Event Limiting - Change the process name of forked DNS worker - Trap Configuration Fail - Nothing happens if minsane < maxclock < minclock - allow -4/-6 on restrict line with mask - out-of-bound pointers in ctl_putsys and decode_bitflags - Move ntp-kod to /var/lib/ntp, because /var/db is not a standard directory and causes problems for transactional updates. This update was imported from the SUSE:SLE-12-SP1:Update update project.
    last seen 2018-09-02
    modified 2017-04-27
    plugin id 99700
    published 2017-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99700
    title openSUSE Security Update : ntp (openSUSE-2017-511)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2017-1048-1.NASL
    description This ntp update to version 4.2.8p10 fixes serveral issues. This updated enables leap smearing. See /usr/share/doc/packages/ntp/README.leapsmear for details. Security issues fixed (bsc#1030050) : - CVE-2017-6464: Denial of Service via Malformed Config - CVE-2017-6462: Buffer Overflow in DPTS Clock - CVE-2017-6463: Authenticated DoS via Malicious Config Option - CVE-2017-6458: Potential Overflows in ctl_put() functions - CVE-2017-6451: Improper use of snprintf() in mx4200_send() - CVE-2017-6460: Buffer Overflow in ntpq when fetching reslist - CVE-2016-9042: 0rigin (zero origin) DoS. - ntpq_stripquotes() returns incorrect Value - ereallocarray()/eallocarray() underused - Copious amounts of Unused Code - Off-by-one in Oncore GPS Receiver - Makefile does not enforce Security Flags Bugfixes : - Remove spurious log messages (bsc#1014172). - clang scan-build findings - Support for openssl-1.1.0 without compatibility modes - Bugfix 3072 breaks multicastclient - forking async worker: interrupted pipe I/O - (...) time_pps_create: Exec format error - Incorrect Logic for Peer Event Limiting - Change the process name of forked DNS worker - Trap Configuration Fail - Nothing happens if minsane - allow -4/-6 on restrict line with mask - out-of-bound pointers in ctl_putsys and decode_bitflags - Move ntp-kod to /var/lib/ntp, because /var/db is not a standard directory and causes problems for transactional updates. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-02
    modified 2018-08-02
    plugin id 99468
    published 2017-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99468
    title SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2017:1048-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id AL2_ALAS-2018-1009.NASL
    description Ephemeral association time spoofing additional protection ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549 .(CVE-2018-7170) Interleaved symmetric mode cannot recover from bad state ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the 'received' timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-2015-7704 .(CVE-2018-7184) Ephemeral association time spoofing A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win the clock selection algorithm in ntpd in NTP 4.2.8p4 and earlier and NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 and a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a victim's clock.(CVE-2016-1549) Buffer read overrun leads information leak in ctl_getitem() The ctl_getitem method in ntpd in ntp-4.2.8p6 before 4.2.8p11 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mode 6 packet with a ntpd instance from 4.2.8p6 through 4.2.8p10. (CVE-2018-7182) Unauthenticated packet can reset authenticated interleaved association The protocol engine in ntp 4.2.6 before 4.2.8p11 allows a remote attackers to cause a denial of service (disruption) by continually sending a packet with a zero-origin timestamp and source IP address of the 'other side' of an interleaved association causing the victim ntpd to reset its association.(CVE-2018-7185) decodearr() can write beyond its buffer limit Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array.(CVE-2018-7183)
    last seen 2018-09-01
    modified 2018-05-11
    plugin id 109688
    published 2018-05-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109688
    title Amazon Linux 2 : ntp (ALAS-2018-1009)
  • NASL family Firewalls
    NASL id PFSENSE_SA-17_04.NASL
    description According to its self-reported version number, the remote pfSense install is affected by multiple vulnerabilities as stated in the referenced vendor advisories.
    last seen 2018-09-19
    modified 2018-09-17
    plugin id 106504
    published 2018-01-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106504
    title pfSense < 2.3.4 Multiple Vulnerabilities (SA-17_04)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20171026_NTP_ON_SL6_X.NASL
    description Security Fix(es) : - Two vulnerabilities were discovered in the NTP server's parsing of configuration directives. A remote, authenticated attacker could cause ntpd to crash by sending a crafted message. (CVE-2017-6463, CVE-2017-6464) - A vulnerability was found in NTP, in the parsing of packets from the /dev/datum device. A malicious device could send crafted messages, causing ntpd to crash. (CVE-2017-6462)
    last seen 2018-09-02
    modified 2018-01-26
    plugin id 104206
    published 2017-10-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104206
    title Scientific Linux Security Update : ntp on SL6.x i386/x86_64
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2017-0165.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - add disable monitor to default ntp.conf [CVE-2013-5211] - fix buffer overflow in datum refclock driver (CVE-2017-6462) - fix crash with invalid unpeer command (CVE-2017-6463) - fix potential crash with invalid server command (CVE-2017-6464) - don't limit rate of packets from sources (CVE-2016-7426) - don't change interface from received packets (CVE-2016-7429) - fix calculation of root distance again (CVE-2016-7433) - require authentication for trap commands (CVE-2016-9310) - fix crash when reporting peer event to trappers (CVE-2016-9311) - don't allow spoofed packets to demobilize associations (CVE-2015-7979, CVE-2016-1547) - don't allow spoofed packet to enable symmetric interleaved mode (CVE-2016-1548) - check mode of new source in config command (CVE-2016-2518) - make MAC check resilient against timing attack (CVE-2016-1550)
    last seen 2018-09-02
    modified 2018-07-24
    plugin id 104204
    published 2017-10-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104204
    title OracleVM 3.3 / 3.4 : ntp (OVMSA-2017-0165)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2017-3071.NASL
    description An update for ntp is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. Security Fix(es) : * Two vulnerabilities were discovered in the NTP server's parsing of configuration directives. A remote, authenticated attacker could cause ntpd to crash by sending a crafted message. (CVE-2017-6463, CVE-2017-6464) * A vulnerability was found in NTP, in the parsing of packets from the /dev/ datum device. A malicious device could send crafted messages, causing ntpd to crash. (CVE-2017-6462) Red Hat would like to thank the NTP project for reporting these issues. Upstream acknowledges Cure53 as the original reporter of these issues.
    last seen 2018-11-11
    modified 2018-11-10
    plugin id 104217
    published 2017-10-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=104217
    title CentOS 6 : ntp (CESA-2017:3071)
  • NASL family Misc.
    NASL id NTP_4_2_8P10.NASL
    description The version of the remote NTP server is 4.x prior to 4.2.8p10. It is, therefore, affected by the following vulnerabilities : - A denial of service vulnerability exists in the receive() function within file ntpd/ntp_proto.c due to the expected origin timestamp being cleared when a packet with a zero origin timestamp is received. An unauthenticated, remote attacker can exploit this issue, via specially crafted network packets, to reset the expected origin timestamp for a target peer, resulting in legitimate replies being dropped. (CVE-2016-9042) - An out-of-bounds write error exists in the mx4200_send() function within file ntpd/refclock_mx4200.c due to improper handling of the return value of the snprintf() and vsnprintf() functions. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or possibly the execution of arbitrary code. However, neither the researcher nor vendor could find any exploitable code path. (CVE-2017-6451) - A stack-based buffer overflow condition exists in the addSourceToRegistry() function within file ports/winnt/instsrv/instsrv.c due to improper validation of certain input when adding registry keys. A local attacker can exploit this to execute arbitrary code. (CVE-2017-6452) - A flaw exists due to dynamic link library (DLL) files being preloaded when they are defined in the inherited environment variable 'PPSAPI_DLLS'. A local attacker can exploit this, via specially crafted DLL files, to execute arbitrary code with elevated privileges. (CVE-2017-6455) - Multiple stack-based buffer overflow conditions exist in various wrappers around the ctl_putdata() function within file ntpd/ntp_control.c due to improper validation of certain input from the ntp.conf file. An unauthenticated, remote attacker can exploit these, by convincing a user into deploying a specially crafted ntp.conf file, to cause a denial of service condition or possibly the execution of arbitrary code. (CVE-2017-6458) - A flaw exists in the addKeysToRegistry() function within file ports/winnt/instsrv/instsrv.c when running the Windows installer due to improper termination of strings used for adding registry keys, which may cause malformed registry entries to be created. A local attacker can exploit this issue to possibly disclose sensitive memory contents. (CVE-2017-6459) - A stack-based buffer overflow condition exists in the reslist() function within file ntpq/ntpq-subs.c when handling server responses due to improper validation of certain input. An unauthenticated, remote attacker can exploit this, by convincing a user to connect to a malicious NTP server and by using a specially crafted server response, to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-6460) - A stack-based buffer overflow condition exists in the datum_pts_receive() function within file ntpd/refclock_datum.c when handling handling packets from the '/dev/datum' device due to improper validation of certain input. A local attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-6462) - A denial of service vulnerability exists within file ntpd/ntp_config.c when handling 'unpeer' configuration options. An authenticated, remote attacker can exploit this issue, via an 'unpeer' option value of '0', to crash the ntpd daemon. (CVE-2017-6463) - A denial of service vulnerability exists when handling configuration directives. An authenticated, remote attacker can exploit this, via a malformed 'mode' configuration directive, to crash the ntpd daemon. (CVE-2017-6464) - A flaw exists in the ntpq_stripquotes() function within file ntpq/libntpq.c due to the function returning an incorrect value. An unauthenticated, remote attacker can possibly exploit this to have an unspecified impact. (VulnDB 154204) - An off-by-one overflow condition exists in the oncore_receive() function in file ntpd/refclock_oncore.c that possibly allows an unauthenticated, remote attacker to have an unspecified impact. (VulnDB 154208) - A flaw exists due to certain code locations not invoking the appropriate ereallocarray() and eallocarray() functions. An unauthenticated, remote attacker can possibly exploit this to have an unspecified impact. (VulnDB 154210) - A flaw exists due to the static inclusion of unused code from the libisc, libevent, and libopts libraries. An unauthenticated, remote attacker can possibly exploit this to have an unspecified impact. (VulnDB 154211) - A security weakness exists in the Makefile due to a failure to provide compile or link flags to offer hardened security options by default. (VulnDB 154458)
    last seen 2018-09-19
    modified 2018-09-17
    plugin id 97988
    published 2017-03-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97988
    title Network Time Protocol Daemon (ntpd) 4.x < 4.2.8p10 Multiple Vulnerabilities
  • NASL family AIX Local Security Checks
    NASL id AIX_NTP_V3_ADVISORY9.NASL
    description The version of NTP installed on the remote AIX host is affected by the following vulnerabilities : - An out-of-bounds write error exists in the mx4200_send() function within file ntpd/refclock_mx4200.c due to improper handling of the return value of the snprintf() and vsnprintf() functions. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or possibly the execution of arbitrary code. However, neither the researcher nor vendor could find any exploitable code path. (CVE-2017-6451) - Multiple stack-based buffer overflow conditions exist in various wrappers around the ctl_putdata() function within file ntpd/ntp_control.c due to improper validation of certain input from the ntp.conf file. An unauthenticated, remote attacker can exploit these, by convincing a user into deploying a specially crafted ntp.conf file, to cause a denial of service condition or possibly the execution of arbitrary code. (CVE-2017-6458) - A stack-based buffer overflow condition exists in the datum_pts_receive() function within file ntpd/refclock_datum.c when handling handling packets from the '/dev/datum' device due to improper validation of certain input. A local attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2017-6462) - A denial of service vulnerability exists when handling configuration directives. An authenticated, remote attacker can exploit this, via a malformed 'mode' configuration directive, to crash the ntpd daemon. (CVE-2017-6464)
    last seen 2018-09-02
    modified 2018-07-17
    plugin id 102130
    published 2017-08-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=102130
    title AIX NTP v3 Advisory : ntp_advisory9.asc (IV96305) (IV96306) (IV96307) (IV96308) (IV96309) (IV96310)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2018-0855.NASL
    description An update for ntp is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the ntpd service. Security Fix(es) : * ntp: Authenticated DoS via Malicious Config Option (CVE-2017-6463) * ntp: Denial of Service via Malformed Config (CVE-2017-6464) * ntp: Buffer Overflow in DPTS Clock (CVE-2017-6462) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Red Hat would like to thank the NTP project for reporting these issues. Upstream acknowledges Cure53 as the original reporter of these issues. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen 2018-11-11
    modified 2018-11-10
    plugin id 109375
    published 2018-04-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=109375
    title CentOS 7 : ntp (CESA-2018:0855)
redhat via4
advisories
  • rhsa
    id RHSA-2017:3071
  • rhsa
    id RHSA-2018:0855
rpms
  • ntp-0:4.2.6p5-12.el6_9.1
  • ntp-doc-0:4.2.6p5-12.el6_9.1
  • ntp-perl-0:4.2.6p5-12.el6_9.1
  • ntpdate-0:4.2.6p5-12.el6_9.1
  • ntp-0:4.2.6p5-28.el7
  • ntp-doc-0:4.2.6p5-28.el7
  • ntp-perl-0:4.2.6p5-28.el7
  • ntpdate-0:4.2.6p5-28.el7
  • sntp-0:4.2.6p5-28.el7
refmap via4
bid 97045
confirm
freebsd FreeBSD-SA-17:03
sectrack 1038123
Last major update 29-03-2017 - 14:31
Published 27-03-2017 - 13:59
Last modified 11-04-2018 - 21:29
Back to Top