Vulnerabilities > CVE-2015-1799 - Code vulnerability in NTP

CVSS 4.3 - MEDIUM
Attack vector
ADJACENT_NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
PARTIAL
ntp
CWE-17
nessus

Summary

The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 3.x and 4.x before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-5874.NASL
    descriptionSecurity fix for CVE-2015-1799, CVE-2015-1798, #1210324 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-04-23
    plugin id83010
    published2015-04-23
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83010
    titleFedora 20 : ntp-4.2.6p5-22.fc20 (2015-5874)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2015-5874.
    #
    
    include("compat.inc");
    
    # Registration phase: when the scanner loads the plugin with `description`
    # set, only the metadata below is recorded and the script exits (exit(0) at
    # the end of this block) before any host check runs.
    if (description)
    {
      script_id(83010);
      script_version("1.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      # One plugin ID covers both CVEs, so a single finding does not say which
      # of the two issues is relevant on a given host.
      script_cve_id("CVE-2015-1798", "CVE-2015-1799");
      script_bugtraq_id(73950, 73951);
      script_xref(name:"FEDORA", value:"2015-5874");
    
      script_name(english:"Fedora 20 : ntp-4.2.6p5-22.fc20 (2015-5874)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      # The description carries no technical detail of its own; it only names
      # the CVEs and the Bugzilla entry fixed by the update.
      script_set_attribute(
        attribute:"description", 
        value:
    "Security fix for CVE-2015-1799, CVE-2015-1798, #1210324
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1199430"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1199435"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=1210324"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155863.html
      # NOTE(review): the value below is a short link served over plain http;
      # the URL in the comment above is presumably its target - confirm before
      # relying on the redirect.
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?313a62f6"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected ntp package.");
      # CVSS v2 base vector: adjacent-network access, medium complexity, no
      # authentication; partial integrity and availability impact, no
      # confidentiality impact. The same vector is applied to both listed CVEs.
      script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:N/C:N/I:P/A:P");
      # Temporal vector: exploitability not defined, official fix available,
      # report confirmed.
      script_set_cvss_temporal_vector("CVSS2#E:ND/RL:OF/RC:C");
      # Static metadata as of the plugin's last modification (2020/06/04 above);
      # re-check current exploit intelligence before prioritising on these values.
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:ntp");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:20");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2015/04/09");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/04/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      # Local check: it consumes the KB keys required below, which are presumably
      # populated by ssh_get_info.nasl during a credentialed scan - confirm.
      # Without them the check section audits out instead of reporting.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # Check phase: decide from knowledge-base (KB) data whether the Fedora 20
    # ntp update is missing. Every precondition that fails ends in audit(); the
    # statements after each audit() call assume it does not return.
    #
    # Scope caveat: this is a package-version test only. Nothing here inspects
    # the ntpd configuration, and CVE-2015-1799 concerns ntpd's symmetric-key
    # feature, so a finding means "fix not installed", not "symmetric
    # associations are configured and exposed".
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    # `>!<` is "substring not found": the release string must mention Fedora.
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    # Keep only the captured major version number.
    os_ver = os_ver[1];
    # Accept "20" followed by a non-digit or end of string, so other releases
    # whose number merely starts with 20 are rejected.
    if (! ereg(pattern:"^20([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 20.x", "Fedora " + os_ver);
    
    # No collected rpm list means the package comparison below cannot run.
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    # Only x86_64 and i386-i686 hosts are evaluated; any other architecture is
    # audited as "not implemented" and therefore goes unassessed by this plugin.
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    # rpm_check (from rpm.inc) presumably returns true when the installed ntp
    # package is older than the reference build - confirm in rpm.inc.
    if (rpm_check(release:"FC20", reference:"ntp-4.2.6p5-22.fc20")) flag++;
    
    
    if (flag)
    {
      # Reported through security_warning on port 0; the rpm comparison report
      # is attached only when report verbosity is above 0.
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      # Distinguish "package tested and not flagged" from "ntp not installed".
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ntp");
    }
    
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV71096.NASL
    descriptionhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9297 Network Time Protocol (NTP) Project NTP daemon (ntpd) could allow a remote attacker to conduct spoofing attacks, caused by insufficient entropy in PRNG. An attacker could exploit this vulnerability to spoof the IPv6 address ::1 to bypass ACLs and launch further attacks on the system. Network Time Protocol (NTP) Project NTP daemon (ntpd) is vulnerable to a denial of service, caused by an error when using symmetric key authentication. By sending specially-crafted packets to both peering hosts, an attacker could exploit this vulnerability to prevent synchronization.
    last seen2020-06-01
    modified2020-06-02
    plugin id84493
    published2015-07-02
    reporterThis script is Copyright (C) 2015-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/84493
    titleAIX 7.1 TL 0 : ntp4 (IV71096)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text in the description was extracted from AIX Security
    # Advisory ntp4_advisory.asc.
    #
    
    include("compat.inc");
    
    # Registration phase: when `description` is set, only the metadata below is
    # recorded and the script exits (exit(0) at the end of this block) before
    # any host check runs.
    if (description)
    {
      script_id(84493);
      script_version("$Revision: 2.6 $");
      script_cvs_date("$Date: 2016/01/22 14:36:50 $");
    
      # One plugin ID covers both CVEs; the description text below describes a
      # PRNG/spoofing issue and a symmetric-key denial of service in turn.
      script_cve_id("CVE-2014-9297", "CVE-2015-1799");
    
      script_name(english:"AIX 7.1 TL 0 : ntp4 (IV71096)");
      script_summary(english:"Check for APAR IV71096");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote AIX host is missing a security patch."
      );
      # The description string opens with a bare CVE URL, as extracted from the
      # advisory; it is runtime text and is left untouched.
      script_set_attribute(
        attribute:"description", 
        value:
    "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9297 Network
    Time Protocol (NTP) Project NTP daemon (ntpd) could allow a remote
    attacker to conduct spoofing attacks, caused by insufficient entropy
    in PRNG. An attacker could exploit this vulnerability to spoof the
    IPv6 address ::1 to bypass ACLs and launch further attacks on the
    system. Network Time Protocol (NTP) Project NTP daemon (ntpd) is
    vulnerable to a denial of service, caused by an error when using
    symmetric key authentication. By sending specially-crafted packets to
    both peering hosts, an attacker could exploit this vulnerability to
    prevent synchronization."
      );
      # NOTE(review): the advisory link uses plain http.
      script_set_attribute(
        attribute:"see_also",
        value:"http://aix.software.ibm.com/aix/efixes/security/ntp4_advisory.asc"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Install the appropriate interim fix."
      );
      # CVSS v2 base vector: adjacent-network access, medium complexity, no
      # authentication; partial integrity and availability impact. A single
      # vector is set for both listed CVEs and no temporal vector is given.
      script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:N/C:N/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:ibm:aix:7.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/06/29");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/06/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/02");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.");
      script_family(english:"AIX Local Security Checks");
    
      # Local check: it consumes the KB keys required below, which are presumably
      # populated by ssh_get_info.nasl during a credentialed scan - confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/AIX/lslpp", "Host/local_checks_enabled", "Host/AIX/version");
    
      exit(0);
    }
    
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("aix.inc");
    include("misc_func.inc");
    
    # Check phase: decide from knowledge-base (KB) data whether interim fix
    # IV71096s0a is missing on AIX 7.1 TL 00. This is a fileset/iFix inventory
    # test only; nothing here inspects the ntpd configuration, so a finding
    # means "fix not installed" rather than "symmetric-key peering is in use".
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if ( ! get_kb_item("Host/AIX/version") ) audit(AUDIT_OS_NOT, "AIX");
    if ( ! get_kb_item("Host/AIX/lslpp") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # If the KB recorded an emgr failure, the script exits with code 0 and an
    # explanatory message instead of reporting. A host that lands here has not
    # been assessed, so the lack of a finding is not evidence the iFix is present.
    if ( get_kb_item("Host/AIX/emgr_failure" ) ) exit(0, "This iFix check is disabled because : "+get_kb_item("Host/AIX/emgr_failure") );
    
    flag = 0;
    
    # Flags the host when aix_check_ifix returns a negative value for ntp.rte
    # filesets 7.1.0.0 through 7.1.0.4 - presumably "fileset in range and the
    # interim fix not installed"; confirm the return convention in aix.inc.
    if (aix_check_ifix(release:"7.1", ml:"00", patch:"IV71096s0a", package:"ntp.rte", minfilesetver:"7.1.0.0", maxfilesetver:"7.1.0.4") < 0) flag++;
    
    if (flag)
    {
      # Reported through security_warning on port 0; the iFix report is
      # attached only when report verbosity is above 0.
      if (report_verbosity > 0) security_warning(port:0, extra:aix_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV73783.NASL
    descriptionNetwork Time Protocol (NTP) Project NTP daemon (ntpd) is vulnerable to a denial of service, caused by an error when using symmetric key authentication. By sending specially-crafted packets to both peering hosts, an attacker could exploit this vulnerability to prevent synchronization.
    last seen2020-06-01
    modified2020-06-02
    plugin id85603
    published2015-08-25
    reporterThis script is Copyright (C) 2015 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/85603
    titleAIX 6.1 TL 9 : ntp (IV73783)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The text in the description was extracted from AIX Security
    # Advisory ntp_advisory3.asc.
    #
    
    include("compat.inc");
    
    # Registration phase: when `description` is set, only the metadata below is
    # recorded and the script exits (exit(0) at the end of this block) before
    # any host check runs.
    if (description)
    {
      script_id(85603);
      script_version("$Revision: 2.1 $");
      script_cvs_date("$Date: 2015/08/25 13:27:07 $");
    
      script_cve_id("CVE-2015-1799");
    
      script_name(english:"AIX 6.1 TL 9 : ntp (IV73783)");
      script_summary(english:"Check for APAR IV73783");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote AIX host is missing a security patch."
      );
      # The advisory text ties the issue to symmetric key authentication
      # between peering hosts; the impact it names is loss of synchronization.
      script_set_attribute(
        attribute:"description", 
        value:
    "Network Time Protocol (NTP) Project NTP daemon (ntpd) is vulnerable to
    a denial of service, caused by an error when using symmetric key
    authentication. By sending specially-crafted packets to both peering
    hosts, an attacker could exploit this vulnerability to prevent
    synchronization."
      );
      # NOTE(review): the advisory link uses plain http.
      script_set_attribute(
        attribute:"see_also",
        value:"http://aix.software.ibm.com/aix/efixes/security/ntp_advisory3.asc"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Install the appropriate interim fix."
      );
      # CVSS v2 base vector: adjacent-network access, medium complexity, no
      # authentication; partial integrity and availability impact, no
      # confidentiality impact. No temporal vector is given.
      script_set_cvss_base_vector("CVSS2#AV:A/AC:M/Au:N/C:N/I:P/A:P");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:ibm:aix:6.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/08/21");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/08/21");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/08/25");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2015 Tenable Network Security, Inc.");
      script_family(english:"AIX Local Security Checks");
    
      # Local check: it consumes the KB keys required below, which are presumably
      # populated by ssh_get_info.nasl during a credentialed scan - confirm.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/AIX/lslpp", "Host/local_checks_enabled", "Host/AIX/version");
    
      exit(0);
    }
    
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("aix.inc");
    include("misc_func.inc");
    
    # Check phase: decide from knowledge-base (KB) data whether interim fix
    # IV73783s5a is missing on AIX 6.1 TL 09 SP 05. This is a fileset/iFix
    # inventory test only; nothing here inspects the ntpd configuration, so a
    # finding means "fix not installed" rather than "symmetric-key peering is
    # in use".
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if ( ! get_kb_item("Host/AIX/version") ) audit(AUDIT_OS_NOT, "AIX");
    if ( ! get_kb_item("Host/AIX/lslpp") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # If the KB recorded an emgr failure, the script exits with code 0 and an
    # explanatory message instead of reporting. A host that lands here has not
    # been assessed, so the lack of a finding is not evidence the iFix is present.
    if ( get_kb_item("Host/AIX/emgr_failure" ) ) exit(0, "This iFix check is disabled because : "+get_kb_item("Host/AIX/emgr_failure") );
    
    flag = 0;
    
    # Flags the host when aix_check_ifix returns a negative value for
    # bos.net.tcp.client filesets 6.1.0.0 through 6.1.9.45 - presumably
    # "fileset in range and the interim fix not installed"; confirm the return
    # convention in aix.inc. Only the ml:"09" / sp:"05" level is passed here.
    if (aix_check_ifix(release:"6.1", ml:"09", sp:"05", patch:"IV73783s5a", package:"bos.net.tcp.client", minfilesetver:"6.1.0.0", maxfilesetver:"6.1.9.45") < 0) flag++;
    
    if (flag)
    {
      # Reported through security_warning on port 0; the iFix report is
      # attached only when report verbosity is above 0.
      if (report_verbosity > 0) security_warning(port:0, extra:aix_report_get());
      else security_warning(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201509-01.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201509-01 (NTP: Multiple vulnerablities) Multiple vulnerabilities have been discovered in NTP. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with the privileges of the process, or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id86132
    published2015-09-25
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/86132
    titleGLSA-201509-01 : NTP: Multiple vulnerablities
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2015-1459.NASL
    descriptionFrom Red Hat Security Advisory 2015:1459 : Updated ntp packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The Network Time Protocol (NTP) is used to synchronize a computer
    last seen2020-06-01
    modified2020-06-02
    plugin id85111
    published2015-07-30
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85111
    titleOracle Linux 6 : ntp (ELSA-2015-1459)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_10_4.NASL
    descriptionThe remote host is running a version of Mac OS X 10.10.x that is prior to 10.10.4. It is, therefore, affected by multiple vulnerabilities in the following components : - Admin Framework - afpserver - apache - AppleFSCompression - AppleGraphicsControl - AppleThunderboltEDMService - ATS - Bluetooth - Certificate Trust Policy - CFNetwork HTTPAuthentication - CoreText - coreTLS - DiskImages - Display Drivers - EFI - FontParser - Graphics Driver - ImageIO - Install Framework Legacy - Intel Graphics Driver - IOAcceleratorFamily - IOFireWireFamily - Kernel - kext tools - Mail - ntfs - ntp - OpenSSL - QuickTime - Security - Spotlight - SQLite - System Stats - TrueTypeScaler - zip Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen2020-06-01
    modified2020-06-02
    plugin id84488
    published2015-07-01
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84488
    titleMac OS X 10.10.x < 10.10.4 Multiple Vulnerabilities (GHOST) (Logjam)
  • NASL familyCISCO
    NASL idCISCO_ACE_A5_3_3.NASL
    descriptionThe Cisco Application Control Engine (ACE) software installed on the remote Cisco ACE 4710 device or ACE30 module is version A5 prior to A5(3.3). It is, therefore, affected by multiple vulnerabilities : - An invalid free memory error exists due to improper validation of user-supplied input when a DTLS peer receives application data between ChangeCipherSpec and Finished messages. A remote attacker can exploit this to corrupt memory, resulting in a denial of service or the execution of arbitrary code. (CVE-2014-8176) - A denial of service vulnerability exists when processing an ECParameters structure due to an infinite loop that occurs when a specified curve is over a malformed binary polynomial field. A remote attacker can exploit this to perform a denial of service against any system that processes public keys, certificate requests, or certificates. This includes TLS clients and TLS servers with client authentication enabled. (CVE-2015-1788) - A denial of service vulnerability exists due to improper validation of the content and length of the ASN1_TIME string by the X509_cmp_time() function. A remote attacker can exploit this, via a malformed certificate and CRLs of various sizes, to cause a segmentation fault, resulting in a denial of service condition. TLS clients that verify CRLs are affected. TLS clients and servers with client authentication enabled may be affected if they use custom verification callbacks. (CVE-2015-1789) - A NULL pointer dereference flaw exists in the PKCS#7 parsing code due to incorrect handling of missing inner
    last seen2020-06-01
    modified2020-06-02
    plugin id91427
    published2016-06-01
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/91427
    titleCisco ACE 4710 Appliance / ACE30 Module Multiple Vulnerabilities (Logjam)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-2231.NASL
    descriptionUpdated ntp packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The Network Time Protocol (NTP) is used to synchronize a computer
    last seen2020-06-01
    modified2020-06-02
    plugin id86975
    published2015-11-20
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/86975
    titleRHEL 7 : ntp (RHSA-2015:2231)
  • NASL familyCISCO
    NASL idCISCO-SA-20150408-NTPD-IOS.NASL
    descriptionAccording to its self-reported version, the IOS is affected by one or more vulnerabilities. Please see the included Cisco BIDs and the Cisco Security Advisory for more information.
    last seen2020-06-01
    modified2020-06-02
    plugin id108954
    published2018-04-10
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108954
    titleCisco IOS Software Multiple Vulnerabilities in ntpd (cisco-sa-20150408-ntpd)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2015-2231.NASL
    descriptionFrom Red Hat Security Advisory 2015:2231 : Updated ntp packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The Network Time Protocol (NTP) is used to synchronize a computer
    last seen2020-06-01
    modified2020-06-02
    plugin id87030
    published2015-11-24
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/87030
    titleOracle Linux 7 : ntp (ELSA-2015-2231)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV74261.NASL
    descriptionThe remote AIX host has a version of Network Time Protocol (NTP) installed that is affected by a denial of service vulnerability due to a flaw in the symmetric-key feature in the receive() function in file ntp_proto.c when receiving certain invalid packets, which causes state-variable updates to be performed. A man-in-the-middle attacker can exploit this, by spoofing the source IP of a peer, to cause a synchronization loss.
    last seen2020-06-01
    modified2020-06-02
    plugin id85604
    published2015-08-25
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/85604
    titleAIX 7.1 TL 3 : ntp (IV74261)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-3223.NASL
    descriptionMultiple vulnerabilities were discovered in ntp, an implementation of the Network Time Protocol : - CVE-2015-1798 When configured to use a symmetric key with an NTP peer, ntpd would accept packets without MAC as if they had a valid MAC. This could allow a remote attacker to bypass the packet authentication and send malicious packets without having to know the symmetric key. - CVE-2015-1799 When peering with other NTP hosts using authenticated symmetric association, ntpd would update its internal state variables before the MAC of the NTP messages was validated. This could allow a remote attacker to cause a denial of service by impeding synchronization between NTP peers. Additionally, it was discovered that generating MD5 keys using ntp-keygen on big endian machines would either trigger an endless loop, or generate non-random keys.
    last seen2020-06-01
    modified2020-06-02
    plugin id82745
    published2015-04-14
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82745
    titleDebian DSA-3223-1 : ntp - security update
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1555.NASL
    descriptionAccording to the versions of the ntp packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - It was found that when ntp is configured with rate limiting for all associations the limits are also applied to responses received from its configured sources. A remote attacker who knows the sources can cause a denial of service by preventing ntpd from accepting valid responses from its sources.(CVE-2016-7426) - ntpq in NTP before 4.2.8p7 allows remote attackers to obtain origin timestamps and then impersonate peers via unspecified vectors.(CVE-2015-8139) - A NULL pointer dereference flaw was found in the way ntpd processed
    last seen2020-06-01
    modified2020-06-02
    plugin id125008
    published2019-05-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125008
    titleEulerOS Virtualization 3.0.1.0 : ntp (EulerOS-SA-2019-1555)
  • NASL familyMisc.
    NASL idNTP_4_2_8P2.NASL
    descriptionThe version of the remote NTP server is 3.x or 4.x prior to 4.2.8p2. It is, therefore, affected by the following vulnerabilities : - The symmetric-key feature in the receive() function requires a correct message authentication code (MAC) only if the MAC field has a nonzero length. A man-in-the-middle attacker can exploit this to spoof packets by omitting the MAC. (CVE-2015-1798) - A flaw exists in the symmetric-key feature in the receive() function when handling a specially crafted packet sent to one of two hosts that are peering with each other. An attacker can exploit this to cause the next attempt by the servers to synchronize to fail. (CVE-2015-1799) - A flaw exists in util/ntp-keygen.c due to the way that the ntp-keygen utility generates MD5 symmetric keys on big-endian systems. A remote attacker can exploit this to more easily guess MD5 symmetric keys and thereby spoof an NTP server or client. (CVE-2015-3405)
    last seen2020-06-01
    modified2020-06-02
    plugin id83744
    published2015-05-21
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83744
    titleNetwork Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p2 Multiple Vulnerabilities
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_EBD84C96DD7E11E4854E3C970E169BC2.NASL
    descriptionntp.org reports : - [Sec 2779] ntpd accepts unauthenticated packets with symmetric key crypto. - [Sec 2781] Authentication doesn
    last seen2020-06-01
    modified2020-06-02
    plugin id82631
    published2015-04-08
    reporterThis script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82631
    titleFreeBSD : ntp -- multiple vulnerabilities (ebd84c96-dd7e-11e4-854e-3c970e169bc2)
  • NASL familyCISCO
    NASL idCISCO-SA-20150408-NTPD-IOSXE.NASL
    descriptionAccording to its self-reported version, the IOS XE is affected by one or more vulnerabilities. Please see the included Cisco BIDs and the Cisco Security Advisory for more information.
    last seen2020-06-01
    modified2020-06-02
    plugin id108955
    published2018-04-10
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108955
    titleCisco IOS XE Software Multiple Vulnerabilities in ntpd (cisco-sa-20150408-ntpd)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2015-202.NASL
    descriptionMultiple vulnerabilities have been found and corrected in ntp : The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle attackers to spoof packets by omitting the MAC (CVE-2015-1798). The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer (CVE-2015-1799). The updated packages provide a solution for these security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id82737
    published2015-04-13
    reporterThis script is Copyright (C) 2015-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82737
    titleMandriva Linux Security Advisory : ntp (MDVSA-2015:202)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-1173-1.NASL
    descriptionntp was updated to fix two security issues : CVE-2015-1799: ntpd authentication did not protect symmetric associations against DoS attacks (bsc#924202) CVE-2015-3405: ntp-keygen may generate non-random symmetric keys on big-endian systems (bsc#928321) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id84544
    published2015-07-06
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84544
    titleSUSE SLED11 / SLES11 Security Update : ntp (SUSE-SU-2015:1173-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-192.NASL
    descriptionBrief introduction CVE-2015-1798 When ntpd is configured to use a symmetric key to authenticate a remote NTP server/peer, it checks if the NTP message authentication code (MAC) in received packets is valid, but not if there actually is any MAC included. Packets without a MAC are accepted as if they had a valid MAC. This allows a MITM attacker to send false packets that are accepted by the client/peer without having to know the symmetric key. The attacker needs to know the transmit timestamp of the client to match it in the forged reply and the false reply needs to reach the client before the genuine reply from the server. The attacker doesn
    last seen2020-03-17
    modified2015-04-13
    plugin id82715
    published2015-04-13
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82715
    titleDebian DLA-192-1 : ntp security update
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2016-1912-1.NASL
    descriptionNTP was updated to version 4.2.8p8 to fix several security issues and to ensure the continued maintainability of the package. These security issues were fixed : CVE-2016-4953: Bad authentication demobilized ephemeral associations (bsc#982065). CVE-2016-4954: Processing spoofed server packets (bsc#982066). CVE-2016-4955: Autokey association reset (bsc#982067). CVE-2016-4956: Broadcast interleave (bsc#982068). CVE-2016-4957: CRYPTO_NAK crash (bsc#982064). CVE-2016-1547: Validate crypto-NAKs to prevent ACRYPTO-NAK DoS (bsc#977459). CVE-2016-1548: Prevent the change of time of an ntpd client or denying service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode (bsc#977461). CVE-2016-1549: Sybil vulnerability: ephemeral association attack (bsc#977451). CVE-2016-1550: Improve security against buffer comparison timing attacks (bsc#977464). CVE-2016-1551: Refclock impersonation vulnerability (bsc#977450)y CVE-2016-2516: Duplicate IPs on unconfig directives could have caused an assertion botch in ntpd (bsc#977452). CVE-2016-2517: Remote configuration trustedkey/ requestkey/controlkey values are not properly validated (bsc#977455). CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457). CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458). CVE-2015-8158: Potential Infinite Loop in ntpq (bsc#962966). CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). CVE-2015-7976: ntpq saveconfig command allowed dangerous characters in filenames (bsc#962802). CVE-2015-7975: nextvar() missing length check (bsc#962988). 
CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might have allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a
    last seen2020-06-01
    modified2020-06-02
    plugin id93186
    published2016-08-29
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93186
    titleSUSE SLES10 Security Update : ntp (SUSE-SU-2016:1912-1)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV71094.NASL
    descriptionhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9297 Network Time Protocol (NTP) Project NTP daemon (ntpd) could allow a remote attacker to conduct spoofing attacks, caused by insufficient entropy in PRNG. An attacker could exploit this vulnerability to spoof the IPv6 address ::1 to bypass ACLs and launch further attacks on the system. Network Time Protocol (NTP) Project NTP daemon (ntpd) is vulnerable to a denial of service, caused by an error when using symmetric key authentication. By sending specially-crafted packets to both peering hosts, an attacker could exploit this vulnerability to prevent synchronization.
    last seen2020-06-01
    modified2020-06-02
    plugin id84492
    published2015-07-02
    reporterThis script is Copyright (C) 2015-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/84492
    titleAIX 6.1 TL 6 : ntp4 (IV71094)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2015-0865-1.NASL
    descriptionntp was updated to fix two security related flaws as well as
    last seen2020-06-01
    modified2020-06-02
    plugin id83725
    published2015-05-20
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/83725
    titleSUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2015:0865-1)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2015-1459.NASL
    descriptionUpdated ntp packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The Network Time Protocol (NTP) is used to synchronize a computer
    last seen2020-06-01
    modified2020-06-02
    plugin id85025
    published2015-07-28
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85025
    titleCentOS 6 : ntp (CESA-2015:1459)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-2567-1.NASL
    descriptionMiroslav Lichvar discovered that NTP incorrectly validated MAC fields. A remote attacker could possibly use this issue to bypass authentication and spoof packets. (CVE-2015-1798) Miroslav Lichvar discovered that NTP incorrectly handled certain invalid packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2015-1799) Juergen Perlinger discovered that NTP incorrectly generated MD5 keys on big-endian platforms. This issue could either cause ntp-keygen to hang, or could result in non-random keys. (CVE number pending). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id82765
    published2015-04-14
    reporterUbuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/82765
    titleUbuntu 12.04 LTS / 14.04 LTS / 14.10 : ntp vulnerabilities (USN-2567-1)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20150722_NTP_ON_SL6_X.NASL
    descriptionIt was found that because NTP
    last seen2020-03-18
    modified2015-08-04
    plugin id85203
    published2015-08-04
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85203
    titleScientific Linux Security Update : ntp on SL6.x i386/x86_64 (20150722)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2015-520.NASL
    descriptionThe symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle attackers to spoof packets by omitting the MAC. (CVE-2015-1798) The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 3.x and 4.x before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer. (CVE-2015-1799) This update also addresses leap-second handling. With older ntp versions, the -x option was sometimes used as a workaround to avoid kernel inserting/deleting leap seconds by stepping the clock and possibly upsetting running applications. That no longer works with 4.2.6 as ntpd steps the clock itself when a leap second occurs. The fix is to treat the one second offset gained during leap second as a normal offset and check the stepping threshold (set by -x or tinker step) to decide if a step should be applied. See this forum post for more information on the Amazon Linux AMI
    last seen2020-06-01
    modified2020-06-02
    plugin id83271
    published2015-05-07
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83271
    titleAmazon Linux AMI : ntp (ALAS-2015-520)
  • NASL familyOracleVM Local Security Checks
    NASL idORACLEVM_OVMSA-2015-0102.NASL
    descriptionThe remote OracleVM system is missing necessary patches to address critical security updates : - reject packets without MAC when authentication is enabled (CVE-2015-1798) - protect symmetric associations with symmetric key against DoS attack (CVE-2015-1799) - fix generation of MD5 keys with ntp-keygen on big-endian systems (CVE-2015-3405) - log when stepping clock for leap second or ignoring it with -x (#1204625) - fix typos in ntpd man page (#1194463) - validate lengths of values in extension fields (CVE-2014-9297) - drop packets with spoofed source address ::1 (CVE-2014-9298) - add nanosecond support to SHM refclock (#1117704) - allow creating all SHM segments with owner-only access (#1122015) - allow symmetric keys up to 32 bytes again (#1053551) - fix calculation of root dispersion (#1045376) - fix crash in ntpq mreadvar command (#1165141) - don
    last seen2020-06-01
    modified2020-06-02
    plugin id85143
    published2015-07-31
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/85143
    titleOracleVM 3.3 : ntp (OVMSA-2015-0102)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV74262.NASL
    descriptionNetwork Time Protocol (NTP) Project NTP daemon (ntpd) is vulnerable to a denial of service, caused by an error when using symmetric key authentication. By sending specially-crafted packets to both peering hosts, an attacker could exploit this vulnerability to prevent synchronization.
    last seen2020-06-01
    modified2020-06-02
    plugin id85605
    published2015-08-25
    reporterThis script is Copyright (C) 2015-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/85605
    titleAIX 7.1 TL 2 : ntp (IV74262)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-5761.NASL
    descriptionSecurity fix for CVE-2015-1799, CVE-2015-1798, #1210324 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-04-23
    plugin id83008
    published2015-04-23
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83008
    titleFedora 22 : ntp-4.2.6p5-30.fc22 (2015-5761)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2015-1459.NASL
    descriptionUpdated ntp packages that fix multiple security issues, several bugs, and add two enhancements are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The Network Time Protocol (NTP) is used to synchronize a computer
    last seen2020-06-01
    modified2020-06-02
    plugin id84951
    published2015-07-23
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/84951
    titleRHEL 6 : ntp (RHSA-2015:1459)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2015-5830.NASL
    descriptionSecurity fix for CVE-2015-1799, CVE-2015-1798, #1210324 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2015-04-29
    plugin id83121
    published2015-04-29
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83121
    titleFedora 21 : ntp-4.2.6p5-30.fc21 (2015-5830)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2015-005.NASL
    descriptionThe remote host is running a version of Mac OS X 10.8.5 or 10.9.5 that is missing Security Update 2015-005. It is, therefore, affected by multiple vulnerabilities in the following components : - Admin Framework - afpserver - apache - AppleFSCompression - AppleGraphicsControl - AppleThunderboltEDMService - ATS - Bluetooth - Certificate Trust Policy - CFNetwork HTTPAuthentication - CoreText - coreTLS - DiskImages - Display Drivers - EFI - FontParser - Graphics Driver - ImageIO - Install Framework Legacy - Intel Graphics Driver - IOAcceleratorFamily - IOFireWireFamily - Kernel - kext tools - Mail - ntfs - ntp - OpenSSL - QuickTime - Security - Spotlight - SQLite - System Stats - TrueTypeScaler - zip Note that successful exploitation of the most serious issues can result in arbitrary code execution.
    last seen2020-06-01
    modified2020-06-02
    plugin id84489
    published2015-07-01
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/84489
    titleMac OS X Multiple Vulnerabilities (Security Update 2015-005) (GHOST) (Logjam)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2015-2231.NASL
    descriptionUpdated ntp packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The Network Time Protocol (NTP) is used to synchronize a computer
    last seen2020-06-01
    modified2020-06-02
    plugin id87143
    published2015-12-02
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/87143
    titleCentOS 7 : ntp (CESA-2015:2231)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2015-111-08.NASL
    descriptionNew ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id82921
    published2015-04-22
    reporterThis script is Copyright (C) 2015 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/82921
    titleSlackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2015-111-08)
  • NASL familyF5 Networks Local Security Checks
    NASL idF5_BIGIP_SOL16506.NASL
    descriptionThe symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 3.x and 4.x before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer. (CVE-2015-1799)
    last seen2020-06-01
    modified2020-06-02
    plugin id86026
    published2015-09-21
    reporterThis script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/86026
    titleF5 Networks BIG-IP : NTP vulnerability (K16506)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20151119_NTP_ON_SL7_X.NASL
    descriptionIt was found that because NTP
    last seen2020-03-18
    modified2015-12-22
    plugin id87564
    published2015-12-22
    reporterThis script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/87564
    titleScientific Linux Security Update : ntp on SL7.x x86_64 (20151119)
  • NASL familyAIX Local Security Checks
    NASL idAIX_IV74263.NASL
    descriptionNetwork Time Protocol (NTP) Project NTP daemon (ntpd) is vulnerable to a denial of service, caused by an error when using symmetric key authentication. By sending specially-crafted packets to both peering hosts, an attacker could exploit this vulnerability to prevent synchronization.
    last seen2020-06-01
    modified2020-06-02
    plugin id85606
    published2015-08-25
    reporterThis script is Copyright (C) 2015-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/85606
    titleAIX 6.1 TL 8 : ntp (IV74263)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2015-330.NASL
    descriptionNTP was updated to fix two security vulnerabilities : - ntpd could accept unauthenticated packets with symmetric key crypto. (CVE-2015-1798) - ntpd authentication did not protect symmetric associations against DoS attacks (CVE-2015-1799)
    last seen2020-06-05
    modified2015-04-28
    plugin id83105
    published2015-04-28
    reporterThis script is Copyright (C) 2015-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/83105
    titleopenSUSE Security Update : ntp (openSUSE-2015-330)

Redhat

advisories
rhsa
idRHSA-2015:1459
rpms
  • ntp-0:4.2.6p5-5.el6
  • ntp-debuginfo-0:4.2.6p5-5.el6
  • ntp-doc-0:4.2.6p5-5.el6
  • ntp-perl-0:4.2.6p5-5.el6
  • ntpdate-0:4.2.6p5-5.el6
  • ntp-0:4.2.6p5-22.el7
  • ntp-debuginfo-0:4.2.6p5-22.el7
  • ntp-doc-0:4.2.6p5-22.el7
  • ntp-perl-0:4.2.6p5-22.el7
  • ntpdate-0:4.2.6p5-22.el7
  • sntp-0:4.2.6p5-22.el7