Vulnerabilities > CVE-2016-2518 - Out-of-bounds Read vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
LOW Summary
The MATCH_ASSOC function in NTP before version 4.2.8p9 and 4.3.x before 4.3.92 allows remote attackers to cause an out-of-bounds reference via an addpeer request with a large hmode value.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Overread Buffers An adversary attacks a target by providing input that causes an application to read beyond the boundary of a defined buffer. This typically occurs when a value influencing where to start or stop reading is set to reflect positions outside of the valid memory location of the buffer. This type of attack may result in exposure of sensitive information, a system crash, or arbitrary code execution.
Nessus
NASL family Debian Local Security Checks NASL id DEBIAN_DLA-559.NASL description Several vulnerabilities were discovered in the Network Time Protocol daemon and utility programs : CVE-2015-7974 Matt Street discovered that insufficient key validation allows impersonation attacks between authenticated peers. CVE-2015-7977 / CVE-2015-7978 Stephen Gray discovered that a NULL pointer dereference and a buffer overflow in the handling of last seen 2020-03-17 modified 2016-07-26 plugin id 92546 published 2016-07-26 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/92546 title Debian DLA-559-1 : ntp security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-559-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(92546); script_version("2.12"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2015-7974", "CVE-2015-7977", "CVE-2015-7978", "CVE-2015-7979", "CVE-2015-8138", "CVE-2015-8158", "CVE-2016-1547", "CVE-2016-1548", "CVE-2016-1550", "CVE-2016-2516", "CVE-2016-2518"); script_name(english:"Debian DLA-559-1 : ntp security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities were discovered in the Network Time Protocol daemon and utility programs : CVE-2015-7974 Matt Street discovered that insufficient key validation allows impersonation attacks between authenticated peers. CVE-2015-7977 / CVE-2015-7978 Stephen Gray discovered that a NULL pointer dereference and a buffer overflow in the handling of 'ntpdc reslist' commands may result in denial of service. CVE-2015-7979 Aanchal Malhotra discovered that if NTP is configured for broadcast mode, an attacker can send malformed authentication packets which break associations with the server for other broadcast clients. CVE-2015-8138 Matthew van Gundy and Jonathan Gardner discovered that missing validation of origin timestamps in ntpd clients may result in denial of service. CVE-2015-8158 Jonathan Gardner discovered that missing input sanitising in ntpq may result in denial of service. CVE-2016-1547 Stephen Gray and Matthew van Gundy discovered that incorrect handling of crypto NAK packets my result in denial of service. CVE-2016-1548 Jonathan Gardner and Miroslav Lichvar discovered that ntpd clients could be forced to change from basic client/server mode to interleaved symmetric mode, preventing time synchronisation. CVE-2016-1550 Matthew van Gundy, Stephen Gray and Loganaden Velvindron discovered that timing leaks in the the packet authentication code could result in recovery of a message digest. CVE-2016-2516 Yihan Lian discovered that duplicate IPs on 'unconfig' directives will trigger an assert. CVE-2016-2518 Yihan Lian discovered that an OOB memory access could potentially crash ntpd. For Debian 7 'Wheezy', these problems have been fixed in version 1:4.2.6.p5+dfsg-2+deb7u7. We recommend that you upgrade your ntp packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2016/07/msg00021.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/ntp" ); script_set_attribute( attribute:"solution", value:"Upgrade the affected ntp, ntp-doc, and ntpdate packages." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ntp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ntp-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:ntpdate"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"patch_publication_date", value:"2016/07/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/26"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"ntp", reference:"1:4.2.6.p5+dfsg-2+deb7u7")) flag++; if (deb_check(release:"7.0", prefix:"ntp-doc", reference:"1:4.2.6.p5+dfsg-2+deb7u7")) flag++; if (deb_check(release:"7.0", prefix:"ntpdate", reference:"1:4.2.6.p5+dfsg-2+deb7u7")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");
NASL family Fedora Local Security Checks NASL id FEDORA_2016-5B2EB0BF9C.NASL description Security fix for CVE-2016-1548, CVE-2016-2516, CVE-2016-2518, CVE-2016-1550 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-05-12 plugin id 91062 published 2016-05-12 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/91062 title Fedora 23 : ntp-4.2.6p5-40.fc23 (2016-5b2eb0bf9c) NASL family Slackware Local Security Checks NASL id SLACKWARE_SSA_2016-120-01.NASL description New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. last seen 2020-06-01 modified 2020-06-02 plugin id 90800 published 2016-05-02 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90800 title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2016-120-01) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2017-0165.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - add disable monitor to default ntp.conf [CVE-2013-5211] - fix buffer overflow in datum refclock driver (CVE-2017-6462) - fix crash with invalid unpeer command (CVE-2017-6463) - fix potential crash with invalid server command (CVE-2017-6464) - don last seen 2020-06-01 modified 2020-06-02 plugin id 104204 published 2017-10-27 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104204 title OracleVM 3.3 / 3.4 : ntp (OVMSA-2017-0165) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2016-1141.NASL description An update for ntp is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Network Time Protocol (NTP) is used to synchronize a computer last seen 2020-06-01 modified 2020-06-02 plugin id 91420 published 2016-06-01 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91420 title RHEL 6 / 7 : ntp (RHSA-2016:1141) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2016-1552.NASL description An update for ntp is now available for Red Hat Enterprise Linux 6.7 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Network Time Protocol (NTP) is used to synchronize a computer last seen 2020-06-01 modified 2020-06-02 plugin id 92718 published 2016-08-04 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92718 title RHEL 6 : ntp (RHSA-2016:1552) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3629.NASL description Several vulnerabilities were discovered in the Network Time Protocol daemon and utility programs : - CVE-2015-7974 Matt Street discovered that insufficient key validation allows impersonation attacks between authenticated peers. - CVE-2015-7977 CVE-2015-7978 Stephen Gray discovered that a NULL pointer dereference and a buffer overflow in the handling of last seen 2020-06-01 modified 2020-06-02 plugin id 92571 published 2016-07-27 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92571 title Debian DSA-3629-1 : ntp - security update NASL family AIX Local Security Checks NASL id AIX_NTP_V3_ADVISORY7.NASL description The version of NTP installed on the remote AIX host is affected by the following vulnerabilities : - A time serving flaw exists in the trusted key system due to improper key checks. An authenticated, remote attacker can exploit this to perform impersonation attacks between authenticated peers. (CVE-2015-7974) - An information disclosure vulnerability exists in the message authentication functionality in libntp that is triggered during the handling of a series of specially crafted messages. An adjacent attacker can exploit this to partially recover the message digest key. (CVE-2016-1550) - A flaw exists due to improper filtering of IPv4 last seen 2020-06-01 modified 2020-06-02 plugin id 102128 published 2017-08-03 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/102128 title AIX NTP v3 Advisory : ntp_advisory7.asc (IV87614) (IV87419) (IV87615) (IV87420) (IV87939) NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-649.NASL description This update for ntp fixes the following issues : - Update to 4.2.8p7 (boo#977446) : - CVE-2016-1547, boo#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, boo#977461: Interleave-pivot - CVE-2016-1549, boo#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, boo#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, boo#977450: Refclock impersonation vulnerability - CVE-2016-2516, boo#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, boo#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, boo#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, boo#977458: ctl_getitem() return value not always checked. - integrate ntp-fork.patch - Improve the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 - Restrict the parser in the startup script to the first occurrance of last seen 2020-06-05 modified 2016-06-01 plugin id 91403 published 2016-06-01 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91403 title openSUSE Security Update : ntp (openSUSE-2016-649) NASL family Fedora Local Security Checks NASL id FEDORA_2016-777D838C1B.NASL description Security fix for CVE-2016-1548, CVE-2016-2516, CVE-2016-2518, CVE-2016-1550 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-07-14 plugin id 92113 published 2016-07-14 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92113 title Fedora 22 : ntp (2016-777d838c1b) NASL family AIX Local Security Checks NASL id AIX_IV87939.NASL description NTPv3 and NTPv4 are vulnerable to : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974 NTP could allow a remote authenticated attacker to conduct spoofing attacks, caused by a missing key check. An attacker could exploit this vulnerability to impersonate a peer. NTP could allow a local attacker to bypass security restrictions, caused by the failure to use a constant-time memory comparison function when validating the authentication digest on incoming packets. By sending a specially crafted packet with an authentication payload, an attacker could exploit this vulnerability to conduct a timing attack to compute the value of the valid authentication digest. While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock. If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted. NTP is vulnerable to a denial of service, caused by an error when using a specially crafted packet to create a peer association with hmode > 7. An attacker could exploit this vulnerability to cause the MATCH_ASSOC() function to trigger an out-of-bounds read. NTP is vulnerable to a denial of service, caused by the failure to always check the ctl_getitem() function return value. By sending an overly large value, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the demobilization of a preemptable client association. By sending specially crafted crypto NAK packets, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets, an attacker could exploit this vulnerability to cause ntpd to crash. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets to an ephemeral peer target prior to a response being sent, a remote attacker could exploit this vulnerability to demobilize the ephemeral association. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed server packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause a false leap indication to be set. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed CRYPTO_NAK or a bad MAC packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause the autokey association to reset. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin id 102128). last seen 2017-10-29 modified 2017-08-03 plugin id 93352 published 2016-09-08 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=93352 title AIX 7.2 TL 0 : ntp (IV87939) (deprecated) NASL family AIX Local Security Checks NASL id AIX_IV87419.NASL description NTPv3 and NTPv4 are vulnerable to : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974 NTP could allow a remote authenticated attacker to conduct spoofing attacks, caused by a missing key check. An attacker could exploit this vulnerability to impersonate a peer. NTP could allow a local attacker to bypass security restrictions, caused by the failure to use a constant-time memory comparison function when validating the authentication digest on incoming packets. By sending a specially crafted packet with an authentication payload, an attacker could exploit this vulnerability to conduct a timing attack to compute the value of the valid authentication digest. While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock. If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted. NTP is vulnerable to a denial of service, caused by an error when using a specially crafted packet to create a peer association with hmode > 7. An attacker could exploit this vulnerability to cause the MATCH_ASSOC() function to trigger an out-of-bounds read. NTP is vulnerable to a denial of service, caused by the failure to always check the ctl_getitem() function return value. By sending an overly large value, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the demobilization of a preemptable client association. By sending specially crafted crypto NAK packets, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets, an attacker could exploit this vulnerability to cause ntpd to crash. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets to an ephemeral peer target prior to a response being sent, a remote attacker could exploit this vulnerability to demobilize the ephemeral association. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed server packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause a false leap indication to be set. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed CRYPTO_NAK or a bad MAC packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause the autokey association to reset. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin id 102128). last seen 2017-10-29 modified 2017-08-03 plugin id 93348 published 2016-09-08 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=93348 title AIX 6.1 TL 9 : ntp (IV87419) (deprecated) NASL family AIX Local Security Checks NASL id AIX_IV87420.NASL description NTPv3 and NTPv4 are vulnerable to : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974 NTP could allow a remote authenticated attacker to conduct spoofing attacks, caused by a missing key check. An attacker could exploit this vulnerability to impersonate a peer. NTP could allow a local attacker to bypass security restrictions, caused by the failure to use a constant-time memory comparison function when validating the authentication digest on incoming packets. By sending a specially crafted packet with an authentication payload, an attacker could exploit this vulnerability to conduct a timing attack to compute the value of the valid authentication digest. While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock. If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted. NTP is vulnerable to a denial of service, caused by an error when using a specially crafted packet to create a peer association with hmode > 7. An attacker could exploit this vulnerability to cause the MATCH_ASSOC() function to trigger an out-of-bounds read. NTP is vulnerable to a denial of service, caused by the failure to always check the ctl_getitem() function return value. By sending an overly large value, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the demobilization of a preemptable client association. By sending specially crafted crypto NAK packets, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets, an attacker could exploit this vulnerability to cause ntpd to crash. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets to an ephemeral peer target prior to a response being sent, a remote attacker could exploit this vulnerability to demobilize the ephemeral association. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed server packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause a false leap indication to be set. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed CRYPTO_NAK or a bad MAC packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause the autokey association to reset. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin id 102128). last seen 2017-10-29 modified 2017-08-03 plugin id 93349 published 2016-09-08 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=93349 title AIX 7.1 TL 4 : ntp (IV87420) (deprecated) NASL family AIX Local Security Checks NASL id AIX_NTP_V4_ADVISORY7.NASL description The version of NTP installed on the remote AIX host is affected by the following vulnerabilities : - A time serving flaw exists in the trusted key system due to improper key checks. An authenticated, remote attacker can exploit this to perform impersonation attacks between authenticated peers. (CVE-2015-7974) - A denial of service vulnerability exists due to improper handling of a crafted Crypto NAK Packet with a source address spoofed to match that of an existing associated peer. An unauthenticated, remote attacker can exploit this to demobilize a client association. (CVE-2016-1547) - An information disclosure vulnerability exists in the message authentication functionality in libntp that is triggered during the handling of a series of specially crafted messages. An adjacent attacker can exploit this to partially recover the message digest key. (CVE-2016-1550) - A flaw exists due to improper filtering of IPv4 last seen 2020-06-01 modified 2020-06-02 plugin id 99183 published 2017-04-04 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/99183 title AIX NTP v4 Advisory : ntp_advisory7.asc (IV87278) (IV87279) NASL family AIX Local Security Checks NASL id AIX_IV87614.NASL description NTPv3 and NTPv4 are vulnerable to : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974 NTP could allow a remote authenticated attacker to conduct spoofing attacks, caused by a missing key check. An attacker could exploit this vulnerability to impersonate a peer. NTP could allow a local attacker to bypass security restrictions, caused by the failure to use a constant-time memory comparison function when validating the authentication digest on incoming packets. By sending a specially crafted packet with an authentication payload, an attacker could exploit this vulnerability to conduct a timing attack to compute the value of the valid authentication digest. While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock. If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted. NTP is vulnerable to a denial of service, caused by an error when using a specially crafted packet to create a peer association with hmode > 7. An attacker could exploit this vulnerability to cause the MATCH_ASSOC() function to trigger an out-of-bounds read. NTP is vulnerable to a denial of service, caused by the failure to always check the ctl_getitem() function return value. By sending an overly large value, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the demobilization of a preemptable client association. By sending specially crafted crypto NAK packets, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets, an attacker could exploit this vulnerability to cause ntpd to crash. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets to an ephemeral peer target prior to a response being sent, a remote attacker could exploit this vulnerability to demobilize the ephemeral association. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed server packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause a false leap indication to be set. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed CRYPTO_NAK or a bad MAC packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause the autokey association to reset. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin id 102128). last seen 2017-10-29 modified 2017-08-03 plugin id 93350 published 2016-09-08 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=93350 title AIX 5.3 TL 12 : ntp (IV87614) (deprecated) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-1278-1.NASL description This update for ntp to 4.2.8p7 fixes the following issues : - CVE-2016-1547, bsc#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, bsc#977461: Interleave-pivot - CVE-2016-1549, bsc#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, bsc#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, bsc#977450: Refclock impersonation vulnerability - CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, bsc#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, bsc#977458: ctl_getitem() return value not always checked. - This update also improves the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 Bugs fixed : - Restrict the parser in the startup script to the first occurrance of last seen 2020-06-01 modified 2020-06-02 plugin id 91120 published 2016-05-13 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91120 title SUSE SLES11 Security Update : ntp (SUSE-SU-2016:1278-1) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201607-15.NASL description The remote host is affected by the vulnerability described in GLSA-201607-15 (NTP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in NTP. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly cause a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 92485 published 2016-07-21 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92485 title GLSA-201607-15 : NTP: Multiple vulnerabilities NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2016-1141.NASL description An update for ntp is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Network Time Protocol (NTP) is used to synchronize a computer last seen 2020-06-01 modified 2020-06-02 plugin id 91394 published 2016-06-01 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91394 title CentOS 6 / 7 : ntp (CESA-2016:1141) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-1568-1.NASL description ntp was updated to version 4.2.8p8 to fix 17 security issues. These security issues were fixed : - CVE-2016-4956: Broadcast interleave (bsc#982068). - CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457). - CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458). - CVE-2016-4954: Processing spoofed server packets (bsc#982066). - CVE-2016-4955: Autokey association reset (bsc#982067). - CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a last seen 2020-06-01 modified 2020-06-02 plugin id 91663 published 2016-06-17 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91663 title SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1568-1) NASL family AIX Local Security Checks NASL id AIX_IV87615.NASL description NTPv3 and NTPv4 are vulnerable to : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974 NTP could allow a remote authenticated attacker to conduct spoofing attacks, caused by a missing key check. An attacker could exploit this vulnerability to impersonate a peer. NTP could allow a local attacker to bypass security restrictions, caused by the failure to use a constant-time memory comparison function when validating the authentication digest on incoming packets. By sending a specially crafted packet with an authentication payload, an attacker could exploit this vulnerability to conduct a timing attack to compute the value of the valid authentication digest. While the majority OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over physical network. On these OSes, if ntpd is configured to use a reference clock an attacker can inject packets over the network that look like they are coming from that reference clock. If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted. NTP is vulnerable to a denial of service, caused by an error when using a specially crafted packet to create a peer association with hmode > 7. An attacker could exploit this vulnerability to cause the MATCH_ASSOC() function to trigger an out-of-bounds read. NTP is vulnerable to a denial of service, caused by the failure to always check the ctl_getitem() function return value. By sending an overly large value, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the demobilization of a preemptable client association. By sending specially crafted crypto NAK packets, an attacker could exploit this vulnerability to cause a denial of service. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets, an attacker could exploit this vulnerability to cause ntpd to crash. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending specially crafted CRYPTO_NAK packets to an ephemeral peer target prior to a response being sent, a remote attacker could exploit this vulnerability to demobilize the ephemeral association. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed server packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause a false leap indication to be set. NTP is vulnerable to a denial of service, caused by the improper handling of packets. By sending spoofed CRYPTO_NAK or a bad MAC packets with correct origin timestamps, a remote attacker could exploit this vulnerability to cause the autokey association to reset. This plugin has been deprecated to better accommodate iFix supersedence with replacement plugin aix_ntp_v3_advisory7.nasl (plugin id 102128). last seen 2017-10-29 modified 2017-08-03 plugin id 93351 published 2016-09-08 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=93351 title AIX 7.1 TL 3 : ntp (IV87615) (deprecated) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2016-708.NASL description It was found that an ntpd client could be forced to change from basic client/server mode to the interleaved symmetric mode. A remote attacker could use a spoofed packet that, when processed by an ntpd client, would cause that client to reject all future legitimate server responses, effectively disabling time synchronization on that client. (CVE-2016-1548) An out-of-bounds access flaw was found in the way ntpd processed certain packets. An authenticated attacker could use a crafted packet to create a peer association with hmode of 7 and larger, which could potentially (although highly unlikely) cause ntpd to crash. (CVE-2016-2518) A flaw was found in the way libntp performed message authentication. An attacker able to observe the timing of the comparison function used in packet authentication could potentially use this flaw to recover the message digest. (CVE-2016-1550) Assertion failure in ntpd on duplicate IPs on unconfig directives (CVE-2016-2516) last seen 2020-06-01 modified 2020-06-02 plugin id 91467 published 2016-06-06 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/91467 title Amazon Linux AMI : ntp (ALAS-2016-708) NASL family Misc. NASL id NTP_4_2_8P7.NASL description The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p7. It is, therefore, affected by the following vulnerabilities : - A denial of service vulnerability exists due to improper validation of the origin timestamp field when handling a Kiss-of-Death (KoD) packet. An unauthenticated, remote attacker can exploit this to cause a client to stop querying its servers, preventing the client from updating its clock. (CVE-2015-7704) - A flaw exists in the receive() function in ntp_proto.c that allows packets with an origin timestamp of zero to bypass security checks. An unauthenticated, remote attacker can exploit this to spoof arbitrary content. (CVE-2015-8138) - A denial of service vulnerability exists due to improper handling of a crafted Crypto NAK Packet with a source address spoofed to match that of an existing associated peer. An unauthenticated, remote attacker can exploit this to demobilize a client association. (CVE-2016-1547) - A denial of service vulnerability exists due to improper handling of packets spoofed to appear to be from a valid ntpd server. An unauthenticated, remote attacker can exploit this to cause NTP to switch from basic client/server mode to interleaved symmetric mode, causing the client to reject future legitimate responses. (CVE-2016-1548) - A race condition exists that is triggered during the handling of a saturation of ephemeral associations. An authenticated, remote attacker can exploit this to defeat NTP last seen 2020-06-01 modified 2020-06-02 plugin id 90923 published 2016-05-05 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90923 title Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p7 Multiple Vulnerabilities NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-1291-1.NASL description This update for ntp to 4.2.8p7 fixes the following issues : - CVE-2016-1547, bsc#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, bsc#977461: Interleave-pivot - CVE-2016-1549, bsc#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, bsc#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, bsc#977450: Refclock impersonation vulnerability - CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, bsc#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, bsc#977458: ctl_getitem() return value not always checked. - This update also improves the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 Bugs fixed : - Restrict the parser in the startup script to the first occurrance of last seen 2020-06-01 modified 2020-06-02 plugin id 91159 published 2016-05-16 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91159 title SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1291-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-1912-1.NASL description NTP was updated to version 4.2.8p8 to fix several security issues and to ensure the continued maintainability of the package. These security issues were fixed : CVE-2016-4953: Bad authentication demobilized ephemeral associations (bsc#982065). CVE-2016-4954: Processing spoofed server packets (bsc#982066). CVE-2016-4955: Autokey association reset (bsc#982067). CVE-2016-4956: Broadcast interleave (bsc#982068). CVE-2016-4957: CRYPTO_NAK crash (bsc#982064). CVE-2016-1547: Validate crypto-NAKs to prevent ACRYPTO-NAK DoS (bsc#977459). CVE-2016-1548: Prevent the change of time of an ntpd client or denying service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode (bsc#977461). CVE-2016-1549: Sybil vulnerability: ephemeral association attack (bsc#977451). CVE-2016-1550: Improve security against buffer comparison timing attacks (bsc#977464). CVE-2016-1551: Refclock impersonation vulnerability (bsc#977450)y CVE-2016-2516: Duplicate IPs on unconfig directives could have caused an assertion botch in ntpd (bsc#977452). CVE-2016-2517: Remote configuration trustedkey/ requestkey/controlkey values are not properly validated (bsc#977455). CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457). CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458). CVE-2015-8158: Potential Infinite Loop in ntpq (bsc#962966). CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002). CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784). CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000). CVE-2015-7977: reslist NULL pointer dereference (bsc#962970). CVE-2015-7976: ntpq saveconfig command allowed dangerous characters in filenames (bsc#962802). CVE-2015-7975: nextvar() missing length check (bsc#962988). CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might have allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a last seen 2020-06-01 modified 2020-06-02 plugin id 93186 published 2016-08-29 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93186 title SUSE SLES10 Security Update : ntp (SUSE-SU-2016:1912-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-599.NASL description This update for ntp to 4.2.8p7 fixes the following issues : - CVE-2016-1547, bsc#977459: Validate crypto-NAKs, AKA: CRYPTO-NAK DoS. - CVE-2016-1548, bsc#977461: Interleave-pivot - CVE-2016-1549, bsc#977451: Sybil vulnerability: ephemeral association attack. - CVE-2016-1550, bsc#977464: Improve NTP security against buffer comparison timing attacks. - CVE-2016-1551, bsc#977450: Refclock impersonation vulnerability - CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. - CVE-2016-2517, bsc#977455: remote configuration trustedkey/ requestkey/controlkey values are not properly validated. - CVE-2016-2518, bsc#977457: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. - CVE-2016-2519, bsc#977458: ctl_getitem() return value not always checked. - This update also improves the fixes for: CVE-2015-7704, CVE-2015-7705, CVE-2015-7974 Bugs fixed : - Restrict the parser in the startup script to the first occurrance of last seen 2020-06-05 modified 2016-05-20 plugin id 91269 published 2016-05-20 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91269 title openSUSE Security Update : ntp (openSUSE-2016-599) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3096-1.NASL description Aanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to perform a replay attack. (CVE-2015-7973) Matt Street discovered that NTP incorrectly verified peer associations of symmetric keys. A remote attacker could use this issue to perform an impersonation attack. (CVE-2015-7974) Jonathan Gardner discovered that the NTP ntpq utility incorrectly handled memory. An attacker could possibly use this issue to cause ntpq to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2015-7975) Jonathan Gardner discovered that the NTP ntpq utility incorrectly handled dangerous characters in filenames. An attacker could possibly use this issue to overwrite arbitrary files. (CVE-2015-7976) Stephen Gray discovered that NTP incorrectly handled large restrict lists. An attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7977, CVE-2015-7978) Aanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7979) Jonathan Gardner discovered that NTP incorrectly handled origin timestamp checks. A remote attacker could use this issue to spoof peer servers. (CVE-2015-8138) Jonathan Gardner discovered that the NTP ntpq utility did not properly handle certain incorrect values. An attacker could possibly use this issue to cause ntpq to hang, resulting in a denial of service. (CVE-2015-8158) It was discovered that the NTP cronjob incorrectly cleaned up the statistics directory. A local attacker could possibly use this to escalate privileges. (CVE-2016-0727) Stephen Gray and Matthew Van Gundy discovered that NTP incorrectly validated crypto-NAKs. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1547) Miroslav Lichvar and Jonathan Gardner discovered that NTP incorrectly handled switching to interleaved symmetric mode. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1548) Matthew Van Gundy, Stephen Gray and Loganaden Velvindron discovered that NTP incorrectly handled message authentication. A remote attacker could possibly use this issue to recover the message digest key. (CVE-2016-1550) Yihan Lian discovered that NTP incorrectly handled duplicate IPs on unconfig directives. An authenticated remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2516) Yihan Lian discovered that NTP incorrectly handled certail peer associations. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2518) Jakub Prokes discovered that NTP incorrectly handled certain spoofed packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4954) Miroslav Lichvar discovered that NTP incorrectly handled certain packets when autokey is enabled. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4955) Miroslav Lichvar discovered that NTP incorrectly handled certain spoofed broadcast packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4956) In the default installation, attackers would be isolated by the NTP AppArmor profile. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 93896 published 2016-10-06 reporter Ubuntu Security Notice (C) 2016-2019 Canonical, Inc. / NASL script (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93896 title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : ntp vulnerabilities (USN-3096-1) NASL family F5 Networks Local Security Checks NASL id F5_BIGIP_SOL20804323.NASL description The MATCH_ASSOC function in NTP before version 4.2.8p9 and 4.3.x before 4.3.92 allows remote attackers to cause an out-of-bounds reference via an addpeer request with a large hmode value. (CVE-2016-2518) Using a crafted packet to create a peer association with hmode > 7 causes the MATCH_ASSOC() lookup to make an out-of-bounds reference. last seen 2020-06-01 modified 2020-06-02 plugin id 97152 published 2017-02-15 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/97152 title F5 Networks BIG-IP : NTP vulnerability (K20804323) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1556.NASL description According to the versions of the ntp packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - A vulnerability was discovered in the NTP server last seen 2020-06-01 modified 2020-06-02 plugin id 125009 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125009 title EulerOS Virtualization 3.0.1.0 : ntp (EulerOS-SA-2019-1556) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2016-1141.NASL description From Red Hat Security Advisory 2016:1141 : An update for ntp is now available for Red Hat Enterprise Linux 6 and Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Network Time Protocol (NTP) is used to synchronize a computer last seen 2020-06-01 modified 2020-06-02 plugin id 91418 published 2016-06-01 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91418 title Oracle Linux 6 / 7 : ntp (ELSA-2016-1141) NASL family Scientific Linux Local Security Checks NASL id SL_20160531_NTP_ON_SL6_X.NASL description Security Fix(es) : - It was found that when NTP was configured in broadcast mode, a remote attacker could broadcast packets with bad authentication to all clients. The clients, upon receiving the malformed packets, would break the association with the broadcast server, causing them to become out of sync over a longer period of time. (CVE-2015-7979) - A denial of service flaw was found in the way NTP handled preemptable client associations. A remote attacker could send several crypto NAK packets to a victim client, each with a spoofed source address of an existing associated peer, preventing that client from synchronizing its time. (CVE-2016-1547) - It was found that an ntpd client could be forced to change from basic client/server mode to the interleaved symmetric mode. A remote attacker could use a spoofed packet that, when processed by an ntpd client, would cause that client to reject all future legitimate server responses, effectively disabling time synchronization on that client. (CVE-2016-1548) - A flaw was found in the way NTP last seen 2020-03-18 modified 2016-06-17 plugin id 91644 published 2016-06-17 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91644 title Scientific Linux Security Update : ntp on SL6.x, SL7.x i386/x86_64 (20160531) NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2016-0082.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - don last seen 2020-06-01 modified 2020-06-02 plugin id 91419 published 2016-06-01 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/91419 title OracleVM 3.3 / 3.4 : ntp (OVMSA-2016-0082) NASL family Junos Local Security Checks NASL id JUNIPER_SPACE_JSA_10826.NASL description According to its self-reported version number, the version of Junos Space running on the remote device is < 17.1R1, and is therefore affected by multiple vulnerabilities. last seen 2020-06-01 modified 2020-06-02 plugin id 104100 published 2017-10-23 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104100 title Juniper Junos Space < 17.1R1 Multiple Vulnerabilities (JSA10826) NASL family Fedora Local Security Checks NASL id FEDORA_2016-ED8C6C0426.NASL description Security fix for CVE-2016-1548, CVE-2016-2516, CVE-2016-2518, CVE-2016-1550 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-05-09 plugin id 90977 published 2016-05-09 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/90977 title Fedora 24 : ntp-4.2.6p5-40.fc24 (2016-ed8c6c0426) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_B2487D9A0C3011E6ACD0D050996490D0.NASL description Network Time Foundation reports : NTF last seen 2020-06-01 modified 2020-06-02 plugin id 90742 published 2016-04-27 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90742 title FreeBSD : ntp -- multiple vulnerabilities (b2487d9a-0c30-11e6-acd0-d050996490d0)
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpms |
|
References
- https://www.kb.cert.org/vuls/id/718152
- http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_ntp_4_2_8p7_Security
- http://support.ntp.org/bin/view/Main/NtpBug3009
- http://www.securityfocus.com/bid/88226
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- https://security.gentoo.org/glsa/201607-15
- http://www.securitytracker.com/id/1035705
- http://www.debian.org/security/2016/dsa-3629
- https://security.netapp.com/advisory/ntap-20171004-0002/
- https://security.FreeBSD.org/advisories/FreeBSD-SA-16:16.ntp.asc
- https://access.redhat.com/errata/RHSA-2016:1141
- http://rhn.redhat.com/errata/RHSA-2016-1552.html
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-211752.pdf
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00034.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00037.html
- http://lists.opensuse.org/opensuse-updates/2016-05/msg00114.html
- http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00026.html
- http://www.ubuntu.com/usn/USN-3096-1
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00042.html
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160428-ntpd
- http://www.securityfocus.com/archive/1/archive/1/538233/100/0/threaded
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00052.html
- http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00020.html
- http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00001.html
- http://www.securityfocus.com/archive/1/538233/100/0/threaded
- http://packetstormsecurity.com/files/136864/Slackware-Security-Advisory-ntp-Updates.html
- https://us-cert.cisa.gov/ics/advisories/icsa-21-159-11
- https://support.f5.com/csp/article/K20804323
- http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183647.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184669.html
- https://www.debian.org/security/2016/dsa-3629