Vulnerabilities > CVE-2016-5117 - 7PK - Security Features vulnerability in Openntpd 6.0

CVSS 5.9 - MEDIUM

Attack vector

NETWORK

Attack complexity

HIGH

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

HIGH

Availability impact

NONE

network

high complexity

openntpd

CWE-254

NVD

Published: 2017-01-31

Updated: 2017-02-24

Summary

OpenNTPD before 6.0p1 does not validate the CN for HTTPS constraint requests, which allows remote attackers to bypass the man-in-the-middle mitigations via a crafted timestamp constraint with a valid certificate.

Vulnerable Configurations

Part	Description	Count
Application	Openntpd Openntpd Openntpd 6.0	1

Common Weakness Enumeration (CWE)

CWE-254 - 7PK - Security Features

References

http://www.openwall.com/lists/oss-security/2016/05/29/6
http://www.openwall.com/lists/oss-security/2016/05/23/2
http://www.openntpd.org/txt/release-6.0p1.txt
http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.sbin/ntpd/constraint.c.diff?r1=1.27&r2=1.28