CVSS: 7.5EPSS: 35%CPEs: 45EXPL: 0CVE-2015-7703 – ntp: config command can be used to set the pidfile and drift file paths
https://notcve.org/view.php?id=CVE-2015-7703
The "pidfile" or "driftfile" directives in NTP ntpd 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77, when ntpd is configured to allow remote configuration, allows remote attackers with an IP address that is allowed to send configuration requests, and with knowledge of the remote configuration password to write to arbitrary files via the :config command. Las directivas "pidfile" o "driftfile" en NTP ntpd versión 4.2.x anterior a 4.2.8p4, y versión 4.3.x anterior a 4.3.77, cuando ntpd está configurado para permitir la configuración remota, permite a los atacantes remotos con una dirección IP que puede enviar peticiones de configuración y con el conocimiento de la contraseña de configuración remota, escribir en archivos arbitrarios mediante el comando :config. It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals). • http://rhn.redhat.com/errata/RHSA-2016-0780.html http://rhn.redhat.com/errata/RHSA-2016-2583.html http://support.ntp.org/bin/view/Main/NtpBug2902 http://www.debian.org/security/2015/dsa-3388 http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html http://www.securityfocus.com/bid/77278 http://www.securitytracker.com/id/1033951 https://bugzilla.redhat.com/show_bug.cgi?id=1254547 https://security.gentoo.org/glsa/201607-15 https://security.netapp.com • CWE-20: Improper Input Validation CWE-73: External Control of File Name or Path •
CVSS: 7.5EPSS: 83%CPEs: 58EXPL: 0CVE-2015-7704 – ntp: disabling synchronization via crafted KoD packet
https://notcve.org/view.php?id=CVE-2015-7704
The ntpd client in NTP 4.x before 4.2.8p4 and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service via a number of crafted "KOD" messages. El cliente ntpd en NTP 4.x en versiones anteriores a 4.2.8p4, y 4.3.x en versiones anteriores a 4.3.77 permite que atacantes remotos provoquen una denegación de servicio empleando una serie de mensajes "KOD" manipulados. It was discovered that ntpd as a client did not correctly check timestamps in Kiss-of-Death packets. A remote attacker could use this flaw to send a crafted Kiss-of-Death packet to an ntpd client that would increase the client's polling interval value, and effectively disable synchronization with the server. • http://bugs.ntp.org/show_bug.cgi?id=2901 http://rhn.redhat.com/errata/RHSA-2015-1930.html http://rhn.redhat.com/errata/RHSA-2015-2520.html http://support.ntp.org/bin/view/Main/NtpBug2901 http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_4_2_8p4_Securit http://www.debian.org/security/2015/dsa-3388 http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html http://www.securityfocus.com/bid/77280 http://www.securitytracker.com/id/1 • CWE-20: Improper Input Validation •
CVSS: 5.9EPSS: 4%CPEs: 46EXPL: 0CVE-2015-7852 – ntp: ntpq atoascii memory corruption vulnerability
https://notcve.org/view.php?id=CVE-2015-7852
ntpq in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (crash) via crafted mode 6 response packets. ntpd en NTP 4.2.x en versiones anteriores a 4.2.8p4, y 4.3.x en versiones anteriores a 4.3.77 permite que atacantes remotos provoquen una denegación de servicio empleando paquetes de respuesta en modo 6 manipulados. An off-by-one flaw, leading to a buffer overflow, was found in cookedprint functionality of ntpq. A specially crafted NTP packet could potentially cause ntpq to crash. • http://rhn.redhat.com/errata/RHSA-2016-0780.html http://rhn.redhat.com/errata/RHSA-2016-2583.html http://support.ntp.org/bin/view/Main/NtpBug2919 http://www.debian.org/security/2015/dsa-3388 http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html http://www.securityfocus.com/bid/77288 http://www.securitytracker.com/id/1033951 https://security.gentoo.org/glsa/201607-15 https://security.netapp.com/advisory/ntap-20171004-0001 https://access.redhat.com& • CWE-20: Improper Input Validation CWE-193: Off-by-one Error •
CVSS: 5.8EPSS: 1%CPEs: 9EXPL: 0CVE-2014-9750 – ntp: vallen in extension fields are not validated
https://notcve.org/view.php?id=CVE-2014-9750
ntp_crypto.c in ntpd in NTP 4.x before 4.2.8p1, when Autokey Authentication is enabled, allows remote attackers to obtain sensitive information from process memory or cause a denial of service (daemon crash) via a packet containing an extension field with an invalid value for the length of its value field. ntp_crypto.c en ntpd en NTP 4.x en versiones anteriores a 4.2.8p1, cuando Autokey Authentication está habilitada, permite a atacantes remotos obtener información sensible de la memoria de proceso o causar una denegación de servicio (caída del demonio) a través de un paquete que contiene un campo extension con un valor no válido para la longitud de su campo de valor. A stack-based buffer overflow was found in the way the NTP autokey protocol was implemented. When an NTP client decrypted a secret received from an NTP server, it could cause that client to crash. • http://bugs.ntp.org/show_bug.cgi?id=2671 http://rhn.redhat.com/errata/RHSA-2015-1459.html http://support.ntp.org/bin/view/Main/SecurityNotice#December_2014_NTP_Security_Vulne http://www.debian.org/security/2015/dsa-3388 http://www.kb.cert.org/vuls/id/852879 http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html http://www.securityfocus.com/bid/72583 https://bugzilla.redhat.com/show_bug.cgi?id=1184573 https://support.hpe.com/hpsc/doc/public&#x • CWE-20: Improper Input Validation •
CVSS: 6.8EPSS: 1%CPEs: 11EXPL: 0CVE-2014-9751 – ntp: drop packets with source address ::1
https://notcve.org/view.php?id=CVE-2014-9751
The read_network_packet function in ntp_io.c in ntpd in NTP 4.x before 4.2.8p1 on Linux and OS X does not properly determine whether a source IP address is an IPv6 loopback address, which makes it easier for remote attackers to spoof restricted packets, and read or write to the runtime state, by leveraging the ability to reach the ntpd machine's network interface with a packet from the ::1 address. La función read_network_packet en ntp_io.c en ntpd en NTP 4.x en versiones anteriores a 4.2.8p1 en Linux y OS X no determina correctamente si una dirección IP fuente es una dirección IPv6 loopback, lo que facilita a atacantes remotos suplantar paquetes restringidos y leer o escribir en el estado runtime, aprovechando la habilidad para alcanzar la interfaz de red de la máquina ntpd con un paquete proveniente de la dirección ::1. It was found that because NTP's access control was based on a source IP address, an attacker could bypass source IP restrictions and send malicious control and configuration packets by spoofing ::1 addresses. • http://bugs.ntp.org/show_bug.cgi?id=2672 http://rhn.redhat.com/errata/RHSA-2015-1459.html http://support.ntp.org/bin/view/Main/SecurityNotice#December_2014_NTP_Security_Vulne http://www.debian.org/security/2015/dsa-3388 http://www.kb.cert.org/vuls/id/852879 http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html http://www.securityfocus.com/bid/72584 https://bugzilla.redhat.com/show_bug.cgi?id=1184572 https://support.hpe.com/hpsc/doc/public&#x • CWE-20: Improper Input Validation •