CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2016-1548 – ntp: ntpd switching to interleaved mode with spoofed packets
https://notcve.org/view.php?id=CVE-2016-1548
An attacker can spoof a packet from a legitimate ntpd server with an origin timestamp that matches the peer->dst timestamp recorded for that server. After making this switch, the client in NTP 4.2.8p4 and earlier and NTPSec aa48d001683e5b791a743ec9c575aaf7d867a2b0c will reject all future legitimate server responses. It is possible to force the victim client to move time after the mode has been changed. ntpq gives no indication that the mode has been switched. Un atacante puede suplantar un paquete de un servidor ntpd legítimo con una marca de tiempo de origen que coincida con la marca de tiempo peer->dst registrada para ese servidor. Después de hacer este cambio, el cliente en NTP 4.2.8p4 y versiones anteriores y NTPSec aa48d001683e5b791a743ec9c575aaf7d867a2b0c rechazarán todas las futuras respuestas legítimas del servidor. • http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183647.html http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184669.html http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00034.html http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00037.html http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00052.html http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2016& • CWE-19: Data Processing Errors •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2016-1549
https://notcve.org/view.php?id=CVE-2016-1549
A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win the clock selection algorithm in ntpd in NTP 4.2.8p4 and earlier and NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 and a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a victim's clock. Un par malicioso autenticado puede crear arbitrariamente muchas asociaciones efímeras para ganar el algoritmo de selección de reloj en ntpd en NTP 4.2.8p4 y versiones anteriores y NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 y a5fb34b9cc89b92a8fef2f459004865c93bb7f92 y modificar un reloj de una víctima. • http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html http://www.securityfocus.com/bid/88200 http://www.securitytracker.com/id/1035705 http://www.talosintelligence.com/reports/TALOS-2016-0083 https://security.FreeBSD.org/advisories/FreeBSD-SA-16:16.ntp.asc https://security.gentoo.org/glsa/201607-15 https://security.netapp.com/advisory/ntap-20171004-0002 https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03962en_us https://www.synolo • CWE-19: Data Processing Errors •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2016-1547 – ntp: crypto-NAK preemptable association denial of service
https://notcve.org/view.php?id=CVE-2016-1547
An off-path attacker can cause a preemptible client association to be demobilized in NTP 4.2.8p4 and earlier and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92 by sending a crypto NAK packet to a victim client with a spoofed source address of an existing associated peer. This is true even if authentication is enabled. Un atacante fuera de ruta puede provocar que una asociación de clientes preventiva sea desmovilizada en NTP 4.2.8p4 y versiones anteriores y NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92 enviando un paquete NAK encriptado a un cliente víctima con una dirección fuente suplantada de un asociado existente. Esto es cierto incluso si la autenticación está habilitada. A denial of service flaw was found in the way NTP handled preemptable client associations. • http://rhn.redhat.com/errata/RHSA-2016-1552.html http://www.debian.org/security/2016/dsa-3629 http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html http://www.securityfocus.com/bid/88276 http://www.securitytracker.com/id/1035705 http://www.talosintelligence.com/reports/TALOS-2016-0081 https://access.redhat.com/errata/RHSA-2016:1141 https://cert-portal.siemens.com/productcert/pdf/ssa- • CWE-20: Improper Input Validation •
CVSS: 5.3EPSS: 0%CPEs: 125EXPL: 0CVE-2016-2518 – ntp: out-of-bounds references on crafted packet
https://notcve.org/view.php?id=CVE-2016-2518
The MATCH_ASSOC function in NTP before version 4.2.8p9 and 4.3.x before 4.3.92 allows remote attackers to cause an out-of-bounds reference via an addpeer request with a large hmode value. La función MATCH_ASSOC en NTP en versiones anteriores 4.2.8p9 y 4.3.x en versiones anteriores a 4.3.92 permite a atacantes remotos provocar una referencia fuera de los límites a través de una solicitud addpeer con un valor hmode grande. An out-of-bounds access flaw was found in the way ntpd processed certain packets. An authenticated attacker could use a crafted packet to create a peer association with hmode of 7 and larger, which could potentially (although highly unlikely) cause ntpd to crash. • http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183647.html http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184669.html http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00034.html http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00037.html http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00052.html http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00001.html http://lists.opensuse.org/opensuse-security-announce/2016& • CWE-125: Out-of-bounds Read •
CVSS: 5.9EPSS: 4%CPEs: 93EXPL: 0CVE-2016-2519
https://notcve.org/view.php?id=CVE-2016-2519
ntpd in NTP before 4.2.8p7 and 4.3.x before 4.3.92 allows remote attackers to cause a denial of service (ntpd abort) by a large request data value, which triggers the ctl_getitem function to return a NULL value. Ntpd en NTP en versiones anteriores a 4.2.8p7 y 4.3.x en versiones anteriores a 4.3.92 permite a los atacantes remotos causar una denegación de servicio (ntpd abort) por un gran petición de valores de datos, lo que activa la función ctl_getitem para devolver un valor NULL. • http://support.ntp.org/bin/view/Main/NtpBug3008 http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html http://www.securityfocus.com/bid/88204 http://www.securitytracker.com/id/1035705 https://security.FreeBSD.org/advisories/FreeBSD-SA-16:16.ntp.asc https://security.gentoo.org/glsa/201607-15 https://security.netapp.com/advisory/ntap-20171004-0002 https://www.kb.cert.org/vuls/id/718152 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •