Page 11 of 66 results (0.016 seconds)

CVSS: 6.5EPSS: 0%CPEs: 18EXPL: 1

Directory traversal vulnerability in the save_config function in ntpd in ntp_control.c in NTP before 4.2.8p4, when used on systems that do not use '\' or '/' characters for directory separation such as OpenVMS, allows remote authenticated users to overwrite arbitrary files. La vulnerabilidad salto de directorio en la función save_config en ntpd en el archivo ntp_control.c en NTP versiones anteriores a 4.2.8p4, cuando es usado en sistemas que no utilizan caracteres "\" o '"/" para la separación de directorios como OpenVMS, permite a usuarios autenticados remotos sobrescribir archivos arbitrarios. • http://support.ntp.org/bin/view/Main/NtpBug2918 http://support.ntp.org/bin/view/Main/SecurityNotice http://www.talosintel.com/reports/TALOS-2015-0062 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 6.8EPSS: 1%CPEs: 11EXPL: 0

The read_network_packet function in ntp_io.c in ntpd in NTP 4.x before 4.2.8p1 on Linux and OS X does not properly determine whether a source IP address is an IPv6 loopback address, which makes it easier for remote attackers to spoof restricted packets, and read or write to the runtime state, by leveraging the ability to reach the ntpd machine's network interface with a packet from the ::1 address. La función read_network_packet en ntp_io.c en ntpd en NTP 4.x en versiones anteriores a 4.2.8p1 en Linux y OS X no determina correctamente si una dirección IP fuente es una dirección IPv6 loopback, lo que facilita a atacantes remotos suplantar paquetes restringidos y leer o escribir en el estado runtime, aprovechando la habilidad para alcanzar la interfaz de red de la máquina ntpd con un paquete proveniente de la dirección ::1. It was found that because NTP's access control was based on a source IP address, an attacker could bypass source IP restrictions and send malicious control and configuration packets by spoofing ::1 addresses. • http://bugs.ntp.org/show_bug.cgi?id=2672 http://rhn.redhat.com/errata/RHSA-2015-1459.html http://support.ntp.org/bin/view/Main/SecurityNotice#December_2014_NTP_Security_Vulne http://www.debian.org/security/2015/dsa-3388 http://www.kb.cert.org/vuls/id/852879 http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html http://www.securityfocus.com/bid/72584 https://bugzilla.redhat.com/show_bug.cgi?id=1184572 https://support.hpe.com/hpsc/doc/public&#x • CWE-20: Improper Input Validation •

CVSS: 5.8EPSS: 1%CPEs: 9EXPL: 0

ntp_crypto.c in ntpd in NTP 4.x before 4.2.8p1, when Autokey Authentication is enabled, allows remote attackers to obtain sensitive information from process memory or cause a denial of service (daemon crash) via a packet containing an extension field with an invalid value for the length of its value field. ntp_crypto.c en ntpd en NTP 4.x en versiones anteriores a 4.2.8p1, cuando Autokey Authentication está habilitada, permite a atacantes remotos obtener información sensible de la memoria de proceso o causar una denegación de servicio (caída del demonio) a través de un paquete que contiene un campo extension con un valor no válido para la longitud de su campo de valor. A stack-based buffer overflow was found in the way the NTP autokey protocol was implemented. When an NTP client decrypted a secret received from an NTP server, it could cause that client to crash. • http://bugs.ntp.org/show_bug.cgi?id=2671 http://rhn.redhat.com/errata/RHSA-2015-1459.html http://support.ntp.org/bin/view/Main/SecurityNotice#December_2014_NTP_Security_Vulne http://www.debian.org/security/2015/dsa-3388 http://www.kb.cert.org/vuls/id/852879 http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html http://www.securityfocus.com/bid/72583 https://bugzilla.redhat.com/show_bug.cgi?id=1184573 https://support.hpe.com/hpsc/doc/public&#x • CWE-20: Improper Input Validation •

CVSS: 5.3EPSS: 1%CPEs: 6EXPL: 0

ntpd in ntp before 4.2.8p3 with remote configuration enabled allows remote authenticated users with knowledge of the configuration password and access to a computer entrusted to perform remote configuration to cause a denial of service (service crash) via a NULL byte in a crafted configuration directive packet. ntpd en ntp en versiones anteriores a la 4.2.8p3 con la configuración remota habilitada permite que usuarios remotos autenticados que conozcan la contraseña de configuración y acceso a un ordenador asignado para realizar configuraciones remotas provoquen una denegación de servicio (bloque de servicio) mediante un byte NULL en una directiva de paquete de configuración manipulada. • http://bugs.ntp.org/show_bug.cgi?id=2853 http://lists.fedoraproject.org/pipermail/package-announce/2015-November/170926.html http://lists.fedoraproject.org/pipermail/package-announce/2015-October/169167.html http://lists.fedoraproject.org/pipermail/package-announce/2015-September/166992.html http://support.ntp.org/bin/view/Main/SecurityNotice#March_2017_ntp_4_2_8p10_NTP_Secu http://www.debian.org/security/2015/dsa-3388 http://www.securityfocus.com/bid/75589 http://www.securitytracker.com/ • CWE-20: Improper Input Validation •

CVSS: 2.6EPSS: 0%CPEs: 1EXPL: 0

The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle attackers to spoof packets by omitting the MAC. La característica symmetric-key en la función receive en ntp_proto.c en ntpd en NTP 4.x anterior a 4.2.8p2 requiere un MAC correcto únicamente si el campo MAC tiene una longitud que no sea cero, lo que facilita a atacantes man-in-the-middle falsificar paquetes mediante la omisión del MAC. It was found that ntpd did not check whether a Message Authentication Code (MAC) was present in a received packet when ntpd was configured to use symmetric cryptographic keys. A man-in-the-middle attacker could use this flaw to send crafted packets that would be accepted by a client or a peer without the attacker knowing the symmetric key. • http://bugs.ntp.org/show_bug.cgi?id=2779 http://lists.apple.com/archives/security-announce/2015/Jun/msg00002.html http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155863.html http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155864.html http://lists.opensuse.org/opensuse-updates/2015-04/msg00052.html http://marc.info/?l=bugtraq&m=143213867103400&w=2 http://rhn.redhat.com/errata/RHSA-2015-1459.html http://support.apple.com/kb/HT204942 http: • CWE-17: DEPRECATED: Code CWE-347: Improper Verification of Cryptographic Signature •