49 results (0.005 seconds)

CVSS: 4.9EPSS: 0%CPEs: 32EXPL: 0

ntpd in ntp 4.2.8 before 4.2.8p15 and 4.3.x before 4.3.101 allows remote attackers to cause a denial of service (memory consumption) by sending packets, because memory is not freed in situations where a CMAC key is used and associated with a CMAC algorithm in the ntp.keys file. ntpd en ntp versión 4.2.8 versiones anteriores a 4.2.8p15 y versiones 4.3.x anteriores a 4.3.101, permite a atacantes remotos causar una denegación de servicio (consumo de la memoria) mediante el envío de paquetes, porque la memoria no es liberada en situaciones donde se usa una clave CMAC y está asociada con un algoritmo CMAC en el archivo ntp.keys • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00044.html https://bugs.gentoo.org/729458 https://security.gentoo.org/glsa/202007-12 https://security.netapp.com/advisory/ntap-20200702-0002 https://support.ntp.org/bin/view/Main/NtpBug3661 https://support.ntp.org/bin/view/Main/SecurityNotice#June_2020_ntp_4_2_8p15_NTP_Relea https://www.oracle.com/security-alerts/cpujan2021.html • CWE-401: Missing Release of Memory after Effective Lifetime •

CVSS: 7.4EPSS: 5%CPEs: 79EXPL: 0

ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows remote attackers to cause a denial of service (daemon exit or system time change) by predicting transmit timestamps for use in spoofed packets. The victim must be relying on unauthenticated IPv4 time sources. There must be an off-path attacker who can query time from the victim's ntpd instance. ntpd en ntp versiones anteriores a 4.2.8p14 y versiones 4.3.x versiones anteriores a 4.3.100, permite a atacantes remotos causar una denegación de servicio (salida del demonio o cambio de hora del sistema) mediante la predicción de las marcas de tiempo de transmisión para su uso en paquetes falsificados. La víctima debe confiar en fuentes de tiempo IPv4 no autenticadas. Debe haber un atacante fuera de la ruta que pueda consultar el tiempo desde la instancia ntpd de la víctima A high-performance ntpd instance that gets its time from unauthenticated IPv4 time sources may be vulnerable to an off-path attacker who can query time from the victim's ntpd instance. • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00044.html http://support.ntp.org/bin/view/Main/NtpBug3596 https://bugs.ntp.org/show_bug.cgi?id=3596 https://security.gentoo.org/glsa/202007-12 https://security.netapp.com/advisory/ntap-20200625-0004 https://www.oracle.com/security-alerts/cpujan2022.html https://access.redhat.com/security/cve/CVE-2020-13817 https://bugzilla.redhat.com/show_bug& • CWE-330: Use of Insufficiently Random Values CWE-358: Improperly Implemented Security Check for Standard •

CVSS: 7.5EPSS: 2%CPEs: 54EXPL: 0

ntpd in ntp before 4.2.8p14 and 4.3.x before 4.3.100 allows an off-path attacker to block unauthenticated synchronization via a server mode packet with a spoofed source IP address, because transmissions are rescheduled even when a packet lacks a valid origin timestamp. ntpd en ntp versiones anteriores a 4.2.8p14 y versiones 4.3.x anteriores a 4.3.100, permite a un atacante fuera de ruta bloquear una sincronización no autenticada por medio de un paquete en modo server con una dirección IP de origen falsificado, porque las transmisiones son reprogramados aun cuando un paquete carece de una marca de tiempo de origen valido. A flaw was found in the Network Time Protocol (NTP), where a security issue exists that allows an off-path attacker to prevent the Network Time Protocol daemon (ntpd) from synchronizing with NTP servers not using authentication. A server mode packet with a spoofed source address sent to the client ntpd causes the next transmission to be rescheduled, even if the packet does not have a valid origin timestamp. If the packet is sent to the client frequently enough, it stops polling the server and is unable to synchronize with it. • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00005.html http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00044.html http://support.ntp.org/bin/view/Main/NtpBug3592 https://bugzilla.redhat.com/show_bug.cgi?id=1716665 https://lists.debian.org/debian-lts-announce/2020/05/msg00004.html https://security.gentoo.org/glsa/202007-12 https://security.netapp.com/advisory/ntap-20200424-0002 https://www.oracle.com//security-alerts/cpujul2021.html https://access&# • CWE-346: Origin Validation Error CWE-400: Uncontrolled Resource Consumption •

CVSS: 5.3EPSS: 0%CPEs: 31EXPL: 0

ntpd in ntp 4.2.x before 4.2.8p7 and 4.3.x before 4.3.92 allows authenticated users that know the private symmetric key to create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549. ntpd en ntp, en versiones 4.2.x anteriores a la 4.2.8p7 y versiones 4.3.x anteriores a la 4.3.92, permite que usuarios autenticados que conozcan la clave privada simétrica creen de forma arbitraria muchas asociaciones efímeras para ganar la selección de reloj de ntpd y modifiquen el reloj de una víctima mediante un ataque Sybil. Este problema existe debido a una solución incompleta para CVE-2016-1549. • http://packetstormsecurity.com/files/146631/Slackware-Security-Advisory-ntp-Updates.html http://support.ntp.org/bin/view/Main/NtpBug3415 http://www.securityfocus.com/archive/1/541824/100/0/threaded http://www.securityfocus.com/bid/103194 https://bugzilla.redhat.com/show_bug.cgi?id=1550214 https://security.FreeBSD.org/advisories/FreeBSD-SA-18:02.ntp.asc https://security.gentoo.org/glsa/201805-12 https://security.netapp.com/advisory/ntap-20180626-0001 https://support.hpe.com/hpsc/doc •

CVSS: 7.8EPSS: 0%CPEs: 95EXPL: 0

Stack-based buffer overflow in the Windows installer for NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows local users to have unspecified impact via an application path on the command line. Desbordamiento de búfer basado en pila en el instalador de Windows para NTP en versiones anteriores a 4.2.8p10 y 4.3.x en versiones anteriores a 4.3.94 permite a usuarios locales tener un impacto no especificado a través de una ruta de la aplicación en la línea de comandos. • http://support.ntp.org/bin/view/Main/NtpBug3383 http://support.ntp.org/bin/view/Main/SecurityNotice#March_2017_ntp_4_2_8p10_NTP_Secu http://www.securityfocus.com/bid/97078 http://www.securitytracker.com/id/1038123 http://www.securitytracker.com/id/1039427 https://support.apple.com/HT208144 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •