// For flags

CVE-2016-1548

ntp: ntpd switching to interleaved mode with spoofed packets

Severity Score

7.2
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

An attacker can spoof a packet from a legitimate ntpd server with an origin timestamp that matches the peer->dst timestamp recorded for that server. After making this switch, the client in NTP 4.2.8p4 and earlier and NTPSec aa48d001683e5b791a743ec9c575aaf7d867a2b0c will reject all future legitimate server responses. It is possible to force the victim client to move time after the mode has been changed. ntpq gives no indication that the mode has been switched.

Un atacante puede suplantar un paquete de un servidor ntpd legítimo con una marca de tiempo de origen que coincida con la marca de tiempo peer->dst registrada para ese servidor. Después de hacer este cambio, el cliente en NTP 4.2.8p4 y versiones anteriores y NTPSec aa48d001683e5b791a743ec9c575aaf7d867a2b0c rechazarán todas las futuras respuestas legítimas del servidor. Es posible forzar al cliente víctima a mover el tiempo después de que el modo haya sido cambiado. ntpq no indica que el modo ha sido cambiado.

It was found that an ntpd client could be forced to change from basic client/server mode to the interleaved symmetric mode. A remote attacker could use a spoofed packet that, when processed by an ntpd client, would cause that client to reject all future legitimate server responses, effectively disabling time synchronization on that client.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
None
Integrity
Low
Availability
Low
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
None
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2016-01-07 CVE Reserved
  • 2016-05-02 CVE Published
  • 2024-02-29 EPSS Updated
  • 2024-08-05 CVE Updated
  • 2024-08-05 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-19: Data Processing Errors
CAPEC
References (36)
URL Tag Source
http://packetstormsecurity.com/files/136864/Slackware-Security-Advisory-ntp-Updates.html X_refsource_misc
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html X_refsource_confirm
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html X_refsource_confirm
http://www.securityfocus.com/archive/1/538233/100/0/threaded Mailing List
http://www.securityfocus.com/archive/1/archive/1/538233/100/0/threaded Mailing List
http://www.securityfocus.com/bid/88264 Vdb Entry
http://www.securitytracker.com/id/1035705 Vdb Entry
https://cert-portal.siemens.com/productcert/pdf/ssa-211752.pdf X_refsource_confirm
https://cert-portal.siemens.com/productcert/pdf/ssa-497656.pdf X_refsource_confirm
https://security.netapp.com/advisory/ntap-20171004-0002 X_refsource_confirm
https://us-cert.cisa.gov/ics/advisories/icsa-21-103-11 X_refsource_misc
https://us-cert.cisa.gov/ics/advisories/icsa-21-159-11 X_refsource_misc
https://www.arista.com/en/support/advisories-notices/security-advisories/1332-security-advisory-19 X_refsource_misc
https://www.kb.cert.org/vuls/id/718152 Third Party Advisory
https://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0082 X_refsource_misc
URL Date SRC
http://www.talosintelligence.com/reports/TALOS-2016-0082 2024-08-05
URL Date SRC
URL Date SRC
http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183647.html 2021-11-17
http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184669.html 2021-11-17
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00034.html 2021-11-17
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00037.html 2021-11-17
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00052.html 2021-11-17
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00001.html 2021-11-17
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00020.html 2021-11-17
http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00026.html 2021-11-17
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00042.html 2021-11-17
http://lists.opensuse.org/opensuse-updates/2016-05/msg00114.html 2021-11-17
http://rhn.redhat.com/errata/RHSA-2016-1552.html 2021-11-17
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160428-ntpd 2021-11-17
http://www.debian.org/security/2016/dsa-3629 2021-11-17
http://www.ubuntu.com/usn/USN-3096-1 2021-11-17
https://access.redhat.com/errata/RHSA-2016:1141 2021-11-17
https://security.FreeBSD.org/advisories/FreeBSD-SA-16:16.ntp.asc 2021-11-17
https://security.gentoo.org/glsa/201607-15 2021-11-17
https://www.debian.org/security/2016/dsa-3629 2021-11-17
https://access.redhat.com/security/cve/CVE-2016-1548 2016-08-03
https://bugzilla.redhat.com/show_bug.cgi?id=1331462 2016-08-03
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Ntp
Search vendor "Ntp"
 Ntp
Search vendor "Ntp" for product "Ntp"
 4.2.8
Search vendor "Ntp" for product "Ntp" and version "4.2.8"
p4
Affected