ntpd in NTP before 4.2.8p7 and 4.3.x before 4.3.92 allows remote attackers to cause a denial of service (ntpd abort) by a large request data value, which triggers the ctl_getitem function to return a NULL value.

According to its self-reported version number, the version of Junos Space running on the remote device is < 17.1R1, and is therefore affected by multiple vulnerabilities.

The version of NTP installed on the remote AIX host is affected by the following vulnerabilities :

  - A time serving flaw exists in the trusted key system     due to improper key checks. An authenticated, remote     attacker can exploit this to perform impersonation     attacks between authenticated peers. (CVE-2015-7974)

  - An information disclosure vulnerability exists in the     message authentication functionality in libntp that is     triggered during the handling of a series of specially     crafted messages. An adjacent attacker can exploit this     to partially recover the message digest key.
    (CVE-2016-1550)

  - A flaw exists due to improper filtering of IPv4 'bogon'     packets received from a network. An unauthenticated,     remote attacker can exploit this to spoof packets to     appear to come from a specific reference clock.
    (CVE-2016-1551)

  - A denial of service vulnerability exists that allows an     authenticated, remote attacker to manipulate the value     of the trustedkey, controlkey, or requestkey via a     crafted packet, preventing authentication with ntpd     until the daemon has been restarted. (CVE-2016-2517)

  - An out-of-bounds read error exists in the MATCH_ASSOC()     function that occurs during the creation of peer     associations with hmode greater than 7. An     authenticated, remote attacker can exploit this, via a     specially crafted packet, to cause a denial of service.
    (CVE-2016-2518)

  - An overflow condition exists in the ctl_getitem()     function in ntpd due to improper validation of     user-supplied input when reporting return values. An     authenticated, remote attacker can exploit this to cause     ntpd to abort. (CVE-2016-2519)

Yihan Lian discovered that NTP incorrectly handled certain large request data values. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2016-2519)

Miroslav Lichvar discovered that NTP incorrectly handled certain spoofed addresses when performing rate limiting. A remote attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7426)

Matthew Van Gundy discovered that NTP incorrectly handled certain crafted broadcast mode packets. A remote attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7427, CVE-2016-7428)

Miroslav Lichvar discovered that NTP incorrectly handled certain responses. A remote attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7429)

Sharon Goldberg and Aanchal Malhotra discovered that NTP incorrectly handled origin timestamps of zero. A remote attacker could possibly use this issue to bypass the origin timestamp protection mechanism.
This issue only affected Ubuntu 16.10. (CVE-2016-7431)

Brian Utterback, Sharon Goldberg and Aanchal Malhotra discovered that NTP incorrectly performed initial sync calculations. This issue only applied to Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7433)

Magnus Stubman discovered that NTP incorrectly handled certain mrulist queries. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7434)

Matthew Van Gund discovered that NTP incorrectly handled origin timestamp checks. A remote attacker could possibly use this issue to perform a denial of service. This issue only affected Ubuntu Ubuntu 16.10, and Ubuntu 17.04. (CVE-2016-9042)

Matthew Van Gundy discovered that NTP incorrectly handled certain control mode packets. A remote attacker could use this issue to set or unset traps. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9310)

Matthew Van Gundy discovered that NTP incorrectly handled the trap service. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. This issue only applied to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9311)

It was discovered that NTP incorrectly handled memory when processing long variables. A remote authenticated user could possibly use this issue to cause NTP to crash, resulting in a denial of service.
(CVE-2017-6458)

It was discovered that NTP incorrectly handled memory when processing long variables. A remote authenticated user could possibly use this issue to cause NTP to crash, resulting in a denial of service. This issue only applied to Ubuntu 16.04 LTS, Ubuntu 16.10 and Ubuntu 17.04.
(CVE-2017-6460)

It was discovered that the NTP legacy DPTS refclock driver incorrectly handled the /dev/datum device. A local attacker could possibly use this issue to cause a denial of service. (CVE-2017-6462)

It was discovered that NTP incorrectly handled certain invalid settings in a :config directive. A remote authenticated user could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2017-6463)

It was discovered that NTP incorrectly handled certain invalid mode configuration directives. A remote authenticated user could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2017-6464).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of NTP installed on the remote AIX host is affected by the following vulnerabilities :

  - A time serving flaw exists in the trusted key system     due to improper key checks. An authenticated, remote     attacker can exploit this to perform impersonation     attacks between authenticated peers. (CVE-2015-7974)

  - A denial of service vulnerability exists due to improper     handling of a crafted Crypto NAK Packet with a source     address spoofed to match that of an existing associated     peer. An unauthenticated, remote attacker can exploit     this to demobilize a client association. (CVE-2016-1547)

  - An information disclosure vulnerability exists in the     message authentication functionality in libntp that is     triggered during the handling of a series of specially     crafted messages. An adjacent attacker can exploit this     to partially recover the message digest key.
    (CVE-2016-1550)

  - A flaw exists due to improper filtering of IPv4 'bogon'     packets received from a network. An unauthenticated,     remote attacker can exploit this to spoof packets to     appear to come from a specific reference clock.
    (CVE-2016-1551)

  - A denial of service vulnerability exists that allows an     authenticated, remote attacker to manipulate the value     of the trustedkey, controlkey, or requestkey via a     crafted packet, preventing authentication with ntpd     until the daemon has been restarted. (CVE-2016-2517)

  - An out-of-bounds read error exists in the MATCH_ASSOC()     function that occurs during the creation of peer     associations with hmode greater than 7. An     authenticated, remote attacker can exploit this, via a     specially crafted packet, to cause a denial of service.
    (CVE-2016-2518)

  - An overflow condition exists in the ctl_getitem()     function in ntpd due to improper validation of     user-supplied input when reporting return values. An     authenticated, remote attacker can exploit this to cause     ntpd to abort. (CVE-2016-2519)

  - A denial of service vulnerability exists when handling     authentication due to improper packet timestamp checks.
    An unauthenticated, remote attacker can exploit this,     via a specially crafted and spoofed packet, to     demobilize the ephemeral associations. (CVE-2016-4953)

  - A flaw exists that is triggered when handling spoofed     packets. An unauthenticated, remote attacker can exploit     this, via specially crafted packets, to affect peer     variables (e.g., cause leap indications to be set). Note     that the attacker must be able to spoof packets with     correct origin timestamps from servers before expected     response packets arrive. (CVE-2016-4954)

  - A flaw exists that is triggered when handling spoofed     packets. An unauthenticated, remote attacker can exploit     this, via specially crafted packets, to reset autokey     associations. Note that the attacker must be able to     spoof packets with correct origin timestamps from     servers before expected response packets arrive.
    (CVE-2016-4955)

  - A denial of service vulnerability exists when handling     CRYPTO_NAK packets that allows an unauthenticated,     remote attacker to cause a crash. (CVE-2016-4957)

NTP was updated to version 4.2.8p8 to fix several security issues and to ensure the continued maintainability of the package.

These security issues were fixed :

CVE-2016-4953: Bad authentication demobilized ephemeral associations (bsc#982065).

CVE-2016-4954: Processing spoofed server packets (bsc#982066).

CVE-2016-4955: Autokey association reset (bsc#982067).

CVE-2016-4956: Broadcast interleave (bsc#982068).

CVE-2016-4957: CRYPTO_NAK crash (bsc#982064).

CVE-2016-1547: Validate crypto-NAKs to prevent ACRYPTO-NAK DoS (bsc#977459).

CVE-2016-1548: Prevent the change of time of an ntpd client or denying service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode (bsc#977461).

CVE-2016-1549: Sybil vulnerability: ephemeral association attack (bsc#977451).

CVE-2016-1550: Improve security against buffer comparison timing attacks (bsc#977464).

CVE-2016-1551: Refclock impersonation vulnerability (bsc#977450)y

CVE-2016-2516: Duplicate IPs on unconfig directives could have caused an assertion botch in ntpd (bsc#977452).

CVE-2016-2517: Remote configuration trustedkey/ requestkey/controlkey values are not properly validated (bsc#977455).

CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457).

CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458).

CVE-2015-8158: Potential Infinite Loop in ntpq (bsc#962966).

CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).

CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784).

CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000).

CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).

CVE-2015-7976: ntpq saveconfig command allowed dangerous characters in filenames (bsc#962802).

CVE-2015-7975: nextvar() missing length check (bsc#962988).

CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might have allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a 'skeleton' key (bsc#962960).

CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995).

CVE-2015-5300: MITM attacker can force ntpd to make a step larger than the panic threshold (bsc#951629).

CVE-2015-5194: Crash with crafted logconfig configuration command (bsc#943218).

CVE-2015-7871: NAK to the Future: Symmetric association authentication bypass via crypto-NAK (bsc#952611).

CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (bsc#952611).

CVE-2015-7854: Password Length Memory Corruption Vulnerability (bsc#952611).

CVE-2015-7853: Invalid length data provided by a custom refclock driver could cause a buffer overflow (bsc#952611).

CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability (bsc#952611).

CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#952611).

CVE-2015-7850: Clients that receive a KoD now validate the origin timestamp field (bsc#952611).

CVE-2015-7849: Prevent use-after-free trusted key (bsc#952611).

CVE-2015-7848: Prevent mode 7 loop counter underrun (bsc#952611).

CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#952611).

CVE-2015-7703: Configuration directives 'pidfile' and 'driftfile' should only be allowed locally (bsc#943221).

CVE-2015-7704: Clients that receive a KoD should validate the origin timestamp field (bsc#952611).

CVE-2015-7705: Clients that receive a KoD should validate the origin timestamp field (bsc#952611).

CVE-2015-7691: Incomplete autokey data packet length checks (bsc#952611).

CVE-2015-7692: Incomplete autokey data packet length checks (bsc#952611).

CVE-2015-7702: Incomplete autokey data packet length checks (bsc#952611).

CVE-2015-1798: The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP required a correct MAC only if the MAC field has a nonzero length, which made it easier for man-in-the-middle attackers to spoof packets by omitting the MAC (bsc#924202).

CVE-2015-1799: The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP performed state-variable updates upon receiving certain invalid packets, which made it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer (bsc#924202).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201607-15 (NTP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in NTP. Please review the       CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

ntp was updated to version 4.2.8p8 to fix 17 security issues.

These security issues were fixed :

  - CVE-2016-4956: Broadcast interleave (bsc#982068).

  - CVE-2016-2518: Crafted addpeer with hmode > 7 causes     array wraparound with MATCH_ASSOC (bsc#977457).

  - CVE-2016-2519: ctl_getitem() return value not always     checked (bsc#977458).

  - CVE-2016-4954: Processing spoofed server packets     (bsc#982066).

  - CVE-2016-4955: Autokey association reset (bsc#982067).

  - CVE-2015-7974: NTP did not verify peer associations of     symmetric keys when authenticating packets, which might     allowed remote attackers to conduct impersonation     attacks via an arbitrary trusted key, aka a 'skeleton     key (bsc#962960).

  - CVE-2016-4957: CRYPTO_NAK crash (bsc#982064).

  - CVE-2016-2516: Duplicate IPs on unconfig directives will     cause an assertion botch (bsc#977452).

  - CVE-2016-2517: Remote configuration     trustedkey/requestkey values are not properly validated     (bsc#977455).

  - CVE-2016-4953: Bad authentication demobilizes ephemeral     associations (bsc#982065).

  - CVE-2016-1547: CRYPTO-NAK DoS (bsc#977459).

  - CVE-2016-1551: Refclock impersonation vulnerability,     AKA: refclock-peering (bsc#977450).

  - CVE-2016-1550: Improve NTP security against buffer     comparison timing attacks, authdecrypt-timing, AKA:
    authdecrypt-timing (bsc#977464).

  - CVE-2016-1548: Interleave-pivot - MITIGATION ONLY     (bsc#977461).

  - CVE-2016-1549: Sybil vulnerability: ephemeral     association attack, AKA: ntp-sybil - MITIGATION ONLY     (bsc#977451).

This release also contained improved patches for CVE-2015-7704, CVE-2015-7705, CVE-2015-7974.

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ntp fixes the following issues :

  - Update to 4.2.8p7 (boo#977446) :

  - CVE-2016-1547, boo#977459: Validate crypto-NAKs, AKA:
    CRYPTO-NAK DoS.

  - CVE-2016-1548, boo#977461: Interleave-pivot

  - CVE-2016-1549, boo#977451: Sybil vulnerability:
    ephemeral association attack.

  - CVE-2016-1550, boo#977464: Improve NTP security against     buffer comparison timing attacks.

  - CVE-2016-1551, boo#977450: Refclock impersonation     vulnerability

  - CVE-2016-2516, boo#977452: Duplicate IPs on unconfig     directives will cause an assertion botch in ntpd.

  - CVE-2016-2517, boo#977455: remote configuration     trustedkey/ requestkey/controlkey values are not     properly validated.

  - CVE-2016-2518, boo#977457: Crafted addpeer with hmode >     7 causes array wraparound with MATCH_ASSOC.

  - CVE-2016-2519, boo#977458: ctl_getitem() return value     not always checked.

  - integrate ntp-fork.patch

  - Improve the fixes for: CVE-2015-7704, CVE-2015-7705,     CVE-2015-7974

  - Restrict the parser in the startup script to the first     occurrance of 'keys' and 'controlkey' in ntp.conf     (boo#957226).

  - Enable compile-time support for MS-SNTP     (--enable-ntp-signd). This replaces the w32 patches in     4.2.4 that added the authreg directive. (fate#320758).

  - Fix ntp-sntp-dst.patch (boo#975496).

  - Call /usr/sbin/sntp with full path to synchronize in     start-ntpd. When run as cron job, /usr/sbin/ is not in     the path, which caused the synchronization to fail.
    (boo#962318)

  - Speedup ntpq (boo#782060, ntp-speedup-ntpq.patch).

  - Sync service files with openSUSE Factory.

  - Fix the TZ offset output of sntp during DST     (boo#951559).

  - Add ntp-fork.patch and build with threads disabled to     allow name resolution even when running chrooted.

  - Update to 4.2.8p6 :

  - CVE-2015-8158, boo#962966: Potential Infinite Loop in     ntpq.

  - CVE-2015-8138, boo#963002: origin: Zero Origin Timestamp     Bypass.

  - CVE-2015-7979, boo#962784: Off-path Denial of Service     (DoS) attack on authenticated broadcast mode.

  - CVE-2015-7978, boo#963000: Stack exhaustion in recursive     traversal of restriction list.

  - CVE-2015-7977, boo#962970: reslist NULL pointer     dereference.

  - CVE-2015-7976, boo#962802: ntpq saveconfig command     allows dangerous characters in filenames.

  - CVE-2015-7975, boo#962988: nextvar() missing length     check.

  - CVE-2015-7974, boo#962960: Skeleton Key: Missing key     check allows impersonation between authenticated peers.

  - CVE-2015-7973, boo#962995: Deja Vu: Replay attack on     authenticated broadcast mode.

  - CVE-2015-8140: ntpq vulnerable to replay attacks.

  - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose     origin.

  - CVE-2015-5300, boo#951629: Small-step/Big-step.

  - Add /var/db/ntp-kod (boo#916617).

  - Add ntp-ENOBUFS.patch to limit a warning that might     happen quite a lot on loaded systems (boo#956773).

  - add ntp.bug2965.diff (boo#954982)

  - fixes regression in 4.2.8p4 update

  - Update to 4.2.8p4 to fix several security issues     (boo#951608) :

  - CVE-2015-7871: NAK to the Future: Symmetric association     authentication bypass via crypto-NAK

  - CVE-2015-7855: decodenetnum() will ASSERT botch instead     of returning FAIL on some bogus values

  - CVE-2015-7854: Password Length Memory Corruption     Vulnerability

  - CVE-2015-7853: Invalid length data provided by a custom     refclock driver could cause a buffer overflow

  - CVE-2015-7852 ntpq atoascii() Memory Corruption     Vulnerability

  - CVE-2015-7851 saveconfig Directory Traversal     Vulnerability

  - CVE-2015-7850 remote config logfile-keyfile

  - CVE-2015-7849 trusted key use-after-free

  - CVE-2015-7848 mode 7 loop counter underrun

  - CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC

  - CVE-2015-7703 configuration directives 'pidfile' and     'driftfile' should only be allowed locally

  - CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD     should validate the origin timestamp field

  - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete     autokey data packet length checks

  - obsoletes ntp-memlock.patch.

  - Add a controlkey line to /etc/ntp.conf if one does not     already exist to allow runtime configuuration via ntpq.

  - Temporarily disable memlock to avoid problems due to     high memory usage during name resolution (boo#946386,     ntp-memlock.patch).

  - Use SHA1 instead of MD5 for symmetric keys (boo#905885).

  - Improve runtime configuration :

  - Read keytype from ntp.conf

  - Don't write ntp keys to syslog.

  - Fix legacy action scripts to pass on command line     arguments.

  - Remove ntp.1.gz, it wasn't installed anymore.

  - Remove ntp-4.2.7-rh-manpages.tar.gz and only keep     ntptime.8.gz. The rest is partially irrelevant,     partially redundant and potentially outdated     (boo#942587).

  - Remove 'kod' from the restrict line in ntp.conf     (boo#944300).

  - Use ntpq instead of deprecated ntpdc in start-ntpd     (boo#936327).

  - Add a controlkey to ntp.conf to make the above work.

  - Don't let 'keysdir' lines in ntp.conf trigger the 'keys'     parser.

  - Disable mode 7 (ntpdc) again, now that we don't use it     anymore.

  - Add 'addserver' as a new legacy action.

  - Fix the comment regarding addserver in ntp.conf     (boo#910063).

  - Update to version 4.2.8p3 which incorporates all     security fixes and most other patches we have so far     (fate#319040). More information on:
    http://archive.ntp.org/ntp4/ChangeLog-stable

  - Disable chroot by default (boo#926510).

  - Enable ntpdc for backwards compatibility (boo#920238).

  - Security fix: ntp-keygen may generate non-random     symmetric keys

This update for ntp to 4.2.8p7 fixes the following issues :

  - CVE-2016-1547, bsc#977459: Validate crypto-NAKs, AKA:
    CRYPTO-NAK DoS.

  - CVE-2016-1548, bsc#977461: Interleave-pivot

  - CVE-2016-1549, bsc#977451: Sybil vulnerability:
    ephemeral association attack.

  - CVE-2016-1550, bsc#977464: Improve NTP security against     buffer comparison timing attacks.

  - CVE-2016-1551, bsc#977450: Refclock impersonation     vulnerability

  - CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig     directives will cause an assertion botch in ntpd.

  - CVE-2016-2517, bsc#977455: remote configuration     trustedkey/ requestkey/controlkey values are not     properly validated.

  - CVE-2016-2518, bsc#977457: Crafted addpeer with hmode >     7 causes array wraparound with MATCH_ASSOC.

  - CVE-2016-2519, bsc#977458: ctl_getitem() return value     not always checked.

  - This update also improves the fixes for: CVE-2015-7704,     CVE-2015-7705, CVE-2015-7974

Bugs fixed :

  - Restrict the parser in the startup script to the first     occurrance of 'keys' and 'controlkey' in ntp.conf     (bsc#957226).

This update was imported from the SUSE:SLE-12-SP1:Update update project.

This update for ntp to 4.2.8p7 fixes the following issues :

  - CVE-2016-1547, bsc#977459: Validate crypto-NAKs, AKA:
    CRYPTO-NAK DoS.

  - CVE-2016-1548, bsc#977461: Interleave-pivot

  - CVE-2016-1549, bsc#977451: Sybil vulnerability:
    ephemeral association attack.

  - CVE-2016-1550, bsc#977464: Improve NTP security against     buffer comparison timing attacks.

  - CVE-2016-1551, bsc#977450: Refclock impersonation     vulnerability

  - CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig     directives will cause an assertion botch in ntpd.

  - CVE-2016-2517, bsc#977455: remote configuration     trustedkey/ requestkey/controlkey values are not     properly validated.

  - CVE-2016-2518, bsc#977457: Crafted addpeer with hmode >     7 causes array wraparound with MATCH_ASSOC.

  - CVE-2016-2519, bsc#977458: ctl_getitem() return value     not always checked.

  - This update also improves the fixes for: CVE-2015-7704,     CVE-2015-7705, CVE-2015-7974

Bugs fixed :

  - Restrict the parser in the startup script to the first     occurrance of 'keys' and 'controlkey' in ntp.conf     (bsc#957226).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p7.
It is, therefore, affected by the following vulnerabilities :

  - A denial of service vulnerability exists due to improper     validation of the origin timestamp field when handling a     Kiss-of-Death (KoD) packet. An unauthenticated, remote     attacker can exploit this to cause a client to stop     querying its servers, preventing the client from     updating its clock. (CVE-2015-7704)

  - A flaw exists in the receive() function in ntp_proto.c     that allows packets with an origin timestamp of zero to     bypass security checks. An unauthenticated, remote     attacker can exploit this to spoof arbitrary content.
    (CVE-2015-8138)

  - A denial of service vulnerability exists due to improper     handling of a crafted Crypto NAK Packet with a source     address spoofed to match that of an existing associated     peer. An unauthenticated, remote attacker can exploit     this to demobilize a client association. (CVE-2016-1547)

  - A denial of service vulnerability exists due to improper     handling of packets spoofed to appear to be from a valid     ntpd server. An unauthenticated, remote attacker can     exploit this to cause NTP to switch from basic     client/server mode to interleaved symmetric mode,     causing the client to reject future legitimate     responses. (CVE-2016-1548)

  - A race condition exists that is triggered during the     handling of a saturation of ephemeral associations. An     authenticated, remote attacker can exploit this to     defeat NTP's clock selection algorithm and modify a     user's clock. (CVE-2016-1549)

  - An information disclosure vulnerability exists in the     message authentication functionality in libntp that is     triggered during the handling of a series of specially     crafted messages. An adjacent attacker can exploit this     to partially recover the message digest key.
    (CVE-2016-1550)

  - A flaw exists due to improper filtering of IPv4 'bogon'     packets received from a network. An unauthenticated,     remote attacker can exploit this to spoof packets to     appear to come from a specific reference clock.
    (CVE-2016-1551)

  - A denial of service vulnerability exists that allows an     authenticated, remote attacker that has knowledge of the     controlkey for ntpq or the requestkey for ntpdc to     create a session with the same IP twice on an     unconfigured directive line, causing ntpd to abort.
    (CVE-2016-2516)

  - A denial of service vulnerability exists that allows an     authenticated, remote attacker to manipulate the value     of the trustedkey, controlkey, or requestkey via a     crafted packet, preventing authentication with ntpd     until the daemon has been restarted. (CVE-2016-2517)

  - An out-of-bounds read error exists in the MATCH_ASSOC()     function that occurs during the creation of peer     associations with hmode greater than 7. An     authenticated, remote attacker can exploit this, via a     specially crafted packet, to cause a denial of service.
    (CVE-2016-2518)

  - An overflow condition exists in the ctl_getitem()     function in ntpd due to improper validation of     user-supplied input when reporting return values. An     authenticated, remote attacker can exploit this to cause     ntpd to abort. (CVE-2016-2519)

New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

Network Time Foundation reports :

NTF's NTP Project has been notified of the following low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p7, released on Tuesday, 26 April 2016 :

- Bug 3020 / CVE-2016-1551: Refclock impersonation vulnerability, AKA:
refclock-peering. Reported by Matt Street and others of Cisco ASIG

- Bug 3012 / CVE-2016-1549: Sybil vulnerability : ephemeral association attack, AKA: ntp-sybil - MITIGATION ONLY. Reported by Matthew Van Gundy of Cisco ASIG

- Bug 3011 / CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion botch. Reported by Yihan Lian of the Cloud Security Team, Qihoo 360

- Bug 3010 / CVE-2016-2517: Remote configuration trustedkey/requestkey values are not properly validated. Reported by Yihan Lian of the Cloud Security Team, Qihoo 360

- Bug 3009 / CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC. Reported by Yihan Lian of the Cloud Security Team, Qihoo 360

- Bug 3008 / CVE-2016-2519: ctl_getitem() return value not always checked. Reported by Yihan Lian of the Cloud Security Team, Qihoo 360

- Bug 3007 / CVE-2016-1547: Validate crypto-NAKs, AKA: nak-dos.
Reported by Stephen Gray and Matthew Van Gundy of Cisco ASIG

- Bug 2978 / CVE-2016-1548: Interleave-pivot - MITIGATION ONLY.
Reported by Miroslav Lichvar of RedHat and separately by Jonathan Gardner of Cisco ASIG.

- Bug 2952 / CVE-2015-7704: KoD fix: peer associations were broken by the fix for NtpBug2901, AKA: Symmetric active/passive mode is broken.
Reported by Michael Tatarinov, NTP Project Developer Volunteer

- Bug 2945 / Bug 2901 / CVE-2015-8138: Zero Origin Timestamp Bypass, AKA: Additional KoD Checks. Reported by Jonathan Gardner of Cisco ASIG

- Bug 2879 / CVE-2016-1550: Improve NTP security against buffer comparison timing attacks, authdecrypt-timing, AKA:
authdecrypt-timing. Reported independently by Loganaden Velvindron, and Matthew Van Gundy and Stephen Gray of Cisco ASIG.

ID	Name	Product	Family	Severity
104100	Juniper Junos Space < 17.1R1 Multiple Vulnerabilities (JSA10826)	Nessus	Junos Local Security Checks	critical
102128	AIX NTP v3 Advisory : ntp_advisory7.asc (IV87614) (IV87419) (IV87615) (IV87420) (IV87939)	Nessus	AIX Local Security Checks	medium
101263	Ubuntu 14.04 LTS / 16.04 LTS : NTP vulnerabilities (USN-3349-1)	Nessus	Ubuntu Local Security Checks	high
99183	AIX NTP v4 Advisory : ntp_advisory7.asc (IV87278) (IV87279)	Nessus	AIX Local Security Checks	high
93186	SUSE SLES10 Security Update : ntp (SUSE-SU-2016:1912-1)	Nessus	SuSE Local Security Checks	critical
92485	GLSA-201607-15 : NTP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
91663	SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1568-1)	Nessus	SuSE Local Security Checks	critical
91403	openSUSE Security Update : ntp (openSUSE-2016-649)	Nessus	SuSE Local Security Checks	critical
91269	openSUSE Security Update : ntp (openSUSE-2016-599)	Nessus	SuSE Local Security Checks	critical
91159	SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1291-1)	Nessus	SuSE Local Security Checks	critical
91120	SUSE SLES11 Security Update : ntp (SUSE-SU-2016:1278-1)	Nessus	SuSE Local Security Checks	critical
90923	Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p7 Multiple Vulnerabilities	Nessus	Misc.	critical
90800	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2016-120-01)	Nessus	Slackware Local Security Checks	high
90742	FreeBSD : ntp -- multiple vulnerabilities (b2487d9a-0c30-11e6-acd0-d050996490d0)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2016-2519

medium

Tenable Plugins

critical

medium

high

high

critical

critical

critical

critical

critical

critical

critical

critical

high

high