ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time.

ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

According to the versions of the ntp packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - A vulnerability was discovered in the NTP server's     parsing of configuration directives. A remote,     authenticated attacker could cause ntpd to crash by     sending a crafted message.(CVE-2017-6463)

  - ntpd in NTP 4.x before 4.2.8p8, when autokey is     enabled, allows remote attackers to cause a denial of     service (peer-variable clearing and association outage)     by sending (1) a spoofed crypto-NAK packet or (2) a     packet with an incorrect MAC value at a certain     time.(CVE-2016-4955)

  - The ntpq and ntpdc command-line utilities that are part     of ntp package are vulnerable to stack-based buffer     overflow via crafted hostname. Applications using these     vulnerable utilities with an untrusted input may be     potentially exploited, resulting in a crash or     arbitrary code execution under privileges of that     application.(CVE-2018-12327)

  - NTP before 4.2.8p7 and 4.3.x before 4.3.92, when mode7     is enabled, allows remote attackers to cause a denial     of service (ntpd abort) by using the same IP address     multiple times in an unconfig directive.(CVE-2016-2516)

  - A flaw was found in the way NTP verified trusted keys     during symmetric key authentication. An authenticated     client (A) could use this flaw to modify a packet sent     between a server (B) and a client (C) using a key that     is different from the one known to the client     (A).(CVE-2015-7974)

  - A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If     ntpd was configured to use autokey authentication, an     attacker could send packets to ntpd that would, after     several days of ongoing attack, cause it to run out of     memory.(CVE-2015-7701)

  - An out-of-bounds access flaw was found in the way ntpd     processed certain packets. An authenticated attacker     could use a crafted packet to create a peer association     with hmode of 7 and larger, which could potentially     (although highly unlikely) cause ntpd to     crash.(CVE-2016-2518)

  - A stack-based buffer overflow was found in the way the     NTP autokey protocol was implemented. When an NTP     client decrypted a secret received from an NTP server,     it could cause that client to crash.(CVE-2014-9750)

  - It was found that NTP's :config command could be used     to set the pidfile and driftfile paths without any     restrictions. A remote attacker could use this flaw to     overwrite a file on the file system with a file     containing the pid of the ntpd process (immediately) or     the current estimated drift of the system clock (in     hourly intervals).(CVE-2015-7703)

  - A flaw was found in the way ntpd running on a host with     multiple network interfaces handled certain server     responses. A remote attacker could use this flaw which     would cause ntpd to not synchronize with the     source.(CVE-2016-7429)

  - A flaw was found in the way ntpd implemented the trap     service. A remote attacker could send a specially     crafted packet to cause a null pointer dereference that     will crash ntpd, resulting in a denial of     service.(CVE-2016-9311)

  - It was found that ntp-keygen used a weak method for     generating MD5 keys. This could possibly allow an     attacker to guess generated MD5 keys that could then be     used to spoof an NTP client or server. Note: it is     recommended to regenerate any MD5 keys that had     explicitly been generated with ntp-keygen the default     installation does not contain such keys.(CVE-2014-9294)

  - It was found that when NTP was configured in broadcast     mode, a remote attacker could broadcast packets with     bad authentication to all clients. The clients, upon     receiving the malformed packets, would break the     association with the broadcast server, causing them to     become out of sync over a longer period of     time.(CVE-2015-7979)

  - A flaw was found in the way ntpd calculated the root     delay. A remote attacker could send a specially-crafted     spoofed packet to cause denial of service or in some     special cases even crash.(CVE-2016-7433)

  - It was found that the fix for CVE-2014-9750 was     incomplete: three issues were found in the value length     checks in NTP's ntp_crypto.c, where a packet with     particular autokey operations that contained malicious     data was not always being completely validated. A     remote attacker could use a specially crafted NTP     packet to crash ntpd.(CVE-2015-7691)

  - It was found that ntpd did not correctly implement the     threshold limitation for the '-g' option, which is used     to set the time without any restrictions. A     man-in-the-middle attacker able to intercept NTP     traffic between a connecting client and an NTP server     could use this flaw to force that client to make     multiple steps larger than the panic threshold,     effectively changing the time to an arbitrary value at     any time.(CVE-2015-5300)

  - It was found that ntpd would exit with a segmentation     fault when a statistics type that was not enabled     during compilation (e.g. timingstats) was referenced by     the statistics or filegen configuration     command.(CVE-2015-5195)

  - An off-by-one flaw, leading to a buffer overflow, was     found in cookedprint functionality of ntpq. A specially     crafted NTP packet could potentially cause ntpq to     crash.(CVE-2015-7852)

  - ntpd in NTP 4.x before 4.2.8p8 allows remote attackers     to cause a denial of service (interleaved-mode     transition and time change) via a spoofed broadcast     packet. NOTE: this vulnerability exists because of an     incomplete fix for CVE-2016-1548.(CVE-2016-4956)

  - A stack-based buffer overflow flaw was found in the way     ntpd processed 'ntpdc reslist' commands that queried     restriction lists with a large amount of entries. A     remote attacker could use this flaw to crash     ntpd.(CVE-2015-7978)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ntp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - ntpq in NTP before 4.2.8p7 allows remote attackers to     obtain origin timestamps and then impersonate peers via     unspecified vectors.(CVE-2015-8139)

  - NTP before 4.2.8p7 and 4.3.x before 4.3.92, when mode7     is enabled, allows remote attackers to cause a denial     of service (ntpd abort) by using the same IP address     multiple times in an unconfig directive.(CVE-2016-2516)

  - The process_packet function in ntp_proto.c in ntpd in     NTP 4.x before 4.2.8p8 allows remote attackers to cause     a denial of service (peer-variable modification) by     sending spoofed packets from many source IP addresses     in a certain scenario, as demonstrated by triggering an     incorrect leap indication.(CVE-2016-4954)

  - ntpd in NTP 4.x before 4.2.8p8, when autokey is     enabled, allows remote attackers to cause a denial of     service (peer-variable clearing and association outage)     by sending (1) a spoofed crypto-NAK packet or (2) a     packet with an incorrect MAC value at a certain     time.(CVE-2016-4955)

  - ntpd in NTP 4.x before 4.2.8p8 allows remote attackers     to cause a denial of service (interleaved-mode     transition and time change) via a spoofed broadcast     packet. NOTE: this vulnerability exists because of an     incomplete fix for CVE-2016-1548.(CVE-2016-4956)

  - Buffer overflow in the legacy Datum Programmable Time     Server (DPTS) refclock driver in NTP before 4.2.8p10     and 4.3.x before 4.3.94 allows local users to have     unspecified impact via a crafted /dev/datum     device.(CVE-2017-6462)

  - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows     remote authenticated users to cause a denial of service     (daemon crash) via an invalid setting in a :config     directive, related to the unpeer option.(CVE-2017-6463)

  - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows     remote attackers to cause a denial of service (ntpd     crash) via a malformed mode configuration     directive.(CVE-2017-6464)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the ntp packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - ntpq in NTP before 4.2.8p7 allows remote attackers to     obtain origin timestamps and then impersonate peers via     unspecified vectors.i1/4^CVE-2015-8139i1/4%0

  - NTP before 4.2.8p7 and 4.3.x before 4.3.92, when mode7     is enabled, allows remote attackers to cause a denial     of service (ntpd abort) by using the same IP address     multiple times in an unconfig     directive.i1/4^CVE-2016-2516i1/4%0

  - The process_packet function in ntp_proto.c in ntpd in     NTP 4.x before 4.2.8p8 allows remote attackers to cause     a denial of service (peer-variable modification) by     sending spoofed packets from many source IP addresses     in a certain scenario, as demonstrated by triggering an     incorrect leap indication.i1/4^CVE-2016-4954i1/4%0

  - ntpd in NTP 4.x before 4.2.8p8, when autokey is     enabled, allows remote attackers to cause a denial of     service (peer-variable clearing and association outage)     by sending (1) a spoofed crypto-NAK packet or (2) a     packet with an incorrect MAC value at a certain     time.i1/4^CVE-2016-4955i1/4%0

  - ntpd in NTP 4.x before 4.2.8p8 allows remote attackers     to cause a denial of service (interleaved-mode     transition and time change) via a spoofed broadcast     packet. NOTE: this vulnerability exists because of an     incomplete fix for CVE-2016-1548.i1/4^CVE-2016-4956i1/4%0

  - Buffer overflow in the legacy Datum Programmable Time     Server (DPTS) refclock driver in NTP before 4.2.8p10     and 4.3.x before 4.3.94 allows local users to have     unspecified impact via a crafted /dev/datum     device.i1/4^CVE-2017-6462i1/4%0

  - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows     remote authenticated users to cause a denial of service     (daemon crash) via an invalid setting in a :config     directive, related to the unpeer     option.i1/4^CVE-2017-6463i1/4%0

  - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows     remote attackers to cause a denial of service (ntpd     crash) via a malformed mode configuration     directive.i1/4^CVE-2017-6464i1/4%0

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of NTP installed on the remote AIX host is affected by the following vulnerabilities :

  - A time serving flaw exists in the trusted key system     due to improper key checks. An authenticated, remote     attacker can exploit this to perform impersonation     attacks between authenticated peers. (CVE-2015-7974)

  - A denial of service vulnerability exists due to improper     handling of a crafted Crypto NAK Packet with a source     address spoofed to match that of an existing associated     peer. An unauthenticated, remote attacker can exploit     this to demobilize a client association. (CVE-2016-1547)

  - An information disclosure vulnerability exists in the     message authentication functionality in libntp that is     triggered during the handling of a series of specially     crafted messages. An adjacent attacker can exploit this     to partially recover the message digest key.
    (CVE-2016-1550)

  - A flaw exists due to improper filtering of IPv4 'bogon'     packets received from a network. An unauthenticated,     remote attacker can exploit this to spoof packets to     appear to come from a specific reference clock.
    (CVE-2016-1551)

  - A denial of service vulnerability exists that allows an     authenticated, remote attacker to manipulate the value     of the trustedkey, controlkey, or requestkey via a     crafted packet, preventing authentication with ntpd     until the daemon has been restarted. (CVE-2016-2517)

  - An out-of-bounds read error exists in the MATCH_ASSOC()     function that occurs during the creation of peer     associations with hmode greater than 7. An     authenticated, remote attacker can exploit this, via a     specially crafted packet, to cause a denial of service.
    (CVE-2016-2518)

  - An overflow condition exists in the ctl_getitem()     function in ntpd due to improper validation of     user-supplied input when reporting return values. An     authenticated, remote attacker can exploit this to cause     ntpd to abort. (CVE-2016-2519)

  - A denial of service vulnerability exists when handling     authentication due to improper packet timestamp checks.
    An unauthenticated, remote attacker can exploit this,     via a specially crafted and spoofed packet, to     demobilize the ephemeral associations. (CVE-2016-4953)

  - A flaw exists that is triggered when handling spoofed     packets. An unauthenticated, remote attacker can exploit     this, via specially crafted packets, to affect peer     variables (e.g., cause leap indications to be set). Note     that the attacker must be able to spoof packets with     correct origin timestamps from servers before expected     response packets arrive. (CVE-2016-4954)

  - A flaw exists that is triggered when handling spoofed     packets. An unauthenticated, remote attacker can exploit     this, via specially crafted packets, to reset autokey     associations. Note that the attacker must be able to     spoof packets with correct origin timestamps from     servers before expected response packets arrive.
    (CVE-2016-4955)

  - A denial of service vulnerability exists when handling     CRYPTO_NAK packets that allows an unauthenticated,     remote attacker to cause a crash. (CVE-2016-4957)

ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time.(CVE-2016-4955)

Aanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to perform a replay attack. (CVE-2015-7973)

Matt Street discovered that NTP incorrectly verified peer associations of symmetric keys. A remote attacker could use this issue to perform an impersonation attack. (CVE-2015-7974)

Jonathan Gardner discovered that the NTP ntpq utility incorrectly handled memory. An attacker could possibly use this issue to cause ntpq to crash, resulting in a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2015-7975)

Jonathan Gardner discovered that the NTP ntpq utility incorrectly handled dangerous characters in filenames. An attacker could possibly use this issue to overwrite arbitrary files. (CVE-2015-7976)

Stephen Gray discovered that NTP incorrectly handled large restrict lists. An attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7977, CVE-2015-7978)

Aanchal Malhotra discovered that NTP incorrectly handled authenticated broadcast mode. A remote attacker could use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2015-7979)

Jonathan Gardner discovered that NTP incorrectly handled origin timestamp checks. A remote attacker could use this issue to spoof peer servers. (CVE-2015-8138)

Jonathan Gardner discovered that the NTP ntpq utility did not properly handle certain incorrect values. An attacker could possibly use this issue to cause ntpq to hang, resulting in a denial of service.
(CVE-2015-8158)

It was discovered that the NTP cronjob incorrectly cleaned up the statistics directory. A local attacker could possibly use this to escalate privileges. (CVE-2016-0727)

Stephen Gray and Matthew Van Gundy discovered that NTP incorrectly validated crypto-NAKs. A remote attacker could possibly use this issue to prevent clients from synchronizing. (CVE-2016-1547)

Miroslav Lichvar and Jonathan Gardner discovered that NTP incorrectly handled switching to interleaved symmetric mode. A remote attacker could possibly use this issue to prevent clients from synchronizing.
(CVE-2016-1548)

Matthew Van Gundy, Stephen Gray and Loganaden Velvindron discovered that NTP incorrectly handled message authentication. A remote attacker could possibly use this issue to recover the message digest key.
(CVE-2016-1550)

Yihan Lian discovered that NTP incorrectly handled duplicate IPs on unconfig directives. An authenticated remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2516)

Yihan Lian discovered that NTP incorrectly handled certail peer associations. A remote attacker could possibly use this issue to cause NTP to crash, resulting in a denial of service. (CVE-2016-2518)

Jakub Prokes discovered that NTP incorrectly handled certain spoofed packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4954)

Miroslav Lichvar discovered that NTP incorrectly handled certain packets when autokey is enabled. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4955)

Miroslav Lichvar discovered that NTP incorrectly handled certain spoofed broadcast packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2016-4956)

In the default installation, attackers would be isolated by the NTP AppArmor profile.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

NTP was updated to version 4.2.8p8 to fix several security issues and to ensure the continued maintainability of the package.

These security issues were fixed :

CVE-2016-4953: Bad authentication demobilized ephemeral associations (bsc#982065).

CVE-2016-4954: Processing spoofed server packets (bsc#982066).

CVE-2016-4955: Autokey association reset (bsc#982067).

CVE-2016-4956: Broadcast interleave (bsc#982068).

CVE-2016-4957: CRYPTO_NAK crash (bsc#982064).

CVE-2016-1547: Validate crypto-NAKs to prevent ACRYPTO-NAK DoS (bsc#977459).

CVE-2016-1548: Prevent the change of time of an ntpd client or denying service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode (bsc#977461).

CVE-2016-1549: Sybil vulnerability: ephemeral association attack (bsc#977451).

CVE-2016-1550: Improve security against buffer comparison timing attacks (bsc#977464).

CVE-2016-1551: Refclock impersonation vulnerability (bsc#977450)y

CVE-2016-2516: Duplicate IPs on unconfig directives could have caused an assertion botch in ntpd (bsc#977452).

CVE-2016-2517: Remote configuration trustedkey/ requestkey/controlkey values are not properly validated (bsc#977455).

CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC (bsc#977457).

CVE-2016-2519: ctl_getitem() return value not always checked (bsc#977458).

CVE-2015-8158: Potential Infinite Loop in ntpq (bsc#962966).

CVE-2015-8138: Zero Origin Timestamp Bypass (bsc#963002).

CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode (bsc#962784).

CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list (bsc#963000).

CVE-2015-7977: reslist NULL pointer dereference (bsc#962970).

CVE-2015-7976: ntpq saveconfig command allowed dangerous characters in filenames (bsc#962802).

CVE-2015-7975: nextvar() missing length check (bsc#962988).

CVE-2015-7974: NTP did not verify peer associations of symmetric keys when authenticating packets, which might have allowed remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a 'skeleton' key (bsc#962960).

CVE-2015-7973: Replay attack on authenticated broadcast mode (bsc#962995).

CVE-2015-5300: MITM attacker can force ntpd to make a step larger than the panic threshold (bsc#951629).

CVE-2015-5194: Crash with crafted logconfig configuration command (bsc#943218).

CVE-2015-7871: NAK to the Future: Symmetric association authentication bypass via crypto-NAK (bsc#952611).

CVE-2015-7855: decodenetnum() will ASSERT botch instead of returning FAIL on some bogus values (bsc#952611).

CVE-2015-7854: Password Length Memory Corruption Vulnerability (bsc#952611).

CVE-2015-7853: Invalid length data provided by a custom refclock driver could cause a buffer overflow (bsc#952611).

CVE-2015-7852: ntpq atoascii() Memory Corruption Vulnerability (bsc#952611).

CVE-2015-7851: saveconfig Directory Traversal Vulnerability (bsc#952611).

CVE-2015-7850: Clients that receive a KoD now validate the origin timestamp field (bsc#952611).

CVE-2015-7849: Prevent use-after-free trusted key (bsc#952611).

CVE-2015-7848: Prevent mode 7 loop counter underrun (bsc#952611).

CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC (bsc#952611).

CVE-2015-7703: Configuration directives 'pidfile' and 'driftfile' should only be allowed locally (bsc#943221).

CVE-2015-7704: Clients that receive a KoD should validate the origin timestamp field (bsc#952611).

CVE-2015-7705: Clients that receive a KoD should validate the origin timestamp field (bsc#952611).

CVE-2015-7691: Incomplete autokey data packet length checks (bsc#952611).

CVE-2015-7692: Incomplete autokey data packet length checks (bsc#952611).

CVE-2015-7702: Incomplete autokey data packet length checks (bsc#952611).

CVE-2015-1798: The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP required a correct MAC only if the MAC field has a nonzero length, which made it easier for man-in-the-middle attackers to spoof packets by omitting the MAC (bsc#924202).

CVE-2015-1799: The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP performed state-variable updates upon receiving certain invalid packets, which made it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer (bsc#924202).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ntp was updated to version 4.2.8p8 to fix five security issues.

These security issues were fixed :

  - CVE-2016-4953: Bad authentication demobilizes ephemeral     associations (bsc#982065).

  - CVE-2016-4954: Processing spoofed server packets     (bsc#982066).

  - CVE-2016-4955: Autokey association reset (bsc#982067).

  - CVE-2016-4956: Broadcast interleave (bsc#982068).

  - CVE-2016-4957: CRYPTO_NAK crash (bsc#982064).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities have been discovered in the NTP suite :

The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that could cause ntpd to crash. [CVE-2016-4957, Reported by Nicolas Edet of Cisco]

An attacker who knows the origin timestamp and can send a spoofed packet containing a CRYPTO-NAK to an ephemeral peer target before any other response is sent can demobilize that association.
[CVE-2016-4953, Reported by Miroslav Lichvar of Red Hat]

An attacker who is able to spoof packets with correct origin timestamps from enough servers before the expected response packets arrive at the target machine can affect some peer variables and, for example, cause a false leap indication to be set. [CVE-2016-4954, Reported by Jakub Prokes of Red Hat]

An attacker who is able to spoof a packet with a correct origin timestamp before the expected response packet arrives at the target machine can send a CRYPTO_NAK or a bad MAC and cause the association's peer variables to be cleared. If this can be done often enough, it will prevent that association from working. [CVE-2016-4955, Reported by Miroslav Lichvar of Red Hat]

The fix for NtpBug2978 does not cover broadcast associations, so broadcast clients can be triggered to flip into interleave mode.
[CVE-2016-4956, Reported by Miroslav Lichvar of Red Hat.] Impact :
Malicious remote attackers may be able to break time synchronization, or cause the ntpd(8) daemon to crash.

It was discovered that ntpq and ntpdc disclosed the origin timestamp to unauthenticated clients, which could permit such clients to forge the server's replies. (CVE-2015-8139)

The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication. (CVE-2016-4954)

ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time.
(CVE-2016-4955)

ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. This vulnerability exists because of an incomplete fix for CVE-2016-1548 . (CVE-2016-4956)

The remote host is affected by the vulnerability described in GLSA-201607-15 (NTP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in NTP. Please review the       CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

Security fix for CVE-2015-8139, CVE-2016-4954, CVE-2016-4955, CVE-2016-4956

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ntp was updated to version 4.2.8p8 to fix five security issues.

These security issues were fixed :

  - CVE-2016-4953: Bad authentication demobilizes ephemeral     associations (bsc#982065).

  - CVE-2016-4954: Processing spoofed server packets     (bsc#982066).

  - CVE-2016-4955: Autokey association reset (bsc#982067).

  - CVE-2016-4956: Broadcast interleave (bsc#982068).

  - CVE-2016-4957: CRYPTO_NAK crash (bsc#982064).

These non-security issues were fixed :

  - Keep the parent process alive until the daemon has     finished initialisation, to make sure that the PID file     exists when the parent returns.

  - bsc#979302: Change the process name of the forking DNS     worker process to avoid the impression that ntpd is     started twice.

  - bsc#981422: Don't ignore SIGCHILD because it breaks     wait().

  - bsc#979981: ntp-wait does not accept fractional seconds,     so use 1 instead of 0.2 in ntp-wait.service.

  - Separate the creation of ntp.keys and key #1 in it to     avoid problems when upgrading installations that have     the file, but no key #1, which is needed e.g. by 'rcntp     addserver'.

This update was imported from the SUSE:SLE-12-SP1:Update update project.

ntp was updated to version 4.2.8p8 to fix 17 security issues.

These security issues were fixed :

  - CVE-2016-4956: Broadcast interleave (bsc#982068).

  - CVE-2016-2518: Crafted addpeer with hmode > 7 causes     array wraparound with MATCH_ASSOC (bsc#977457).

  - CVE-2016-2519: ctl_getitem() return value not always     checked (bsc#977458).

  - CVE-2016-4954: Processing spoofed server packets     (bsc#982066).

  - CVE-2016-4955: Autokey association reset (bsc#982067).

  - CVE-2015-7974: NTP did not verify peer associations of     symmetric keys when authenticating packets, which might     allowed remote attackers to conduct impersonation     attacks via an arbitrary trusted key, aka a 'skeleton     key (bsc#962960).

  - CVE-2016-4957: CRYPTO_NAK crash (bsc#982064).

  - CVE-2016-2516: Duplicate IPs on unconfig directives will     cause an assertion botch (bsc#977452).

  - CVE-2016-2517: Remote configuration     trustedkey/requestkey values are not properly validated     (bsc#977455).

  - CVE-2016-4953: Bad authentication demobilizes ephemeral     associations (bsc#982065).

  - CVE-2016-1547: CRYPTO-NAK DoS (bsc#977459).

  - CVE-2016-1551: Refclock impersonation vulnerability,     AKA: refclock-peering (bsc#977450).

  - CVE-2016-1550: Improve NTP security against buffer     comparison timing attacks, authdecrypt-timing, AKA:
    authdecrypt-timing (bsc#977464).

  - CVE-2016-1548: Interleave-pivot - MITIGATION ONLY     (bsc#977461).

  - CVE-2016-1549: Sybil vulnerability: ephemeral     association attack, AKA: ntp-sybil - MITIGATION ONLY     (bsc#977451).

This release also contained improved patches for CVE-2015-7704, CVE-2015-7705, CVE-2015-7974.

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ntp was updated to fix five security issues.

These security issues were fixed :

  - CVE-2016-4953: Bad authentication demobilizes ephemeral     associations (bsc#982065).

  - CVE-2016-4954: Processing spoofed server packets     (bsc#982066).

  - CVE-2016-4955: Autokey association reset (bsc#982067).

  - CVE-2016-4956: Broadcast interleave (bsc#982068).

  - CVE-2016-4957: CRYPTO_NAK crash (bsc#982064).

These non-security issues were fixed :

  - bsc#979302: Change the process name of the forking DNS     worker process to avoid the impression that ntpd is     started twice.

  - bsc#979981: ntp-wait does not accept fractional seconds,     so use 1 instead of 0.2 in ntp-wait.service.

  - bsc#981422: Don't ignore SIGCHILD because it breaks     wait().

  - Separate the creation of ntp.keys and key #1 in it to     avoid problems when upgrading installations that have     the file, but no key #1, which is needed e.g. by 'rcntp     addserver'.

The version of the remote NTP server is 4.x prior to 4.2.8p8 or 4.3.x prior to 4.3.93. It is, therefore, affected by the following vulnerabilities :
  - A denial of service vulnerability exists when handling     authentication due to improper packet timestamp checks.
    An unauthenticated, remote attacker can exploit this,     via a specially crafted and spoofed packet, to     demobilize the ephemeral associations. (CVE-2016-4953)

  - A flaw exists that is triggered when handling spoofed     packets. An unauthenticated, remote attacker can exploit     this, via specially crafted packets, to affect peer     variables (e.g., cause leap indications to be set). Note     that the attacker must be able to spoof packets with     correct origin timestamps from servers before expected     response packets arrive. (CVE-2016-4954)

  - A flaw exists that is triggered when handling spoofed     packets. An unauthenticated, remote attacker can exploit     this, via specially crafted packets, to reset autokey     associations. Note that the attacker must be able to     spoof packets with correct origin timestamps from     servers before expected response packets arrive.
    (CVE-2016-4955)

  - A flaw exists when handling broadcast associations that     allows an unauthenticated, remote attacker to cause a     broadcast client to change into interleave mode.
    (CVE-2016-4956)

  - A denial of service vulnerability exists when handling     CRYPTO_NAK packets that allows an unauthenticated,     remote attacker to cause a crash. Note that this issue     only affects versions 4.2.8p7 and 4.3.92.
    (CVE-2016-4957)

New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

ID	Name	Product	Family	Severity
501096	Siemens SIMATIC NET CP 443-1 OPC UA Concurrent Execution Using Shared Resource with Improper Synchronization (CVE-2016-4955)	Tenable OT Security	Tenable.ot	medium
125009	EulerOS Virtualization 3.0.1.0 : ntp (EulerOS-SA-2019-1556)	Nessus	Huawei Local Security Checks	critical
101311	EulerOS 2.0 SP2 : ntp (EulerOS-SA-2017-1125)	Nessus	Huawei Local Security Checks	medium
101310	EulerOS 2.0 SP1 : ntp (EulerOS-SA-2017-1124)	Nessus	Huawei Local Security Checks	medium
99183	AIX NTP v4 Advisory : ntp_advisory7.asc (IV87278) (IV87279)	Nessus	AIX Local Security Checks	high
95959	F5 Networks BIG-IP : NTP vulnerability (K03331206)	Nessus	F5 Networks Local Security Checks	medium
93896	Ubuntu 14.04 LTS / 16.04 LTS : NTP vulnerabilities (USN-3096-1)	Nessus	Ubuntu Local Security Checks	high
93186	SUSE SLES10 Security Update : ntp (SUSE-SU-2016:1912-1)	Nessus	SuSE Local Security Checks	critical
93153	SUSE SLES11 Security Update : ntp (SUSE-SU-2016:1602-1)	Nessus	SuSE Local Security Checks	high
92927	FreeBSD : FreeBSD -- Multiple ntp vulnerabilities (7cfcea05-600a-11e6-a6c3-14dae9d210b8)	Nessus	FreeBSD Local Security Checks	high
92662	Amazon Linux AMI : ntp (ALAS-2016-727)	Nessus	Amazon Linux Local Security Checks	high
92485	GLSA-201607-15 : NTP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
92288	Fedora 22 : ntp (2016-c3bd6a3496)	Nessus	Fedora Local Security Checks	medium
92265	Fedora 23 : ntp (2016-89e0874533)	Nessus	Fedora Local Security Checks	medium
92095	Fedora 24 : ntp (2016-50b0066b7f)	Nessus	Fedora Local Security Checks	medium
91721	openSUSE Security Update : ntp (openSUSE-2016-750)	Nessus	SuSE Local Security Checks	high
91666	SUSE SLES11 Security Update : ntp (SUSE-SU-2016:1584-1)	Nessus	SuSE Local Security Checks	high
91663	SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1568-1)	Nessus	SuSE Local Security Checks	critical
91662	SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1563-1)	Nessus	SuSE Local Security Checks	high
91630	openSUSE Security Update : ntp (openSUSE-2016-727)	Nessus	SuSE Local Security Checks	high
91515	Network Time Protocol Daemon (ntpd) 4.x < 4.2.8p8 / 4.3.x < 4.3.93 Multiple Vulnerabilities	Nessus	Misc.	high
91462	Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2016-155-01)	Nessus	Slackware Local Security Checks	high

Detections

Analytics

CVE-2016-4955

medium

Tenable Plugins

medium

critical

medium

medium

high

medium

high

critical

high

high

high

critical

medium

medium

medium

high

high

critical

high

high

high

high