FreeBSD : ntp -- multiple vulnerabilities (af485ef4-1c58-11e8-8477-d05099c0ae8c)

High Nessus Plugin ID 107046

Synopsis

The remote FreeBSD host is missing one or more security-related updates.

Description

Network Time Foundation reports :

The NTP Project at Network Time Foundation is releasing ntp-4.2.8p11.

This release addresses five security issues in ntpd :

- LOW/MEDIUM: Sec 3012 / CVE-2016-1549 / VU#961909: Sybil vulnerability: ephemeral association attack

- INFO/MEDIUM: Sec 3412 / CVE-2018-7182 / VU#961909 : ctl_getitem():
buffer read overrun leads to undefined behavior and information leak

- LOW: Sec 3415 / CVE-2018-7170 / VU#961909: Multiple authenticated ephemeral associations

- LOW: Sec 3453 / CVE-2018-7184 / VU#961909: Interleaved symmetric mode cannot recover from bad state

- LOW/MEDIUM: Sec 3454 / CVE-2018-7185 / VU#961909 : Unauthenticated packet can reset authenticated interleaved association

one security issue in ntpq :

- MEDIUM: Sec 3414 / CVE-2018-7183 / VU#961909 : ntpq:decodearr() can write beyond its buffer limit

and provides over 33 bugfixes and 32 other improvements.

Solution

Update the affected packages.

See Also

http://www.nessus.org/u?706c32c8

http://www.nessus.org/u?0ef4c3d6

Plugin Details

Severity: High

ID: 107046

File Name: freebsd_pkg_af485ef41c5811e88477d05099c0ae8c.nasl

Version: 3.4

Type: local

Published: 2018/02/28

Modified: 2018/03/29

Dependencies: 12634

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSSv3

Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Vulnerability Information

CPE: p-cpe:/a:freebsd:freebsd:ntp, p-cpe:/a:freebsd:freebsd:ntp-devel, cpe:/o:freebsd:freebsd

Required KB Items: Host/local_checks_enabled, Host/FreeBSD/release, Host/FreeBSD/pkg_info

Patch Publication Date: 2018/02/28

Vulnerability Publication Date: 2018/02/27

Reference Information

CVE: CVE-2016-1549, CVE-2018-7170, CVE-2018-7182, CVE-2018-7183, CVE-2018-7184, CVE-2018-7185

FreeBSD: SA-18:02.ntp