F5 Networks BIG-IP : NTP vulnerabilities (K02360853)
Medium Nessus Plugin ID 97443
SynopsisThe remote device is missing a vendor-supplied security patch.
The log_config_command function in ntp_parser.y in ntpd in NTP before 4.2.7p42 allows remote attackers to cause a denial of service (ntpd crash) via crafted logconfig commands.
CVE-2015-5195 ntp_openssl.m4 in ntpd in NTP before 4.2.7p112 allows remote attackers to cause a denial of service (segmentation fault) via a crafted statistics or filegen configuration command that is not enabled during compilation.
The ntpd process could stop responding, due to an uninitialized variable, when processing malformed configuration commands.
F5 has evaluated this vulnerability as having low impact to the BIG-IP product line for the following reasons :
This issue is not exposed in a BIG-IP system default configuration.
The configuration that exposes the issue is not recommended by F5.
SolutionUpgrade to one of the non-vulnerable versions listed in the F5 Solution K02360853.