Executive Summary

Summary
Title: NTP Project ntpd reference implementation contains multiple vulnerabilities
Information
Name: VU#374268 | First vendor Publication: 2015-04-07
Vendor: VU-CERT | Last vendor Modification: 2015-04-10
Severity (Vendor): N/A | Revision: M

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA | Environmental Score: NA
Impact SubScore: NA | Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

Cvss vector: (AV:A/AC:M/Au:N/C:N/I:P/A:P)
Cvss Base Score: 4.3 | Attack Range: Adjacent network
Cvss Impact Score: 4.9 | Attack Complexity: Medium
Cvss Exploit Score: 5.5 | Authentication: None Required

Detail

Vulnerability Note VU#374268

NTP Project ntpd reference implementation contains multiple vulnerabilities

Original Release date: 07 Apr 2015 | Last revised: 10 Apr 2015

Overview

The NTP Project ntpd reference implementation accepts unauthenticated packets when symmetric key cryptography is in use and does not protect symmetric associations against denial of service attacks.

Description

CVE-2015-1798, bug 2779:

In NTP4 installations utilizing symmetric key authentication, versions ntp-4.2.5p99 to ntp-4.2.8p1, packets with no message authentication code (MAC) are accepted as though they have a valid MAC. An attacker may be able to leverage this validation error to send packets that will be accepted by the client. The CVSS score reflects this issue.
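
The validation error described for CVE-2015-1798, reduced to a small C model (an added example, not code from ntpd or from this advisory). The names `classify_mac`, `accept_flawed` and `accept_strict`, the 16-byte digest and the caller-supplied expected digest are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NTP_HDR_LEN 48   /* fixed NTP header, no extension fields */
#define KEYID_LEN    4   /* key identifier that precedes the digest */
#define DIGEST_LEN  16   /* digest size assumed for this model */
enum auth_result { AUTH_NONE, AUTH_OK, AUTH_ERROR };

/* Constant-time comparison so the check does not leak a matching prefix. */
static int digest_equal(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Classify what follows the header. `expected` is the digest the receiver
 * computed with the shared key (that computation is outside this model). */
enum auth_result classify_mac(const uint8_t *pkt, size_t len,
                              const uint8_t *expected)
{
    if (len == NTP_HDR_LEN)
        return AUTH_NONE;                  /* MAC omitted entirely */
    if (len != NTP_HDR_LEN + KEYID_LEN + DIGEST_LEN)
        return AUTH_ERROR;                 /* truncated or malformed */
    return digest_equal(pkt + NTP_HDR_LEN + KEYID_LEN, expected, DIGEST_LEN)
               ? AUTH_OK : AUTH_ERROR;
}

/* Flawed gate: a keyed association rejects only a wrong MAC, so a packet
 * with no MAC at all passes as if it had been verified. */
int accept_flawed(enum auth_result r, int keyed) { return !(keyed && r == AUTH_ERROR); }

/* Corrected gate: a keyed association accepts nothing but a verified MAC. */
int accept_strict(enum auth_result r, int keyed) { return !keyed || r == AUTH_OK; }

int main(void)
{
    uint8_t expected[DIGEST_LEN], pkt[NTP_HDR_LEN + KEYID_LEN + DIGEST_LEN] = {0};
    memset(expected, 0xA5, sizeof expected);   /* constructed digest value */
    memcpy(pkt + NTP_HDR_LEN + KEYID_LEN, expected, DIGEST_LEN);
    enum auth_result no_mac = classify_mac(pkt, NTP_HDR_LEN, expected);
    printf("no MAC, keyed peer: flawed=%d strict=%d\n",
           accept_flawed(no_mac, 1), accept_strict(no_mac, 1));
    return 0;
}
```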

CVE-2015-1799, bug 2781:

In NTP installations utilizing symmetric key authentication, including xntp3.3wy to version ntp-4.2.8p1, a denial of service condition is created when two peering hosts receive packets in which the originate and transmit timestamps do not match. An attacker who periodically sends such packets to both hosts can prevent synchronization.
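
A simplified C model of the ordering problem behind CVE-2015-1799 (an added example, not ntpd's code): a handler that stores a packet's timestamps before validating it lets one invalid packet break the next genuine exchange between two peers. The structures, field names and timestamp values are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Per-association state in this model (field names are hypothetical). */
struct assoc {
    uint64_t my_xmt;    /* transmit timestamp of the last packet we sent */
    uint64_t peer_xmt;  /* peer's last transmit timestamp, echoed as originate */
};
struct pkt { uint64_t org, xmt; int authentic; };

/* Build the next outgoing packet: echo the peer's last transmit timestamp. */
struct pkt send_pkt(struct assoc *a, uint64_t now)
{
    struct pkt p = { a->peer_xmt, now, 1 };
    a->my_xmt = now;
    return p;
}

/* Flawed order: the state variable is updated even when the packet fails. */
int recv_flawed(struct assoc *a, struct pkt p)
{
    int ok = p.authentic && p.org == a->my_xmt;
    a->peer_xmt = p.xmt;
    return ok;
}

/* Corrected order: validate first, touch state only for accepted packets. */
int recv_strict(struct assoc *a, struct pkt p)
{
    if (!p.authentic || p.org != a->my_xmt)
        return 0;
    a->peer_xmt = p.xmt;
    return 1;
}

/* B -> A, then an invalid packet reaches A, then A -> B. Returns 1 if B
 * still accepts A's packet, 0 if the exchange has been broken. */
int exchange_survives(int (*handler)(struct assoc *, struct pkt))
{
    struct assoc a = {0, 0}, b = {0, 0};
    struct pkt bad = { 12345, 67890, 0 };   /* constructed invalid packet */
    if (!handler(&a, send_pkt(&b, 100)))
        return 0;
    handler(&a, bad);
    return handler(&b, send_pkt(&a, 200));
}

int main(void)
{
    printf("flawed=%d strict=%d\n",
           exchange_survives(recv_flawed), exchange_survives(recv_strict));
    return 0;
}
```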

For more information about these issues, visit NTP's security notice.

Impact

An unauthenticated attacker with network access may be able to inject packets or prevent peer synchronization among symmetrically authenticated hosts.

Solution

Apply an update

The NTP Project has released version ntp-4.2.8p2 to address these issues.

Vendor Information

Vendor | Status | Date Notified | Date Updated
Arista Networks, Inc. | Affected | - | 10 Apr 2015
FreeBSD Project | Affected | 24 Mar 2015 | 10 Apr 2015
NTP Project | Affected | 23 Mar 2015 | 07 Apr 2015
EfficientIP | Not Affected | - | 10 Apr 2015
ACCESS | Unknown | 24 Mar 2015 | 24 Mar 2015
Alcatel-Lucent | Unknown | 24 Mar 2015 | 24 Mar 2015
Apple | Unknown | 24 Mar 2015 | 24 Mar 2015
Arch Linux | Unknown | 30 Mar 2015 | 30 Mar 2015
AT&T | Unknown | 24 Mar 2015 | 24 Mar 2015
Avaya, Inc. | Unknown | 24 Mar 2015 | 24 Mar 2015
Barracuda Networks | Unknown | 24 Mar 2015 | 24 Mar 2015
Belkin, Inc. | Unknown | 24 Mar 2015 | 24 Mar 2015
Blue Coat Systems | Unknown | 24 Mar 2015 | 24 Mar 2015
Brocade | Unknown | 30 Mar 2015 | 30 Mar 2015
CA Technologies | Unknown | 24 Mar 2015 | 24 Mar 2015

CVSS Metrics

Group | Score | Vector
Base | 5.4 | AV:A/AC:M/Au:N/C:P/I:P/A:P
Temporal | 4.2 | E:POC/RL:OF/RC:C
Environmental | 4.2 | CDP:N/TD:H/CR:ND/IR:ND/AR:ND

References

  • http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
  • http://bugs.ntp.org/show_bug.cgi?id=2781
  • http://bugs.ntp.org/show_bug.cgi?id=2779
  • http://www.ntp.org/downloads.html

Credit

The NTP Project credits Miroslav Lichvar of Red Hat for reporting these issues.

This document was written by Joel Land.

Other Information

  • CVE IDs: CVE-2015-1798, CVE-2015-1799
  • Date Public: 07 Apr 2015
  • Date First Published: 07 Apr 2015
  • Date Last Updated: 10 Apr 2015
  • Document Revision: 18

Original Source

Url : http://www.kb.cert.org/vuls/id/374268

CWE : Common Weakness Enumeration

% | Id | Name
100 % | CWE-17 | Code

OVAL Definitions

Oval ID: oval:org.mitre.oval:def:28698
Title: Symmetric-Key feature allows MAC address spoofing.
Description: The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle attackers to spoof packets by omitting the MAC.
Family: unix | Class: vulnerability
Reference(s): CVE-2015-1798
Version: 3
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:

Oval ID: oval:org.mitre.oval:def:28915
Title: Symmetric-Key feature allows denial of service
Description: The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 3.x and 4.x before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer.
Family: unix | Class: vulnerability
Reference(s): CVE-2015-1799
Version: 3
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:

Oval ID: oval:org.mitre.oval:def:29492
Title: AIX 'NTPv4' vulnerability
Description: The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 3.x and 4.x before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer.
Family: unix | Class: vulnerability
Reference(s): CVE-2015-1799
Version: 5
Platform(s): IBM AIX 6.1, IBM AIX 7.1
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

Type | Description | Count
Application | | 775

Nessus® Vulnerability Scanner

Date Description
2018-04-10 Name : The remote device is missing a vendor-supplied security patch.
File : cisco-sa-20150408-ntpd-iosxe.nasl - Type : ACT_GATHER_INFO
2018-04-10 Name : The remote device is missing a vendor-supplied security patch.
File : cisco-sa-20150408-ntpd-ios.nasl - Type : ACT_GATHER_INFO
2016-08-29 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2016-1912-1.nasl - Type : ACT_GATHER_INFO
2016-06-01 Name : The remote device is affected by multiple vulnerabilities.
File : cisco_ace_A5_3_3.nasl - Type : ACT_GATHER_INFO
2015-12-22 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20151119_ntp_on_SL7_x.nasl - Type : ACT_GATHER_INFO
2015-12-02 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2015-2231.nasl - Type : ACT_GATHER_INFO
2015-11-24 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2015-2231.nasl - Type : ACT_GATHER_INFO
2015-11-20 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2015-2231.nasl - Type : ACT_GATHER_INFO
2015-09-25 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201509-01.nasl - Type : ACT_GATHER_INFO
2015-09-21 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL16506.nasl - Type : ACT_GATHER_INFO
2015-08-25 Name : The remote AIX host is missing a security patch.
File : aix_IV74263.nasl - Type : ACT_GATHER_INFO
2015-08-25 Name : The remote AIX host is missing a security patch.
File : aix_IV74262.nasl - Type : ACT_GATHER_INFO
2015-08-25 Name : The remote AIX host is missing a security patch.
File : aix_IV74261.nasl - Type : ACT_GATHER_INFO
2015-08-25 Name : The remote AIX host is missing a security patch.
File : aix_IV73783.nasl - Type : ACT_GATHER_INFO
2015-08-04 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20150722_ntp_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2015-07-31 Name : The remote OracleVM host is missing one or more security updates.
File : oraclevm_OVMSA-2015-0102.nasl - Type : ACT_GATHER_INFO
2015-07-30 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2015-1459.nasl - Type : ACT_GATHER_INFO
2015-07-28 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2015-1459.nasl - Type : ACT_GATHER_INFO
2015-07-23 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2015-1459.nasl - Type : ACT_GATHER_INFO
2015-07-06 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2015-1173-1.nasl - Type : ACT_GATHER_INFO
2015-07-02 Name : The remote AIX host is missing a security patch.
File : aix_IV71096.nasl - Type : ACT_GATHER_INFO
2015-07-02 Name : The remote AIX host is missing a security patch.
File : aix_IV71094.nasl - Type : ACT_GATHER_INFO
2015-07-01 Name : The remote host is missing a Mac OS X update that fixes multiple security vul...
File : macosx_SecUpd2015-005.nasl - Type : ACT_GATHER_INFO
2015-07-01 Name : The remote host is missing a Mac OS X update that fixes multiple security vul...
File : macosx_10_10_4.nasl - Type : ACT_GATHER_INFO
2015-05-21 Name : The remote NTP server is affected by multiple vulnerabilities.
File : ntp_4_2_8p2.nasl - Type : ACT_GATHER_INFO
2015-05-20 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2015-0865-1.nasl - Type : ACT_GATHER_INFO
2015-05-07 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2015-520.nasl - Type : ACT_GATHER_INFO
2015-04-29 Name : The remote Fedora host is missing a security update.
File : fedora_2015-5830.nasl - Type : ACT_GATHER_INFO
2015-04-28 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2015-330.nasl - Type : ACT_GATHER_INFO
2015-04-24 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL16505.nasl - Type : ACT_GATHER_INFO
2015-04-23 Name : The remote Fedora host is missing a security update.
File : fedora_2015-5874.nasl - Type : ACT_GATHER_INFO
2015-04-23 Name : The remote Fedora host is missing a security update.
File : fedora_2015-5761.nasl - Type : ACT_GATHER_INFO
2015-04-22 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2015-111-08.nasl - Type : ACT_GATHER_INFO
2015-04-14 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-2567-1.nasl - Type : ACT_GATHER_INFO
2015-04-14 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3223.nasl - Type : ACT_GATHER_INFO
2015-04-13 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2015-202.nasl - Type : ACT_GATHER_INFO
2015-04-13 Name : The remote Debian host is missing a security update.
File : debian_DLA-192.nasl - Type : ACT_GATHER_INFO
2015-04-08 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_ebd84c96dd7e11e4854e3c970e169bc2.nasl - Type : ACT_GATHER_INFO

Alert History

Date Information
2016-06-02 13:27:32
  • Multiple Updates
2015-05-22 13:29:29
  • Multiple Updates
2015-04-10 21:25:03
  • Multiple Updates
2015-04-09 17:24:46
  • Multiple Updates
2015-04-08 21:30:53
  • Multiple Updates
2015-04-08 17:29:18
  • Multiple Updates
2015-04-08 00:24:58
  • First insertion