Overview
NTP Project ntpd reference implementation accepts unauthenticated packets with symmetric key cryptography and does not protect symmetric associations against denial of service attacks.
Description
CVE-2015-1798, bug 2779: In NTP4 installations utilizing symmetric key authentication, versions ntp-4.2.5p99 to ntp-4.2.8p1, packets with no message authentication code (MAC) are accepted as though they have a valid MAC. An attacker may be able to leverage this validation error to send packets that will be accepted by the client. The CVSS score reflects this issue.
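The check that the validation error above skips, as an added example (not code from the NTP Project or from this advisory): a receiver that requires every symmetric-mode packet on a keyed association to carry a MAC that verifies. It assumes MD5 keys, no extension fields and a constructed key table; KEYS, md5_mac, classify and sample_header are hypothetical names.

```python
import hashlib
import hmac
import struct

NTP_HEADER_LEN = 48                      # fixed NTP header size (RFC 5905)
MODE_SYM_ACTIVE, MODE_SYM_PASSIVE = 1, 2
MD5_MAC_LEN = 4 + 16                     # 4-byte key ID + 16-byte MD5 digest

# Constructed key table (stand-in for an ntp.keys file): key ID -> secret.
KEYS = {7: b"constructed-demo-secret"}

def md5_mac(key_id, header):
    """Key ID followed by MD5(secret || header), the classic NTP symmetric MAC."""
    digest = hashlib.md5(KEYS[key_id] + header).digest()
    return struct.pack("!I", key_id) + digest

def classify(packet, required_key_id):
    """Verdict for a packet arriving on an association keyed with required_key_id."""
    if len(packet) < NTP_HEADER_LEN:
        return "drop: short packet"
    mode = packet[0] & 0x07              # low three bits of the first octet
    if mode not in (MODE_SYM_ACTIVE, MODE_SYM_PASSIVE):
        return "ignore: not a symmetric-mode packet"
    header, trailer = packet[:NTP_HEADER_LEN], packet[NTP_HEADER_LEN:]
    if not trailer:
        # The case in the description: no MAC at all. It must be rejected,
        # never treated as if a valid MAC had been present.
        return "drop: MAC missing"
    if len(trailer) != MD5_MAC_LEN:
        return "drop: unsupported trailer length"
    key_id = struct.unpack("!I", trailer[:4])[0]
    if key_id != required_key_id:
        return "drop: wrong key ID"
    if not hmac.compare_digest(md5_mac(key_id, header), trailer):
        return "drop: bad MAC"
    return "accept"

def sample_header(mode):
    """Constructed header: LI=0, VN=4, the given mode, all other fields zero."""
    return bytes([(4 << 3) | mode]) + bytes(NTP_HEADER_LEN - 1)

if __name__ == "__main__":
    hdr = sample_header(MODE_SYM_ACTIVE)
    samples = [
        ("no MAC", hdr),
        ("valid MAC", hdr + md5_mac(7, hdr)),
        ("forged MAC", hdr + struct.pack("!I", 7) + bytes(16)),
    ]
    for label, pkt in samples:
        print(f"{label:10} -> {classify(pkt, 7)}")
```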
Impact
An unauthenticated attacker with network access may be able to inject packets or prevent peer synchronization among symmetrically authenticated hosts.
Solution
Apply an update
Vendor Information
Arista Networks, Inc. Affected
Updated: April 10, 2015
Statement Date: April 09, 2015
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
FreeBSD Project Affected
Notified: March 24, 2015 Updated: April 10, 2015
Statement Date: April 09, 2015
Status
Affected
Vendor Statement
The vulnerabilities in 374268 (different from 852879) have been resolved by FreeBSD-SA-15:07.ntp.
https://www.freebsd.org/security/advisories/FreeBSD-SA-15:07.ntp.asc
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
NTP Project Affected
Notified: March 23, 2015 Updated: April 07, 2015
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
EfficientIP Not Affected
Updated: April 10, 2015
Statement Date: April 09, 2015
Status
Not Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
ACCESS Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
AT&T Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Alcatel-Lucent Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Apple Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Arch Linux Unknown
Notified: March 30, 2015 Updated: March 30, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Avaya, Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Barracuda Networks Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Belkin, Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Blue Coat Systems Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Brocade Unknown
Notified: March 30, 2015 Updated: March 30, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
CA Technologies Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
CentOS Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Check Point Software Technologies Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Cisco Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Cray Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
D-Link Systems, Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Debian GNU/Linux Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
DesktopBSD Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
DragonFly BSD Project Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
EMC Corporation Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Enterasys Networks Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Ericsson Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Extreme Networks Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
F5 Networks, Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Fedora Project Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Force10 Networks Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Fortinet, Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Fujitsu Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Gentoo Linux Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Global Technology Associates, Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Hewlett-Packard Company Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Hitachi Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Huawei Technologies Unknown
Notified: March 30, 2015 Updated: March 30, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
IBM Corporation Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
IBM eServer Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Infoblox Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Intel Corporation Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Intoto Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Juniper Networks Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Mandriva S. A. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
McAfee Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Microsemi Unknown
Notified: April 09, 2015 Updated: April 09, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Microsoft Corporation Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
NEC Corporation Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
NetBSD Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Nokia Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Novell, Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
OmniTI Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
OpenBSD Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Openwall GNU/*/Linux Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Oracle Corporation Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
PC-BSD Unknown
Notified: March 30, 2015 Updated: March 30, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Palo Alto Networks Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Peplink Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Process Software Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Q1 Labs Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
QNX Software Systems Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Quagga Unknown
Notified: March 30, 2015 Updated: March 30, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Red Hat, Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
SUSE Linux Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
SafeNet Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Slackware Linux Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
SmoothWall Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Snort Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Sony Corporation Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Sourcefire Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Stonesoft Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Symantec Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
The SCO Group Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
TippingPoint Technologies Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Turbolinux Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Ubuntu Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Unisys Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
VMware Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Vyatta Unknown
Notified: March 30, 2015 Updated: March 30, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Watchguard Technologies, Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Wind River Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
ZyXEL Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
eSoft, Inc. Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
m0n0wall Unknown
Notified: March 24, 2015 Updated: March 24, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
openSUSE project Unknown
Notified: March 30, 2015 Updated: March 30, 2015
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 5.4 | AV:A/AC:M/Au:N/C:P/I:P/A:P |
| Temporal | 4.2 | E:POC/RL:OF/RC:C |
| Environmental | 4.2 | CDP:N/TD:H/CR:ND/IR:ND/AR:ND |
Acknowledgements
The NTP Project credits Miroslav Lichvar of Red Hat for reporting these issues.
This document was written by Joel Land.
Other Information
CVE IDs: CVE-2015-1798, CVE-2015-1799
Date Public: 2015-04-07
Date First Published: 2015-04-07
Date Last Updated: 2015-04-10 18:36 UTC
Document Revision: 19