Overview
NTP.org's reference implementation of the NTP server, ntpd, contains multiple vulnerabilities.
Description
NTP.org's reference implementation of the NTP server, ntpd, contains multiple vulnerabilities. A brief overview follows; details may be found in NTP's security advisory listing and in the individual links below.

CRYPTO-NAK denial of service introduced in the Sec 3007 patch. See Sec 3046, CVE-2016-4957. The CVSS score below describes this vulnerability.
Impact
Unauthenticated, remote attackers may be able to spoof or send specially crafted packets to create denial of service conditions.
Solution
Apply an update
Vendor Information
FreeBSD Project Affected
Notified: May 27, 2016 Updated: June 06, 2016
Statement Date: June 04, 2016
Status
Affected
Vendor Statement
As of 2016-06-04 05:46:52 UTC, we published a fix for all supported FreeBSD releases. We have published a security advisory for this at https://www.freebsd.org/security/advisories/FreeBSD-SA-16:24.ntp.asc .
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
NTP Project Affected
Notified: May 25, 2016 Updated: June 02, 2016
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
ACCESS Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
AT&T Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Alcatel-Lucent Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Apple Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Arista Networks, Inc. Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Aruba Networks Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Avaya, Inc. Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Belkin, Inc. Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Blue Coat Systems Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
CA Technologies Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
CentOS Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Check Point Software Technologies Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Cisco Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
CoreOS Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
D-Link Systems, Inc. Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Debian GNU/Linux Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
DesktopBSD Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
DragonFly BSD Project Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
EMC Corporation Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
EfficientIP SAS Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Enterasys Networks Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Ericsson Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Extreme Networks Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
F5 Networks, Inc. Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Fedora Project Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Force10 Networks Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Gentoo Linux Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Google Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Hardened BSD Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Hewlett Packard Enterprise Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Hitachi Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Huawei Technologies Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
IBM Corporation Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Infoblox Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Intel Corporation Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Internet Systems Consortium Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Internet Systems Consortium - DHCP Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Juniper Networks Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Lenovo Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
McAfee Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Microsoft Corporation Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
NEC Corporation Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
NTPsec Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
NetBSD Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Nokia Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Nominum Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
OmniTI Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
OpenBSD Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
OpenDNS Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Openwall GNU/*/Linux Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Oracle Corporation Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Peplink Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Q1 Labs Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
QNX Software Systems Inc. Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Red Hat, Inc. Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
SUSE Linux Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
SafeNet Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Secure64 Software Corporation Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Slackware Linux Inc. Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
SmoothWall Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Snort Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Sony Corporation Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Sourcefire Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Symantec Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
TippingPoint Technologies Inc. Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Turbolinux Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Ubuntu Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Unisys Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
VMware Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Wind River Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
dnsmasq Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
m0n0wall Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
openSUSE project Unknown
Notified: May 27, 2016 Updated: May 27, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
CVSS Metrics
Group | Score | Vector |
---|---|---|
Base | 7.8 | AV:N/AC:L/Au:N/C:N/I:N/A:C |
Temporal | 6.4 | E:F/RL:OF/RC:C |
Environmental | 6.4 | CDP:N/TD:H/CR:ND/IR:ND/AR:ND |
References
- http://support.ntp.org/bin/view/Main/NtpBug3007
- http://support.ntp.org/bin/view/Main/NtpBug3046
- http://support.ntp.org/bin/view/Main/NtpBug3045
- http://support.ntp.org/bin/view/Main/NtpBug3044
- http://support.ntp.org/bin/view/Main/NtpBug3043
- http://support.ntp.org/bin/view/Main/NtpBug2978
- http://support.ntp.org/bin/view/Main/NtpBug3042
Acknowledgements
The NTP Project credits Nicolas Edet of Cisco, Miroslav Lichvar of Red Hat, and Jakub Prokes of Red Hat for reporting these vulnerabilities.
This document was written by Joel Land.
Other Information
CVE IDs: CVE-2016-4953, CVE-2016-4954, CVE-2016-4955, CVE-2016-4956, CVE-2016-4957
Date Public: 2016-06-02
Date First Published: 2016-06-02
Date Last Updated: 2016-06-06 14:21 UTC
Document Revision: 9