The ntpq protocol in NTP before 4.2.8p7 allows remote attackers to conduct replay attacks by sniffing the network.

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - ntp: denial of service by trigerring rate limiting on NTP server (CVE-2015-7705)

  - The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a     denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1     requests, as exploited in the wild in December 2013. (CVE-2013-5211)

  - An Information Disclosure vulnerability exists in NTP 4.2.7p25 private (mode 6/7) messages via a     GET_RESTRICT control message, which could let a malicious user obtain sensitive information.
    (CVE-2014-5209)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - ntp: Stack-based buffer overflow in ntpq and ntpdc allows denial of service or code execution     (CVE-2018-12327)

  - The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a     denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1     requests, as exploited in the wild in December 2013. (CVE-2013-5211)

  - An Information Disclosure vulnerability exists in NTP 4.2.7p25 private (mode 6/7) messages via a     GET_RESTRICT control message, which could let a malicious user obtain sensitive information.
    (CVE-2014-5209)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - ntp: denial of service by trigerring rate limiting on NTP server (CVE-2015-7705)

  - An Information Disclosure vulnerability exists in NTP 4.2.7p25 private (mode 6/7) messages via a     GET_RESTRICT control message, which could let a malicious user obtain sensitive information.
    (CVE-2014-5209)

  - ntpd in ntp before 4.2.8p3 with remote configuration enabled allows remote authenticated users with     knowledge of the configuration password and access to a computer entrusted to perform remote configuration     to cause a denial of service (service crash) via a NULL byte in a crafted configuration directive packet.
    (CVE-2015-5146)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

According to its self-reported version number, the remote pfSense install is prior to 2.3. It is, therefore, affected by multiple vulnerabilities.

CVE-2015-8139 ntpq in NTP before 4.2.8p7 allows remote attackers to obtain origin timestamps and then impersonate peers via unspecified vectors.

CVE-2015-8140 The ntpq protocol in NTP before 4.2.8p7 allows remote attackers to conduct replay attacks by sniffing the network.

This update for ntp fixes the following issues: ntp was updated to 4.2.8p9. Security issues fixed :

  - CVE-2016-9311, CVE-2016-9310, bsc#1011377: Mode 6     unauthenticated trap information disclosure and DDoS     vector.

  - CVE-2016-7427, bsc#1011390: Broadcast Mode Replay     Prevention DoS.

  - CVE-2016-7428, bsc#1011417: Broadcast Mode Poll Interval     Enforcement DoS.

  - CVE-2016-7431, bsc#1011395: Regression: 010-origin: Zero     Origin Timestamp Bypass.

  - CVE-2016-7434, bsc#1011398: NULL pointer dereference in
    _IO_str_init_static_internal().

  - CVE-2016-7429, bsc#1011404: Interface selection attack.

  - CVE-2016-7426, bsc#1011406: Client rate limiting and     server responses.

  - CVE-2016-7433, bsc#1011411: Reboot sync calculation     problem.

  - CVE-2015-8140: ntpq vulnerable to replay attacks.

  - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose     origin.

  - CVE-2015-5219: An endless loop due to incorrect     precision to double conversion (bsc#943216).
    Non-security issues fixed :

  - Fix a spurious error message.

  - Other bugfixes, see     /usr/share/doc/packages/ntp/ChangeLog.

  - Fix a regression in 'trap' (bsc#981252).

  - Reduce the number of netlink groups to listen on for     changes to the local network setup (bsc#992606).

  - Fix segfault in 'sntp -a' (bsc#1009434).

  - Silence an OpenSSL version warning (bsc#992038).

  - Make the resolver task change user and group IDs to the     same values as the main task. (bsc#988028)

  - Simplify ntpd's search for its own executable to prevent     AppArmor warnings (bsc#956365).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for ntp fixes the following issues :

  - Simplify ntpd's search for its own executable to prevent     AppArmor warnings (bsc#956365). Security issues fixed     (update to 4.2.8p9) :

  - CVE-2016-9311, CVE-2016-9310, bsc#1011377: Mode 6     unauthenticated trap information disclosure and DDoS     vector.

  - CVE-2016-7427, bsc#1011390: Broadcast Mode Replay     Prevention DoS.

  - CVE-2016-7428, bsc#1011417: Broadcast Mode Poll Interval     Enforcement DoS.

  - CVE-2016-7431, bsc#1011395: Regression: 010-origin: Zero     Origin Timestamp Bypass.

  - CVE-2016-7434, bsc#1011398: NULL pointer dereference in
    _IO_str_init_static_internal().

  - CVE-2016-7429, bsc#1011404: Interface selection attack.

  - CVE-2016-7426, bsc#1011406: Client rate limiting and     server responses.

  - CVE-2016-7433, bsc#1011411: Reboot sync calculation     problem.

  - CVE-2015-5219: An endless loop due to incorrect     precision to double conversion (bsc#943216).

  - CVE-2015-8140: ntpq vulnerable to replay attacks.

  - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose     origin.

  - CVE-2015-5219: An endless loop due to incorrect     precision to double conversion (bsc#943216).
    Non-security issues fixed :

  - Fix a spurious error message.

  - Other bugfixes, see     /usr/share/doc/packages/ntp/ChangeLog.

  - Fix a regression in 'trap' (bsc#981252).

  - Reduce the number of netlink groups to listen on for     changes to the local network setup (bsc#992606).

  - Fix segfault in 'sntp -a' (bsc#1009434).

  - Silence an OpenSSL version warning (bsc#992038).

  - Make the resolver task change user and group IDs to the     same values as the main task. (bsc#988028)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-201607-15 (NTP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in NTP. Please review the       CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly cause a Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

The version of NTP installed on the remote AIX host is affected by the following vulnerabilities :

  - A flaw exists in the receive() function due to the use     of authenticated broadcast mode. A man-in-the-middle     attacker can exploit this to conduct a replay attack.
    (CVE-2015-7973)

  - A NULL pointer dereference flaw exists in ntp_request.c     that is triggered when handling ntpdc relist commands.
    A remote attacker can exploit this, via a specially     crafted request, to crash the service, resulting in a     denial of service condition. (CVE-2015-7977)

  - An unspecified flaw exists in authenticated broadcast     mode. A remote attacker can exploit this, via specially     crafted packets, to cause a denial of service condition.
    (CVE-2015-7979)

  - A flaw exists in ntpq and ntpdc that allows a remote     attacker to disclose sensitive information in     timestamps. (CVE-2015-8139)

  - A flaw exists in the ntpq protocol that is triggered     during the handling of an improper sequence of numbers.
    A man-in-the-middle attacker can exploit this to conduct     a replay attack. (CVE-2015-8140)

  - A flaw exists in the ntpq client that is triggered when     handling packets that cause a loop in the getresponse()     function. A remote attacker can exploit this to cause an     infinite loop, resulting in a denial of service     condition. (CVE-2015-8158)

This update for ntp fixes the following issues :

  - Update to 4.2.8p7 (boo#977446) :

  - CVE-2016-1547, boo#977459: Validate crypto-NAKs, AKA:
    CRYPTO-NAK DoS.

  - CVE-2016-1548, boo#977461: Interleave-pivot

  - CVE-2016-1549, boo#977451: Sybil vulnerability:
    ephemeral association attack.

  - CVE-2016-1550, boo#977464: Improve NTP security against     buffer comparison timing attacks.

  - CVE-2016-1551, boo#977450: Refclock impersonation     vulnerability

  - CVE-2016-2516, boo#977452: Duplicate IPs on unconfig     directives will cause an assertion botch in ntpd.

  - CVE-2016-2517, boo#977455: remote configuration     trustedkey/ requestkey/controlkey values are not     properly validated.

  - CVE-2016-2518, boo#977457: Crafted addpeer with hmode >     7 causes array wraparound with MATCH_ASSOC.

  - CVE-2016-2519, boo#977458: ctl_getitem() return value     not always checked.

  - integrate ntp-fork.patch

  - Improve the fixes for: CVE-2015-7704, CVE-2015-7705,     CVE-2015-7974

  - Restrict the parser in the startup script to the first     occurrance of 'keys' and 'controlkey' in ntp.conf     (boo#957226).

  - Enable compile-time support for MS-SNTP     (--enable-ntp-signd). This replaces the w32 patches in     4.2.4 that added the authreg directive. (fate#320758).

  - Fix ntp-sntp-dst.patch (boo#975496).

  - Call /usr/sbin/sntp with full path to synchronize in     start-ntpd. When run as cron job, /usr/sbin/ is not in     the path, which caused the synchronization to fail.
    (boo#962318)

  - Speedup ntpq (boo#782060, ntp-speedup-ntpq.patch).

  - Sync service files with openSUSE Factory.

  - Fix the TZ offset output of sntp during DST     (boo#951559).

  - Add ntp-fork.patch and build with threads disabled to     allow name resolution even when running chrooted.

  - Update to 4.2.8p6 :

  - CVE-2015-8158, boo#962966: Potential Infinite Loop in     ntpq.

  - CVE-2015-8138, boo#963002: origin: Zero Origin Timestamp     Bypass.

  - CVE-2015-7979, boo#962784: Off-path Denial of Service     (DoS) attack on authenticated broadcast mode.

  - CVE-2015-7978, boo#963000: Stack exhaustion in recursive     traversal of restriction list.

  - CVE-2015-7977, boo#962970: reslist NULL pointer     dereference.

  - CVE-2015-7976, boo#962802: ntpq saveconfig command     allows dangerous characters in filenames.

  - CVE-2015-7975, boo#962988: nextvar() missing length     check.

  - CVE-2015-7974, boo#962960: Skeleton Key: Missing key     check allows impersonation between authenticated peers.

  - CVE-2015-7973, boo#962995: Deja Vu: Replay attack on     authenticated broadcast mode.

  - CVE-2015-8140: ntpq vulnerable to replay attacks.

  - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose     origin.

  - CVE-2015-5300, boo#951629: Small-step/Big-step.

  - Add /var/db/ntp-kod (boo#916617).

  - Add ntp-ENOBUFS.patch to limit a warning that might     happen quite a lot on loaded systems (boo#956773).

  - add ntp.bug2965.diff (boo#954982)

  - fixes regression in 4.2.8p4 update

  - Update to 4.2.8p4 to fix several security issues     (boo#951608) :

  - CVE-2015-7871: NAK to the Future: Symmetric association     authentication bypass via crypto-NAK

  - CVE-2015-7855: decodenetnum() will ASSERT botch instead     of returning FAIL on some bogus values

  - CVE-2015-7854: Password Length Memory Corruption     Vulnerability

  - CVE-2015-7853: Invalid length data provided by a custom     refclock driver could cause a buffer overflow

  - CVE-2015-7852 ntpq atoascii() Memory Corruption     Vulnerability

  - CVE-2015-7851 saveconfig Directory Traversal     Vulnerability

  - CVE-2015-7850 remote config logfile-keyfile

  - CVE-2015-7849 trusted key use-after-free

  - CVE-2015-7848 mode 7 loop counter underrun

  - CVE-2015-7701 Slow memory leak in CRYPTO_ASSOC

  - CVE-2015-7703 configuration directives 'pidfile' and     'driftfile' should only be allowed locally

  - CVE-2015-7704, CVE-2015-7705 Clients that receive a KoD     should validate the origin timestamp field

  - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702 Incomplete     autokey data packet length checks

  - obsoletes ntp-memlock.patch.

  - Add a controlkey line to /etc/ntp.conf if one does not     already exist to allow runtime configuuration via ntpq.

  - Temporarily disable memlock to avoid problems due to     high memory usage during name resolution (boo#946386,     ntp-memlock.patch).

  - Use SHA1 instead of MD5 for symmetric keys (boo#905885).

  - Improve runtime configuration :

  - Read keytype from ntp.conf

  - Don't write ntp keys to syslog.

  - Fix legacy action scripts to pass on command line     arguments.

  - Remove ntp.1.gz, it wasn't installed anymore.

  - Remove ntp-4.2.7-rh-manpages.tar.gz and only keep     ntptime.8.gz. The rest is partially irrelevant,     partially redundant and potentially outdated     (boo#942587).

  - Remove 'kod' from the restrict line in ntp.conf     (boo#944300).

  - Use ntpq instead of deprecated ntpdc in start-ntpd     (boo#936327).

  - Add a controlkey to ntp.conf to make the above work.

  - Don't let 'keysdir' lines in ntp.conf trigger the 'keys'     parser.

  - Disable mode 7 (ntpdc) again, now that we don't use it     anymore.

  - Add 'addserver' as a new legacy action.

  - Fix the comment regarding addserver in ntp.conf     (boo#910063).

  - Update to version 4.2.8p3 which incorporates all     security fixes and most other patches we have so far     (fate#319040). More information on:
    http://archive.ntp.org/ntp4/ChangeLog-stable

  - Disable chroot by default (boo#926510).

  - Enable ntpdc for backwards compatibility (boo#920238).

  - Security fix: ntp-keygen may generate non-random     symmetric keys

This network time protocol server ntp was updated to 4.2.8p6 to fix the following issues :

Also yast2-ntp-client was updated to match some sntp syntax changes.
(bsc#937837)

Major functional changes :

  - The 'sntp' commandline tool changed its option handling     in a major way.

  - 'controlkey 1' is added during update to ntp.conf to     allow sntp to work.

  - The local clock is being disabled during update.

  - ntpd is no longer running chrooted.

Other functional changes :

  - ntp-signd is installed.

  - 'enable mode7' can be added to the configuration to     allow ntdpc to work as compatibility mode option.

  - 'kod' was removed from the default restrictions.

  - SHA1 keys are used by default instead of MD5 keys.

These security issues were fixed :

  - CVE-2015-5219: An endless loop due to incorrect     precision to double conversion (bsc#943216).

  - CVE-2015-8158: Fixed potential infinite loop in ntpq     (bsc#962966).

  - CVE-2015-8138: Zero Origin Timestamp Bypass     (bsc#963002).

  - CVE-2015-7979: Off-path Denial of Service (DoS) attack     on authenticated broadcast mode (bsc#962784).

  - CVE-2015-7978: Stack exhaustion in recursive traversal     of restriction list (bsc#963000).

  - CVE-2015-7977: reslist NULL pointer dereference     (bsc#962970).

  - CVE-2015-7976: ntpq saveconfig command allows dangerous     characters in filenames (bsc#962802).

  - CVE-2015-7975: nextvar() missing length check     (bsc#962988).

  - CVE-2015-7974: Skeleton Key: Missing key check allows     impersonation between authenticated peers (bsc#962960).

  - CVE-2015-7973: Replay attack on authenticated broadcast     mode (bsc#962995).

  - CVE-2015-8140: ntpq vulnerable to replay attacks     (bsc#962994).

  - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose     origin (bsc#962997).

  - CVE-2015-5300: MITM attacker could have forced ntpd to     make a step larger than the panic threshold     (bsc#951629).

  - CVE-2015-7871: NAK to the Future: Symmetric association     authentication bypass via crypto-NAK (bsc#951608).

  - CVE-2015-7855: decodenetnum() will ASSERT botch instead     of returning FAIL on some bogus values (bsc#951608).

  - CVE-2015-7854: Password Length Memory Corruption     Vulnerability (bsc#951608).

  - CVE-2015-7853: Invalid length data provided by a custom     refclock driver could cause a buffer overflow     (bsc#951608).

  - CVE-2015-7852: ntpq atoascii() Memory Corruption     Vulnerability (bsc#951608).

  - CVE-2015-7851: saveconfig Directory Traversal     Vulnerability (bsc#951608).

  - CVE-2015-7850: remote config logfile-keyfile     (bsc#951608).

  - CVE-2015-7849: trusted key use-after-free (bsc#951608).

  - CVE-2015-7848: mode 7 loop counter underrun     (bsc#951608).

  - CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC     (bsc#951608).

  - CVE-2015-7703: configuration directives 'pidfile' and     'driftfile' should only be allowed locally (bsc#951608).

  - CVE-2015-7704, CVE-2015-7705: Clients that receive a KoD     should validate the origin timestamp field (bsc#951608).

  - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702: Incomplete     autokey data packet length checks (bsc#951608).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ntp was updated to version 4.2.8p6 to fix 12 security issues.

Also yast2-ntp-client was updated to match some sntp syntax changes.
(bsc#937837)

These security issues were fixed :

  - CVE-2015-8158: Fixed potential infinite loop in ntpq     (bsc#962966).

  - CVE-2015-8138: Zero Origin Timestamp Bypass     (bsc#963002).

  - CVE-2015-7979: Off-path Denial of Service (DoS) attack     on authenticated broadcast mode (bsc#962784).

  - CVE-2015-7978: Stack exhaustion in recursive traversal     of restriction list (bsc#963000).

  - CVE-2015-7977: reslist NULL pointer dereference     (bsc#962970).

  - CVE-2015-7976: ntpq saveconfig command allows dangerous     characters in filenames (bsc#962802).

  - CVE-2015-7975: nextvar() missing length check     (bsc#962988).

  - CVE-2015-7974: Skeleton Key: Missing key check allows     impersonation between authenticated peers (bsc#962960).

  - CVE-2015-7973: Replay attack on authenticated broadcast     mode (bsc#962995).

  - CVE-2015-8140: ntpq vulnerable to replay attacks     (bsc#962994).

  - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose     origin (bsc#962997).

  - CVE-2015-5300: MITM attacker could have forced ntpd to     make a step larger than the panic threshold     (bsc#951629).

These non-security issues were fixed :

  - fate#320758 bsc#975981: Enable compile-time support for     MS-SNTP (--enable-ntp-signd). This replaces the w32     patches in 4.2.4 that added the authreg directive.

  - bsc#962318: Call /usr/sbin/sntp with full path to     synchronize in start-ntpd. When run as cron job,     /usr/sbin/ is not in the path, which caused the     synchronization to fail.

  - bsc#782060: Speedup ntpq.

  - bsc#916617: Add /var/db/ntp-kod.

  - bsc#956773: Add ntp-ENOBUFS.patch to limit a warning     that might happen quite a lot on loaded systems.

  - bsc#951559,bsc#975496: Fix the TZ offset output of sntp     during DST.

  - Add ntp-fork.patch and build with threads disabled to     allow name resolution even when running chrooted.

This update was imported from the SUSE:SLE-12-SP1:Update update project.

ntp was updated to version 4.2.8p6 to fix 28 security issues.

Major functional changes :

  - The 'sntp' commandline tool changed its option handling     in a major way, some options have been renamed or     dropped.

  - 'controlkey 1' is added during update to ntp.conf to     allow sntp to work.

  - The local clock is being disabled during update.

  - ntpd is no longer running chrooted.

Other functional changes :

  - ntp-signd is installed.

  - 'enable mode7' can be added to the configuration to     allow ntdpc to work as compatibility mode option.

  - 'kod' was removed from the default restrictions.

  - SHA1 keys are used by default instead of MD5 keys.

Also yast2-ntp-client was updated to match some sntp syntax changes.
(bsc#937837)

These security issues were fixed :

  - CVE-2015-8158: Fixed potential infinite loop in ntpq     (bsc#962966).

  - CVE-2015-8138: Zero Origin Timestamp Bypass     (bsc#963002).

  - CVE-2015-7979: Off-path Denial of Service (DoS) attack     on authenticated broadcast mode (bsc#962784).

  - CVE-2015-7978: Stack exhaustion in recursive traversal     of restriction list (bsc#963000).

  - CVE-2015-7977: reslist NULL pointer dereference     (bsc#962970).

  - CVE-2015-7976: ntpq saveconfig command allows dangerous     characters in filenames (bsc#962802).

  - CVE-2015-7975: nextvar() missing length check     (bsc#962988).

  - CVE-2015-7974: Skeleton Key: Missing key check allows     impersonation between authenticated peers (bsc#962960).

  - CVE-2015-7973: Replay attack on authenticated broadcast     mode (bsc#962995).

  - CVE-2015-8140: ntpq vulnerable to replay attacks     (bsc#962994).

  - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose     origin (bsc#962997).

  - CVE-2015-5300: MITM attacker could have forced ntpd to     make a step larger than the panic threshold     (bsc#951629).

  - CVE-2015-7871: NAK to the Future: Symmetric association     authentication bypass via crypto-NAK (bsc#951608).

  - CVE-2015-7855: decodenetnum() will ASSERT botch instead     of returning FAIL on some bogus values (bsc#951608).

  - CVE-2015-7854: Password Length Memory Corruption     Vulnerability (bsc#951608).

  - CVE-2015-7853: Invalid length data provided by a custom     refclock driver could cause a buffer overflow     (bsc#951608).

  - CVE-2015-7852: ntpq atoascii() Memory Corruption     Vulnerability (bsc#951608).

  - CVE-2015-7851: saveconfig Directory Traversal     Vulnerability (bsc#951608).

  - CVE-2015-7850: remote config logfile-keyfile     (bsc#951608).

  - CVE-2015-7849: trusted key use-after-free (bsc#951608).

  - CVE-2015-7848: mode 7 loop counter underrun     (bsc#951608).

  - CVE-2015-7701: Slow memory leak in CRYPTO_ASSOC     (bsc#951608).

  - CVE-2015-7703: configuration directives 'pidfile' and     'driftfile' should only be allowed locally (bsc#951608).

  - CVE-2015-7704, CVE-2015-7705: Clients that receive a KoD     should validate the origin timestamp field (bsc#951608).

  - CVE-2015-7691, CVE-2015-7692, CVE-2015-7702: Incomplete     autokey data packet length checks (bsc#951608).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ntp was updated to version 4.2.8p6 to fix 12 security issues.

Also yast2-ntp-client was updated to match some sntp syntax changes.
(bsc#937837)

These security issues were fixed :

  - CVE-2015-8158: Fixed potential infinite loop in ntpq     (bsc#962966).

  - CVE-2015-8138: Zero Origin Timestamp Bypass     (bsc#963002).

  - CVE-2015-7979: Off-path Denial of Service (DoS) attack     on authenticated broadcast mode (bsc#962784).

  - CVE-2015-7978: Stack exhaustion in recursive traversal     of restriction list (bsc#963000).

  - CVE-2015-7977: reslist NULL pointer dereference     (bsc#962970).

  - CVE-2015-7976: ntpq saveconfig command allows dangerous     characters in filenames (bsc#962802).

  - CVE-2015-7975: nextvar() missing length check     (bsc#962988).

  - CVE-2015-7974: Skeleton Key: Missing key check allows     impersonation between authenticated peers (bsc#962960).

  - CVE-2015-7973: Replay attack on authenticated broadcast     mode (bsc#962995).

  - CVE-2015-8140: ntpq vulnerable to replay attacks     (bsc#962994).

  - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose     origin (bsc#962997).

  - CVE-2015-5300: MITM attacker could have forced ntpd to     make a step larger than the panic threshold     (bsc#951629).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ntp was updated to version 4.2.8p6 to fix 12 security issues.

These security issues were fixed :

  - CVE-2015-8158: Fixed potential infinite loop in ntpq     (bsc#962966).

  - CVE-2015-8138: Zero Origin Timestamp Bypass     (bsc#963002).

  - CVE-2015-7979: Off-path Denial of Service (DoS) attack     on authenticated broadcast mode (bsc#962784).

  - CVE-2015-7978: Stack exhaustion in recursive traversal     of restriction list (bsc#963000).

  - CVE-2015-7977: reslist NULL pointer dereference     (bsc#962970).

  - CVE-2015-7976: ntpq saveconfig command allows dangerous     characters in filenames (bsc#962802).

  - CVE-2015-7975: nextvar() missing length check     (bsc#962988).

  - CVE-2015-7974: Skeleton Key: Missing key check allows     impersonation between authenticated peers (bsc#962960).

  - CVE-2015-7973: Replay attack on authenticated broadcast     mode (bsc#962995).

  - CVE-2015-8140: ntpq vulnerable to replay attacks     (bsc#962994).

  - CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose     origin (bsc#962997).

  - CVE-2015-5300: MITM attacker could have forced ntpd to     make a step larger than the panic threshold     (bsc#951629).

The update package also includes non-security fixes. See advisory for details.

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Network Time Foundation reports :

NTF's NTP Project has been notified of the following low- and medium-severity vulnerabilities that are fixed in ntp-4.2.8p6, released on Tuesday, 19 January 2016 :

- Bug 2948 / CVE-2015-8158: Potential Infinite Loop in ntpq. Reported by Cisco ASIG.

- Bug 2945 / CVE-2015-8138: origin: Zero Origin Timestamp Bypass.
Reported by Cisco ASIG.

- Bug 2942 / CVE-2015-7979: Off-path Denial of Service (DoS) attack on authenticated broadcast mode. Reported by Cisco ASIG.

- Bug 2940 / CVE-2015-7978: Stack exhaustion in recursive traversal of restriction list. Reported by Cisco ASIG.

- Bug 2939 / CVE-2015-7977: reslist NULL pointer dereference. Reported by Cisco ASIG.

- Bug 2938 / CVE-2015-7976: ntpq saveconfig command allows dangerous characters in filenames. Reported by Cisco ASIG.

- Bug 2937 / CVE-2015-7975: nextvar() missing length check. Reported by Cisco ASIG.

- Bug 2936 / CVE-2015-7974: Skeleton Key: Missing key check allows impersonation between authenticated peers. Reported by Cisco ASIG.

- Bug 2935 / CVE-2015-7973: Deja Vu: Replay attack on authenticated broadcast mode. Reported by Cisco ASIG.

Additionally, mitigations are published for the following two issues :

- Bug 2947 / CVE-2015-8140: ntpq vulnerable to replay attacks.
Reported by Cisco ASIG.

- Bug 2946 / CVE-2015-8139: Origin Leak: ntpq and ntpdc, disclose origin. Reported by Cisco ASIG.

The version of the remote NTP server is 3.x or 4.x prior to 4.2.8p6.
It is, therefore, affected by the following vulnerabilities :

  - A flaw exists in the receive() function due to the use     of authenticated broadcast mode. A man-in-the-middle     attacker can exploit this to conduct a replay attack.
    (CVE-2015-7973)

  - A time serving flaw exists in the trusted key system     due to improper key checks. An authenticated, remote     attacker can exploit this to perform impersonation     attacks between authenticated peers. (CVE-2015-7974)

  - An overflow condition exists in the nextvar() function     due to improper validation of user-supplied input. A     local attacker can exploit this to cause a buffer     overflow, resulting in a denial of service condition.
    (CVE-2015-7975)

  - A flaw exists in ntp_control.c due to improper filtering     of special characters in filenames by the saveconfig     command. An authenticated, remote attacker can exploit     this to inject arbitrary content. (CVE-2015-7976)

  - A NULL pointer dereference flaw exists in ntp_request.c     that is triggered when handling ntpdc relist commands.
    A remote attacker can exploit this, via a specially     crafted request, to crash the service, resulting in a     denial of service condition. (CVE-2015-7977)

  - A flaw exists in ntpdc that is triggered during the     handling of the relist command. A remote attacker can     exploit this, via recursive traversals of the     restriction list, to exhaust available space on the call     stack, resulting in a denial of service condition.
    CVE-2015-7978)

  - An unspecified flaw exists in authenticated broadcast     mode. A remote attacker can exploit this, via specially     crafted packets, to cause a denial of service condition.
    (CVE-2015-7979)

  - A flaw exists in the receive() function that allows     packets with an origin timestamp of zero to bypass     security checks. A remote attacker can exploit this to     spoof arbitrary content. (CVE-2015-8138)

  - A flaw exists in ntpq and ntpdc that allows a remote     attacker to disclose sensitive information in     timestamps. (CVE-2015-8139)

  - A flaw exists in the ntpq protocol that is triggered     during the handling of an improper sequence of numbers.
    A man-in-the-middle attacker can exploit this to conduct     a replay attack. (CVE-2015-8140)

  - A flaw exists in the ntpq client that is triggered when     handling packets that cause a loop in the getresponse()     function. A remote attacker can exploit this to cause an     infinite loop, resulting in a denial of service     condition. (CVE-2015-8158)

ID	Name	Product	Family	Severity
198541	RHEL 6 : ntp (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
198530	RHEL 5 : ntp (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
198521	RHEL 7 : ntp (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
106499	pfSense < 2.3 Multiple Vulnerabilities (SA-16_01 - SA-16_02)	Nessus	Firewalls	critical
97499	F5 Networks BIG-IP : NTP vulnerabilities (K00329831)	Nessus	F5 Networks Local Security Checks	medium
96715	SUSE SLES11 Security Update : ntp (SUSE-SU-2017:0255-1)	Nessus	SuSE Local Security Checks	high
95986	SUSE SLES11 Security Update : ntp (SUSE-SU-2016:3193-1)	Nessus	SuSE Local Security Checks	high
92485	GLSA-201607-15 : NTP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
92357	AIX NTP v4 Advisory : ntp_advisory6.asc (IV83983) (IV83992)	Nessus	AIX Local Security Checks	high
92356	AIX NTP v3 Advisory : ntp_advisory6.asc (IV83984) (IV83993) (IV83994) (IV83995) (IV84269)	Nessus	AIX Local Security Checks	high
91403	openSUSE Security Update : ntp (openSUSE-2016-649)	Nessus	SuSE Local Security Checks	critical
91248	SUSE SLES11 Security Update : ntp (SUSE-SU-2016:1311-1)	Nessus	SuSE Local Security Checks	critical
91111	openSUSE Security Update : ntp (openSUSE-2016-578)	Nessus	SuSE Local Security Checks	high
90991	SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1247-1)	Nessus	SuSE Local Security Checks	critical
90821	SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1177-1)	Nessus	SuSE Local Security Checks	high
90820	SUSE SLES11 Security Update : ntp (SUSE-SU-2016:1175-1)	Nessus	SuSE Local Security Checks	high
88068	FreeBSD : ntp -- multiple vulnerabilities (5237f5d7-c020-11e5-b397-d050996490d0)	Nessus	FreeBSD Local Security Checks	high
88054	Network Time Protocol Daemon (ntpd) 3.x / 4.x < 4.2.8p6 Multiple Vulnerabilities	Nessus	Misc.	medium

Detections

Analytics

CVE-2015-8140

medium

Tenable Plugins

critical

critical

critical

critical

medium

high

high

critical

high

high

critical

critical

high

critical

high

high

high

medium