
CERT Coordination Center

NTP.org ntpd is vulnerable to denial of service and other vulnerabilities

Vulnerability Note VU#321640

Original Release Date: 2016-06-02 | Last Revised: 2016-06-06

Overview

NTP.org's reference implementation of NTP server, ntpd, contains multiple vulnerabilities.

Description

NTP.org's reference implementation of NTP server, ntpd, contains multiple vulnerabilities. A brief overview follows, but details may be found in NTP's security advisory listing and in the individual links below.

CRYPTO-NAK denial of service introduced in Sec 3007 patch. See Sec 3046, CVE-2016-4957. The CVSS score below describes this vulnerability.

Bad authentication demobilizes ephemeral associations. See Sec 3045, CVE-2016-4953.

Processing of spoofed server packets affects peer variables. See Sec 3044, CVE-2016-4954.

Autokey associations may be reset when repeatedly receiving spoofed packets. See Sec 3043, CVE-2016-4955.

Broadcast associations are not covered in Sec 2978 patch, which may be leveraged to flip broadcast clients into interleave mode. See Sec 3042, CVE-2016-4956.

Impact

Unauthenticated, remote attackers may be able to spoof or send specially crafted packets to create denial of service conditions.

Solution

Apply an update

The vendor has released version 4.2.8p8 to address these issues. Users are encouraged to update to the latest release. Those unable to update should consider mitigations listed in NTP's security advisory listing.
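To find hosts still running a release older than the fixed 4.2.8p8, an inventory of reported ntpd version strings can be compared against it. The following is an added example, not code from CERT/CC or NTP.org; the `host<TAB>version` inventory layout, the host names and the sample version strings are constructed for illustration. A version comparison cannot see vendor backports (for example, a distribution that patches without changing the version string), so treat "older-than-fix" as a prompt to check the vendor's advisory.

```python
import re

# Fixed release named in this note: 4.2.8p8 -> (major, minor, point, patch).
FIXED = (4, 2, 8, 8)

# Assumed input: a string containing an NTP.org-style version such as
# "ntpd 4.2.8p7@1.3265-o ..." or a bare "4.2.8p8-RC1".
# The lookarounds stop the pattern from matching inside longer dotted
# numbers such as IPv4 addresses.
_VERSION_RE = re.compile(
    r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:p(\d+))?(?:-(RC|beta)(\d+))?(?!\.?\d)",
    re.IGNORECASE,
)


def parse_version(text):
    """Return ((major, minor, point, patch), is_prerelease), or None."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    version = (
        int(m.group(1)),
        int(m.group(2)),
        int(m.group(3)),
        int(m.group(4) or 0),  # no "pN" suffix means patch level 0
    )
    return version, m.group(5) is not None


def classify(text):
    """Classify a version string relative to the fixed release 4.2.8p8.

    Returns "older-than-fix", "fixed-or-later" or "unknown".
    """
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"  # not an NTP.org-style version string
    version, prerelease = parsed
    if version[:2] > FIXED[:2]:
        # A later release line (e.g. development builds): this note names
        # only 4.2.8p8, so do not guess whether such a build has the fixes.
        return "unknown"
    if version < FIXED or (version == FIXED and prerelease):
        # A release candidate of 4.2.8p8 sorts before the final release.
        return "older-than-fix"
    return "fixed-or-later"


def audit(inventory_text):
    """Map each host in a 'host<TAB>version string' inventory to a status."""
    results = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, _, version_text = line.partition("\t")
        results[host.strip()] = classify(version_text)
    return results


def hosts_needing_update(inventory_text):
    """Return the sorted hosts whose ntpd is older than the fixed release."""
    return sorted(
        host for host, status in audit(inventory_text).items()
        if status == "older-than-fix"
    )


# Constructed sample inventory (host names and build tags are made up).
SAMPLE_INVENTORY = "\n".join([
    "ntp-a.example\tntpd 4.2.8p7@1.3265-o Tue Apr 26 12:00:00 UTC 2016 (1)",
    "ntp-b.example\tntpd 4.2.8p8@1.3265-o Fri Jun  3 12:00:00 UTC 2016 (1)",
    "ntp-c.example\tntpd 4.2.6p5",
    "ntp-d.example\t4.2.8p8-RC1",
    "ntp-e.example\tntpd 4.3.92",
    "ntp-f.example\tchronyd (chrony) version 2.4",
])

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}\t{status}")
```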

Vendor Information


FreeBSD Project

Notified:  May 27, 2016 Updated:  June 06, 2016

Statement Date:   June 04, 2016

Status

  Affected

Vendor Statement

As of 2016-06-04 05:46:52 UTC, we published a fix for all supported FreeBSD releases. We have published a security advisory for this at https://www.freebsd.org/security/advisories/FreeBSD-SA-16:24.ntp.asc.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

NTP Project

Notified:  May 25, 2016 Updated:  June 02, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

AT&T

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Alcatel-Lucent

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Apple

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Arista Networks, Inc.

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Aruba Networks

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Avaya, Inc.

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Belkin, Inc.

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Blue Coat Systems

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

CA Technologies

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

CentOS

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Check Point Software Technologies

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Cisco

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

CoreOS

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

D-Link Systems, Inc.

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Debian GNU/Linux

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

DesktopBSD

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

DragonFly BSD Project

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

EMC Corporation

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

EfficientIP SAS

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Enterasys Networks

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Ericsson

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Extreme Networks

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

F5 Networks, Inc.

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Fedora Project

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Force10 Networks

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Gentoo Linux

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Google

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Hardened BSD

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Hewlett Packard Enterprise

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Hitachi

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Huawei Technologies

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

IBM Corporation

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Infoblox

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Intel Corporation

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Internet Systems Consortium

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Internet Systems Consortium - DHCP

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Juniper Networks

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Lenovo

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

McAfee

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Microsoft Corporation

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

NEC Corporation

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

NTPsec

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

NetBSD

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Nokia

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Nominum

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

OmniTI

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

OpenBSD

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

OpenDNS

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Openwall GNU/*/Linux

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Oracle Corporation

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Peplink

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Q1 Labs

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

QNX Software Systems Inc.

Notified:  May 27, 2016 Updated:  May 27, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

                                                                                                              Red Hat, Inc.

                                                                                                              Notified:  May 27, 2016 Updated:  May 27, 2016

                                                                                                              Status

                                                                                                                Unknown

                                                                                                              Vendor Statement

                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                              Vendor References

                                                                                                                SUSE Linux

                                                                                                                Notified:  May 27, 2016 Updated:  May 27, 2016

                                                                                                                Status

                                                                                                                  Unknown

                                                                                                                Vendor Statement

                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                Vendor References

                                                                                                                  SafeNet

                                                                                                                  Notified:  May 27, 2016 Updated:  May 27, 2016

                                                                                                                  Status

                                                                                                                    Unknown

                                                                                                                  Vendor Statement

                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                  Vendor References

                                                                                                                    Secure64 Software Corporation

                                                                                                                    Notified:  May 27, 2016 Updated:  May 27, 2016

                                                                                                                    Status

                                                                                                                      Unknown

                                                                                                                    Vendor Statement

                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                    Vendor References

                                                                                                                      Slackware Linux Inc.

                                                                                                                      Notified:  May 27, 2016 Updated:  May 27, 2016

                                                                                                                      Status

                                                                                                                        Unknown

                                                                                                                      Vendor Statement

                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                      Vendor References

                                                                                                                        SmoothWall

                                                                                                                        Notified:  May 27, 2016 Updated:  May 27, 2016

                                                                                                                        Status

                                                                                                                          Unknown

                                                                                                                        Vendor Statement

                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                        Vendor References

                                                                                                                          Snort

                                                                                                                          Notified:  May 27, 2016 Updated:  May 27, 2016

                                                                                                                          Status

                                                                                                                            Unknown

                                                                                                                          Vendor Statement

                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                          Vendor References

                                                                                                                            Sony Corporation

                                                                                                                            Notified:  May 27, 2016 Updated:  May 27, 2016

                                                                                                                            Status

                                                                                                                              Unknown

                                                                                                                            Vendor Statement

                                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                            Vendor References

                                                                                                                              Sourcefire

                                                                                                                              Notified:  May 27, 2016 Updated:  May 27, 2016

                                                                                                                              Status

                                                                                                                                Unknown

                                                                                                                              Vendor Statement

                                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                              Vendor References

                                                                                                                                Symantec

                                                                                                                                Notified:  May 27, 2016 Updated:  May 27, 2016

                                                                                                                                Status

                                                                                                                                  Unknown

                                                                                                                                Vendor Statement

                                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                Vendor References

                                                                                                                                  TippingPoint Technologies Inc.

                                                                                                                                  Notified:  May 27, 2016 Updated:  May 27, 2016

                                                                                                                                  Status

                                                                                                                                    Unknown

                                                                                                                                  Vendor Statement

                                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                  Vendor References

                                                                                                                                    Turbolinux

                                                                                                                                    Notified:  May 27, 2016 Updated:  May 27, 2016

                                                                                                                                    Status

                                                                                                                                      Unknown

                                                                                                                                    Vendor Statement

                                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                    Vendor References

                                                                                                                                      Ubuntu

                                                                                                                                      Notified:  May 27, 2016 Updated:  May 27, 2016

                                                                                                                                      Status

                                                                                                                                        Unknown

                                                                                                                                      Vendor Statement

                                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                      Vendor References

                                                                                                                                        Unisys

                                                                                                                                        Notified:  May 27, 2016 Updated:  May 27, 2016

                                                                                                                                        Status

                                                                                                                                          Unknown

                                                                                                                                        Vendor Statement

                                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                        Vendor References

                                                                                                                                          VMware

                                                                                                                                          Notified:  May 27, 2016 Updated:  May 27, 2016

                                                                                                                                          Status

                                                                                                                                            Unknown

                                                                                                                                          Vendor Statement

                                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                          Vendor References

                                                                                                                                            Wind River

                                                                                                                                            Notified:  May 27, 2016 Updated:  May 27, 2016

                                                                                                                                            Status

                                                                                                                                              Unknown

                                                                                                                                            Vendor Statement

                                                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                            Vendor References

                                                                                                                                              dnsmasq

                                                                                                                                              Notified:  May 27, 2016 Updated:  May 27, 2016

                                                                                                                                              Status

                                                                                                                                                Unknown

                                                                                                                                              Vendor Statement

                                                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                              Vendor References

                                                                                                                                                m0n0wall

                                                                                                                                                Notified:  May 27, 2016 Updated:  May 27, 2016

                                                                                                                                                Status

                                                                                                                                                  Unknown

                                                                                                                                                Vendor Statement

                                                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                Vendor References

                                                                                                                                                  openSUSE project

                                                                                                                                                  Notified:  May 27, 2016 Updated:  May 27, 2016

                                                                                                                                                  Status

                                                                                                                                                    Unknown

                                                                                                                                                  Vendor Statement

                                                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                  Vendor References



CVSS Metrics

Group          Score   Vector
Base           7.8     AV:N/AC:L/Au:N/C:N/I:N/A:C
Temporal       6.4     E:F/RL:OF/RC:C
Environmental  6.4     CDP:N/TD:H/CR:ND/IR:ND/AR:ND

                                                                                                                                                    Acknowledgements

                                                                                                                                                    The NTP Project credits Nicolas Edet of Cisco, Miroslav Lichvar of Red Hat, and Jakub Prokes of Red Hat for reporting these vulnerabilities.

                                                                                                                                                    This document was written by Joel Land.

                                                                                                                                                    Other Information

                                                                                                                                                    CVE IDs: CVE-2016-4953, CVE-2016-4954, CVE-2016-4955, CVE-2016-4956, CVE-2016-4957
                                                                                                                                                    Date Public: 2016-06-02
                                                                                                                                                    Date First Published: 2016-06-02
                                                                                                                                                    Date Last Updated: 2016-06-06 14:21 UTC
                                                                                                                                                    Document Revision: 8

                                                                                                                                                    Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.