search menu icon-carat-right cmu-wordmark

CERT Coordination Center

NTP Project ntpd reference implementation contains multiple vulnerabilities

Vulnerability Note VU#374268

Original Release Date: 2015-04-07 | Last Revised: 2015-04-10

Overview

NTP Project ntpd reference implementation accepts unauthenticated packets with symmetric key cryptography and does not protect symmetric associations against denial of service attacks.

Description

CVE-2015-1798, bug 2779:

In NTP4 installations utilizing symmetric key authentication, versions ntp-4.2.5p99 to ntp-4.2.8p1, packets with no message authentication code (MAC) are accepted as though they have a valid MAC. An attacker may be able to leverage this validation error to send packets that will be accepted by the client. The CVSS score reflects this issue.

CVE-2015-1799, bug 2781:

In NTP installations utilizing symmetric key authentication, including xntp3.3wy to version ntp-4.2.8p1, a denial of service condition is created when two peering hosts receive packets in which the originate and transmit timestamps do not match. An attacker who periodically sends such packets to both hosts can prevent synchronization.

For more information about these issues, visit NTP's security notice.

Impact

An unauthenticated attacker with network access may be able to inject packets or prevent peer synchronization among symmetrically authenticated hosts.

Solution

Apply an update

The NTP Project has released version ntp-4.2.8p2 to address these issues.

Vendor Information

374268
 
Affected   Unknown   Unaffected

Arista Networks, Inc.

Updated:  April 10, 2015

Statement Date:   April 09, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

FreeBSD Project

Notified:  March 24, 2015 Updated:  April 10, 2015

Statement Date:   April 09, 2015

Status

  Affected

Vendor Statement

The vulnerabilities in 374268 (different from 852879) have been resolved by FreeBSD-SA-15:07.ntp.

https://www.freebsd.org/security/advisories/FreeBSD-SA-15:07.ntp.asc

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.freebsd.org/security/advisories/FreeBSD-SA-15:07.ntp.asc

NTP Project

Notified:  March 23, 2015 Updated:  April 07, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://support.ntp.org/bin/view/Main/SecurityNotice http://www.ntp.org/downloads.html

EfficientIP

Updated:  April 10, 2015

Statement Date:   April 09, 2015

Status

  Not Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

AT&T

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Alcatel-Lucent

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Apple

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Arch Linux

Notified:  March 30, 2015 Updated:  March 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Avaya, Inc.

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Barracuda Networks

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Belkin, Inc.

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Blue Coat Systems

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Brocade

Notified:  March 30, 2015 Updated:  March 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CA Technologies

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CentOS

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Check Point Software Technologies

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Cisco

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Cray Inc.

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

D-Link Systems, Inc.

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Debian GNU/Linux

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

DesktopBSD

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

DragonFly BSD Project

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

EMC Corporation

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Enterasys Networks

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Ericsson

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Extreme Networks

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

F5 Networks, Inc.

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Fedora Project

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Force10 Networks

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Fortinet, Inc.

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Fujitsu

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Gentoo Linux

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Global Technology Associates, Inc.

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Hewlett-Packard Company

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Hitachi

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Huawei Technologies

Notified:  March 30, 2015 Updated:  March 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

IBM Corporation

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

IBM eServer

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Infoblox

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Intel Corporation

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Intoto

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Juniper Networks

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Mandriva S. A.

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

McAfee

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Microsemi

Notified:  April 09, 2015 Updated:  April 09, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Microsoft Corporation

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

NEC Corporation

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

NetBSD

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Nokia

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Novell, Inc.

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OmniTI

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OpenBSD

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Oracle Corporation

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

PC-BSD

Notified:  March 30, 2015 Updated:  March 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Palo Alto Networks

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Peplink

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Process Software

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Q1 Labs

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

QNX Software Systems Inc.

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Quagga

Notified:  March 30, 2015 Updated:  March 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Red Hat, Inc.

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

SUSE Linux

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

SafeNet

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Slackware Linux Inc.

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

SmoothWall

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Snort

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Sony Corporation

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Sourcefire

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Stonesoft

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Symantec

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

The SCO Group

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

TippingPoint Technologies Inc.

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Turbolinux

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Ubuntu

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Unisys

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

VMware

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vyatta

Notified:  March 30, 2015 Updated:  March 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Watchguard Technologies, Inc.

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Wind River

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

ZyXEL

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

eSoft, Inc.

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

m0n0wall

Notified:  March 24, 2015 Updated:  March 24, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

openSUSE project

Notified:  March 30, 2015 Updated:  March 30, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

View all 85 vendors View less vendors


CVSS Metrics

Group Score Vector
Base 5.4 AV:A/AC:M/Au:N/C:P/I:P/A:P
Temporal 4.2 E:POC/RL:OF/RC:C
Environmental 4.2 CDP:N/TD:H/CR:ND/IR:ND/AR:ND

References

Credit

The NTP Project credits Miroslav Lichvar of Red Hat for reporting these issues.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2015-1798, CVE-2015-1799
Date Public: 2015-04-07
Date First Published: 2015-04-07
Date Last Updated: 2015-04-10 18:36 UTC
Document Revision: 18

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.