
CERT Coordination Center

NTP.org ntpd contains multiple denial of service vulnerabilities

Vulnerability Note VU#633847

Original Release Date: 2016-11-21 | Last Revised: 2017-11-20

Overview

NTP.org ntpd versions ntp-4.2.7p385 up to but not including ntp-4.2.8p9 and ntp-4.3.0 up to but not including ntp-4.3.94 contain multiple denial of service vulnerabilities.

Description

NTP.org's ntpd versions ntp-4.2.7p385 up to but not including ntp-4.2.8p9, and ntp-4.3.0 up to but not including ntp-4.3.94, contain multiple denial of service vulnerabilities.

CWE-476: NULL Pointer Dereference - CVE-2016-9311

According to NTP.org, "ntpd does not enable trap service by default. If trap service has been explicitly enabled, an attacker can send a specially crafted packet to cause a null pointer dereference that will crash ntpd, resulting in a denial of service. Affects Windows only."

CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2016-9310

According to NTP.org, "An exploitable configuration modification vulnerability exists in the control mode (mode 6) functionality of ntpd. If, against long-standing BCP recommendations, "restrict default noquery ..." is not specified, a specially crafted control mode packet can set ntpd traps, providing information disclosure and DDoS amplification, and unset ntpd traps, disabling legitimate monitoring. A remote, unauthenticated, network attacker can trigger this vulnerability."

CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2016-7427

According to NTP.org, "The broadcast mode of NTP is expected to only be used in a trusted network. If the broadcast network is accessible to an attacker, a potentially exploitable denial of service vulnerability in ntpd's broadcast mode replay prevention functionality can be abused. An attacker with access to the NTP broadcast domain can periodically inject specially crafted broadcast mode NTP packets into the broadcast domain which, while being logged by ntpd, can cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers."


CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2016-7428

According to NTP.org, "The broadcast mode of NTP is expected to only be used in a trusted network. If the broadcast network is accessible to an attacker, a potentially exploitable denial of service vulnerability in ntpd's broadcast mode poll interval enforcement functionality can be abused. To limit abuse, ntpd restricts the rate at which each broadcast association will process incoming packets. ntpd will reject broadcast mode packets that arrive before the poll interval specified in the preceding broadcast packet expires. An attacker with access to the NTP broadcast domain can send specially crafted broadcast mode NTP packets to the broadcast domain which, while being logged by ntpd, will cause ntpd to reject broadcast mode packets from legitimate NTP broadcast servers."

CWE-410: Insufficient Resource Pool - CVE-2016-9312

According to NTP.org, "If a vulnerable instance of ntpd on Windows receives a crafted malicious packet that is "too big", ntpd will stop working."

CWE-20: Improper Input Validation - CVE-2016-7431

According to NTP.org, "Zero Origin timestamp problems were fixed by Bug 2945 in ntp-4.2.8p6. However, subsequent timestamp validation checks introduced a regression in the handling of some Zero origin timestamp checks."

CWE-20: Improper Input Validation - CVE-2016-7434

According to NTP.org, "If ntpd is configured to allow mrulist query requests from a server that sends a crafted malicious packet, ntpd will crash on receipt of that crafted malicious mrulist query packet."

CWE-605: Multiple Binds to the Same Port - CVE-2016-7429

According to NTP.org, "When ntpd receives a server response on a socket that corresponds to a different interface than was used for the request, the peer structure is updated to use the interface for new requests. If ntpd is running on a host with multiple interfaces in separate networks and the operating system doesn't check source address in received packets (e.g. rp_filter on Linux is set to 0), an attacker that knows the address of the source can send a packet with spoofed source address which will cause ntpd to select wrong interface for the source and prevent it from sending new requests until the list of interfaces is refreshed, which happens on routing changes or every 5 minutes by default. If the attack is repeated often enough (once per second), ntpd will not be able to synchronize with the source."

CWE-410: Insufficient Resource Pool - CVE-2016-7426

According to NTP.org, "When ntpd is configured with rate limiting for all associations (restrict default limited in ntp.conf), the limits are applied also to responses received from its configured sources. An attacker who knows the sources (e.g., from an IPv4 refid in server response) and knows the system is (mis)configured in this way can periodically send packets with spoofed source address to keep the rate limiting activated and prevent ntpd from accepting valid responses from its sources."

CWE-682: Incorrect Calculation - CVE-2016-7433

According to NTP.org, "Bug 2085 described a condition where the root delay was included twice, causing the jitter value to be higher than expected. Due to a misinterpretation of a small-print variable in The Book, the fix for this problem was incorrect, resulting in a root distance that did not include the peer dispersion. The calculations and formulae have been reviewed and reconciled, and the code has been updated accordingly."

For more information, please see NTP.org's security advisory.

The CVSS score below is based on CVE-2016-9312.

Impact

A remote unauthenticated attacker may be able to perform a denial of service on ntpd.

Solution

Implement BCP-38.

Use "restrict default noquery ..." in your ntp.conf file. Only allow mode 6 queries from trusted networks and hosts.

Apply an update

Upgrade to 4.2.8p9, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.

Monitor ntpd

Properly monitor your ntpd instances, and auto-restart ntpd (without -g) if it stops running.
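
The following is an added example, not code from CERT/CC or NTP.org. It checks an ntpd version string against the affected ranges stated in this note and audits the restrict lines of an ntp.conf for the "restrict default noquery" mitigation and for the "restrict default limited" configuration named under CVE-2016-7426. The function names and both sample configurations are constructed for illustration.

```python
import re

# Affected ranges from the note: [4.2.7p385, 4.2.8p9) and [4.3.0, 4.3.94).
AFFECTED_RANGES = [((4, 2, 7, 385), (4, 2, 8, 9)), ((4, 3, 0, 0), (4, 3, 94, 0))]
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_version(text):
    """Return (major, minor, point, patch) from e.g. 'ntpd 4.2.8p8@1.3265-o'."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError("no ntp version found in %r" % text)
    return tuple(int(part or 0) for part in match.groups())


def is_affected(text):
    """True if the version in `text` falls inside a range listed in the note."""
    version = parse_version(text)
    return any(low <= version < high for low, high in AFFECTED_RANGES)


def audit_restrict(conf_text):
    """Audit the 'restrict' lines of an ntp.conf.

    Returns a dict with 'findings' (problems with the default entry) and
    'query_allowed' (non-default entries that still permit mode 6 queries,
    to be compared with the list of trusted networks and hosts).
    An entry written as '0.0.0.0 mask 0.0.0.0' is not treated as 'default'.
    """
    default_denies = {"IPv4": False, "IPv6": False}
    findings, query_allowed = [], []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # drop comments
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        families = ["IPv4", "IPv6"]                # plain 'default' covers both
        if args[0] in ("-4", "-6"):
            families = ["IPv4"] if args[0] == "-4" else ["IPv6"]
            args = args[1:]
        if not args:
            continue
        address, rest = args[0], args[1:]
        if len(rest) >= 2 and rest[0] == "mask":
            address, rest = "%s mask %s" % (address, rest[1]), rest[2:]
        flags = set(rest)
        # 'ignore' drops every packet, so it also blocks mode 6 queries.
        denies_query = bool(flags & {"noquery", "ignore"})
        if address == "default":
            for family in families:
                default_denies[family] = default_denies[family] or denies_query
            if "limited" in flags:
                findings.append("default entry sets 'limited': the "
                                "configuration described under CVE-2016-7426")
        elif not denies_query:
            query_allowed.append(address)
    for family, denied in default_denies.items():
        if not denied:
            findings.append("%s default entry lacks noquery: mode 6 queries "
                            "are accepted from any host" % family)
    return {"findings": findings, "query_allowed": query_allowed}


# Constructed sample: default entry without noquery and with 'limited'.
WEAK_CONF = """\
driftfile /var/lib/ntp/drift
restrict default limited kod nomodify notrap nopeer
restrict 127.0.0.1
server ntp1.example.net iburst
"""

# Constructed sample: noquery by default, queries allowed from loopback and
# one management network (192.0.2.0/24 is a documentation range).
HARDENED_CONF = """\
restrict default nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
server ntp1.example.net iburst
"""

if __name__ == "__main__":
    for banner in ("ntpd 4.2.8p8@1.3265-o", "ntpd 4.2.8p9", "ntpd 4.3.93"):
        print(banner, "affected" if is_affected(banner) else "not in range")
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        report = audit_restrict(conf)
        print(name, report["findings"], report["query_allowed"])
```

Distribution packages can carry backported fixes under an older upstream version string, so a match on the version check is a reason to consult the vendor's own advisory rather than a final verdict.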

Vendor Information

NTP Project

Updated:  November 18, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CoreOS

Notified:  November 21, 2016 Updated:  November 21, 2016

Statement Date:   November 21, 2016

Status

  Not Affected

Vendor Statement

CoreOS Container Linux, by default, is not affected by this since ntpd is disabled.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

AT&T

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Alcatel-Lucent

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Apple

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Arch Linux

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Arista Networks, Inc.

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Aruba Networks

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Avaya, Inc.

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Barracuda Networks

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Belkin, Inc.

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Blue Coat Systems

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Brocade Communication Systems

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

CA Technologies

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

CMX Systems

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

CentOS

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Check Point Software Technologies

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Cisco

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Contiki OS

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

D-Link Systems, Inc.

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Debian GNU/Linux

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

DesktopBSD

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

DragonFly BSD Project

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

EMC Corporation

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

EfficientIP SAS

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Enterasys Networks

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Ericsson

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

European Registry for Internet Domains

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Extreme Networks

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

F5 Networks, Inc.

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Fedora Project

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Force10 Networks

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Fortinet, Inc.

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Foundry Brocade

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

FreeBSD Project

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

GNU adns

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

GNU glibc

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Gentoo Linux

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Google

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Hardened BSD

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Hewlett Packard Enterprise

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Hitachi

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Huawei Technologies

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

IBM Corporation

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Infoblox

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Intel Corporation

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Internet Systems Consortium

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Internet Systems Consortium - DHCP

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

JH Software

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Juniper Networks

Notified:  November 21, 2016 Updated:  November 21, 2016

Status

  Unknown

Vendor Statement

                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                  Vendor References

                                                                                                    Lenovo

                                                                                                    Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                    Status

                                                                                                      Unknown

                                                                                                    Vendor Statement

                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                    Vendor References

                                                                                                      Lynx Software Technologies

                                                                                                      Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                      Status

                                                                                                        Unknown

                                                                                                      Vendor Statement

                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                      Vendor References

                                                                                                        McAfee

                                                                                                        Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                        Status

                                                                                                          Unknown

                                                                                                        Vendor Statement

                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                        Vendor References

                                                                                                          Microchip Technology

                                                                                                          Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                          Status

                                                                                                            Unknown

                                                                                                          Vendor Statement

                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                          Vendor References

                                                                                                            Microsoft Corporation

                                                                                                            Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                            Status

                                                                                                              Unknown

                                                                                                            Vendor Statement

                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                            Vendor References

                                                                                                              NEC Corporation

                                                                                                              Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                              Status

                                                                                                                Unknown

                                                                                                              Vendor Statement

                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                              Vendor References

                                                                                                                NLnet Labs

                                                                                                                Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                                Status

                                                                                                                  Unknown

                                                                                                                Vendor Statement

                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                Vendor References

                                                                                                                  NetBSD

                                                                                                                  Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                                  Status

                                                                                                                    Unknown

                                                                                                                  Vendor Statement

                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                  Vendor References

                                                                                                                    Nokia

                                                                                                                    Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                                    Status

                                                                                                                      Unknown

                                                                                                                    Vendor Statement

                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                    Vendor References

                                                                                                                      Nominum

                                                                                                                      Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                                      Status

                                                                                                                        Unknown

                                                                                                                      Vendor Statement

                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                      Vendor References

                                                                                                                        OmniTI

                                                                                                                        Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                                        Status

                                                                                                                          Unknown

                                                                                                                        Vendor Statement

                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                        Vendor References

                                                                                                                          OpenBSD

                                                                                                                          Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                                          Status

                                                                                                                            Unknown

                                                                                                                          Vendor Statement

                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                          Vendor References

                                                                                                                            OpenDNS

                                                                                                                            Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                                            Status

                                                                                                                              Unknown

                                                                                                                            Vendor Statement

                                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                            Vendor References

                                                                                                                              Openwall GNU/*/Linux

                                                                                                                              Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                                              Status

                                                                                                                                Unknown

                                                                                                                              Vendor Statement

                                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                              Vendor References

                                                                                                                                Oracle Corporation

                                                                                                                                Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                                                Status

                                                                                                                                  Unknown

                                                                                                                                Vendor Statement

                                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                Vendor References

                                                                                                                                  Oryx Embedded

                                                                                                                                  Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                                                  Status

                                                                                                                                    Unknown

                                                                                                                                  Vendor Statement

                                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                  Vendor References

                                                                                                                                    Peplink

                                                                                                                                    Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                                                    Status

                                                                                                                                      Unknown

                                                                                                                                    Vendor Statement

                                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                    Vendor References

                                                                                                                                      PowerDNS

                                                                                                                                      Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                                                      Status

                                                                                                                                        Unknown

                                                                                                                                      Vendor Statement

                                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                      Vendor References

                                                                                                                                        Q1 Labs

                                                                                                                                        Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                                                        Status

                                                                                                                                          Unknown

                                                                                                                                        Vendor Statement

                                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                        Vendor References

                                                                                                                                          QNX Software Systems Inc.

                                                                                                                                          Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                                                          Status

                                                                                                                                            Unknown

                                                                                                                                          Vendor Statement

                                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                          Vendor References

                                                                                                                                            Quadros Systems

                                                                                                                                            Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                                                            Status

                                                                                                                                              Unknown

                                                                                                                                            Vendor Statement

                                                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                            Vendor References

                                                                                                                                              Red Hat, Inc.

                                                                                                                                              Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                                                              Status

                                                                                                                                                Unknown

                                                                                                                                              Vendor Statement

                                                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                              Vendor References

                                                                                                                                                Rocket RTOS

                                                                                                                                                Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                                                                Status

                                                                                                                                                  Unknown

                                                                                                                                                Vendor Statement

                                                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                Vendor References

                                                                                                                                                  SUSE Linux

                                                                                                                                                  Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                                                                  Status

                                                                                                                                                    Unknown

                                                                                                                                                  Vendor Statement

                                                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                  Vendor References

                                                                                                                                                    SafeNet

                                                                                                                                                    Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                                                                    Status

                                                                                                                                                      Unknown

                                                                                                                                                    Vendor Statement

                                                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                    Vendor References

                                                                                                                                                      Secure64 Software Corporation

                                                                                                                                                      Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                                                                      Status

                                                                                                                                                        Unknown

                                                                                                                                                      Vendor Statement

                                                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                      Vendor References

                                                                                                                                                        Slackware Linux Inc.

                                                                                                                                                        Notified:  November 21, 2016 Updated:  November 21, 2016

                                                                                                                                                        Status

                                                                                                                                                          Unknown

                                                                                                                                                        Vendor Statement

                                                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                        Vendor References

SmoothWall

Notified: November 21, 2016 Updated: November 21, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Snort

Notified: November 21, 2016 Updated: November 21, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Sony Corporation

Notified: November 21, 2016 Updated: November 21, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Sourcefire

Notified: November 21, 2016 Updated: November 21, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Symantec

Notified: November 21, 2016 Updated: November 21, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

TCPWave

Notified: November 21, 2016 Updated: November 21, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

TippingPoint Technologies Inc.

Notified: November 21, 2016 Updated: November 21, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Tizen

Notified: November 21, 2016 Updated: November 21, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

TrueOS

Notified: November 21, 2016 Updated: November 21, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Turbolinux

Notified: November 21, 2016 Updated: November 21, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Ubuntu

Notified: November 21, 2016 Updated: November 21, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Unisys

Notified: November 21, 2016 Updated: November 21, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

VMware

Notified: November 21, 2016 Updated: November 21, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Wind River

Notified: November 21, 2016 Updated: November 21, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

WizNET Technology

Notified: November 21, 2016 Updated: November 21, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Xilinx

Notified: November 21, 2016 Updated: November 21, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

Zephyr Project

Notified: November 21, 2016 Updated: November 21, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

ZyXEL

Notified: November 21, 2016 Updated: November 21, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

dnsmasq

Notified: November 21, 2016 Updated: November 21, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

gdnsd

Notified: November 21, 2016 Updated: November 21, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

m0n0wall

Notified: November 21, 2016 Updated: November 21, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

openSUSE project

Notified: November 21, 2016 Updated: November 21, 2016

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References



CVSS Metrics

Group          Score  Vector
Base           7.8    AV:N/AC:L/Au:N/C:N/I:N/A:C
Temporal       6.1    E:POC/RL:OF/RC:C
Environmental  6.1    CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Acknowledgements

NTP.org thanks Matthew Van Gundy of Cisco, Robert Pajak, Sharon Goldberg and Aanchal Malhotra of Boston University, Magnus Stubman, Miroslav Lichvar of Red Hat, and Brian Utterback of Oracle for reporting these vulnerabilities.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7429, CVE-2016-7431, CVE-2016-7433, CVE-2016-7434, CVE-2016-9310, CVE-2016-9312
Date Public: 2016-11-21
Date First Published: 2016-11-21
Date Last Updated: 2017-11-20 15:38 UTC
Document Revision: 25

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.