search menu icon-carat-right cmu-wordmark

CERT Coordination Center

NTP.org ntpd contains multiple vulnerabilities

Vulnerability Note VU#718152

Original Release Date: 2016-04-27 | Last Revised: 2016-04-28

Overview

The NTP.org reference implementation of ntpd contains multiple vulnerabilities.

Description

NTP.org's reference implementation of NTP server, ntpd, contains multiple vulnerabilities.

CWE-294: Authentication Bypass by Capture-replay - CVE-2015-7973

An attacker on the network can record and replay authenticated broadcast mode packets. Also known as the "Deja Vu" attack.

CWE-20: Improper Input Validation - CVE-2015-7974

A missing key check allows impersonation between authenticated peers. Also known as the "Skeleton Key" attack.

CWE-20: Improper Input Validation - CVE-2015-7975

The nextvar() function does not properly validate length.

CWE-20: Improper Input Validation - CVE-2015-7976

ntpq saveconfig command allows dangerous characters in filenames

CWE-476: NULL Pointer Dereference - CVE-2015-7977

reslist NULL pointer dereference

CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2015-7978

Stack exhaustion in recursive traversal of restriction list

CWE-821: Incorrect Synchronization - CVE-2015-7979

Off-path Denial of Service (DoS) attack on authenticated broadcast and other pre-emptable modes

CWE-20: Improper Input Validation - CVE-2015-8138

Zero Origin Timestamp Bypass

CWE-200: Information Exposure - CVE-2015-8139

Network Time Protocol ntpq and ntpdc Origin Timestamp Disclosure Vulnerability
http://support.ntp.org/bin/view/Main/NtpBug2946

CWE-294: Authentication Bypass by Capture-replay - CVE-2015-8140

Network Time Protocol ntpq Control Protocol Replay Vulnerability
http://support.ntp.org/bin/view/Main/NtpBug2947

CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') - CVE-2015-8158

Potential Infinite Loop in ntpq
http://support.ntp.org/bin/view/Main/NtpBug2948

CWE-821: Incorrect Synchronization - CVE-2016-1547

An off-path attacker can deny service to ntpd clients by demobilizing preemptable associations using spoofed crypto-NAK packets. This vulnerability involves different code paths than those used by CVE-2015-7979.

CWE-290: Authentication Bypass by Spoofing - CVE-2016-1548

By spoofing packets from a legitimate server, an attacker can change the time of an ntpd client or deny service to an ntpd client by forcing it to change from basic client/server mode to interleaved symmetric mode.

CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') - CVE-2016-1549

ntpd does not prevent Sybil attacks from authenticated peers. An malicious authenticated peer can create any number of ephemeral associations in order to win ntpd's clock selection algorithm and modify a victim's clock.

CWE-20: Improper Input Validation - CVE-2016-1550

ntpd does not use a constant-time memory comparison function when validating the authentication digest on incoming packets. In some situations this may allow an attacker to conduct a timing attack to compute the value of the valid authentication digest causing forged packets to be accepted by ntpd.

CWE-290: Authentication Bypass by Spoofing - CVE-2016-1551

ntpd does not filter IPv4 bogon packets received from the network. This allows unauthenticated network attackers to spoof refclock packets to ntpd processes on systems that do not implement bogon filtering.

CWE-20: Improper Input Validation - CVE-2016-2516, CVE-2016-2517

Duplicate IPs on unconfig directives will cause an assertion botch in ntpd. A regression caused by the patch for CVE-2016-2516 was fixed and identified as CVE-2016-2517.

CWE-125: Out-of-bounds Read - CVE-2016-2518

Using a crafted packet to create a peer association with hmode > 7 causes the MATCH_ASSOC() lookup to make an out-of-bounds reference.

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer - CVE-2016-2519

ntpq and ntpdc can be used to store and retrieve information in ntpd. It is possible to store a data value that is larger than the size of the buffer that the ctl_getitem() function of ntpd uses to report the return value. If the length of the requested data value returned by ctl_getitem() is too large, the value NULL is returned instead. There are 2 cases where the return value from ctl_getitem() was not directly checked to make sure it's not NULL, but there are subsequent INSIST() checks that make sure the return value is not NULL. There are no data values ordinarily stored in ntpd that would exceed this buffer length. But if one has permission to store values and one stores a value that is "too large", then ntpd will abort if an attempt is made to read that oversized value.

CWE-20: Improper Input Validation - CVE-2015-7704, CVE-2015-7705

An ntpd client that honors Kiss-of-Death (KoD) responses will honor KoD messages that have been forged by an attacker, causing it to delay or stop querying its servers for time updates. Also, an attacker can forge packets that claim to be from the target and send them to servers often enough that a server that implements KoD rate limiting will send the target machine a KoD response to attempt to reduce the rate of incoming packets, or it may also trigger a firewall block at the server for packets from the target machine. For either of these attacks to succeed, the attacker must know what servers the target is communicating with. An attacker can be anywhere on the Internet and can frequently learn the identity of the target's time source by sending the target a time query.

For more information on these vulnerabilities, please see NTP.org's April 2016 security advisory as well as the January 2016 security advisory.

Impact

Unauthenticated remote attackers may be able to spoof packets to cause denial of service, authentication bypass on commands, or certain configuration changes. For more information on these vulnerabilities, please see NTP.org's April 2016 security advisory as well as the January 2016 security advisory.

Solution

Apply an update

Partial patches for some of these issues were initially released in January 2016 as version 4.2.8p6. Complete patches for all of these issues are now available in version 4.2.8p7, released 2016-04-26. Affected users are encouraged to update as soon as possible.

Vendor Information

718152
 
Affected   Unknown   Unaffected

NTP Project

Notified:  January 19, 2016 Updated:  April 22, 2016

Statement Date:   April 19, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS

Notified:  April 25, 2016 Updated:  April 25, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor References

    AT&T

    Notified:  April 25, 2016 Updated:  April 25, 2016

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor References

      Alcatel-Lucent

      Notified:  April 25, 2016 Updated:  April 25, 2016

      Status

        Unknown

      Vendor Statement

      No statement is currently available from the vendor regarding this vulnerability.

      Vendor References

        Apple

        Notified:  April 25, 2016 Updated:  April 25, 2016

        Status

          Unknown

        Vendor Statement

        No statement is currently available from the vendor regarding this vulnerability.

        Vendor References

          Arista Networks, Inc.

          Notified:  April 25, 2016 Updated:  April 25, 2016

          Status

            Unknown

          Vendor Statement

          No statement is currently available from the vendor regarding this vulnerability.

          Vendor References

            Aruba Networks

            Notified:  April 25, 2016 Updated:  April 25, 2016

            Status

              Unknown

            Vendor Statement

            No statement is currently available from the vendor regarding this vulnerability.

            Vendor References

              Avaya, Inc.

              Notified:  April 25, 2016 Updated:  April 25, 2016

              Status

                Unknown

              Vendor Statement

              No statement is currently available from the vendor regarding this vulnerability.

              Vendor References

                Belkin, Inc.

                Notified:  April 25, 2016 Updated:  April 25, 2016

                Status

                  Unknown

                Vendor Statement

                No statement is currently available from the vendor regarding this vulnerability.

                Vendor References

                  Blue Coat Systems

                  Notified:  April 25, 2016 Updated:  April 25, 2016

                  Status

                    Unknown

                  Vendor Statement

                  No statement is currently available from the vendor regarding this vulnerability.

                  Vendor References

                    CA Technologies

                    Notified:  April 25, 2016 Updated:  April 25, 2016

                    Status

                      Unknown

                    Vendor Statement

                    No statement is currently available from the vendor regarding this vulnerability.

                    Vendor References

                      CentOS

                      Notified:  April 25, 2016 Updated:  April 25, 2016

                      Status

                        Unknown

                      Vendor Statement

                      No statement is currently available from the vendor regarding this vulnerability.

                      Vendor References

                        Check Point Software Technologies

                        Notified:  April 25, 2016 Updated:  April 25, 2016

                        Status

                          Unknown

                        Vendor Statement

                        No statement is currently available from the vendor regarding this vulnerability.

                        Vendor References

                          Cisco

                          Notified:  January 08, 2016 Updated:  January 08, 2016

                          Status

                            Unknown

                          Vendor Statement

                          No statement is currently available from the vendor regarding this vulnerability.

                          Vendor References

                            CoreOS

                            Notified:  April 25, 2016 Updated:  April 25, 2016

                            Status

                              Unknown

                            Vendor Statement

                            No statement is currently available from the vendor regarding this vulnerability.

                            Vendor References

                              D-Link Systems, Inc.

                              Notified:  April 25, 2016 Updated:  April 25, 2016

                              Status

                                Unknown

                              Vendor Statement

                              No statement is currently available from the vendor regarding this vulnerability.

                              Vendor References

                                Debian GNU/Linux

                                Notified:  April 25, 2016 Updated:  April 25, 2016

                                Status

                                  Unknown

                                Vendor Statement

                                No statement is currently available from the vendor regarding this vulnerability.

                                Vendor References

                                  DesktopBSD

                                  Notified:  April 25, 2016 Updated:  April 25, 2016

                                  Status

                                    Unknown

                                  Vendor Statement

                                  No statement is currently available from the vendor regarding this vulnerability.

                                  Vendor References

                                    DragonFly BSD Project

                                    Notified:  April 25, 2016 Updated:  April 25, 2016

                                    Status

                                      Unknown

                                    Vendor Statement

                                    No statement is currently available from the vendor regarding this vulnerability.

                                    Vendor References

                                      EMC Corporation

                                      Notified:  April 25, 2016 Updated:  April 25, 2016

                                      Status

                                        Unknown

                                      Vendor Statement

                                      No statement is currently available from the vendor regarding this vulnerability.

                                      Vendor References

                                        EfficientIP SAS

                                        Notified:  April 25, 2016 Updated:  April 25, 2016

                                        Status

                                          Unknown

                                        Vendor Statement

                                        No statement is currently available from the vendor regarding this vulnerability.

                                        Vendor References

                                          Enterasys Networks

                                          Notified:  April 25, 2016 Updated:  April 25, 2016

                                          Status

                                            Unknown

                                          Vendor Statement

                                          No statement is currently available from the vendor regarding this vulnerability.

                                          Vendor References

                                            Ericsson

                                            Notified:  April 25, 2016 Updated:  April 25, 2016

                                            Status

                                              Unknown

                                            Vendor Statement

                                            No statement is currently available from the vendor regarding this vulnerability.

                                            Vendor References

                                              Extreme Networks

                                              Notified:  April 25, 2016 Updated:  April 25, 2016

                                              Status

                                                Unknown

                                              Vendor Statement

                                              No statement is currently available from the vendor regarding this vulnerability.

                                              Vendor References

                                                F5 Networks, Inc.

                                                Notified:  April 25, 2016 Updated:  April 25, 2016

                                                Status

                                                  Unknown

                                                Vendor Statement

                                                No statement is currently available from the vendor regarding this vulnerability.

                                                Vendor References

                                                  Fedora Project

                                                  Notified:  April 25, 2016 Updated:  April 25, 2016

                                                  Status

                                                    Unknown

                                                  Vendor Statement

                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                  Vendor References

                                                    Force10 Networks

                                                    Notified:  April 25, 2016 Updated:  April 25, 2016

                                                    Status

                                                      Unknown

                                                    Vendor Statement

                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                    Vendor References

                                                      FreeBSD Project

                                                      Notified:  April 25, 2016 Updated:  April 25, 2016

                                                      Status

                                                        Unknown

                                                      Vendor Statement

                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                      Vendor References

                                                        Gentoo Linux

                                                        Notified:  April 25, 2016 Updated:  April 25, 2016

                                                        Status

                                                          Unknown

                                                        Vendor Statement

                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                        Vendor References

                                                          Google

                                                          Notified:  April 25, 2016 Updated:  April 25, 2016

                                                          Status

                                                            Unknown

                                                          Vendor Statement

                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                          Vendor References

                                                            Hardened BSD

                                                            Notified:  April 25, 2016 Updated:  April 25, 2016

                                                            Status

                                                              Unknown

                                                            Vendor Statement

                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                            Vendor References

                                                              Hewlett Packard Enterprise

                                                              Notified:  April 25, 2016 Updated:  April 25, 2016

                                                              Status

                                                                Unknown

                                                              Vendor Statement

                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                              Vendor References

                                                                Hitachi

                                                                Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                Status

                                                                  Unknown

                                                                Vendor Statement

                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                Vendor References

                                                                  Huawei Technologies

                                                                  Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                  Status

                                                                    Unknown

                                                                  Vendor Statement

                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                  Vendor References

                                                                    IBM Corporation

                                                                    Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                    Status

                                                                      Unknown

                                                                    Vendor Statement

                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                    Vendor References

                                                                      IBM eServer

                                                                      Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                      Status

                                                                        Unknown

                                                                      Vendor Statement

                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                      Vendor References

                                                                        Infoblox

                                                                        Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                        Status

                                                                          Unknown

                                                                        Vendor Statement

                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                        Vendor References

                                                                          Intel Corporation

                                                                          Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                          Status

                                                                            Unknown

                                                                          Vendor Statement

                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                          Vendor References

                                                                            Internet Systems Consortium

                                                                            Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                            Status

                                                                              Unknown

                                                                            Vendor Statement

                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                            Vendor References

                                                                              Internet Systems Consortium - DHCP

                                                                              Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                              Status

                                                                                Unknown

                                                                              Vendor Statement

                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                              Vendor References

                                                                                Juniper Networks

                                                                                Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                Status

                                                                                  Unknown

                                                                                Vendor Statement

                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                Vendor References

                                                                                  McAfee

                                                                                  Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                  Status

                                                                                    Unknown

                                                                                  Vendor Statement

                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                  Vendor References

                                                                                    Microsoft Corporation

                                                                                    Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                    Status

                                                                                      Unknown

                                                                                    Vendor Statement

                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                    Vendor References

                                                                                      NEC Corporation

                                                                                      Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                      Status

                                                                                        Unknown

                                                                                      Vendor Statement

                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                      Vendor References

                                                                                        NTPsec

                                                                                        Notified:  January 19, 2016 Updated:  January 19, 2016

                                                                                        Status

                                                                                          Unknown

                                                                                        Vendor Statement

                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                        Vendor References

                                                                                          NetBSD

                                                                                          Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                          Status

                                                                                            Unknown

                                                                                          Vendor Statement

                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                          Vendor References

                                                                                            Nokia

                                                                                            Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                            Status

                                                                                              Unknown

                                                                                            Vendor Statement

                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                            Vendor References

                                                                                              Nominum

                                                                                              Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                              Status

                                                                                                Unknown

                                                                                              Vendor Statement

                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                              Vendor References

                                                                                                OmniTI

                                                                                                Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                Status

                                                                                                  Unknown

                                                                                                Vendor Statement

                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                Vendor References

                                                                                                  OpenBSD

                                                                                                  Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                  Status

                                                                                                    Unknown

                                                                                                  Vendor Statement

                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                  Vendor References

                                                                                                    OpenDNS

                                                                                                    Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                    Status

                                                                                                      Unknown

                                                                                                    Vendor Statement

                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                    Vendor References

                                                                                                      Openwall GNU/*/Linux

                                                                                                      Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                      Status

                                                                                                        Unknown

                                                                                                      Vendor Statement

                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                      Vendor References

                                                                                                        Oracle Corporation

                                                                                                        Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                        Status

                                                                                                          Unknown

                                                                                                        Vendor Statement

                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                        Vendor References

                                                                                                          Peplink

                                                                                                          Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                          Status

                                                                                                            Unknown

                                                                                                          Vendor Statement

                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                          Vendor References

                                                                                                            Q1 Labs

                                                                                                            Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                            Status

                                                                                                              Unknown

                                                                                                            Vendor Statement

                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                            Vendor References

                                                                                                              QNX Software Systems Inc.

                                                                                                              Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                              Status

                                                                                                                Unknown

                                                                                                              Vendor Statement

                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                              Vendor References

                                                                                                                Red Hat, Inc.

                                                                                                                Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                                Status

                                                                                                                  Unknown

                                                                                                                Vendor Statement

                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                Vendor References

                                                                                                                  SUSE Linux

                                                                                                                  Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                                  Status

                                                                                                                    Unknown

                                                                                                                  Vendor Statement

                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                  Vendor References

                                                                                                                    SafeNet

                                                                                                                    Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                                    Status

                                                                                                                      Unknown

                                                                                                                    Vendor Statement

                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                    Vendor References

                                                                                                                      Secure64 Software Corporation

                                                                                                                      Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                                      Status

                                                                                                                        Unknown

                                                                                                                      Vendor Statement

                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                      Vendor References

                                                                                                                        Slackware Linux Inc.

                                                                                                                        Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                                        Status

                                                                                                                          Unknown

                                                                                                                        Vendor Statement

                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                        Vendor References

                                                                                                                          SmoothWall

                                                                                                                          Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                                          Status

                                                                                                                            Unknown

                                                                                                                          Vendor Statement

                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                          Vendor References

                                                                                                                            Snort

                                                                                                                            Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                                            Status

                                                                                                                              Unknown

                                                                                                                            Vendor Statement

                                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                            Vendor References

                                                                                                                              Sony Corporation

                                                                                                                              Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                                              Status

                                                                                                                                Unknown

                                                                                                                              Vendor Statement

                                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                              Vendor References

                                                                                                                                Sourcefire

                                                                                                                                Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                                                Status

                                                                                                                                  Unknown

                                                                                                                                Vendor Statement

                                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                Vendor References

                                                                                                                                  Symantec

                                                                                                                                  Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                                                  Status

                                                                                                                                    Unknown

                                                                                                                                  Vendor Statement

                                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                  Vendor References

                                                                                                                                    TippingPoint Technologies Inc.

                                                                                                                                    Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                                                    Status

                                                                                                                                      Unknown

                                                                                                                                    Vendor Statement

                                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                    Vendor References

                                                                                                                                      Turbolinux

                                                                                                                                      Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                                                      Status

                                                                                                                                        Unknown

                                                                                                                                      Vendor Statement

                                                                                                                                      No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                      Vendor References

                                                                                                                                        Ubuntu

                                                                                                                                        Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                                                        Status

                                                                                                                                          Unknown

                                                                                                                                        Vendor Statement

                                                                                                                                        No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                        Vendor References

                                                                                                                                          Unisys

                                                                                                                                          Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                                                          Status

                                                                                                                                            Unknown

                                                                                                                                          Vendor Statement

                                                                                                                                          No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                          Vendor References

                                                                                                                                            VMware

                                                                                                                                            Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                                                            Status

                                                                                                                                              Unknown

                                                                                                                                            Vendor Statement

                                                                                                                                            No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                            Vendor References

                                                                                                                                              Wind River

                                                                                                                                              Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                                                              Status

                                                                                                                                                Unknown

                                                                                                                                              Vendor Statement

                                                                                                                                              No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                              Vendor References

                                                                                                                                                dnsmasq

                                                                                                                                                Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                                                                Status

                                                                                                                                                  Unknown

                                                                                                                                                Vendor Statement

                                                                                                                                                No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                Vendor References

                                                                                                                                                  m0n0wall

                                                                                                                                                  Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                                                                  Status

                                                                                                                                                    Unknown

                                                                                                                                                  Vendor Statement

                                                                                                                                                  No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                  Vendor References

                                                                                                                                                    openSUSE project

                                                                                                                                                    Notified:  April 25, 2016 Updated:  April 25, 2016

                                                                                                                                                    Status

                                                                                                                                                      Unknown

                                                                                                                                                    Vendor Statement

                                                                                                                                                    No statement is currently available from the vendor regarding this vulnerability.

                                                                                                                                                    Vendor References

                                                                                                                                                      View all 75 vendors View less vendors


                                                                                                                                                      CVSS Metrics

                                                                                                                                                      Group Score Vector
                                                                                                                                                      Base 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P
                                                                                                                                                      Temporal 5.3 E:POC/RL:OF/RC:C
                                                                                                                                                      Environmental 5.3 CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

                                                                                                                                                      References

                                                                                                                                                      Acknowledgements

                                                                                                                                                      Thanks to Cisco TALOS for reporting many of these issues to us. The Network Time Foundation credits many researchers for these vulnerabilities; see NTP.org's January 2016 and April 2016 security advisories for the complete list.

                                                                                                                                                      This document was written by Garret Wassermann.

                                                                                                                                                      Other Information

                                                                                                                                                      Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.