CVE-2016-7426
published 2017-01-13CVE-2016-7426: NTP before 4.2.8p9 rate limits responses received from the configured sources when rate limiting for all associations is enabled, which allows remote attackers…
high7.5CVSS 3.1
AVNACLPRNUINSUCNINAH
NTP before 4.2.8p9 rate limits responses received from the configured sources when rate limiting for all associations is enabled, which allows remote attackers to cause a denial of service (prevent responses from the sources) by sending responses with a spoofed source address.
Affected
28 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| debian | ntp | < ntp 1:4.2.8p9+dfsg-1 (bullseye) | ntp 1:4.2.8p9+dfsg-1 (bullseye) |
| hpe | hpux-ntp | >= b.11.31 < c.4.2.8.2.0 | c.4.2.8.2.0 |
| ntp | ntp | — | — |
| ntp | ntp | — | — |
| ntp | ntp | >= 0 < 1:4.2.8p9+dfsg-1 | 1:4.2.8p9+dfsg-1 |
| ntp | ntp | >= 0 < 1:4.2.6.p5+dfsg-3ubuntu2.14.04.11 | 1:4.2.6.p5+dfsg-3ubuntu2.14.04.11 |
| ntp | ntp | >= 0 < 1:4.2.8p4+dfsg-3ubuntu5.5 | 1:4.2.8p4+dfsg-3ubuntu5.5 |
| ntp | ntp | >= 4.2.6 < 4.2.8 | 4.2.8 |
| ntp | ntp | >= 4.3.0 < 4.3.94 | 4.3.94 |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_server_aus | — | — |
| redhat | enterprise_linux_server_aus | — | — |
| redhat | enterprise_linux_server_aus | — | — |
| redhat | enterprise_linux_server_aus | — | — |
| redhat | enterprise_linux_server_eus | — | — |
| redhat | enterprise_linux_server_eus | — | — |
| redhat | enterprise_linux_server_eus | — | — |
| redhat | enterprise_linux_server_eus | — | — |
| redhat | enterprise_linux_server_eus | — | — |
| redhat | enterprise_linux_server_tus | — | — |
| redhat | enterprise_linux_server_tus | — | — |
CVSS provenance
nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
osv7.5HIGH
GHSA
GHSA-8wjh-3x3g-6pjf: NTP before 4
ghsa_unreviewed·2022-05-13
CVE-2016-7426 [HIGH] CWE-400 GHSA-8wjh-3x3g-6pjf: NTP before 4
NTP before 4.2.8p9 rate limits responses received from the configured sources when rate limiting for all associations is enabled, which allows remote attackers to cause a denial of service (prevent responses from the sources) by sending responses with a spoofed source address.
OSV
ntp vulnerabilities
osv·2017-07-05·CVSS 5.9
CVE-2016-2519 [MEDIUM] ntp vulnerabilities
ntp vulnerabilities
Yihan Lian discovered that NTP incorrectly handled certain large request
data values. A remote attacker could possibly use this issue to cause NTP
to crash, resulting in a denial of service. This issue only affected
Ubuntu 16.04 LTS. (CVE-2016-2519)
Miroslav Lichvar discovered that NTP incorrectly handled certain spoofed
addresses when performing rate limiting. A remote attacker could possibly
use this issue to perform a denial of service. This issue only affected
Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7426)
Matthew Van Gundy discovered that NTP incorrectly handled certain crafted
broadcast mode packets. A remote attacker could possibly use this issue to
perform a denial of service. This issue only affected Ubuntu 14.04 LTS,
Ubuntu 16.04 LTS,
OSV
CVE-2016-7426: NTP before 4
osv·2017-01-13·CVSS 7.5
CVE-2016-7426 [HIGH] CVE-2016-7426: NTP before 4
NTP before 4.2.8p9 rate limits responses received from the configured sources when rate limiting for all associations is enabled, which allows remote attackers to cause a denial of service (prevent responses from the sources) by sending responses with a spoofed source address.
Ubuntu
NTP vulnerabilities
vendor_ubuntu·2019-01-23·CVSS 7.5
CVE-2016-7426 [HIGH] NTP vulnerabilities
Title: NTP vulnerabilities
Summary: Several security issues were fixed in NTP.
USN-3707-1 and USN-3349-1 fixed several vulnerabilities in NTP. This update
provides the corresponding update for Ubuntu 12.04 ESM.
Original advisory details:
Miroslav Lichvar discovered that NTP incorrectly handled certain spoofed
addresses when performing rate limiting. A remote attacker could possibly
use this issue to perform a denial of service. (CVE-2016-7426)
Matthew Van Gundy discovered that NTP incorrectly handled certain crafted
broadcast mode packets. A remote attacker could possibly use this issue to
perform a denial of service. (CVE-2016-7427, CVE-2016-7428)
Matthew Van Gundy discovered that NTP incorrectly handled certain control
mode packets. A remote attacker could use this issue to set or
Ubuntu
NTP vulnerabilities
vendor_ubuntu·2017-07-05·CVSS 5.9
CVE-2016-2519 [MEDIUM] NTP vulnerabilities
Title: NTP vulnerabilities
Summary: Several security issues were fixed in NTP.
Yihan Lian discovered that NTP incorrectly handled certain large request
data values. A remote attacker could possibly use this issue to cause NTP
to crash, resulting in a denial of service. This issue only affected
Ubuntu 16.04 LTS. (CVE-2016-2519)
Miroslav Lichvar discovered that NTP incorrectly handled certain spoofed
addresses when performing rate limiting. A remote attacker could possibly
use this issue to perform a denial of service. This issue only affected
Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7426)
Matthew Van Gundy discovered that NTP incorrectly handled certain crafted
broadcast mode packets. A remote attacker could possibly use this issue to
perform a denial of service.
BSD
FreeBSD-SA-16:39.ntp: Multiple vulnerabilities of ntp
bsd_advisories·2016-12-22·CVSS 7.5
CVE-2016-7426 [HIGH] FreeBSD-SA-16:39.ntp: Multiple vulnerabilities of ntp
FreeBSD-SA-16:39.ntp Security Advisory
The FreeBSD Project
Topic: Multiple vulnerabilities of ntp
Category: contrib
Module: ntp
Announced: 2016-12-22
Credits: Network Time Foundation
Affects: All supported versions of FreeBSD.
Corrected: 2016-11-22 16:22:51 UTC (stable/11, 11.0-STABLE)
2016-12-22 16:19:05 UTC (releng/11.0, 11.0-RELEASE-p6)
2016-11-22 16:23:20 UTC (stable/10, 10.3-STABLE)
2016-12-22 16:19:05 UTC (releng/10.3, 10.3-RELEASE-p15)
2016-12-22 16:19:05 UTC (releng/10.2, 10.2-RELEASE-p28)
2016-12-22 16:19:05 UTC (releng/10.1, 10.1-RELEASE-p45)
2016-11-22 16:23:46 UTC (stable/9, 9.3-STABLE)
2016-12-22 16:19:05 UTC (releng/9.3, 9.3-RELEASE-p53)
CVE Name: CVE-2016-7426, CVE-2016-7427, CVE-2016-7428, CVE-2016-7431,
CVE-2016-7433, CVE-2016-7434, CVE-2016-9310, CVE-2016-9311
For gene
Cisco
Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: November 2016
vendor_cisco·2016-11-23·CVSS 5.3
CVE-2015-8138 [MEDIUM] CWE-119 Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: November 2016
Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: November 2016
Multiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server.
On November 21, 2016, the NTP Consortium of the Network Time Foundation released a security notice that details ten issues regarding DoS vulnerabilities and logic issues that may allow an attacker to shift a system's time.
The new vulnerabilities disclosed in this document are as follows:
Network Time Protocol Trap Service Denial of S
Red Hat
ntp: Client rate limiting and server responses
vendor_redhat·2016-11-21·CVSS 7.5
CVE-2016-7426 [HIGH] CWE-400 ntp: Client rate limiting and server responses
ntp: Client rate limiting and server responses
NTP before 4.2.8p9 rate limits responses received from the configured sources when rate limiting for all associations is enabled, which allows remote attackers to cause a denial of service (prevent responses from the sources) by sending responses with a spoofed source address.
It was found that when ntp is configured with rate limiting for all associations the limits are also applied to responses received from its configured sources. A remote attacker who knows the sources can cause a denial of service by preventing ntpd from accepting valid responses from its sources.
Mitigation: If you choose to use restrict default limited ..., be sure to use restrict source ... (without limited) to avoid this attack.
Package: ntp (Red Hat Enterprise Li
Debian
CVE-2016-7426: ntp - NTP before 4.2.8p9 rate limits responses received from the configured sources wh...
vendor_debian·2016·CVSS 7.5
CVE-2016-7426 [HIGH] CVE-2016-7426: ntp - NTP before 4.2.8p9 rate limits responses received from the configured sources wh...
NTP before 4.2.8p9 rate limits responses received from the configured sources when rate limiting for all associations is enabled, which allows remote attackers to cause a denial of service (prevent responses from the sources) by sending responses with a spoofed source address.
Scope: local
bullseye: resolved (fixed in 1:4.2.8p9+dfsg-1)
Cisco
Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: November 2016
vendor_cisco
CVE-2016-7426 Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: November 2016
CVE-2016-7426: Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: November 2016
Multiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server. On November 21, 2016, the NTP Consortium of the Network Time Foundation released a security notice that
CWE: CWE-119, CWE-20, CWE-399, CWE-119, CWE-20, CWE-399
Bug IDs: CSCvc22942, CSCvc23435, CSCvc23437, CSCvc22942, CSCvc23435
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-7426 CVE-2016-7429 CVE-2016-7433 CVE-2016-9310 CVE-2016-9311 ntp: various flaws [fedora-all]
bugzilla·2016-11-22·CVSS 7.5
CVE-2016-7426 [HIGH] CVE-2016-7426 CVE-2016-7429 CVE-2016-7433 CVE-2016-9310 CVE-2016-9311 ntp: various flaws [fedora-all]
CVE-2016-7426 CVE-2016-7429 CVE-2016-7433 CVE-2016-9310 CVE-2016-9311 ntp: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multipl
Bugzilla
CVE-2016-7426 ntp: Client rate limiting and server responses
bugzilla·2016-11-22·CVSS 7.5
CVE-2016-7426 [HIGH] CVE-2016-7426 ntp: Client rate limiting and server responses
CVE-2016-7426 ntp: Client rate limiting and server responses
When ntpd is configured with rate limiting for all associations (restrict default limited in ntp.conf), the limits are applied also to responses received from its configured sources. An attacker who knows the sources (e.g., from an IPv4 refid in server response) and knows the system is (mis)configured in this way can periodically send packets with spoofed source address to keep the rate limiting activated and prevent ntpd from accepting valid responses from its sources.
External References:
http://support.ntp.org/bin/view/Main/NtpBug3071
Discussion:
Created ntp tracking bugs for this issue:
Affects: fedora-all [bug 1397351]
---
Mitigation:
If you choose to use restrict default limited ..., be sure to use restrict source
http://nwtime.org/ntp428p9_release/http://rhn.redhat.com/errata/RHSA-2017-0252.htmlhttp://support.ntp.org/bin/view/Main/NtpBug3071http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilitieshttp://www.securityfocus.com/bid/94451http://www.securitytracker.com/id/1037354https://bto.bluecoat.com/security-advisory/sa139https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03706en_ushttps://security.FreeBSD.org/advisories/FreeBSD-SA-16:39.ntp.aschttps://usn.ubuntu.com/3707-2/https://www.kb.cert.org/vuls/id/633847http://nwtime.org/ntp428p9_release/http://rhn.redhat.com/errata/RHSA-2017-0252.htmlhttp://support.ntp.org/bin/view/Main/NtpBug3071http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilitieshttp://www.securityfocus.com/bid/94451http://www.securitytracker.com/id/1037354https://bto.bluecoat.com/security-advisory/sa139https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03706en_ushttps://security.FreeBSD.org/advisories/FreeBSD-SA-16:39.ntp.aschttps://usn.ubuntu.com/3707-2/https://www.kb.cert.org/vuls/id/633847
2017-01-13
Published