Debian Ntp vulnerabilities
100 known vulnerabilities affecting debian/ntp.
Total CVEs: 100
CISA KEV: 0
Public exploits: 8
Exploited in wild: 1
Severity breakdown: CRITICAL 3, HIGH 24, MEDIUM 41, LOW 32
Vulnerabilities
Page 2 of 5
CVE-2017-6452 | LOW | CVSS 7.8 | 2017
CVE-2017-6452 [HIGH] CVE-2017-6452: ntp - Stack-based buffer overflow in the Windows installer for NTP before 4.2.8p10 and...
Stack-based buffer overflow in the Windows installer for NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows local users to have unspecified impact via an application path on the command line.
Scope: local
bullseye: resolved
debian
CVE-2017-6462 | LOW | CVSS 7.8 | fixed in ntp 1:4.2.8p10+dfsg-1 (bullseye) | 2017
CVE-2017-6462 [HIGH] CVE-2017-6462: ntp - Buffer overflow in the legacy Datum Programmable Time Server (DPTS) refclock dri...
Buffer overflow in the legacy Datum Programmable Time Server (DPTS) refclock driver in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows local users to have unspecified impact via a crafted /dev/datum device.
Scope: local
bullseye: resolved (fixed in 1:4.2.8p10+dfsg-1)
debian
CVE-2017-6464 | LOW | CVSS 6.5 | fixed in ntp 1:4.2.8p10+dfsg-1 (bullseye) | 2017
CVE-2017-6464 [MEDIUM] CVE-2017-6464: ntp - NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote attackers to cause a d...
NTP before 4.2.8p10 and 4.3.x before 4.3.94 allows remote attackers to cause a denial of service (ntpd crash) via a malformed mode configuration directive.
Scope: local
bullseye: resolved (fixed in 1:4.2.8p10+dfsg-1)
debian
CVE-2017-6451 | LOW | CVSS 7.8 | 2017
CVE-2017-6451 [HIGH] CVE-2017-6451: ntp - The mx4200_send function in the legacy MX4200 refclock in NTP before 4.2.8p10 an...
The mx4200_send function in the legacy MX4200 refclock in NTP before 4.2.8p10 and 4.3.x before 4.3.94 does not properly handle the return value of the snprintf function, which allows local users to execute arbitrary code via unspecified vectors, which trigger an out-of-bounds memory write.
Scope: local
bullseye: resolved
debian
CVE-2017-6458 | LOW | CVSS 8.8 | fixed in ntp 1:4.2.8p10+dfsg-1 (bullseye) | 2017
CVE-2017-6458 [HIGH] CVE-2017-6458: ntp - Multiple buffer overflows in the ctl_put* functions in NTP before 4.2.8p10 and 4...
Multiple buffer overflows in the ctl_put* functions in NTP before 4.2.8p10 and 4.3.x before 4.3.94 allow remote authenticated users to have unspecified impact via a long variable.
Scope: local
bullseye: resolved (fixed in 1:4.2.8p10+dfsg-1)
debian
CVE-2016-4956 | HIGH | CVSS 7.2 | fixed in ntp 1:4.2.8p8+dfsg-1 (bullseye) | 2016
CVE-2016-4956 [HIGH] CVE-2016-4956: ntp - ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of serv...
ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (interleaved-mode transition and time change) via a spoofed broadcast packet. NOTE: this vulnerability exists because of an incomplete fix for CVE-2016-1548.
Scope: local
bullseye: resolved (fixed in 1:4.2.8p8+dfsg-1)
debian
CVE-2016-4953 | HIGH | CVSS 7.5 | fixed in ntp 1:4.2.8p8+dfsg-1 (bullseye) | 2016
CVE-2016-4953 [HIGH] CVE-2016-4953: ntp - ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of serv...
ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (ephemeral-association demobilization) by sending a spoofed crypto-NAK packet with incorrect authentication data at a certain time.
Scope: local
bullseye: resolved (fixed in 1:4.2.8p8+dfsg-1)
debian
CVE-2016-7426 | HIGH | CVSS 7.5 | fixed in ntp 1:4.2.8p9+dfsg-1 (bullseye) | 2016
CVE-2016-7426 [HIGH] CVE-2016-7426: ntp - NTP before 4.2.8p9 rate limits responses received from the configured sources wh...
NTP before 4.2.8p9 rate limits responses received from the configured sources when rate limiting for all associations is enabled, which allows remote attackers to cause a denial of service (prevent responses from the sources) by sending responses with a spoofed source address.
Scope: local
bullseye: resolved (fixed in 1:4.2.8p9+dfsg-1)
debian
CVE-2016-1548 | HIGH | CVSS 7.2 | fixed in ntp 1:4.2.8p7+dfsg-1 (bullseye) | 2016
CVE-2016-1548 [HIGH] CVE-2016-1548: ntp - An attacker can spoof a packet from a legitimate ntpd server with an origin time...
An attacker can spoof a packet from a legitimate ntpd server with an origin timestamp that matches the peer->dst timestamp recorded for that server. After making this switch, the client in NTP 4.2.8p4 and earlier and NTPSec aa48d001683e5b791a743ec9c575aaf7d867a2b0c will reject all future legitimate server responses. It is possible to force the victim client to move time a
debian
CVE-2016-4954 | HIGH | CVSS 7.5 | fixed in ntp 1:4.2.8p8+dfsg-1 (bullseye) | 2016
CVE-2016-4954 [HIGH] CVE-2016-4954: ntp - The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 all...
The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication.
Scope: local
bullseye: resolved (fixed in 1:4.2.8p8+dfsg-1)
debian
CVE-2016-7434 | HIGH | CVSS 7.5 | PoC | fixed in ntp 1:4.2.8p9+dfsg-1 (bullseye) | 2016
CVE-2016-7434 [HIGH] CVE-2016-7434: ntp - The read_mru_list function in NTP before 4.2.8p9 allows remote attackers to caus...
The read_mru_list function in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (crash) via a crafted mrulist query.
Scope: local
bullseye: resolved (fixed in 1:4.2.8p9+dfsg-1)
debian
CVE-2016-2518 | MEDIUM | CVSS 5.3 | fixed in ntp 1:4.2.8p7+dfsg-1 (bullseye) | 2016
CVE-2016-2518 [MEDIUM] CVE-2016-2518: ntp - The MATCH_ASSOC function in NTP before version 4.2.8p9 and 4.3.x before 4.3.92 a...
The MATCH_ASSOC function in NTP before version 4.2.8p9 and 4.3.x before 4.3.92 allows remote attackers to cause an out-of-bounds reference via an addpeer request with a large hmode value.
Scope: local
bullseye: resolved (fixed in 1:4.2.8p7+dfsg-1)
debian
CVE-2016-1547 | MEDIUM | CVSS 5.3 | fixed in ntp 1:4.2.8p7+dfsg-1 (bullseye) | 2016
CVE-2016-1547 [MEDIUM] CVE-2016-1547: ntp - An off-path attacker can cause a preemptible client association to be demobilize...
An off-path attacker can cause a preemptible client association to be demobilized in NTP 4.2.8p4 and earlier and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92 by sending a crypto NAK packet to a victim client with a spoofed source address of an existing associated peer. This is true even if authentication is enabled.
Scope: local
bullseye: resolved (fixed in 1:4.2.8p7
debian
CVE-2016-1549 | MEDIUM | CVSS 6.5 | fixed in ntp 1:4.2.8p7+dfsg-1 (bullseye) | 2016
CVE-2016-1549 [MEDIUM] CVE-2016-1549: ntp - A malicious authenticated peer can create arbitrarily-many ephemeral association...
A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win the clock selection algorithm in ntpd in NTP 4.2.8p4 and earlier and NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 and a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a victim's clock.
Scope: local
bullseye: resolved (fixed in 1:4.2.8p7+dfsg-1)
debian
CVE-2016-1550 | MEDIUM | CVSS 5.3 | fixed in ntp 1:4.2.8p7+dfsg-1 (bullseye) | 2016
CVE-2016-1550 [MEDIUM] CVE-2016-1550: ntp - An exploitable vulnerability exists in the message authentication functionality ...
An exploitable vulnerability exists in the message authentication functionality of libntp in ntp 4.2.8p4 and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92. An attacker can send a series of crafted messages to attempt to recover the message digest key.
Scope: local
bullseye: resolved (fixed in 1:4.2.8p7+dfsg-1)
debian
CVE-2016-4955 | MEDIUM | CVSS 5.9 | fixed in ntp 1:4.2.8p8+dfsg-1 (bullseye) | 2016
CVE-2016-4955 [MEDIUM] CVE-2016-4955: ntp - ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers...
ntpd in NTP 4.x before 4.2.8p8, when autokey is enabled, allows remote attackers to cause a denial of service (peer-variable clearing and association outage) by sending (1) a spoofed crypto-NAK packet or (2) a packet with an incorrect MAC value at a certain time.
Scope: local
bullseye: resolved (fixed in 1:4.2.8p8+dfsg-1)
debian
CVE-2016-7428 | MEDIUM | CVSS 4.3 | fixed in ntp 1:4.2.8p9+dfsg-1 (bullseye) | 2016
CVE-2016-7428 [MEDIUM] CVE-2016-7428: ntp - ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service ...
ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via the poll interval in a broadcast packet.
Scope: local
bullseye: resolved (fixed in 1:4.2.8p9+dfsg-1)
debian
CVE-2016-2516 | MEDIUM | CVSS 5.3 | fixed in ntp 1:4.2.8p7+dfsg-1 (bullseye) | 2016
CVE-2016-2516 [MEDIUM] CVE-2016-2516: ntp - NTP before 4.2.8p7 and 4.3.x before 4.3.92, when mode7 is enabled, allows remote...
NTP before 4.2.8p7 and 4.3.x before 4.3.92, when mode7 is enabled, allows remote attackers to cause a denial of service (ntpd abort) by using the same IP address multiple times in an unconfig directive.
Scope: local
bullseye: resolved (fixed in 1:4.2.8p7+dfsg-1)
debian
CVE-2016-7431 | MEDIUM | CVSS 5.3 | fixed in ntp 1:4.2.8p9+dfsg-1 (bullseye) | 2016
CVE-2016-7431 [MEDIUM] CVE-2016-7431: ntp - NTP before 4.2.8p9 allows remote attackers to bypass the origin timestamp protec...
NTP before 4.2.8p9 allows remote attackers to bypass the origin timestamp protection mechanism via an origin timestamp of zero. NOTE: this vulnerability exists because of a CVE-2015-8138 regression.
Scope: local
bullseye: resolved (fixed in 1:4.2.8p9+dfsg-1)
debian
CVE-2016-4957 | MEDIUM | CVSS 5.3 | fixed in ntp 1:4.2.8p8+dfsg-1 (bullseye) | 2016
CVE-2016-4957 [MEDIUM] CVE-2016-4957: ntp - ntpd in NTP before 4.2.8p8 allows remote attackers to cause a denial of service ...
ntpd in NTP before 4.2.8p8 allows remote attackers to cause a denial of service (daemon crash) via a crypto-NAK packet. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-1547.
Scope: local
bullseye: resolved (fixed in 1:4.2.8p8+dfsg-1)
debian