SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Device (VoIP/Phone/FAX)  >   Cisco Unity Vendors:   Cisco
(Cisco Issues Advisory for Cisco Unity Express) ntp Multiple Bugs Let Remote Users Spoof Messages, Obtain Potentially Sensitive Information, Modify Time, and Deny Service
SecurityTracker Alert ID:  1035737
SecurityTracker URL:  http://securitytracker.com/id/1035737
CVE Reference:   CVE-2016-1547, CVE-2016-1548, CVE-2016-1549, CVE-2016-1550, CVE-2016-1551, CVE-2016-2516, CVE-2016-2517, CVE-2016-2518, CVE-2016-2519   (Links to External Site)
Date:  May 4 2016
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Vendor Confirmed:  Yes  

Description:   Multiple vulnerabilities were reported in ntp. A remote or remote authenticated user can modify time on the target system. A remote user can cause denial of service conditions on the target system. A remote user can obtain potentially sensitive information on the target system. Cisco Unity Express is affected.

A remote user can send specially crafted crypto-NAK packets with a spoofed source address of an existing peer to trigger an error in 'ntp_proto.c' and cause the preemptable client association to be demobilized [CVE-2016-1547].

A remote user can send a spoofed packet with a specially crafted timestamp to cause the target ntpd client to reject future server responses from the spoofed server. As a result, the remote user can modify the time of the target client or cause denial of service conditions on the target client [CVE-2016-1548].

A remote authenticated peer can create an arbitrary number of ephemeral associations to modify the time on the target system [CVE-2016-1549].

A remote user can send a series of specially crafted messages to potentially recover the message digest key [CVE-2016-1550].

A remote user can send specially crafted spoofed packets to a target system that fails to implement martian packet filtering to modify the time on the target system [CVE-2016-1551].

A remote user with knowledge of the controlkey (for ntpq) or the requestkey (for ntpdc) can create a specially crafted session to cause ntpd to crash in certain cases [CVE-2016-2516].

A remote authenticated user with knowledge of the of the controlkey (for ntpq) or the requestkey (for ntpdc) can create a specially crafted session to prevent ntpd from processing authentication requests until the process is restarted [CVE-2016-2517].

A remote authenticated user can send a specially crafted packet to trigger an out-of-bounds memory reference error in the MATCH_ASSOC() function when creating a peer association with hmode > 7 [CVE-2016-2518].

A remote authenticated user can cause a specially crafted data value to be stored by ntpd and then cause ntpd to crash when attempting to read the value via ctl_getitem() [CVE-2016-2519].

Matt Street, Matthew Van Gundy, Stephen Gray, Jonathan Gardner, and others of Cisco ASIG, Yihan Lian (of the Cloud Security Team, Qihoo 360), Miroslav Lichvar of RedHat, Michael Tatarinov (NTP Project Developer Volunteer), and Loganaden Velvindron reported these vulnerabilities.

Impact:   A remote or remote authenticated user can modify time on the target system.

A remote user can cause denial of service conditions.

A remote user can obtain potentially sensitive information on the target system.

Solution:   No solution was available at the time of this entry.

The Cisco advisory is available at:

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160428-ntpd

Vendor URL:  tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160428-ntpd (Links to External Site)
Cause:   Access control error, Input validation error, State error

Message History:   This archive entry is a follow-up to the message listed below.
Apr 28 2016 ntp Multiple Bugs Let Remote Users Spoof Messages, Obtain Potentially Sensitive Information, Modify Time, and Deny Service



 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC