Vigil@nce - NTP.org: multiple vulnerabilities
June 2016 by Vigil@nce
This bulletin was written by Vigil@nce : https://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use several vulnerabilities of NTP.org.
Impacted products: ASA, Cisco Catalyst, IOS Cisco, IOS XE Cisco,
IronPort Encryption, Cisco Nexus, NX-OS, Cisco Prime Access
Registrar, Prime Collaboration Assurance, Prime Infrastructure,
Cisco Prime LMS, Cisco Router, Secure ACS, Cisco CUCM, Cisco
MeetingPlace, Cisco Unity precise, BIG-IP Hardware, TMOS,
Fedora, FreeBSD, Meinberg NTP Server, NTP.org, openSUSE, openSUSE
Leap, pfSense, RHEL, Slackware, Spectracom SecureSync, SUSE Linux
Enterprise Desktop, SLES, Synology DS***, Synology RS***.
Severity: 2/4.
Creation date: 27/04/2016.
DESCRIPTION OF THE VULNERABILITY
Several vulnerabilities were announced in NTP.org.
The ntpd daemon can on certain systems accept packets from
127.0.0.0/8. [severity:1/4; CVE-2016-1551, TALOS-2016-0132]
An attacker can use a Sybil attack, in order to alter the system
clock. [severity:2/4; CVE-2016-1549, TALOS-2016-0083]
An attacker can force an assertion error with duplicate IP, in
order to trigger a denial of service. [severity:2/4; CVE-2016-2516]
An attacker can trigger an error in the management of
trustedkey/requestkey/controlkey, in order to trigger a denial of
service. [severity:2/4; CVE-2016-2517]
An attacker can force a read at an invalid address in MATCH_ASSOC,
in order to trigger a denial of service, or to obtain sensitive
information. [severity:1/4; CVE-2016-2518]
An attacker can trigger a fatal error in ctl_getitem(), in order
to trigger a denial of service. [severity:2/4; CVE-2016-2519]
An attacker can send a malicious CRYPTO-NAK packet, in order to
trigger a denial of service. [severity:2/4; CVE-2016-1547,
TALOS-2016-0081]
An attacker can use Interleave-pivot, in order to alter a client
time. [severity:2/4; CVE-2016-1548, TALOS-2016-0082]
An attacker can trigger a fatal error in the ntp client, in order
to trigger a denial of service. [severity:2/4; CVE-2015-7704]
The Zero Origin Timestamp value is not correctly checked.
[severity:2/4; CVE-2015-8138]
An attacker can measure the comparison execution time, in order to
guess a hash. [severity:2/4; CVE-2016-1550, TALOS-2016-0084]
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
https://vigilance.fr/vulnerability/NTP-org-multiple-vulnerabilities-19477