Wednesday, November 23, 2016

Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: November 2016

Multiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server.

On November 21, 2016, the NTP Consortium of the Network Time Foundation released a security notice that details ten issues regarding DoS vulnerabilities and logic issues that may allow an attacker to shift a system's time.

The new vulnerabilities disclosed in this document are as follows:
  • Network Time Protocol Trap Service Denial of Service Vulnerability
  • Network Time Protocol Broadcast Mode Denial of Service Vulnerability
  • Network Time Protocol Broadcast Mode Denial of Service Vulnerability
  • Network Time Protocol Insufficient Resource Pool Denial of Service Vulnerability
  • Network Time Protocol Configuration Modification Denial of Service Vulnerability
  • Network Time Protocol mrulist Query Requests Denial of Service Vulnerability
  • Network Time Protocol Multiple Binds to the Same Port Vulnerability
  • Network Time Protocol Rate Limiting Denial of Service Vulnerability
As well as:
  • Regression of CVE-2015-8138
  • Network Time Protocol Reboot sync calculation problem
Additional details about each vulnerability are in the NTP Consortium Security Notice.

Workarounds that address one or more of these vulnerabilities may be available and will be documented in the Cisco bug for each affected product.

This advisory is available at the following link:
http://ift.tt/2gmENhG Multiple Cisco products incorporate a version of the Network Time Protocol daemon (ntpd) package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server.

On November 21, 2016, the NTP Consortium of the Network Time Foundation released a security notice that details ten issues regarding DoS vulnerabilities and logic issues that may allow an attacker to shift a system's time.

The new vulnerabilities disclosed in this document are as follows:
  • Network Time Protocol Trap Service Denial of Service Vulnerability
  • Network Time Protocol Broadcast Mode Denial of Service Vulnerability
  • Network Time Protocol Broadcast Mode Denial of Service Vulnerability
  • Network Time Protocol Insufficient Resource Pool Denial of Service Vulnerability
  • Network Time Protocol Configuration Modification Denial of Service Vulnerability
  • Network Time Protocol mrulist Query Requests Denial of Service Vulnerability
  • Network Time Protocol Multiple Binds to the Same Port Vulnerability
  • Network Time Protocol Rate Limiting Denial of Service Vulnerability
As well as:
  • Regression of CVE-2015-8138
  • Network Time Protocol Reboot sync calculation problem
Additional details about each vulnerability are in the NTP Consortium Security Notice.

Workarounds that address one or more of these vulnerabilities may be available and will be documented in the Cisco bug for each affected product.

This advisory is available at the following link:
http://ift.tt/2gmENhG
Security Impact Rating: Medium
CVE: CVE-2016-7426,CVE-2016-7427,CVE-2016-7428,CVE-2016-7429,CVE-2016-7434,CVE-2016-9310,CVE-2016-9311,CVE-2016-9312

from Cisco Security Advisory http://ift.tt/2gmENhG

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.