NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (client-server association tear down) by sending broadcast packets with invalid authentication to a broadcast client.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Ntp | Ntp | * | 4.2.8 (including) |
| Ntp | Ntp | 4.3.0 (including) | 4.3.0 (including) |
| Ntp | Ntp | 4.3.1 (including) | 4.3.1 (including) |
| Ntp | Ntp | 4.3.2 (including) | 4.3.2 (including) |
| Ntp | Ntp | 4.3.3 (including) | 4.3.3 (including) |
| Ntp | Ntp | 4.3.4 (including) | 4.3.4 (including) |
| Ntp | Ntp | 4.3.5 (including) | 4.3.5 (including) |
| Ntp | Ntp | 4.3.6 (including) | 4.3.6 (including) |
| Ntp | Ntp | 4.3.7 (including) | 4.3.7 (including) |
| Ntp | Ntp | 4.3.8 (including) | 4.3.8 (including) |
| Ntp | Ntp | 4.3.10 (including) | 4.3.10 (including) |
| Ntp | Ntp | 4.3.11 (including) | 4.3.11 (including) |
| Ntp | Ntp | 4.3.12 (including) | 4.3.12 (including) |
| Ntp | Ntp | 4.3.13 (including) | 4.3.13 (including) |
| Ntp | Ntp | 4.3.14 (including) | 4.3.14 (including) |
| Ntp | Ntp | 4.3.15 (including) | 4.3.15 (including) |
| Ntp | Ntp | 4.3.16 (including) | 4.3.16 (including) |
| Ntp | Ntp | 4.3.17 (including) | 4.3.17 (including) |
| Ntp | Ntp | 4.3.18 (including) | 4.3.18 (including) |
| Ntp | Ntp | 4.3.19 (including) | 4.3.19 (including) |
| Ntp | Ntp | 4.3.20 (including) | 4.3.20 (including) |
| Ntp | Ntp | 4.3.21 (including) | 4.3.21 (including) |
| Ntp | Ntp | 4.3.22 (including) | 4.3.22 (including) |
| Ntp | Ntp | 4.3.23 (including) | 4.3.23 (including) |
| Ntp | Ntp | 4.3.24 (including) | 4.3.24 (including) |
| Ntp | Ntp | 4.3.25 (including) | 4.3.25 (including) |
| Ntp | Ntp | 4.3.26 (including) | 4.3.26 (including) |
| Ntp | Ntp | 4.3.27 (including) | 4.3.27 (including) |
| Ntp | Ntp | 4.3.28 (including) | 4.3.28 (including) |
| Ntp | Ntp | 4.3.29 (including) | 4.3.29 (including) |
| Ntp | Ntp | 4.3.30 (including) | 4.3.30 (including) |
| Ntp | Ntp | 4.3.31 (including) | 4.3.31 (including) |
| Ntp | Ntp | 4.3.32 (including) | 4.3.32 (including) |
| Ntp | Ntp | 4.3.33 (including) | 4.3.33 (including) |
| Ntp | Ntp | 4.3.34 (including) | 4.3.34 (including) |
| Ntp | Ntp | 4.3.35 (including) | 4.3.35 (including) |
| Ntp | Ntp | 4.3.36 (including) | 4.3.36 (including) |
| Ntp | Ntp | 4.3.37 (including) | 4.3.37 (including) |
| Ntp | Ntp | 4.3.38 (including) | 4.3.38 (including) |
| Ntp | Ntp | 4.3.39 (including) | 4.3.39 (including) |
| Ntp | Ntp | 4.3.40 (including) | 4.3.40 (including) |
| Ntp | Ntp | 4.3.41 (including) | 4.3.41 (including) |
| Ntp | Ntp | 4.3.42 (including) | 4.3.42 (including) |
| Ntp | Ntp | 4.3.43 (including) | 4.3.43 (including) |
| Ntp | Ntp | 4.3.44 (including) | 4.3.44 (including) |
| Ntp | Ntp | 4.3.45 (including) | 4.3.45 (including) |
| Ntp | Ntp | 4.3.46 (including) | 4.3.46 (including) |
| Ntp | Ntp | 4.3.47 (including) | 4.3.47 (including) |
| Ntp | Ntp | 4.3.48 (including) | 4.3.48 (including) |
| Ntp | Ntp | 4.3.49 (including) | 4.3.49 (including) |
| Ntp | Ntp | 4.3.50 (including) | 4.3.50 (including) |
| Ntp | Ntp | 4.3.51 (including) | 4.3.51 (including) |
| Ntp | Ntp | 4.3.52 (including) | 4.3.52 (including) |
| Ntp | Ntp | 4.3.53 (including) | 4.3.53 (including) |
| Ntp | Ntp | 4.3.54 (including) | 4.3.54 (including) |
| Ntp | Ntp | 4.3.55 (including) | 4.3.55 (including) |
| Ntp | Ntp | 4.3.56 (including) | 4.3.56 (including) |
| Ntp | Ntp | 4.3.57 (including) | 4.3.57 (including) |
| Ntp | Ntp | 4.3.58 (including) | 4.3.58 (including) |
| Ntp | Ntp | 4.3.59 (including) | 4.3.59 (including) |
| Ntp | Ntp | 4.3.60 (including) | 4.3.60 (including) |
| Ntp | Ntp | 4.3.61 (including) | 4.3.61 (including) |
| Ntp | Ntp | 4.3.62 (including) | 4.3.62 (including) |
| Ntp | Ntp | 4.3.63 (including) | 4.3.63 (including) |
| Ntp | Ntp | 4.3.64 (including) | 4.3.64 (including) |
| Ntp | Ntp | 4.3.65 (including) | 4.3.65 (including) |
| Ntp | Ntp | 4.3.66 (including) | 4.3.66 (including) |
| Ntp | Ntp | 4.3.67 (including) | 4.3.67 (including) |
| Ntp | Ntp | 4.3.68 (including) | 4.3.68 (including) |
| Ntp | Ntp | 4.3.69 (including) | 4.3.69 (including) |
| Ntp | Ntp | 4.3.70 (including) | 4.3.70 (including) |
| Ntp | Ntp | 4.3.71 (including) | 4.3.71 (including) |
| Ntp | Ntp | 4.3.72 (including) | 4.3.72 (including) |
| Ntp | Ntp | 4.3.73 (including) | 4.3.73 (including) |
| Ntp | Ntp | 4.3.74 (including) | 4.3.74 (including) |
| Ntp | Ntp | 4.3.75 (including) | 4.3.75 (including) |
| Ntp | Ntp | 4.3.76 (including) | 4.3.76 (including) |
| Ntp | Ntp | 4.3.77 (including) | 4.3.77 (including) |
| Ntp | Ntp | 4.3.78 (including) | 4.3.78 (including) |
| Ntp | Ntp | 4.3.79 (including) | 4.3.79 (including) |
| Ntp | Ntp | 4.3.80 (including) | 4.3.80 (including) |
| Ntp | Ntp | 4.3.81 (including) | 4.3.81 (including) |
| Ntp | Ntp | 4.3.82 (including) | 4.3.82 (including) |
| Ntp | Ntp | 4.3.83 (including) | 4.3.83 (including) |
| Ntp | Ntp | 4.3.84 (including) | 4.3.84 (including) |
| Ntp | Ntp | 4.3.85 (including) | 4.3.85 (including) |
| Ntp | Ntp | 4.3.86 (including) | 4.3.86 (including) |
| Ntp | Ntp | 4.3.87 (including) | 4.3.87 (including) |
| Ntp | Ntp | 4.3.88 (including) | 4.3.88 (including) |
| Ntp | Ntp | 4.3.89 (including) | 4.3.89 (including) |
| Red Hat Enterprise Linux 6 | RedHat | ntp-0:4.2.6p5-10.el6.1 | * |
| Red Hat Enterprise Linux 6.7 Extended Update Support | RedHat | ntp-0:4.2.6p5-5.el6_7.5 | * |
| Red Hat Enterprise Linux 7 | RedHat | ntp-0:4.2.6p5-22.el7_2.2 | * |
| Red Hat Enterprise Linux 7 | RedHat | ntp-0:4.2.6p5-25.el7 | * |
| Ntp | Ubuntu | esm-infra-legacy/trusty | * |
| Ntp | Ubuntu | esm-infra/xenial | * |
| Ntp | Ubuntu | precise | * |
| Ntp | Ubuntu | trusty | * |
| Ntp | Ubuntu | trusty/esm | * |
| Ntp | Ubuntu | upstream | * |
| Ntp | Ubuntu | vivid | * |
| Ntp | Ubuntu | vivid/stable-phone-overlay | * |
| Ntp | Ubuntu | wily | * |
| Ntp | Ubuntu | xenial | * |
References
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177507.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176434.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00059.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00060.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00020.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00038.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00048.html
- http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00026.html
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00042.html
- http://lists.opensuse.org/opensuse-updates/2016-05/msg00114.html
- http://rhn.redhat.com/errata/RHSA-2016-1552.html
- http://rhn.redhat.com/errata/RHSA-2016-2583.html
- http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd
- http://www.debian.org/security/2016/dsa-3629
- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- http://www.securityfocus.com/bid/81816
- http://www.securitytracker.com/id/1034782
- http://www.ubuntu.com/usn/USN-3096-1
- https://access.redhat.com/errata/RHSA-2016:1141
- https://bto.bluecoat.com/security-advisory/sa113
- https://cert-portal.siemens.com/productcert/pdf/ssa-497656.pdf
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03750en_us
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03766en_us
- https://security.FreeBSD.org/advisories/FreeBSD-SA-16:09.ntp.asc
- https://security.gentoo.org/glsa/201607-15
- https://security.netapp.com/advisory/ntap-20171031-0001/
- https://us-cert.cisa.gov/ics/advisories/icsa-21-103-11
- https://www.kb.cert.org/vuls/id/718152
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177507.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/176434.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00059.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00060.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00020.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00038.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00048.html
- http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00026.html
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00042.html
- http://lists.opensuse.org/opensuse-updates/2016-05/msg00114.html
- http://rhn.redhat.com/errata/RHSA-2016-1552.html
- http://rhn.redhat.com/errata/RHSA-2016-2583.html
- http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160127-ntpd
- http://www.debian.org/security/2016/dsa-3629
- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- http://www.securityfocus.com/bid/81816
- http://www.securitytracker.com/id/1034782
- http://www.ubuntu.com/usn/USN-3096-1
- https://access.redhat.com/errata/RHSA-2016:1141
- https://bto.bluecoat.com/security-advisory/sa113
- https://cert-portal.siemens.com/productcert/pdf/ssa-497656.pdf
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03750en_us
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US\u0026docId=emr_na-hpesbhf03766en_us
- https://security.FreeBSD.org/advisories/FreeBSD-SA-16:09.ntp.asc
- https://security.gentoo.org/glsa/201607-15
- https://security.netapp.com/advisory/ntap-20171031-0001/
- https://us-cert.cisa.gov/ics/advisories/icsa-21-103-11
- https://www.kb.cert.org/vuls/id/718152