NTP 4.2.8p9 Update Advisory

NTF’s Network Time Protocol (NTP) Project released ntp-4.2.8p9 on 21 November 2016, its first update since ntp-4.2.8p8 was released in June. The latest version addresses the following:

  • 1 HIGH severity vulnerability that only affects Windows
  • 2 MEDIUM severity vulnerabilities
  • 2 MEDIUM/LOW severity vulnerabilities
  • 5 LOW severity vulnerabilities
  • 28 non-security fixes and improvements

All of the security issues in this release are included in VU#633847.

  • Sec 3119 / CVE-2016-9311: Trap crash
    • Reported by Matthew Van Gundy of Cisco ASIG.
  • Sec 3118 / CVE-2016-9310: Mode 6 unauthenticated trap information disclosure and DDoS vector
    • Reported by Matthew Van Gundy of Cisco ASIG.
  • Sec 3114 / CVE-2016-7427: Broadcast Mode Replay Prevention DoS
    • Reported by Matthew Van Gundy of Cisco ASIG.
  • Sec 3113 / CVE-2016-7428: Broadcast Mode Poll Interval Enforcement DoS
    • Reported by Matthew Van Gundy of Cisco ASIG.
  • Sec 3110 / CVE-2016-9312: Windows: ntpd DoS by oversized UDP packet
    • Reported by Robert Pajak of ABB.
  • Sec 3102 / CVE-2016-7431: Regression: 010-origin: Zero Origin Timestamp Bypass
    • Reported by Sharon Goldberg and Aanchal Malhotra of Boston University.
  • Sec 3082 / CVE-2016-7434: Null pointer dereference in _IO_str_init_static_internal()
    • Reported by Magnus Stubman.
  • Sec 3072 / CVE-2016-7429: Interface selection attack
    • Reported by Miroslav Lichvar of Red Hat.
  • Sec 3071 / CVE-2016-7426: Client rate limiting and server responses
    • Reported by Miroslav Lichvar of Red Hat.
  • Sec 3067 / CVE-2016-7433: Reboot sync calculation problem
    • Reported independently by Brian Utterback of Oracle, and by Sharon Goldberg and Aanchal Malhotra of Boston University.