CVE-2016-4954

EPSS 2.18%
Published 05.07.2016 01:59:01
Last modified 12.04.2025 10:46:40
Source cve@mitre.org
Teams watchlist Login
Open Login

The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication.

Affected products Warnungen 0 Metrics 3 CWE 1 References 38

Data is provided by the National Vulnerability Database (NVD)

Ntp ≫ Ntp Version >= 4.2.0 < 4.2.8

Ntp ≫ Ntp Version >= 4.3.0 < 4.3.93

Ntp ≫ Ntp Version4.2.8 Update-

Ntp ≫ Ntp Version4.2.8 Updatep1

Ntp ≫ Ntp Version4.2.8 Updatep1-beta1

Ntp ≫ Ntp Version4.2.8 Updatep1-beta2

Ntp ≫ Ntp Version4.2.8 Updatep1-beta3

Ntp ≫ Ntp Version4.2.8 Updatep1-beta4

Ntp ≫ Ntp Version4.2.8 Updatep1-beta5

Ntp ≫ Ntp Version4.2.8 Updatep1-rc1

Ntp ≫ Ntp Version4.2.8 Updatep1-rc2

Ntp ≫ Ntp Version4.2.8 Updatep2

Ntp ≫ Ntp Version4.2.8 Updatep2-rc1

Ntp ≫ Ntp Version4.2.8 Updatep2-rc2

Ntp ≫ Ntp Version4.2.8 Updatep2-rc3

Ntp ≫ Ntp Version4.2.8 Updatep3

Ntp ≫ Ntp Version4.2.8 Updatep3-rc1

Ntp ≫ Ntp Version4.2.8 Updatep3-rc2

Ntp ≫ Ntp Version4.2.8 Updatep3-rc3

Ntp ≫ Ntp Version4.2.8 Updatep4

Ntp ≫ Ntp Version4.2.8 Updatep5

Ntp ≫ Ntp Version4.2.8 Updatep6

Ntp ≫ Ntp Version4.2.8 Updatep7

Oracle ≫ Solaris Version10

Oracle ≫ Solaris Version11.3

Suse ≫ Manager Version2.1

Suse ≫ Manager Proxy Version2.1

Suse ≫ Openstack Cloud Version5

Opensuse ≫ Leap Version42.1

Opensuse ≫ Opensuse Version13.2

Suse ≫ Linux Enterprise Desktop Version12 Updatesp1

Suse ≫ Linux Enterprise Server Version11 Updatesp2 SwEditionltss

Suse ≫ Linux Enterprise Server Version11 Updatesp3 SwEditionltss

Suse ≫ Linux Enterprise Server Version11 Updatesp4

Suse ≫ Linux Enterprise Server Version12 Updatesp1

Siemens ≫ Simatic Net Cp 443-1 Opc Ua Firmware

Siemens ≫ Simatic Net Cp 443-1 Opc Ua Version-

Siemens ≫ Tim 4r-ie Firmware

Siemens ≫ Tim 4r-ie Version-

Siemens ≫ Tim 4r-ie Dnp3 Firmware

Siemens ≫ Tim 4r-ie Dnp3 Version-

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	2.18%	0.838

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:N/A:P

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.

http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

Third Party Advisory

http://support.ntp.org/bin/view/Main/SecurityNotice

Vendor Advisory

https://cert-portal.siemens.com/productcert/pdf/ssa-497656.pdf

Third Party Advisory

https://security.gentoo.org/glsa/201607-15

Third Party Advisory

https://us-cert.cisa.gov/ics/advisories/icsa-21-103-11

Third Party Advisory

US Government Resource

http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00018.html