CVE-2016-1548: Input Validation
First published: Thu Apr 28 2016(Updated: )
An attacker can spoof a packet from a legitimate ntpd server with an origin timestamp that matches the peer->dst timestamp recorded for that server. After making this switch, the client in NTP 4.2.8p4 and earlier and NTPSec aa48d001683e5b791a743ec9c575aaf7d867a2b0c will reject all future legitimate server responses. It is possible to force the victim client to move time after the mode has been changed. ntpq gives no indication that the mode has been switched.
Credit: cret@cert.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/ntp | 1:4.2.8p12+dfsg-4 1:4.2.8p15+dfsg-1 | |
| NTP ntp | =4.2.8-p4 | |
| redhat/ntp | <4.2.8 | 4.2.8 |
| Siemens TIM 4R-IE | ||
| Siemens TIM 4R-IE DNP3 | ||
| Siemens Simatic Net CP 443-1 OPC UA Firmware |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security
- https://security-tracker.debian.org/tracker/CVE-2016-1548
- http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183647.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184669.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00034.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00037.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00052.html
- http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00020.html
- http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00026.html
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00042.html
- http://lists.opensuse.org/opensuse-updates/2016-05/msg00114.html
- http://packetstormsecurity.com/files/136864/Slackware-Security-Advisory-ntp-Updates.html
- http://rhn.redhat.com/errata/RHSA-2016-1552.html
- http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160428-ntpd
- http://www.debian.org/security/2016/dsa-3629
- http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- http://www.securityfocus.com/archive/1/538233/100/0/threaded
- http://www.securityfocus.com/archive/1/archive/1/538233/100/0/threaded
- http://www.securityfocus.com/bid/88264
- http://www.securitytracker.com/id/1035705
- http://www.talosintelligence.com/reports/TALOS-2016-0082/
- http://www.ubuntu.com/usn/USN-3096-1
- https://access.redhat.com/errata/RHSA-2016:1141
- https://cert-portal.siemens.com/productcert/pdf/ssa-211752.pdf
- https://cert-portal.siemens.com/productcert/pdf/ssa-497656.pdf
- https://security.FreeBSD.org/advisories/FreeBSD-SA-16:16.ntp.asc
- https://security.gentoo.org/glsa/201607-15
- https://security.netapp.com/advisory/ntap-20171004-0002/
- https://us-cert.cisa.gov/ics/advisories/icsa-21-103-11
- https://us-cert.cisa.gov/ics/advisories/icsa-21-159-11
- https://www.arista.com/en/support/advisories-notices/security-advisories/1332-security-advisory-19
- https://www.debian.org/security/2016/dsa-3629
- https://www.kb.cert.org/vuls/id/718152
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0082
- http://support.ntp.org/bin/view/Main/NtpBug2978
- http://www.talosintel.com/reports/TALOS-2016-0082/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1332160
- https://rhn.redhat.com/errata/RHSA-2016-1552.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1331462
- https://www.cisa.gov/news-events/ics-advisories/icsa-21-159-11 (Advisory)
- https://www.cisa.gov/news-events/ics-advisories/icsa-21-103-11 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2016-1548?
CVE-2016-1548 is rated as a medium severity vulnerability.
How do I fix CVE-2016-1548?
To fix CVE-2016-1548, upgrade to NTP versions 4.2.8p12+dfsg-4 or 4.2.8p15+dfsg-1.
What software is affected by CVE-2016-1548?
CVE-2016-1548 affects NTP versions 4.2.8p4 and earlier, including NTPSec aa48d001683e5b791a743ec9c575aaf7d867a2b0c.
What are the potential impacts of CVE-2016-1548?
The potential impact of CVE-2016-1548 includes the ability for an attacker to spoof legitimate ntpd server packets.
Is CVE-2016-1548 present in any specific products?
CVE-2016-1548 is present in various products, including certain Siemens TIM 4R-IE and SIMATIC NET CP 443-1 OPC UA devices.
- collector/security-tracker-debian
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/author
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-1548
- agent/software-canonical-lookup
- agent/description
- agent/weakness
- agent/severity
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- collector/ics-cert-advisory
- source/ICS
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- alias/CVE-2016-4956
- package-manager/debian
- vendor/ntp
- canonical/ntp ntp
- version/ntp ntp/4.2.8-p4
- package-manager/redhat
- vendor/siemens
- canonical/siemens tim 4r-ie
- canonical/siemens tim 4r-ie dnp3
- canonical/siemens simatic net cp 443-1 opc ua firmware