CVE-2016-1548 : An attacker can spoof a packet from a legitimate ntpd server with an origin timestamp that matches the peer->dst timesta

An attacker can spoof a packet from a legitimate ntpd server with an origin timestamp that matches the peer->dst timestamp recorded for that server. After making this switch, the client in NTP 4.2.8p4 and earlier and NTPSec aa48d001683e5b791a743ec9c575aaf7d867a2b0c will reject all future legitimate server responses. It is possible to force the victim client to move time after the mode has been changed. ntpq gives no indication that the mode has been switched.

Published 2017-01-06 21:59:00

Updated 2021-11-17 22:15:48

Source CERT/CC

View at NVD, CVE.org

Exploit prediction scoring system (EPSS) score for CVE-2016-1548

Probability of exploitation activity in the next 30 days: 0.62%

Percentile, the proportion of vulnerabilities that are scored at or less: ~ 78 % EPSS Score History EPSS FAQ

CVSS scores for CVE-2016-1548

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
6.4	MEDIUM	AV:N/AC:L/Au:N/C:N/I:P/A:P	10.0	4.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: Partial
7.2	HIGH	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L	3.9	2.7	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Changed Confidentiality: None Integrity: Low Availability: Low

CWE ids for CVE-2016-1548

CWE-19

Assigned by: nvd@nist.gov (Primary)

References for CVE-2016-1548

http://packetstormsecurity.com/files/136864/Slackware-Security-Advisory-ntp-Updates.html

Slackware Security Advisory - ntp Updates ≈ Packet Storm

CVEs referencing this url
https://cert-portal.siemens.com/productcert/pdf/ssa-497656.pdf

CVEs referencing this url
http://www.securityfocus.com/bid/88264

NTP CVE-2016-1548 Security Bypass Vulnerability
https://security.netapp.com/advisory/ntap-20171004-0002/

April 2016 Network Time Protocol Daemon (ntpd) Vulnerabilities in Multiple NetApp Products | NetApp Product Security

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00001.html

[security-announce] SUSE-SU-2016:1471-1: important: Security update for ntp - openSUSE Security Announce - openSUSE Mailing Lists

CVEs referencing this url
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160428-ntpd

Multiple Vulnerabilities in Network Time Protocol Daemon Affecting Cisco Products: April 2016

CVEs referencing this url
http://www.talosintelligence.com/reports/TALOS-2016-0082/

TALOS-2016-0082 || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence
Exploit;Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2016-1552.html

RHSA-2016:1552 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00052.html

[security-announce] openSUSE-SU-2016:1329-1: important: Security update for ntp - openSUSE Security Announce - openSUSE Mailing Lists

CVEs referencing this url
https://security.gentoo.org/glsa/201607-15

NTP: Multiple vulnerabilities (GLSA 201607-15) — Gentoo security

CVEs referencing this url
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html

Oracle Solaris Bulletin - April 2016

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00034.html

[security-announce] SUSE-SU-2016:1278-1: important: Security update for ntp - openSUSE Security Announce - openSUSE Mailing Lists

CVEs referencing this url
http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183647.html

[SECURITY] Fedora 24 Update: ntp-4.2.6p5-40.fc24

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00020.html

[security-announce] SUSE-SU-2016:1568-1: important: Security update for ntp - openSUSE Security Announce - openSUSE Mailing Lists

CVEs referencing this url
https://us-cert.cisa.gov/ics/advisories/icsa-21-103-11

Siemens TIM 4R-IE Devices | CISA

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00037.html

[security-announce] SUSE-SU-2016:1291-1: important: Security update for ntp - openSUSE Security Announce - openSUSE Mailing Lists

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2016:1141

RHSA-2016:1141 - Security Advisory - Red Hat Customer Portal

CVEs referencing this url
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html

Oracle Linux Bulletin - April 2016

CVEs referencing this url
https://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0082

TALOS-2016-0082 || Cisco Talos Intelligence Group - Comprehensive Threat Intelligence
http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00026.html

[security-announce] SUSE-SU-2016:1912-1: important: Security update for

CVEs referencing this url
https://security.FreeBSD.org/advisories/FreeBSD-SA-16:16.ntp.asc

CVEs referencing this url
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00042.html

[security-announce] SUSE-SU-2016:2094-1: important: Security update for

CVEs referencing this url
https://www.debian.org/security/2016/dsa-3629

Debian -- Security Information -- DSA-3629-1 ntp

CVEs referencing this url
https://cert-portal.siemens.com/productcert/pdf/ssa-211752.pdf

CVEs referencing this url
http://www.securityfocus.com/archive/1/archive/1/538233/100/0/threaded

SecurityFocus

CVEs referencing this url
https://www.kb.cert.org/vuls/id/718152

VU#718152 - NTP.org ntpd contains multiple vulnerabilities

CVEs referencing this url
http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184669.html

[SECURITY] Fedora 23 Update: ntp-4.2.6p5-40.fc23

CVEs referencing this url
http://www.ubuntu.com/usn/USN-3096-1

USN-3096-1: NTP vulnerabilities | Ubuntu security notices

CVEs referencing this url
https://www.arista.com/en/support/advisories-notices/security-advisories/1332-security-advisory-19

Security Advisory 0019 - Arista

CVEs referencing this url
http://www.securitytracker.com/id/1035705

ntp Multiple Bugs Let Remote Users Spoof Messages, Obtain Potentially Sensitive Information, Modify Time, and Deny Service - SecurityTracker

CVEs referencing this url
http://www.securityfocus.com/archive/1/538233/100/0/threaded

SecurityFocus

CVEs referencing this url
http://lists.opensuse.org/opensuse-updates/2016-05/msg00114.html

openSUSE-SU-2016:1423-1: moderate: Security update for ntp

CVEs referencing this url
https://us-cert.cisa.gov/ics/advisories/icsa-21-159-11

Siemens SIMATIC NET CP 443-1 OPC UA | CISA

CVEs referencing this url
http://www.debian.org/security/2016/dsa-3629

Debian -- Security Information -- DSA-3629-1 ntp

CVEs referencing this url

Products affected by CVE-2016-1548

NTP » NTP » Version: 4.2.8 Update P4
cpe:2.3:a:ntp:ntp:4.2.8:p4:*:*:*:*:*:*
Matching versions

Vulnerability Details : CVE-2016-1548

Exploit prediction scoring system (EPSS) score for CVE-2016-1548

CVSS scores for CVE-2016-1548

CWE ids for CVE-2016-1548

References for CVE-2016-1548

Products affected by CVE-2016-1548