CVE-2016-1548

An attacker can spoof a packet from a legitimate ntpd server with an origin timestamp that matches the peer->dst timestamp recorded for that server. After making this switch, the client in NTP 4.2.8p4 and earlier and NTPSec aa48d001683e5b791a743ec9c575aaf7d867a2b0c will reject all future legitimate server responses. It is possible to force the victim client to move time after the mode has been changed. ntpq gives no indication that the mode has been switched.

CVSS v3 7.2 HIGH
CVSS v2.0 6.4 MEDIUM

7.2^/10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L

Exploitability : 3.9 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

6.4^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:P

Exploitability : 10.0 / Impact : 4.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183647.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184669.html
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00034.html
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00037.html
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00052.html
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00020.html
http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00026.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00042.html
http://lists.opensuse.org/opensuse-updates/2016-05/msg00114.html
http://packetstormsecurity.com/files/136864/Slackware-Security-Advisory-ntp-Updates.html
http://rhn.redhat.com/errata/RHSA-2016-1552.html
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160428-ntpd
http://www.debian.org/security/2016/dsa-3629
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
http://www.securityfocus.com/archive/1/538233/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/538233/100/0/threaded
http://www.securityfocus.com/bid/88264
http://www.securitytracker.com/id/1035705
http://www.talosintelligence.com/reports/TALOS-2016-0082/	Exploit Third Party Advisory
http://www.ubuntu.com/usn/USN-3096-1
https://access.redhat.com/errata/RHSA-2016:1141
https://cert-portal.siemens.com/productcert/pdf/ssa-211752.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-497656.pdf
https://security.FreeBSD.org/advisories/FreeBSD-SA-16:16.ntp.asc
https://security.gentoo.org/glsa/201607-15
https://security.netapp.com/advisory/ntap-20171004-0002/
https://us-cert.cisa.gov/ics/advisories/icsa-21-103-11
https://us-cert.cisa.gov/ics/advisories/icsa-21-159-11
https://www.arista.com/en/support/advisories-notices/security-advisories/1332-security-advisory-19
https://www.debian.org/security/2016/dsa-3629
https://www.kb.cert.org/vuls/id/718152
https://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0082
http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183647.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184669.html
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00034.html
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00037.html
http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00052.html
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00020.html
http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00026.html
http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00042.html
http://lists.opensuse.org/opensuse-updates/2016-05/msg00114.html
http://packetstormsecurity.com/files/136864/Slackware-Security-Advisory-ntp-Updates.html
http://rhn.redhat.com/errata/RHSA-2016-1552.html
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160428-ntpd
http://www.debian.org/security/2016/dsa-3629
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
http://www.securityfocus.com/archive/1/538233/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/538233/100/0/threaded
http://www.securityfocus.com/bid/88264
http://www.securitytracker.com/id/1035705
http://www.talosintelligence.com/reports/TALOS-2016-0082/	Exploit Third Party Advisory
http://www.ubuntu.com/usn/USN-3096-1
https://access.redhat.com/errata/RHSA-2016:1141
https://cert-portal.siemens.com/productcert/pdf/ssa-211752.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-497656.pdf
https://security.FreeBSD.org/advisories/FreeBSD-SA-16:16.ntp.asc
https://security.gentoo.org/glsa/201607-15
https://security.netapp.com/advisory/ntap-20171004-0002/
https://us-cert.cisa.gov/ics/advisories/icsa-21-103-11
https://us-cert.cisa.gov/ics/advisories/icsa-21-159-11
https://www.arista.com/en/support/advisories-notices/security-advisories/1332-security-advisory-19
https://www.debian.org/security/2016/dsa-3629
https://www.kb.cert.org/vuls/id/718152
https://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0082

Configurations

Configuration 1 (hide)

cpe:2.3:a:ntp:ntp:4.2.8:p4:*:*:*:*:*:*

History

21 Nov 2024, 02:46

Information

Published : 2017-01-06 21:59

Updated : 2025-04-20 01:37

NVD link : CVE-2016-1548

Mitre link : CVE-2016-1548

CVE.ORG link : CVE-2016-1548

JSON object : View

Products Affected

ntp

CWE

CWE-19

Data Processing Errors

{"id": "CVE-2016-1548", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 6.4, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV30": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.0", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 2.7, "exploitabilityScore": 3.9}]}, "published": "2017-01-06T21:59:00.353", "references": [{"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183647.html", "source": "cret@cert.org"}, {"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184669.html", "source": "cret@cert.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00034.html", "source": "cret@cert.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00037.html", "source": "cret@cert.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00052.html", "source": "cret@cert.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00001.html", "source": "cret@cert.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00020.html", "source": "cret@cert.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00026.html", "source": "cret@cert.org"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00042.html", "source": "cret@cert.org"}, {"url": "http://lists.opensuse.org/opensuse-updates/2016-05/msg00114.html", "source": "cret@cert.org"}, {"url": "http://packetstormsecurity.com/files/136864/Slackware-Security-Advisory-ntp-Updates.html", "source": "cret@cert.org"}, {"url": "http://rhn.redhat.com/errata/RHSA-2016-1552.html", "source": "cret@cert.org"}, {"url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160428-ntpd", "source": "cret@cert.org"}, {"url": "http://www.debian.org/security/2016/dsa-3629", "source": "cret@cert.org"}, {"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", "source": "cret@cert.org"}, {"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", "source": "cret@cert.org"}, {"url": "http://www.securityfocus.com/archive/1/538233/100/0/threaded", "source": "cret@cert.org"}, {"url": "http://www.securityfocus.com/archive/1/archive/1/538233/100/0/threaded", "source": "cret@cert.org"}, {"url": "http://www.securityfocus.com/bid/88264", "source": "cret@cert.org"}, {"url": "http://www.securitytracker.com/id/1035705", "source": "cret@cert.org"}, {"url": "http://www.talosintelligence.com/reports/TALOS-2016-0082/", "tags": ["Exploit", "Third Party Advisory"], "source": "cret@cert.org"}, {"url": "http://www.ubuntu.com/usn/USN-3096-1", "source": "cret@cert.org"}, {"url": "https://access.redhat.com/errata/RHSA-2016:1141", "source": "cret@cert.org"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-211752.pdf", "source": "cret@cert.org"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-497656.pdf", "source": "cret@cert.org"}, {"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-16:16.ntp.asc", "source": "cret@cert.org"}, {"url": "https://security.gentoo.org/glsa/201607-15", "source": "cret@cert.org"}, {"url": "https://security.netapp.com/advisory/ntap-20171004-0002/", "source": "cret@cert.org"}, {"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-103-11", "source": "cret@cert.org"}, {"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-159-11", "source": "cret@cert.org"}, {"url": "https://www.arista.com/en/support/advisories-notices/security-advisories/1332-security-advisory-19", "source": "cret@cert.org"}, {"url": "https://www.debian.org/security/2016/dsa-3629", "source": "cret@cert.org"}, {"url": "https://www.kb.cert.org/vuls/id/718152", "source": "cret@cert.org"}, {"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0082", "source": "cret@cert.org"}, {"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/183647.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-May/184669.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00034.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00037.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00052.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00001.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00020.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00026.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00042.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://lists.opensuse.org/opensuse-updates/2016-05/msg00114.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://packetstormsecurity.com/files/136864/Slackware-Security-Advisory-ntp-Updates.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://rhn.redhat.com/errata/RHSA-2016-1552.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160428-ntpd", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.debian.org/security/2016/dsa-3629", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/archive/1/538233/100/0/threaded", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/archive/1/archive/1/538233/100/0/threaded", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securityfocus.com/bid/88264", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.securitytracker.com/id/1035705", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.talosintelligence.com/reports/TALOS-2016-0082/", "tags": ["Exploit", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "http://www.ubuntu.com/usn/USN-3096-1", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://access.redhat.com/errata/RHSA-2016:1141", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-211752.pdf", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-497656.pdf", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-16:16.ntp.asc", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.gentoo.org/glsa/201607-15", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://security.netapp.com/advisory/ntap-20171004-0002/", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-103-11", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-159-11", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.arista.com/en/support/advisories-notices/security-advisories/1332-security-advisory-19", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.debian.org/security/2016/dsa-3629", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.kb.cert.org/vuls/id/718152", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0082", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-19"}]}], "descriptions": [{"lang": "en", "value": "An attacker can spoof a packet from a legitimate ntpd server with an origin timestamp that matches the peer->dst timestamp recorded for that server. After making this switch, the client in NTP 4.2.8p4 and earlier and NTPSec aa48d001683e5b791a743ec9c575aaf7d867a2b0c will reject all future legitimate server responses. It is possible to force the victim client to move time after the mode has been changed. ntpq gives no indication that the mode has been switched."}, {"lang": "es", "value": "Un atacante puede suplantar un paquete de un servidor ntpd leg\u00edtimo con una marca de tiempo de origen que coincida con la marca de tiempo peer->dst registrada para ese servidor. Despu\u00e9s de hacer este cambio, el cliente en NTP 4.2.8p4 y versiones anteriores y NTPSec aa48d001683e5b791a743ec9c575aaf7d867a2b0c rechazar\u00e1n todas las futuras respuestas leg\u00edtimas del servidor. Es posible forzar al cliente v\u00edctima a mover el tiempo despu\u00e9s de que el modo haya sido cambiado. ntpq no indica que el modo ha sido cambiado."}], "lastModified": "2025-04-20T01:37:25.860", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ntp:ntp:4.2.8:p4:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "99C71C00-7222-483B-AEFB-159337BD3C92"}], "operator": "OR"}]}], "sourceIdentifier": "cret@cert.org"}

7.2 /10

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

6.4 /10

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2016-1548

7.2^/10

6.4^/10

Attach tags to `CVE-2016-1548`