Vulnerability Details : CVE-2016-2517
NTP before 4.2.8p7 and 4.3.x before 4.3.92 allows remote attackers to cause a denial of service (prevent subsequent authentication) by leveraging knowledge of the controlkey or requestkey and sending a crafted packet to ntpd, which changes the value of trustedkey, controlkey, or requestkey. NOTE: this vulnerability exists because of a CVE-2016-2516 regression.
Vulnerability category: Input validationDenial of service
Exploit prediction scoring system (EPSS) score for CVE-2016-2517
Probability of exploitation activity in the next 30 days: 0.48%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 73 % EPSS Score History EPSS FAQ
CVSS scores for CVE-2016-2517
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source |
|---|---|---|---|---|---|
|
4.9
|
MEDIUM | AV:N/AC:H/Au:S/C:N/I:N/A:C |
3.9
|
6.9
|
NIST |
|
5.3
|
MEDIUM | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H |
1.6
|
3.6
|
NIST |
CWE ids for CVE-2016-2517
-
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.Assigned by: nvd@nist.gov (Primary)
References for CVE-2016-2517
-
https://security.netapp.com/advisory/ntap-20171004-0002/
April 2016 Network Time Protocol Daemon (ntpd) Vulnerabilities in Multiple NetApp Products | NetApp Product Security
-
https://security.gentoo.org/glsa/201607-15
NTP: Multiple vulnerabilities (GLSA 201607-15) — Gentoo security
-
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
Oracle Solaris Bulletin - April 2016Third Party Advisory
-
http://www.securityfocus.com/bid/88189
NTP CVE-2016-2517 Denial of Service VulnerabilityThird Party Advisory;VDB Entry
-
http://support.ntp.org/bin/view/Main/NtpBug3010
NtpBug3010 < Main < NTPVendor Advisory
- https://security.FreeBSD.org/advisories/FreeBSD-SA-16:16.ntp.asc
-
https://www.kb.cert.org/vuls/id/718152
VU#718152 - NTP.org ntpd contains multiple vulnerabilitiesThird Party Advisory;US Government Resource
-
http://www.securitytracker.com/id/1035705
ntp Multiple Bugs Let Remote Users Spoof Messages, Obtain Potentially Sensitive Information, Modify Time, and Deny Service - SecurityTracker
Products affected by CVE-2016-2517
- cpe:2.3:a:ntp:ntp:*:p6:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.0:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.1:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.8:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.9:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.6:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.7:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.10:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.11:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.4:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.5:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.13:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.14:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.20:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.21:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.28:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.29:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.36:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.37:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.43:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.44:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.51:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.52:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.59:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.66:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.67:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.74:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.75:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.81:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.82:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.89:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.17:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.18:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.24:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.25:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.32:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.33:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.40:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.47:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.48:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.55:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.56:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.62:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.63:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.70:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.78:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.79:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.85:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.86:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.12:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.19:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.26:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.27:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.34:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.35:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.41:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.42:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.49:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.50:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.57:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.58:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.64:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.65:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.71:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.72:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.73:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.80:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.87:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.88:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.15:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.16:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.22:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.23:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.30:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.31:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.38:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.39:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.45:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.46:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.53:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.54:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.60:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.61:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.68:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.69:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.76:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.77:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.83:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.84:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.90:*:*:*:*:*:*:*
- cpe:2.3:a:ntp:ntp:4.3.91:*:*:*:*:*:*:*