VN-2015-009 – Multiple NTP Vulnerabilities


Multiple vulnerabilities have been found and fixed in the software that implements the Network Time Protocol (NTP). These vulnerabilities range from memory corruption issues to conditions in which attackers can force an NTP daemon to adjust the local clock setting to a value that is maliciously influenced through an authentication bypass vulnerability.
Extreme Networks has posted its assessment of these vulnerabilities, described by numerous CVEs.

More information can be found in this document. It will be updated as more information is available.

3 replies

Hi Drew,

I see that a fix will be available for 15.5 and 15.7.
Do you have any plans to fix this in 15.6?

--
Jarek
Userlevel 7
Jarek wrote:

Hi Drew,

I see that a fix will be available for 15.5 and 15.7.
Do you have any plans to fix this in 15.6?

--
Jarek

Hi Jarek,
We're working on Rev3 of the notice now and I've asked if we can get an answer to your question published with it. If the updates are going in 15.5.5 and 15.7.3, I would imagine we can get it in a 15.6.x release as well.
Userlevel 7
Jarek wrote:

Hi Drew,

I see that a fix will be available for 15.5 and 15.7.
Do you have any plans to fix this in 15.6?

--
Jarek

The rev3 copy should be posted any minute now. In it, you'll find that target fixes are now listed for EXOS 21.1, 16.2, 16.1.3, 15.7.3, 15.6.4, and 15.5.5. Some of those actual release versions will be done as patches.

EDIT: It has been posted now.
