CVE-2016-7426

Published: 21 Nov 2016
Source: redhat
CVSS3: 5.9
CVSS2: 4.3
EPSS: Medium

Description

NTP before 4.2.8p9 rate limits responses received from the configured sources when rate limiting for all associations is enabled, which allows remote attackers to cause a denial of service (prevent responses from the sources) by sending responses with a spoofed source address.

It was found that when ntp is configured with rate limiting for all associations the limits are also applied to responses received from its configured sources. A remote attacker who knows the sources can cause a denial of service by preventing ntpd from accepting valid responses from its sources.

Mitigation

If you choose to use restrict default limited ..., be sure to use restrict source ... (without limited) to avoid this attack.
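
One way to audit an ntp.conf for the pairing this mitigation describes. This is an added example, not code from Red Hat or the NTP project; the function name, status strings and sample configurations are constructed for illustration.

```python
# Added example (not Red Hat's or the NTP project's code). It checks only the
# `restrict default` / `restrict source` pairing named in the mitigation;
# per-address `restrict <ip>` lines are deliberately not evaluated.

def audit_restrict(conf_text):
    """Return (status, default_lines, source_lines) for an ntp.conf string."""
    default_limited = []  # line numbers of `restrict default ... limited`
    source_ok = []        # `restrict source` lines without `limited`
    source_limited = []   # `restrict source` lines that still carry `limited`
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        args = tokens[1:]
        if args[0] in ("-4", "-6"):             # optional address-family selector
            args = args[1:]
        if not args:
            continue
        target, flags = args[0], set(args[1:])
        if target == "default" and "limited" in flags:
            default_limited.append(lineno)
        elif target == "source":
            (source_limited if "limited" in flags else source_ok).append(lineno)
    if not default_limited:
        status = "not-applicable"        # rate limiting is not on for all associations
    elif source_limited:
        status = "sources-rate-limited"  # exemption line itself carries `limited`
    elif not source_ok:
        status = "no-source-exemption"   # default limits also cover the sources
    else:
        status = "mitigated"
    return status, default_limited, source_limited or source_ok

# Constructed sample configurations (not taken from any real host).
EXPOSED = """\
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery
server 192.0.2.10 iburst
"""
MITIGATED = EXPOSED + "restrict source nomodify notrap noquery\n"
STILL_LIMITED = EXPOSED + "restrict source limited nomodify notrap noquery  # wrong\n"

if __name__ == "__main__":
    for name, conf in [("exposed", EXPOSED), ("mitigated", MITIGATED),
                       ("still-limited", STILL_LIMITED)]:
        print(name, audit_restrict(conf))
```

A status other than "mitigated" or "not-applicable" means the configured sources are still covered by the rate limit and the file needs a `restrict source` line without `limited`.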

Affected packages

Platform | Package | State | Advisory | Release
Red Hat Enterprise Linux 5 | ntp | Will not fix | |
Red Hat Enterprise Linux 6 | ntp | Fixed | RHSA-2017:0252 | 06.02.2017
Red Hat Enterprise Linux 7 | ntp | Fixed | RHSA-2017:0252 | 06.02.2017


Additional information

Status: Moderate
Defect: CWE-400
https://bugzilla.redhat.com/show_bug.cgi?id=1397345 (ntp: Client rate limiting and server responses)

EPSS

Percentile: 97%
0.38912
Medium

CVSS3: 5.9 Medium

CVSS2: 4.3 Medium

Related vulnerabilities

CVSS3: 7.5
ubuntu
almost 9 years ago

NTP before 4.2.8p9 rate limits responses received from the configured sources when rate limiting for all associations is enabled, which allows remote attackers to cause a denial of service (prevent responses from the sources) by sending responses with a spoofed source address.

CVSS3: 7.5
nvd
almost 9 years ago

NTP before 4.2.8p9 rate limits responses received from the configured sources when rate limiting for all associations is enabled, which allows remote attackers to cause a denial of service (prevent responses from the sources) by sending responses with a spoofed source address.

CVSS3: 7.5
debian
almost 9 years ago

NTP before 4.2.8p9 rate limits responses received from the configured ...

CVSS3: 7.5
github
more than 3 years ago

NTP before 4.2.8p9 rate limits responses received from the configured sources when rate limiting for all associations is enabled, which allows remote attackers to cause a denial of service (prevent responses from the sources) by sending responses with a spoofed source address.

oracle-oval
almost 9 years ago

ELSA-2017-0252: ntp security update (MODERATE)
