CVE-2016-9042

An exploitable denial of service vulnerability exists in the origin timestamp check functionality of ntpd 4.2.8p9. A specially crafted unauthenticated network packet can be used to reset the expected origin timestamp for target peers. Legitimate replies from targeted peers will fail the origin timestamp check (TEST2) causing the reply to be dropped and creating a denial of service condition.

CVSS v3.0 5.9 MEDIUM
CVSS v2.0 4.3 MEDIUM

5.9^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

4.3^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:M/Au:N/C:N/I:N/A:P

Exploitability : 8.6 / Impact : 2.9

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

References

Link	Resource
https://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0260	Exploit Mitigation Third Party Advisory
https://security.FreeBSD.org/advisories/FreeBSD-SA-17:03.ntp.asc	Third Party Advisory
http://www.securitytracker.com/id/1039427	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1038123	Third Party Advisory VDB Entry
http://www.securityfocus.com/bid/97046	Permissions Required Third Party Advisory VDB Entry
https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03962en_us	Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-211752.pdf	Third Party Advisory
https://kc.mcafee.com/corporate/index?page=content&id=SB10201
http://seclists.org/fulldisclosure/2017/Nov/7
http://seclists.org/fulldisclosure/2017/Sep/62
https://support.f5.com/csp/article/K39041624
http://www.securityfocus.com/archive/1/540403/100/0/threaded
https://bto.bluecoat.com/security-advisory/sa147
http://www.securityfocus.com/archive/1/archive/1/540464/100/0/threaded
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7KVLFA3J43QFIP4I7HE7KQ5FXSMJEKC6/
http://packetstormsecurity.com/files/142101/FreeBSD-Security-Advisory-FreeBSD-SA-17-03.ntp.html
http://www.securityfocus.com/archive/1/archive/1/540403/100/0/threaded
http://packetstormsecurity.com/files/142284/Slackware-Security-Advisory-ntp-Updates.html
https://us-cert.cisa.gov/ics/advisories/icsa-21-159-11
http://www.ubuntu.com/usn/USN-3349-1
https://support.apple.com/kb/HT208144

Configurations

Configuration 1 (hide)

cpe:2.3:a:ntp:ntp:4.2.8:p9:*:*:*:*:*:*

Configuration 2 (hide)

OR	cpe:2.3:o:freebsd:freebsd:10.0:::::::*
	cpe:2.3:o:freebsd:freebsd:11.0:::::::*

Configuration 3 (hide)

cpe:2.3:a:hpe:hpux-ntp:*:*:*:*:*:*:*:*

Configuration 4 (hide)

AND

cpe:2.3:o:siemens:simatic_net_cp_443-1_opc_ua_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:simatic_net_cp_443-1_opc_ua:-:*:*:*:*:*:*:*

Information

Published : 2018-06-04 13:29

Updated : 2022-04-19 13:15

NVD link : CVE-2016-9042

Mitre link : CVE-2016-9042

JSON object : View

CWE

CWE-20

Improper Input Validation

Products Affected

freebsd

freebsd

siemens

simatic_net_cp_443-1_opc_ua
simatic_net_cp_443-1_opc_ua_firmware

ntp

hpe

hpux-ntp

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0260", "name": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2016-0260", "tags": ["Exploit", "Mitigation", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://security.FreeBSD.org/advisories/FreeBSD-SA-17:03.ntp.asc", "name": "FreeBSD-SA-17:03", "tags": ["Third Party Advisory"], "refsource": "FREEBSD"}, {"url": "http://www.securitytracker.com/id/1039427", "name": "1039427", "tags": ["Third Party Advisory", "VDB Entry"], "refsource": "SECTRACK"}, {"url": "http://www.securitytracker.com/id/1038123", "name": "1038123", "tags": ["Third Party Advisory", "VDB Entry"], "refsource": "SECTRACK"}, {"url": "http://www.securityfocus.com/bid/97046", "name": "97046", "tags": ["Permissions Required", "Third Party Advisory", "VDB Entry"], "refsource": "BID"}, {"url": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03962en_us", "name": "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03962en_us", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-211752.pdf", "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-211752.pdf", "tags": ["Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://kc.mcafee.com/corporate/index?page=content&id=SB10201", "name": "https://kc.mcafee.com/corporate/index?page=content&id=SB10201", "tags": [], "refsource": "CONFIRM"}, {"url": "http://seclists.org/fulldisclosure/2017/Nov/7", "name": "20171101 APPLE-SA-2017-10-31-8 Additional information for APPLE-SA-2017-09-25-1 macOS High Sierra 10.13", "tags": [], "refsource": "FULLDISC"}, {"url": "http://seclists.org/fulldisclosure/2017/Sep/62", "name": "20170925 APPLE-SA-2017-09-25-1 macOS High Sierra 10.13", "tags": [], "refsource": "FULLDISC"}, {"url": "https://support.f5.com/csp/article/K39041624", "name": "https://support.f5.com/csp/article/K39041624", "tags": [], "refsource": "CONFIRM"}, {"url": "http://www.securityfocus.com/archive/1/540403/100/0/threaded", "name": "20170412 FreeBSD Security Advisory FreeBSD-SA-17:03.ntp", "tags": [], "refsource": "BUGTRAQ"}, {"url": "https://bto.bluecoat.com/security-advisory/sa147", "name": "https://bto.bluecoat.com/security-advisory/sa147", "tags": [], "refsource": "CONFIRM"}, {"url": "http://www.securityfocus.com/archive/1/archive/1/540464/100/0/threaded", "name": "20170422 [slackware-security] ntp (SSA:2017-112-02)", "tags": [], "refsource": "BUGTRAQ"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7KVLFA3J43QFIP4I7HE7KQ5FXSMJEKC6/", "name": "FEDORA-2017-20d54b2782", "tags": [], "refsource": "FEDORA"}, {"url": "http://packetstormsecurity.com/files/142101/FreeBSD-Security-Advisory-FreeBSD-SA-17-03.ntp.html", "name": "http://packetstormsecurity.com/files/142101/FreeBSD-Security-Advisory-FreeBSD-SA-17-03.ntp.html", "tags": [], "refsource": "MISC"}, {"url": "http://www.securityfocus.com/archive/1/archive/1/540403/100/0/threaded", "name": "20170412 FreeBSD Security Advisory FreeBSD-SA-17:03.ntp", "tags": [], "refsource": "BUGTRAQ"}, {"url": "http://packetstormsecurity.com/files/142284/Slackware-Security-Advisory-ntp-Updates.html", "name": "http://packetstormsecurity.com/files/142284/Slackware-Security-Advisory-ntp-Updates.html", "tags": [], "refsource": "MISC"}, {"url": "https://us-cert.cisa.gov/ics/advisories/icsa-21-159-11", "name": "https://us-cert.cisa.gov/ics/advisories/icsa-21-159-11", "tags": [], "refsource": "MISC"}, {"url": "http://www.ubuntu.com/usn/USN-3349-1", "name": "USN-3349-1", "tags": [], "refsource": "UBUNTU"}, {"url": "https://support.apple.com/kb/HT208144", "name": "https://support.apple.com/kb/HT208144", "tags": [], "refsource": "CONFIRM"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "An exploitable denial of service vulnerability exists in the origin timestamp check functionality of ntpd 4.2.8p9. A specially crafted unauthenticated network packet can be used to reset the expected origin timestamp for target peers. Legitimate replies from targeted peers will fail the origin timestamp check (TEST2) causing the reply to be dropped and creating a denial of service condition."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-20"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2016-9042", "ASSIGNER": "talos-cna@cisco.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 4.3, "accessVector": "NETWORK", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "MEDIUM", "availabilityImpact": "PARTIAL", "confidentialityImpact": "NONE"}, "severity": "MEDIUM", "impactScore": 2.9, "obtainAllPrivilege": false, "exploitabilityScore": 8.6, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.2}}, "publishedDate": "2018-06-04T20:29Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:ntp:ntp:4.2.8:p9:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:freebsd:freebsd:10.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:o:freebsd:freebsd:11.0:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:hpe:hpux-ntp:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "c.4.2.8.4.0"}]}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:siemens:simatic_net_cp_443-1_opc_ua_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:siemens:simatic_net_cp_443-1_opc_ua:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-04-19T20:15Z"}

5.9 /10

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

4.3 /10

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

JSON object

Attach tags to CVE-2016-9042

5.9^/10

4.3^/10

Attach tags to `CVE-2016-9042`