製品・ソフトウェアに関する情報

JVN脆弱性詳細

NTP の ntpd におけるサービス運用妨害 (DoS) の脆弱性

Title	NTP の ntpd におけるサービス運用妨害 (DoS) の脆弱性
Summary	NTP の ntpd には、サービス運用妨害 (デーモンクラッシュ) 状態にされる脆弱性が存在します。本脆弱性は CVE-2016-1547 の修正が不完全だったことによる脆弱性です。
Possible impacts	第三者により、crypto-NAK パケットを介して、サービス運用妨害 (デーモンクラッシュ) 状態にされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	June 2, 2016, midnight
Registration Date	July 11, 2016, 11:57 a.m.
Last Update	March 9, 2017, 3:29 p.m.

CVSS3.0 : 重要
Score	8.6
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

CVSS2.0 : 警告
Score	5
Vector	AV:N/AC:L/Au:N/C:N/I:N/A:P

Affected System

NTP Project

NTP 4.2.8p8 未満

オラクル

Oracle Solaris

日本電気

UNIVERGE IP8800シリーズ

SUSE

SUSE Linux Enterprise Debuginfo

SUSE Linux Enterprise Desktop

SUSE Linux Enterprise Server

SUSE Manager

SUSE Manager Proxy

SUSE OpenStack Cloud

openSUSE project

openSUSE

openSUSE Leap

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2016-4957	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4957
National Vulnerability Database (NVD)
2	CVE-2016-4957	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4957

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	Name	URL
Meinberg Security Advisory
1	Meinberg Security Advisory: [MBGSA-1604] WebUI and NTP	https://www.meinbergglobal.com/english/news/meinberg-security-advisory-mbgsa-1604-webui-and-ntp.htm
NEC製品セキュリティ情報
2	NV17-007	http://jpn.nec.com/security-info/secinfo/nv17-007.html
NTP Bugzilla
3	Bug 3046	http://bugs.ntp.org/show_bug.cgi?id=3046
ntp.org
4	NTP Bug 3046	http://support.ntp.org/bin/view/Main/NtpBug3046
opensuse-security-announce
5	openSUSE-SU-2016:1583	http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00023.html
6	openSUSE-SU-2016:1636	http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00040.html
7	SUSE-SU-2016:1563	http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00018.html
8	SUSE-SU-2016:1584	http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00024.html
9	SUSE-SU-2016:1602	http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00028.html
Oracle Technology Network
10	Oracle Solaris Third Party Bulletin - April 2016	http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
Security Notice
11	June 2016 ntp-4.2.8p8 NTP Security Vulnerability Announcement (HIGH)(CVE-2016-4957)	http://support.ntp.org/bin/view/Main/SecurityNotice
富士通セキュリティ情報
12	JVNVU#94410990(VU#321640)に関する情報	http://www.fujitsu.com/jp/products/software/resources/condition/security/vulnerabilities/2016/index.html#JVNVU94410990

その他

No	Name	URL
JVN
1	JVNVU#94410990	http://jvn.jp/vu/JVNVU94410990/index.html
US-CERT Vulnerability Note
2	VU#321640	http://www.kb.cert.org/vuls/id/321640

Change Log

No	Changed Details	Date of change
0	[2016年07月11日] 掲載 [2016年08月03日] ベンダ情報：富士通 (JVNVU#94410990(VU#321640)に関する情報) を追加ベンダ情報：オラクル (Oracle Solaris Third Party Bulletin - April 2016) を追加 [2016年11月18日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：openSUSE project (SUSE-SU-2016:1563) を追加ベンダ情報：openSUSE project (SUSE-SU-2016:1584) を追加ベンダ情報：openSUSE project (SUSE-SU-2016:1602) を追加ベンダ情報：openSUSE project (openSUSE-SU-2016:1583) を追加ベンダ情報：openSUSE project (openSUSE-SU-2016:1636) を追加ベンダ情報：NTP Project (NTP Bug 3046) を追加ベンダ情報：NTP Project (June 2016 ntp-4.2.8p8 NTP Security Vulnerability Announcement (HIGH)(CVE-2016-4957)) を追加 [2017年03月09日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：日本電気 (NV17-007) を追加	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2016-4957

Summary	ntpd in NTP before 4.2.8p8 allows remote attackers to cause a denial of service (daemon crash) via a crypto-NAK packet. NOTE: this vulnerability exists because of an incorrect fix for CVE-2016-1547.
Publication Date	July 5, 2016, 10:59 a.m.
Registration Date	Jan. 26, 2021, 2:13 p.m.
Last Update	Nov. 21, 2024, 11:53 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:ntp:ntp:4.3.92:::::::*
cpe:2.3:a:ntp:ntp:4.2.8:p7::::::

Configuration2	or higher	or less	more than	less than
cpe:2.3:o:oracle:solaris:11.3:::::::*
cpe:2.3:o:oracle:solaris:10:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:novell:suse_manager:2.1:::::::*
cpe:2.3:o:suse:linux_enterprise_server:11:sp4::::::
cpe:2.3:a:suse:openstack_cloud:5:::::::*
cpe:2.3:a:suse:manager_proxy:2.1:::::::*
cpe:2.3:o:suse:linux_enterprise_server:11:sp3:::ltss:::*
cpe:2.3:o:suse:linux_enterprise_server:12:sp1::::::
cpe:2.3:o:suse:linux_enterprise_server:11:sp2:::ltss:::*
cpe:2.3:o:suse:linux_enterprise_desktop:12:sp1::::::
cpe:2.3:o:opensuse:leap:42.1:::::::*
cpe:2.3:o:opensuse:opensuse:13.2:::::::*

Related information, measures and tools

No	URL	タグ
1	http://bugs.ntp.org/3046	Issue Tracking Vendor Advisory
2	http://bugs.ntp.org/3046	Issue Tracking Vendor Advisory
3	http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00018.html	Mailing List Third Party Advisory
4	http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00018.html	Mailing List Third Party Advisory
5	http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00023.html	Mailing List Third Party Advisory
6	http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00023.html	Mailing List Third Party Advisory
7	http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00024.html	Mailing List Third Party Advisory
8	http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00024.html	Mailing List Third Party Advisory
9	http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00028.html	Mailing List Third Party Advisory
10	http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00028.html	Mailing List Third Party Advisory
11	http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00040.html	Mailing List Third Party Advisory
12	http://lists.opensuse.org/opensuse-security-announce/2016-06/msg00040.html	Mailing List Third Party Advisory
13	http://support.ntp.org/bin/view/Main/NtpBug3046	Patch Vendor Advisory
14	http://support.ntp.org/bin/view/Main/NtpBug3046	Patch Vendor Advisory
15	http://support.ntp.org/bin/view/Main/SecurityNotice	Release Notes Vendor Advisory
16	http://support.ntp.org/bin/view/Main/SecurityNotice	Release Notes Vendor Advisory
17	http://www.kb.cert.org/vuls/id/321640	Third Party Advisory US Government Resource
18	http://www.kb.cert.org/vuls/id/321640	Third Party Advisory US Government Resource
19	http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html	Third Party Advisory
20	http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html	Third Party Advisory
21	http://www.securitytracker.com/id/1036037	Third Party Advisory VDB Entry
22	http://www.securitytracker.com/id/1036037	Third Party Advisory VDB Entry
23	https://security.FreeBSD.org/advisories/FreeBSD-SA-16:24.ntp.asc	Third Party Advisory
24	https://security.FreeBSD.org/advisories/FreeBSD-SA-16:24.ntp.asc	Third Party Advisory
25	https://security.gentoo.org/glsa/201607-15	Third Party Advisory
26	https://security.gentoo.org/glsa/201607-15	Third Party Advisory

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-476	NULL ポインタデリファレンス	https://cwe.mitre.org/data/definitions/476.html

Configuration3	or higher	or less	more than	less than
cpe:2.3:o:novell:suse_manager:2.1:::::::*
cpe:2.3:o:suse:linux_enterprise_server:11:sp4::::::
cpe:2.3:a:suse:openstack_cloud:5:::::::*
cpe:2.3:a:suse:manager_proxy:2.1:::::::*
cpe:2.3:o:suse:linux_enterprise_server:11:sp3:::ltss:::*
cpe:2.3:o:suse:linux_enterprise_server:12:sp1::::::
cpe:2.3:o:suse:linux_enterprise_server:11:sp2:::ltss:::*
cpe:2.3:o:suse:linux_enterprise_desktop:12:sp1::::::
cpe:2.3:o:opensuse:leap:42.1:::::::*
cpe:2.3:o:opensuse:opensuse:13.2:::::::*