
CERT RENATER Advisories


Date : Mon, 27 Mar 2017 11:38:59 +0200
Type : VULN
Subject : CERT-Renater : 2017/VULN083 (NTP : March 2017 ntp-4.2.8p10 NTP Security Vulnerability Announcement)
===================================================================
                              CERT-Renater

                 Information Note No. 2017/VULN083
_____________________________________________________________________

DATE                : 27/03/2017

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running NTP versions prior to 4.2.8p10.

=====================================================================
http://support.ntp.org/bin/view/Main/SecurityNotice#March_2017_ntp_4_2_8p10_NTP_Secu
____________________________________________________________________

March 2017 ntp-4.2.8p10 NTP Security Vulnerability Announcement


NTF's NTP Project is releasing ntp-4.2.8p10, which addresses:

    6 MEDIUM severity vulnerabilities (1 is about the Windows PPSAPI DLL)
    5 LOW severity vulnerabilities (2 are in the Windows Installer)
    4 Informational-level vulnerabilities

    15 other non-security fixes and improvements

All of the security issues in this release are listed in VU#633849.

ntp-4.2.8p10 was released on 21 March 2017.

    Sec 3389 / CVE-2017-6464 / VU#325339: NTP-01-016 NTP: Denial of Service via Malformed Config (Pentest report 01.2017)
        Reported by Cure53.

    Sec 3388 / CVE-2017-6462 / VU#325339: NTP-01-014 NTP: Buffer Overflow in DPTS Clock (Pentest report 01.2017)
        Reported by Cure53.

    Sec 3387 / CVE-2017-6463 / VU#325339: NTP-01-012 NTP: Authenticated DoS via Malicious Config Option (Pentest report 01.2017)
        Reported by Cure53.

    Sec 3386: NTP-01-011 NTP: ntpq_stripquotes() returns incorrect Value (Pentest report 01.2017)
        Reported by Cure53.

    Sec 3385: NTP-01-010 NTP: ereallocarray()/eallocarray() underused (Pentest report 01.2017)
        Reported by Cure53.

    Sec 3384 / CVE-2017-6455 / VU#325339: NTP-01-009 NTP: Windows: Privileged execution of User Library code (Pentest report 01.2017)
        Reported by Cure53.

    Sec 3383 / CVE-2017-6452 / VU#325339: NTP-01-008 NTP: Windows Installer: Stack Buffer Overflow from Command Line (Pentest report 01.2017)
        Reported by Cure53.

    Sec 3382 / CVE-2017-6459 / VU#325339: NTP-01-007 NTP: Windows Installer: Data Structure terminated insufficiently (Pentest report 01.2017)
        Reported by Cure53.

    Sec 3381: NTP-01-006 NTP: Copious amounts of Unused Code (Pentest report 01.2017)
        Reported by Cure53.

    Sec 3380: NTP-01-005 NTP: Off-by-one in Oncore GPS Receiver (Pentest report 01.2017)
        Reported by Cure53.

    Sec 3379 / CVE-2017-6458 / VU#325339: NTP-01-004 NTP: Potential Overflows in ctl_put() functions (Pentest report 01.2017)
        Reported by Cure53.

    Sec 3378 / CVE-2017-6451 / VU#325339: NTP-01-003 Improper use of snprintf() in mx4200_send() (Pentest report 01.2017)
        Reported by Cure53.

    Sec 3377 / CVE-2017-6460 / VU#325339: NTP-01-002 Buffer Overflow in ntpq when fetching reslist (Pentest report 01.2017)
        Reported by Cure53.

    Sec 3376: NTP-01-001 Makefile does not enforce Security Flags (Pentest report 01.2017)
        Reported by Cure53.

    Sec 3361 / CVE-2016-9042 / VU#325339: 0rigin
        Reported by Matthew Van Gundy of Cisco ASIG.

Notification of these issues was delivered to our Institutional
members on a rolling basis as they were reported and as progress was
made.

Timeline:

    2017 Mar 21: Public release
    2017 Mar 13: CERT notified
    2017 Mar 06: Release to Advance Security Partners
    2017 Mar 06: Announcement to Institutional Members
    2017 Feb 09: Mozilla/Cure53 audit received

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
