CVE-2016-2516 Details

Published: 2017-01-30
Last Modified: 2017-11-21
CVE Author: NIST National Vulnerability Database
CVE Assigner: cve@mitre.org
Summary

NTP before 4.2.8p7 and 4.3.x before 4.3.92, when mode7 is enabled, allows remote attackers to cause a denial of service (ntpd abort) by using the same IP address multiple times in an unconfig directive.

Analysis

Common Vulnerability Score System v2.0

Severity: High
Base Score: 7.1/10
Exploit Score: 8.6/10
Access Vector: Network
Access Complexity: Medium
Authentication: None
Impact Score: 6.9/10
Confidentiality Impact: None
Availability Impact: Complete
Integrity Impact: None
Vector String: AV:N/AC:M/Au:N/C:N/I:N/A:C

Common Vulnerability Score System v3.1

Severity: Medium
Base Score: 5.3/10
Exploit Score: 1.6/10
Access Vector: Network
Access Complexity: High
Privileges Required: Low
Impact Score: 3.6/10
Confidentiality Impact: None
Availability Impact: High
Integrity Impact: None
Scope: Unchanged
User Interaction: None
Vector String: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Products Reported

CPE Vulnerable Start Excluding
cpe:2.3:a:ntp:ntp:*:p6:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.0:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.1:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.2:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.3:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.4:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.5:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.6:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.7:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.8:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.9:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.10:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.11:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.12:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.13:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.14:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.15:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.16:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.17:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.18:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.19:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.20:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.21:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.22:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.23:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.24:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.25:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.26:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.27:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.28:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.29:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.30:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.31:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.32:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.33:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.34:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.35:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.36:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.37:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.38:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.39:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.40:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.41:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.42:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.43:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.44:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.45:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.46:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.47:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.48:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.49:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.50:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.51:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.52:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.53:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.54:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.55:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.56:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.57:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.58:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.59:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.60:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.61:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.62:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.63:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.64:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.65:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.66:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.67:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.68:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.69:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.70:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.71:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.72:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.73:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.74:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.75:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.76:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.77:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.78:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.79:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.80:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.81:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.82:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.83:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.84:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.85:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.86:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.87:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.88:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.89:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.90:*:*:*:*:*:*:* Yes - -
cpe:2.3:a:ntp:ntp:4.3.91:*:*:*:*:*:*:* Yes - -
References

http://support.ntp.org/bin/view/Main/NtpBug3011
http://www.debian.org/security/2016/dsa-3629
http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html
http://www.securityfocus.com/bid/88180
http://www.securitytracker.com/id/1035705
https://security.FreeBSD.org/advisories/FreeBSD-SA-16:16.ntp.asc
https://security.gentoo.org/glsa/201607-15
https://security.netapp.com/advisory/ntap-20171004-0002/
https://www.kb.cert.org/vuls/id/718152

PCI Compliance: Pass
US-CERT Alert: No
CWE: CWE-20
