Multiple Cisco products incorporate a version of the ntpd package. Versions of this package are affected by one or more vulnerabilities that could allow an unauthenticated, remote attacker to bypass authentication controls or to create a denial of service (DoS) condition.

On April 7, 2015, NTP.org and US-CERT released a security advisory dealing with two issues regarding bypass of authentication controls. These vulnerabilities are referenced in this document as follows:

CVE-2015-1798: NTP Authentication bypass vulnerability
CVE-2015-1799: NTP Authentication doesn’t protect symmetric associations against DoS attacks

Cisco has released software updates that address these vulnerabilities.

Workarounds that mitigate these vulnerabilities are available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150408-ntpd

Leave a Reply