Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMC4DD18470154754FC0A6F0182FD4D272EA32B73F0AEEEF60CD8D0B51D7ABD454
HistoryJan 31, 2019 - 2:25 a.m.

Security Bulletin: Vulnerabilities in NTP and GNU C Library (glibc) affect IBM Flex System EN6131 40Gb Ethernet / IB6131 40Gb Infiniband Switch Firmware

2019-01-3102:25:02
www.ibm.com
15

0.971 High

EPSS

Percentile

99.8%

JSON

Summary

IBM Flex System EN6131 40Gb Ethernet / IB6131 40Gb Infiniband Switch Firmware has addressed the following vulnerabilities in NTP and GNU C Library (glibc).

Vulnerability Details

Summary

IBM Flex System EN6131 40Gb Ethernet / IB6131 40Gb Infiniband Switch Firmware has addressed the following vulnerabilities in NTP and GNU C Library (glibc).

Vulnerability Details

CVE-ID: CVE-2014-8121

Description: GNU C Library (glibc) is vulnerable to a denial of service, caused by the failure to properly check if a file is open by DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS). By performing a look-up on a database while iterating over it, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop.

CVSS Base Score: 5
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/102652&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2015-1781

Description: GNU C Library (glibc) is vulnerable to a buffer overflow, caused by improper bounds checking by the gethostbyname_r() and other related functions. By sending a specially-crafted argument, a remote attacker could overflow a buffer and execute arbitrary code on the system elevated privileges or cause the application to crash.

CVSS Base Score: 5.1
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/102500&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:P)

CVE-ID: CVE-2015-7855

Description: Network Time Protocol (NTP) is vulnerable to a denial of service, caused by ASSERT botch instead of returning FAIL on some invalid values by the decodenetnum() function. An attacker could exploit this vulnerability to cause a denial of service.

CVSS Base Score: 5.3
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/107448&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVE-ID: CVE-2015-7853

Description: Network Time Protocol (NTP) is vulnerable to a buffer overflow, caused by improper bounds checking by the refclock of ntpd. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

CVSS Base Score: 7.3
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/107438&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVE-ID: CVE-2015-7692

Description: Network Time Protocol (NTP) is vulnerable to a denial of service, caused by an error in ntp_crypto.c. An attacker could exploit this vulnerability using a packet containing an extension field with an invalid value for the length of its value field to cause ntpd to crash.

CVSS Base Score: 5.3
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/107450&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVE-ID: CVE-2015-7871

Description: Network Time Protocol (NTP) could allow a remote attacker to bypass restrictions, caused by a logic error when handling specific crypto-NAK packets. By sending an NTP symmetric active crypto-NAK packet, an attacker could exploit this vulnerability to bypass the symmetric association authentication process and make arbitrary changes to system time.

CVSS Base Score: 7.2
CVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/107436&gt; for current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L)

Affected products and versions

Product Affected Version
IBM FLEX System EN6131 40Gb
Ethernet & IB6131 8 Gb Infiniband
Switch Firmware 3.2-3.4

Remediation/Fixes

Firmware fix versions are available on Fix Central:
<http://www.ibm.com/support/fixcentral/&gt;

You should verify applying the fix does not cause any compatibility issues.

Product Fixed Version
IBM FLEX System EN6131 40Gb Ethernet & IB6131 8 Gb Infiniband Switch Firmware
(mlnx_fw_ppc_m460ex-sx-3.5.1000_anyos_noarch) 3.5.1000

Workarounds and Mitigations

None

References

Related Information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History
23 March 2016: Original version published

  • The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Related

openvas 33
nessus 51
mageia 3
ibm 19
suse 2
ics 1
aix 1
f5 10
cvelist 6
osv 4
debian 5
prion 6
archlinux 3
cve 6
ubuntucve 5
talos 2
debiancve 6
nvd 6
checkpoint_advisories 3
exploitpack 1
packetstorm 1
freebsd 1
arista 1
exploitdb 1
securityvulns 4
slackware 1
cisco 1
centos 2
amazon 3
redhat 2
oraclelinux 1
veracode 1
symantec 1
ubuntu 3
freebsd_advisory 1
fedora 2
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2015:1844-1)
2021-04-19 00:00:00
SUSE: Security Advisory (SUSE-SU-2015:1424-1)
2021-06-09 00:00:00
Mageia: Security Advisory (MGASA-2015-0418)
2015-11-08 00:00:00
nessus
nessus
openSUSE Security Update : glibc / glibc-testsuite / glibc-utils / etc (openSUSE-2015-383)
2015-05-28 00:00:00
SUSE SLED12 / SLES12 Security Update : glibc (SUSE-SU-2015:1844-1)
2015-11-02 00:00:00
SUSE SLED11 / SLES11 Security Update : glibc (SUSE-SU-2015:1424-1)
2015-08-25 00:00:00
mageia
mageia
Updated ntp package fixes security vulnerabilities
2015-10-30 23:11:10
Updated glibc packages fix security vulnerabilities
2015-05-06 18:16:01
Updated ntp packages fixes security vulnerabilities
2015-10-26 00:50:36
ibm
ibm
Security Bulletin: Vulnerabilities in GNU glibc affect IBM Security Network Intrusion Prevention System (CVE-2013-2207, CVE-2014-8121, and CVE-2015-1781 )
2022-02-23 19:48:26
Security Bulletin: Vulnerabilities in the GNU C Libraries (glibc) affect IBM Flex System Manager(FSM) (CVE-2013-2207, CVE-2014-8121, CVE-2015-1781)
2018-06-18 01:30:10
Security Bulletin: GNU C library (glibc) vulnerabilities affect IBM SmartCloud Entry (CVE-2014-8121)
2020-07-19 00:49:12
suse
suse
Security update for glibc (important)
2015-08-21 18:10:09
Security update for glibc (important)
2016-02-16 20:15:44
ics
ics
Siemens RUGGEDCOM ROX-based Devices NTP Vulnerabilities
2018-08-27 12:00:00
aix
aix
Vulnerabilities in NTP affect AIX,Vulnerabilities in NTP affect VIOS
2016-01-21 09:13:20
f5
f5
SOL17518 - NTP vulnerability CVE-2015-7871
2015-11-02 00:00:00
SOL17525 - NTP vulnerability CVE-2015-7853
2015-11-02 00:00:00
K17525 : NTP vulnerability CVE-2015-7853
2015-11-06 00:00:00
cvelist
cvelist
CVE-2014-8121
2015-03-27 14:00:00
CVE-2015-7871
2017-08-07 20:00:00
CVE-2015-7853
2017-08-07 20:00:00
osv
osv
eglibc - security update
2015-09-27 00:00:00
eglibc - security update
2016-02-16 00:00:00
ntp - security update
2015-11-01 00:00:00
debian
debian
[SECURITY] [DLA 316-1] eglibc security update
2015-09-27 15:20:31
[SECURITY] [DLA 230-1] eglibc security update
2015-05-27 18:03:22
[SECURITY] [DSA 3480-1] eglibc security update
2016-02-16 14:18:16
prion
prion
Design/Logic Flaw
2015-03-27 14:59:00
Code injection
2017-08-07 20:29:00
Input validation
2017-08-07 20:29:00
archlinux
archlinux
glibc: denial of service
2015-08-16 00:00:00
glibc: arbitrary code execution
2015-04-23 00:00:00
ntp: multiple issues
2015-10-22 00:00:00
cve
cve
CVE-2014-8121
2015-03-27 14:59:03
CVE-2015-7855
2017-08-07 20:29:00
CVE-2015-7871
2017-08-07 20:29:00
ubuntucve
ubuntucve
CVE-2014-8121
2015-03-27 00:00:00
CVE-2015-7853
2015-10-22 00:00:00
CVE-2015-7871
2015-10-22 00:00:00
talos
talos
Network Time Protocol Reference Clock Memory Corruption Vulnerability
2015-10-21 00:00:00
NAK to the Future: NTP Symmetric Association Authentication Bypass Vulnerability
2015-10-21 00:00:00
debiancve
debiancve
CVE-2015-7853
2017-08-07 20:29:00
CVE-2014-8121
2015-03-27 14:59:03
CVE-2015-7871
2017-08-07 20:29:00
nvd
nvd
CVE-2015-7855
2017-08-07 20:29:00
CVE-2015-7853
2017-08-07 20:29:00
CVE-2014-8121
2015-03-27 14:59:03
checkpoint_advisories
checkpoint_advisories
NTP Servers Symmetric Association Authentication Bypass (CVE-2015-7871)
2015-10-24 00:00:00
Network Time Protocol Daemon decodenetnum Assertion Failure (CVE-2015-7855)
2015-10-29 00:00:00
GNU C Library glibc getanswer_r Buffer Overflow (CVE-2015-1781)
2015-05-07 00:00:00
exploitpack
exploitpack
NTP 4.2.8p3 - Denial of Service
2016-11-28 00:00:00
packetstorm
packetstorm
NTP 4.2.8p3 Denial Of Service
2016-11-25 00:00:00
freebsd
freebsd
ntp -- 13 low- and medium-severity vulnerabilities
2015-10-21 00:00:00
arista
arista
Security Advisory 0016
2015-11-04 00:00:00
exploitdb
exploitdb
NTP 4.2.8p3 - Denial of Service
2016-11-28 00:00:00
securityvulns
securityvulns
ntp multiple security vulnerabilities
2015-11-01 00:00:00
[ MDVSA-2015:218 ] glibc
2015-05-05 00:00:00
GNU glibc security vulnerabilities
2015-05-05 00:00:00
slackware
slackware
[slackware-security] ntp
2015-10-29 22:49:05
cisco
cisco
Multiple Vulnerabilities in ntpd Affecting Cisco Products - October 2015
2015-10-21 23:00:00
centos
centos
glibc, nscd security update
2015-03-17 13:28:04
glibc, nscd security update
2015-04-21 13:07:39
amazon
amazon
Medium: glibc
2015-03-23 08:30:00
Medium: glibc
2015-04-22 16:12:00
Important: ntp
2015-10-27 16:42:00
redhat
redhat
(RHSA-2015:0327) Moderate: glibc security and bug fix update
2015-03-05 00:00:00
(RHSA-2015:0863) Moderate: glibc security and bug fix update
2015-04-21 00:00:00
oraclelinux
oraclelinux
glibc security and bug fix update
2015-04-21 00:00:00
veracode
veracode
Denial Of Service (DoS)
2019-05-02 05:29:36
symantec
symantec
SA103 : October 2015 NTP Security Vulnerabilities
2015-11-24 08:00:00
ubuntu
ubuntu
NTP vulnerabilities
2015-10-27 00:00:00
GNU C Library vulnerabilities
2016-05-25 00:00:00
GNU C Library regression
2016-05-26 00:00:00
freebsd_advisory
freebsd_advisory
FreeBSD-SA-15:25.ntp
2015-10-26 00:00:00
fedora
fedora
[SECURITY] Fedora 23 Update: ntp-4.2.6p5-34.fc23
2015-11-02 18:55:43
[SECURITY] Fedora 22 Update: glibc-2.21-11.fc22
2016-02-17 12:51:37

0.971 High

EPSS

Percentile

99.8%

JSON
Related for C4DD18470154754FC0A6F0182FD4D272EA32B73F0AEEEF60CD8D0B51D7ABD454
openvas33nessus51mageia3ibm19suse2ics1aix1f510cvelist6osv4debian5prion6archlinux3cve6ubuntucve5talos2debiancve6nvd6checkpoint_advisories3exploitpack1packetstorm1freebsd1arista1exploitdb1securityvulns4slackware1cisco1centos2amazon3redhat2oraclelinux1veracode1symantec1ubuntu3freebsd_advisory1fedora2