Lucene search

IBMCBF307F0CD0FAB70EF1F094DFBBA851C332F93754EC78E934EA16FFB9E00EDE5

HistoryJun 16, 2018 - 9:41 p.m.

Security Bulletin: Vulnerabilities in Network Time Protocol (NTP) affect IBM Security Identity Governance Appliance (CVE-2015-5300 CVE-2015-7704 CVE-2015-8138 )

2018-06-1621:41:35

www.ibm.com

0.86 High

EPSS

Percentile

98.6%

JSON

Summary

Vulnerabilities in Network Time Protocol (NTP) that is used by IBM Security Identity Governance

Vulnerability Details

CVEID: CVE-2015-5300**
DESCRIPTION:** Network Time Protocol (NTP) could allow a remote attacker to bypass security restrictions, caused by the failure to correctly implement the threshold limitation for the ‘-g’ option. An attacker could exploit this vulnerability using man-in-the-middle techniques to intercept NTP traffic and make multiple steps larger than the panic threshold.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107594 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

CVEID: CVE-2015-7704**
DESCRIPTION:** Network Time Protocol (NTP) is vulnerable to a denial of service, caused by an error in the rate-limiting mechanism. By sending spoofed Kiss-o’-Death packets, an attacker could exploit this vulnerability to disable NTP at a victim client.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107446 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2015-8138**
DESCRIPTION:** NTP could allow a remote attacker to bypass security restrictions. By sending a specially crafted packet with an origin timestamp of zero, an attacker could exploit this vulnerability to bypass the timestamp validation check.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/110025 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

IBM Security Identity Governance and Intelligence 5.2.1

Remediation/Fixes

IBM Security Identity Governance and Intelligence

| 5.2.1| None| 5.2.1.0-ISS-SIGI-IF0001
—|—|—|—

CPENameOperatorVersion
ibm security identity governance and intelligenceeq5.2.1

CPE	Name	Operator	Version
	ibm security identity governance and intelligence	eq	5.2.1

0.86 High

EPSS

Percentile

98.6%

JSON

Related for CBF307F0CD0FAB70EF1F094DFBBA851C332F93754EC78E934EA16FFB9E00EDE5