SB2018042473 - Multiple vulnerabilities in IBM Virtualization Engine TS7700 




Published: April 24, 2018
Updated: January 8, 2024

Security Bulletin ID: SB2018042473
Severity: Medium
Patch available: YES
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium: 25%, Low: 75%

Description

This security bulletin contains information about 4 security vulnerabilities.


1) Resource exhaustion (CVE-ID: CVE-2016-7427)

The vulnerability allows a remote unauthenticated attacker to cause a denial of service.

The broadcast mode replay prevention functionality in ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via a crafted broadcast mode packet.


2) Resource exhaustion (CVE-ID: CVE-2016-7428)

The vulnerability allows a remote unauthenticated attacker to cause a denial of service.

ntpd in NTP before 4.2.8p9 allows remote attackers to cause a denial of service (reject broadcast mode packets) via the poll interval in a broadcast packet.
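The "before 4.2.8p9" boundary stated for CVE-2016-7427 and CVE-2016-7428 can be checked against an ntpd version string collected from a host. This is an added example, not part of the original bulletin; the function names and the sample banners are constructed for illustration.

```python
import re

# Fixed release the bulletin names for CVE-2016-7427 and CVE-2016-7428.
FIXED = (4, 2, 8, 9)  # 4.2.8p9
CVES_BEFORE_FIXED = ["CVE-2016-7427", "CVE-2016-7428"]

# Finds "4.2.8p9", "4.2.6p5" or "4.2.8" inside a banner line such as
# "ntpd 4.2.8p8@1.3265-o" (constructed sample).
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_ntp_version(text):
    """Return (major, minor, micro, patch), or None if no version is found.

    A release without a 'pN' suffix gets patch level 0, so 4.2.8 < 4.2.8p1.
    Patch levels compare as integers: 4.2.8p10 is newer than 4.2.8p9, which
    a plain string comparison gets wrong.
    """
    m = VERSION_RE.search(text)
    if m is None:
        return None
    return tuple(int(part or 0) for part in m.groups())


def affected_cves(banner):
    """Return the bulletin's version-bounded CVEs that apply to this banner.

    Raises ValueError instead of guessing when the version is unreadable or
    belongs to a release line newer than 4.2, for which the bulletin states
    no boundary.
    """
    version = parse_ntp_version(banner)
    if version is None:
        raise ValueError(f"no NTP version found in {banner!r}")
    if version[:2] > FIXED[:2]:
        raise ValueError(f"bulletin gives no boundary for {banner!r}")
    return list(CVES_BEFORE_FIXED) if version < FIXED else []


if __name__ == "__main__":
    # Constructed banners, not output captured from a real system.
    for sample in ("ntpd 4.2.8p8@1.3265-o", "ntpd 4.2.8p10", "ntpd 4.2.6p5"):
        print(sample, "->", affected_cves(sample) or "not affected")
```
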


3) Improper access control (CVE-ID: CVE-2016-9310)

The vulnerability allows a remote attacker to obtain potentially sensitive information and cause a DoS condition on the target system.

The weakness exists in the control mode (mode 6) functionality in ntpd due to improper access control. A remote attacker can set or unset traps via a specially crafted control mode packet, gain access to potentially sensitive information and cause the service to crash.

4) NULL pointer dereference (CVE-ID: CVE-2016-9311)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in ntpd due to a NULL pointer dereference when the trap service is enabled. A remote attacker can submit a specially crafted packet and cause the service to crash.

Remediation

Install the update from the vendor's website.