Magnus Klaaborg Stubman

**Name of the Vulnerable Software and Affected Versions** NTPsec versions prior to 1.1.3 **Description** An issue was discovered in NTPsec due to a bug in `ctl getitem`, resulting in a stack-based buffer over-read in `read sysvars` in `ntpd`. **Recommendations** For versions prior to 1.1.3, update to version 1.1.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** NTPsec versions prior to 1.1.3 **Description** An issue was discovered in NTPsec where the process control() function in ntp control.c has a stack-based buffer over-read. This occurs because attacker-controlled data is dereferenced by ntohl() in ntpd. **Recommendations** For versions prior to 1.1.3, update to version 1.1.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** NTPsec versions prior to 1.1.3 **Description** An issue was discovered that allows an authenticated attacker to cause a NULL pointer dereference and crash in ntp control.c, related to ctl getitem. **Recommendations** For versions prior to 1.1.3, update to version 1.1.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** NTPsec versions prior to 1.1.3 **Description** An issue in NTPsec allows an authenticated attacker to write one byte out of bounds in ntpd via a malformed config request. This is related to functions such as `config remotely` in `ntp config.c`, `yyparse` in `ntp parser.tab.c`, and `yyerror` in `ntp parser.y`. The vulnerability can be exploited by a remote attacker using an improperly formatted configuration request, potentially leading to a denial of service. **Recommendations** For versions prior to 1.1.3, update to version 1.1.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the config request functionality to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Net-SNMP versions prior to 5.8 PAN-OS (affected versions not specified) **Description** The issue is related to a NULL Pointer Exception bug in the ` set key` function, which can be exploited by an authenticated attacker to cause a Denial of Service via a crafted UDP packet, resulting in the instance crashing. This can be achieved remotely. **Recommendations** For Net-SNMP versions prior to 5.8, update to version 5.8 or later to resolve the issue. For PAN-OS, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** NTP versions prior to 4.2.8p9 **Description** The issue allows remote attackers to cause a denial of service (crash) via a crafted mrulist query. Multiple vulnerabilities could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or modify the time being advertised by a device acting as a Network Time Protocol (NTP) server. These vulnerabilities include Network Time Protocol Trap Service Denial of Service, Network Time Protocol Broadcast Mode Denial of Service, Network Time Protocol Insufficient Resource Pool Denial of Service, Network Time Protocol Configuration Modification Denial of Service, Network Time Protocol mrulist Query Requests Denial of Service, Network Time Protocol Multiple Binds to the Same Port, and Network Time Protocol Rate Limiting Denial of Service. **Recommendations** For NTP versions prior to 4.2.8p9, update to version 4.2.8p9 or later to resolve the issue. As a temporary workaround, consider restricting access to the `read mru list` function until a patch is available. Additionally, workarounds that address one or more of these vulnerabilities may be available and are documented in the Cisco bug for each affected product.