FreeBSD Local Security Checks : FreeBSD Security Advisory (FreeBSD-SA-09:03.ntpd.asc)

Búsqueda de Vulnerabilidad		Buscar 324607 Descripciones CVE y 146377 Descripciones de Pruebas, accesos 10,000+ referencias cruzadas.
	Pruebas CVE Todos

ID de Prueba: 1.3.6.1.4.1.25623.1.0.63242

Categoría: FreeBSD Local Security Checks

Título: FreeBSD Security Advisory (FreeBSD-SA-09:03.ntpd.asc)

Resumen: The remote host is missing an update to the system; as announced in the referenced advisory FreeBSD-SA-09:03.ntpd.asc

Descripción: Summary:
The remote host is missing an update to the system
as announced in the referenced advisory FreeBSD-SA-09:03.ntpd.asc

Vulnerability Insight:
The ntpd daemon is an implementation of the Network Time Protocol
(NTP) used to synchronize the time of a computer system to a reference
time source.

FreeBSD includes software from the OpenSSL Project. The OpenSSL
Project is a collaborative effort to develop a robust,
commercial-grade, full-featured Open Source toolkit implementing the
Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
protocols as well as a full-strength general purpose cryptography
library.

The EVP_VerifyFinal() function from OpenSSL is used to determine if a
digital signature is valid. When ntpd(8) is set to cryptographically
authenticate NTP data it incorrectly checks the return value from
EVP_VerifyFinal().

Solution:
Upgrade your system to the appropriate stable release
or security branch dated after the correction date.

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Referencia Cruzada: Common Vulnerability Exposure (CVE) ID: CVE-2009-0021
1021533
http://www.securitytracker.com/id?1021533
20090107 [oCERT-2008-016] Multiple OpenSSL signature verification API misuses
http://www.securityfocus.com/archive/1/499827/100/0/threaded
33406
http://secunia.com/advisories/33406
33558
http://secunia.com/advisories/33558
33648
http://secunia.com/advisories/33648
34642
http://secunia.com/advisories/34642
35074
http://secunia.com/advisories/35074
ADV-2009-0042
http://www.vupen.com/english/advisories/2009/0042
ADV-2009-1297
http://www.vupen.com/english/advisories/2009/1297
APPLE-SA-2009-05-12
http://lists.apple.com/archives/security-announce/2009/May/msg00002.html
RHSA-2009:0046
http://www.redhat.com/support/errata/RHSA-2009-0046.html
SSA:2009-014-03
http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.531177
SUSE-SR:2009:005
http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00000.html
SUSE-SR:2009:008
http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html
TA09-133A
http://www.us-cert.gov/cas/techalerts/TA09-133A.html
[announce] 20090108 NTP 4.2.4p6 Released
https://lists.ntp.org/pipermail/announce/2009-January/000055.html
http://support.apple.com/kb/HT3549
http://www.ocert.org/advisories/ocert-2008-016.html
oval:org.mitre.oval:def:10035
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10035

Copyright Copyright (C) 2009 E-Soft Inc.

Esta es sólo una de 146377 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa.
Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.

ID de Prueba:	1.3.6.1.4.1.25623.1.0.63242
Categoría:	FreeBSD Local Security Checks
Título:	FreeBSD Security Advisory (FreeBSD-SA-09:03.ntpd.asc)
Resumen:	The remote host is missing an update to the system; as announced in the referenced advisory FreeBSD-SA-09:03.ntpd.asc
Descripción:	Summary: The remote host is missing an update to the system as announced in the referenced advisory FreeBSD-SA-09:03.ntpd.asc Vulnerability Insight: The ntpd daemon is an implementation of the Network Time Protocol (NTP) used to synchronize the time of a computer system to a reference time source. FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. The EVP_VerifyFinal() function from OpenSSL is used to determine if a digital signature is valid. When ntpd(8) is set to cryptographically authenticate NTP data it incorrectly checks the return value from EVP_VerifyFinal(). Solution: Upgrade your system to the appropriate stable release or security branch dated after the correction date. CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2009-0021 1021533 http://www.securitytracker.com/id?1021533 20090107 [oCERT-2008-016] Multiple OpenSSL signature verification API misuses http://www.securityfocus.com/archive/1/499827/100/0/threaded 33406 http://secunia.com/advisories/33406 33558 http://secunia.com/advisories/33558 33648 http://secunia.com/advisories/33648 34642 http://secunia.com/advisories/34642 35074 http://secunia.com/advisories/35074 ADV-2009-0042 http://www.vupen.com/english/advisories/2009/0042 ADV-2009-1297 http://www.vupen.com/english/advisories/2009/1297 APPLE-SA-2009-05-12 http://lists.apple.com/archives/security-announce/2009/May/msg00002.html RHSA-2009:0046 http://www.redhat.com/support/errata/RHSA-2009-0046.html SSA:2009-014-03 http://slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.531177 SUSE-SR:2009:005 http://lists.opensuse.org/opensuse-security-announce/2009-03/msg00000.html SUSE-SR:2009:008 http://lists.opensuse.org/opensuse-security-announce/2009-04/msg00003.html TA09-133A http://www.us-cert.gov/cas/techalerts/TA09-133A.html [announce] 20090108 NTP 4.2.4p6 Released https://lists.ntp.org/pipermail/announce/2009-January/000055.html http://support.apple.com/kb/HT3549 http://www.ocert.org/advisories/ocert-2008-016.html oval:org.mitre.oval:def:10035 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10035
Copyright	Copyright (C) 2009 E-Soft Inc.