RSA Version/Condition: 8.x
The reported vulnerabilities discussed are:
- CVE-2015-7704: KoD fix: peer associations were broken by the fix for NtpBug2901, AKA: Symmetric active/passive mode is broken
- CVE-2016-1547: Validate crypto-NAKs, AKA: nak-dos
- CVE-2016-1549: Sybil vulnerability: ephemeral association attack, AKA: ntp-sybil - MITIGATION ONLY
- CVE-2016-1550: Improve NTP security against buffer comparison timing attacks, AKA: authdecrypt-timing
- CVE-2016-1551: Refclock impersonation vulnerability, AKA: refclock-peering
- CVE-2016-2516: Duplicate IPs on unconfig directives will cause an assertion botch
- CVE-2016-2517: Remote configuration trustedkey/requestkey values are not properly validated
- CVE-2016-2518: Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
- CVE-2016-2519: ctl_getitem() return value not always checked
Additional information is available at ntp.org.
http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7704
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1547
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1549
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1550
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1551
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2516
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2517
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2518
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2519
Information is from http://support.ntp.org/bin/view/Main/SecurityNotice
CVE-2016-1551
NTP Bug 3020 Refclock impersonation vulnerability
- Affects: On a very limited number of OSes, all NTP releases up to, but not including 4.2.8p7, and 4.3.0 up to, but not including 4.3.92. By "very limited number of OSes" we mean no general-purpose OSes have yet been identified that have this vulnerability.
- Summary: While the majority of OSes implement martian packet filtering in their network stack, at least regarding 127.0.0.0/8, a rare few will allow packets claiming to be from 127.0.0.0/8 that arrive over a physical network. On these OSes, if ntpd is configured to use a reference clock, an attacker can inject packets over the network that look like they are coming from that reference clock.
- CVSS3: LOW 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Response: The flaw exists but is not exploitable.
Impacts network time servers. The AM appliance is a client not a time server.
CVE-2016-1549
NTP Bug 3012 Sybil vulnerability: ephemeral association attack
- Summary: ntpd can be vulnerable to Sybil attacks. If a system is set up to use a trustedkey and if one is not using the feature introduced in ntp-4.2.8p6 allowing an optional 4th field in the ntp.keys file to specify which IPs can serve time, a malicious authenticated peer – i.e. one where the attacker knows the private symmetric key – can create arbitrarily-many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock.
- CVSS3: MED 5.3 - (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)
Response: The flaw exists but is not exploitable.
Impacts network time servers. The AM appliance is a client not a time server.
CVE-2016-2516
NTP Bug 3011 Duplicate IPs on unconfig directives will cause an assertion botch in ntpd
- Summary: If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and if an existing association is unconfigured using the same IP twice on the unconfig directive line, ntpd will abort.
- CVSS3: MED 4.2 (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H)
Response: The flaw exists but is not exploitable.
While the ntpdc command is available locally, the exploit requires that ntpd be “expressly configured to allow for remote configuration” and it is not.
CVE-2016-2517
NTP Bug 3010 remote configuration trustedkey/requestkey/controlkey values are not properly validated
- Summary: If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted.
- CVSS3: MED 4.2 (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H)
Response: The flaw exists but is not exploitable.
While the ntpdc command is available locally, the exploit requires that ntpd be “expressly configured to allow for remote configuration” and it is not.
CVE-2016-2518
NTP Bug 3009 Crafted addpeer with hmode > 7 causes array wraparound with MATCH_ASSOC
- Summary: Using a crafted packet to create a peer association with hmode > 7 causes the MATCH_ASSOC() lookup to make an out-of-bounds reference.
- CVSS3: LOW 2.0 (CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:L)
Response: The flaw exists but is not exploitable.
Impacts network time servers. The AM appliance is a client not a time server.
CVE-2016-2519
NTP Bug 3008 ctl_getitem() return value not always checked
- Summary: ntpq and ntpdc can be used to store and retrieve information in ntpd. It is possible to store a data value that is larger than the size of the buffer that the ctl_getitem() function of ntpd uses to report the return value. If the length of the requested data value returned by ctl_getitem() is too large, the value NULL is returned instead. There are 2 cases where the return value from ctl_getitem() was not directly checked to make sure it's not NULL, but there are subsequent INSIST() checks that make sure the return value is not NULL. There are no data values ordinarily stored in ntpd that would exceed this buffer length. But if one has permission to store values and one stores a value that is "too large", then ntpd will abort if an attempt is made to read that oversized value.
- CVSS3: MED 4.2 CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H
Response: The flaw exists but does not add an additional security risk.
While the vulnerability claims that it is exploitable from a network, in AM, NTPD is not set up to allow network configuration, so this would need to be a local attack. The commands exist locally and could be run by the appliance administrator (who is a privileged user and the only user who can log in to the AM appliance). Apparently, an administrator could store a certain value in ntpd via one of the admin commands and then get the NTPD server to access that value, causing the NTPD server to abort. (Note that these commands are not supported for use on the appliance, which performs NTPD admin via the operations console.)
CVE-2016-1547
NTP Bug 3007 CRYPTO-NAK DoS
- Summary: For ntp-4 versions up to but not including ntp-4.2.8p7, an off-path attacker can cause a preemptible client association to be demobilized by sending a crypto NAK packet to a victim client with a spoofed source address of an existing associated peer. This is true even if authentication is enabled.
Furthermore, if the attacker keeps sending crypto NAK packets, for example one every second, the victim never has a chance to re-establish the association and synchronize time with that legitimate server.
- CVSS3: LOW 3.7 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
Response: The flaw exists but is not exploitable.
The AM appliance is a client but not configured as a preemptible client.
CVE-2015-7704
NTP Bug 2952 Original fix for NTP Bug 2901 broke peer associations
- Summary: The fix for NtpBug2901 in ntp-4.2.8p4 went too far, breaking peer associations.
Response: The flaw exists but is not exploitable.
Impacts network time servers. The AM appliance is a client not a time server.
CVE-2016-1550
NTP Bug 2879 Improve NTP security against buffer comparison timing attacks
- Summary: Packet authentication tests have been performed using memcmp() or possibly bcmp(), and it is potentially possible for a local or perhaps LAN-based attacker to send a packet with an authentication payload and indirectly observe how much of the digest has matched.
- CVSS3: MED 4.0 (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
Response: The flaw exists but is not exploitable.
Impacts network time servers. The AM appliance is a client not a time server.
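Several of the responses above rest on one precondition: that ntpd is not "expressly configured to allow for remote configuration". The following added example (not code from RSA or ntp.org) is a heuristic audit of an ntp.conf for that precondition; it assumes the standard directive semantics (a restrict line without nomodify, noquery or ignore permits runtime changes from its sources; ntpq needs a controlkey to make them; ntpdc needs a requestkey plus "enable mode7"), and the two sample configurations and the server hostname are constructed.

```python
# Added example (not RSA's or ntp.org's code): heuristic read of ntp.conf for the
# "expressly configured to allow for remote configuration" precondition. Assumed
# semantics: restrict without nomodify/noquery/ignore allows runtime changes from
# its sources; ntpq needs a controlkey, ntpdc a requestkey plus "enable mode7".
BLOCKING_FLAGS = {"nomodify", "noquery", "ignore"}
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample configurations, not taken from any real appliance.
HARDENED_CONF = """
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server ntp.example.com iburst
"""
WEAK_CONF = """
controlkey 1                          # ntpq can authenticate :config writes
restrict default kod notrap nopeer    # no nomodify or noquery
restrict 127.0.0.1
server ntp.example.com iburst
"""

def parse_restrict(tokens):
    """Return (source, flags) for a restrict line, skipping a -4/-6 marker."""
    args = tokens[1:]
    if args and args[0] in ("-4", "-6"):
        args = args[1:]
    return (args[0], set(args[1:])) if args else None

def audit(conf_text):
    """Report which remote-configuration preconditions conf_text satisfies."""
    control = request = mode7 = False
    open_sources, restricts = [], 0
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not tokens:
            continue
        key = tokens[0].lower()
        control |= key == "controlkey"
        request |= key == "requestkey"
        mode7 |= key == "enable" and "mode7" in tokens[1:]
        if key == "restrict" and (parsed := parse_restrict(tokens)):
            restricts += 1
            source, flags = parsed
            if source not in LOOPBACK and not flags & BLOCKING_FLAGS:
                open_sources.append(source)
    if restricts == 0:   # no restrict lines at all: ntpd allows everything
        open_sources.append("default")
    return {"controlkey": control, "requestkey": request, "mode7": mode7,
            "open_sources": open_sources, "remote_config_possible":
            bool(open_sources) and (control or (request and mode7))}
```

Run audit() over the appliance's real ntp.conf; an empty open_sources list, or no controlkey/requestkey, is the state the responses above assume.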