4.3 Medium
CVSS2
Access Vector
ADJACENT_NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:A/AC:M/Au:N/C:N/I:P/A:P
0.008 Low
EPSS
Percentile
81.4%
Issue Overview:
The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle attackers to spoof packets by omitting the MAC. (CVE-2015-1798)
The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 3.x and 4.x before 4.2.8p2 performs state-variable updates upon receiving certain invalid packets, which makes it easier for man-in-the-middle attackers to cause a denial of service (synchronization loss) by spoofing the source IP address of a peer. (CVE-2015-1799)
This update also addresses leap-second handling (https://bugzilla.redhat.com/show_bug.cgi?id=1196635). With older ntp versions, the -x option was sometimes used as a workaround to avoid kernel inserting/deleting leap seconds by stepping the clock and possibly upsetting running applications. That no longer works with 4.2.6 as ntpd steps the clock itself when a leap second occurs. The fix is to treat the one second offset gained during leap second as a normal offset and check the stepping threshold (set by -x or tinker step) to decide if a step should be applied. See this forum post (https://forums.aws.amazon.com/ann.jspa?annID=3064) for more information on the Amazon Linux AMI’s leap-second handling.
Affected Packages:
ntp
Issue Correction:
Run yum update ntp to update your system.
New Packages:
i686:
ntp-debuginfo-4.2.6p5-30.24.amzn1.i686
ntp-4.2.6p5-30.24.amzn1.i686
ntpdate-4.2.6p5-30.24.amzn1.i686
noarch:
ntp-doc-4.2.6p5-30.24.amzn1.noarch
ntp-perl-4.2.6p5-30.24.amzn1.noarch
src:
ntp-4.2.6p5-30.24.amzn1.src
x86_64:
ntp-4.2.6p5-30.24.amzn1.x86_64
ntpdate-4.2.6p5-30.24.amzn1.x86_64
ntp-debuginfo-4.2.6p5-30.24.amzn1.x86_64
Red Hat: CVE-2015-1798, CVE-2015-1799
Mitre: CVE-2015-1798, CVE-2015-1799
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Amazon Linux | 1 | i686 | ntp-debuginfo | < 4.2.6p5-30.24.amzn1 | ntp-debuginfo-4.2.6p5-30.24.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | ntp | < 4.2.6p5-30.24.amzn1 | ntp-4.2.6p5-30.24.amzn1.i686.rpm |
Amazon Linux | 1 | i686 | ntpdate | < 4.2.6p5-30.24.amzn1 | ntpdate-4.2.6p5-30.24.amzn1.i686.rpm |
Amazon Linux | 1 | noarch | ntp-doc | < 4.2.6p5-30.24.amzn1 | ntp-doc-4.2.6p5-30.24.amzn1.noarch.rpm |
Amazon Linux | 1 | noarch | ntp-perl | < 4.2.6p5-30.24.amzn1 | ntp-perl-4.2.6p5-30.24.amzn1.noarch.rpm |
Amazon Linux | 1 | x86_64 | ntp | < 4.2.6p5-30.24.amzn1 | ntp-4.2.6p5-30.24.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | ntpdate | < 4.2.6p5-30.24.amzn1 | ntpdate-4.2.6p5-30.24.amzn1.x86_64.rpm |
Amazon Linux | 1 | x86_64 | ntp-debuginfo | < 4.2.6p5-30.24.amzn1 | ntp-debuginfo-4.2.6p5-30.24.amzn1.x86_64.rpm |