MGASA-2016-0039

Updated ntp packages fix security vulnerability

Published: 2016-01-29 14:02:50
Publisher: Mageia
Source: advisories.mageia.org

Severity (as rated by the aggregator; the advisory covers six fixed and four unfixed CVEs of differing impact, so treat this as one CVE's score rather than a rating of the whole update)

CVSS2: 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)
  Attack Vector: NETWORK; Attack Complexity: MEDIUM; Authentication: NONE
  Confidentiality: NONE; Integrity: PARTIAL; Availability: PARTIAL

CVSS3: 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N)
  Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: LOW; User Interaction: NONE
  Scope: CHANGED; Confidentiality: NONE; Integrity: HIGH; Availability: NONE

EPSS: 0.097 (percentile 94.8%)

In ntpd before 4.2.8p6, when used with symmetric key authentication, the client would accept packets authenticated with the key of any configured server, not only the key configured for the server it was talking to. This allows one server to impersonate other servers to clients, performing a man-in-the-middle attack; a server can be attacked by a client in the same way (CVE-2015-7974).

A NULL pointer dereference flaw was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large number of entries. A remote attacker could use this flaw to crash the ntpd process (CVE-2015-7977).

A stack-based buffer overflow was found in the way ntpd processed 'ntpdc reslist' commands that queried restriction lists with a large number of entries. A remote attacker could use this flaw to crash the ntpd process (CVE-2015-7978).

When ntpd is configured in broadcast mode, an off-path attacker could broadcast packets with bad authentication (wrong key, mismatched key, incorrect MAC, etc.) to all clients. On receiving such packets the clients would break their association with the broadcast server, so the time on affected clients could drift out of sync over a longer period (CVE-2015-7979).

Faulty protection against spoofing and replay attacks allows an attacker to disrupt synchronization with kiss-of-death packets, take full control of the clock, or cause ntpd to crash (CVE-2015-8138).

A flaw was found in the way the ntpq client processed certain incoming packets in a loop in the getresponse() function. A remote attacker could potentially use this flaw to crash an ntpq client instance (CVE-2015-8158).

The ntp package has been patched to fix these issues and a few other bugs. Some issues remain unfixed in this update; mitigations for them are given below.
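The CVE-2015-7974 check, as an added illustration that is not code from ntpd or from the advisory. It models the symmetric-key MAC ntpd uses for MD5 keys (MD5 over key || packet, with the 4-byte key id appended to the 48-byte header) and contrasts the pre-4.2.8p6 acceptance rule described above (any trusted key authenticates any peer) with the fixed rule (the key id must be the one configured for that peer). The two keys, the key ids and the reply contents are constructed for the example; timestamps are zeroed because the point is the MAC check, not time arithmetic.

```python
import hashlib
import hmac
import struct


def build_ntp_header(stratum: int, refid: bytes) -> bytes:
    """Constructed 48-byte NTPv4 server-mode header (timestamps zeroed for the example)."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4                       # LI=0, version 4, mode 4 (server)
    hdr = struct.pack("!BBbb", li_vn_mode, stratum, 6, -20)    # poll=6, precision=-20
    hdr += struct.pack("!II", 0, 0)                            # root delay, root dispersion
    hdr += refid.ljust(4, b"\x00")[:4]                         # reference id
    hdr += b"\x00" * 32                                        # ref/orig/recv/xmit timestamps
    assert len(hdr) == 48
    return hdr


def md5_mac(key: bytes, packet: bytes) -> bytes:
    """Symmetric-key MAC as used for ntpd MD5 ("M") keys: MD5 over key || packet."""
    return hashlib.md5(key + packet).digest()


def authenticate(packet: bytes, keyid: int, key: bytes) -> bytes:
    """Append keyid (4 bytes, big-endian) and the 16-byte MAC, as a server holding that key would."""
    return packet + struct.pack("!I", keyid) + md5_mac(key, packet)


def split_mac(msg: bytes):
    if len(msg) != 48 + 4 + 16:
        raise ValueError("expected 48-byte header + 4-byte keyid + 16-byte MD5 MAC")
    return msg[:48], struct.unpack("!I", msg[48:52])[0], msg[52:]


def accept_vulnerable(msg: bytes, trusted_keys: dict) -> bool:
    """Pre-4.2.8p6 rule as the advisory describes it: any trusted key authenticates any peer."""
    packet, keyid, digest = split_mac(msg)
    key = trusted_keys.get(keyid)
    return key is not None and hmac.compare_digest(md5_mac(key, packet), digest)


def accept_fixed(msg: bytes, trusted_keys: dict, peer_keyid: int) -> bool:
    """Fixed rule: the key id must be the one configured for this particular peer."""
    packet, keyid, digest = split_mac(msg)
    if keyid != peer_keyid:
        return False
    key = trusted_keys.get(keyid)
    return key is not None and hmac.compare_digest(md5_mac(key, packet), digest)


# Constructed client configuration: two servers, each bound to its own key
# (the equivalent of "server A key 1", "server B key 2" and "trustedkey 1 2").
TRUSTED_KEYS = {1: b"key-for-server-A", 2: b"key-for-server-B"}
PEER_KEYID = {"A": 1, "B": 2}

# A genuine reply from A, and the same reply as B would send while posing as A:
# B does not hold key 1, so it can only MAC the packet with its own key 2.
GENUINE_FROM_A = authenticate(build_ntp_header(1, b"GPS"), 1, TRUSTED_KEYS[1])
SPOOFED_BY_B = authenticate(build_ntp_header(1, b"GPS"), 2, TRUSTED_KEYS[2])


def demo() -> dict:
    """Evaluate the spoofed and genuine replies under both acceptance rules, as peer A's client."""
    return {
        "vulnerable_accepts_spoof": accept_vulnerable(SPOOFED_BY_B, TRUSTED_KEYS),
        "fixed_accepts_spoof": accept_fixed(SPOOFED_BY_B, TRUSTED_KEYS, PEER_KEYID["A"]),
        "fixed_accepts_genuine": accept_fixed(GENUINE_FROM_A, TRUSTED_KEYS, PEER_KEYID["A"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable rule answers "is this MAC valid under some key I trust?", which is the wrong question once more than one key is trusted; the fixed rule answers "is this MAC valid under the key I bound to this peer?". Note that the fix does nothing if the same key is shared by several servers, which is why per-server keys matter.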
Two of the unfixed issues, CVE-2015-8139 and CVE-2015-8140, are spoofing and replay vulnerabilities that can be mitigated by adding the noquery option to all restrict entries in ntp.conf, by configuring ntpd to take time from multiple sources, or by using a restriction list to limit who may issue ntpq and ntpdc queries. The other unfixed issues can also be mitigated: CVE-2015-7973, a replay attack, by not using broadcast mode; and CVE-2015-7976, a bug that can cause globbing issues on the server, by restricting use of the "saveconfig" command with the "restrict nomodify" directive.
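A small audit of an ntp.conf against the mitigations just listed, added here as an example and not part of the advisory or of the ntp project. It flags restrict entries lacking noquery or nomodify, any broadcast or multicast directive, and too few time sources. The advisory only says "multiple sources", so the threshold of four is an assumption; the two configuration texts are constructed for the example.

```python
# Threshold is an assumption: the advisory says only "multiple sources".
MIN_SOURCES = 4

# NTP modes the advisory tells you to avoid for CVE-2015-7973 / CVE-2015-7979.
BROADCAST_DIRECTIVES = {"broadcast", "broadcastclient", "multicastclient"}
SOURCE_DIRECTIVES = {"server", "peer", "pool"}


def audit_ntp_conf(text: str) -> list:
    """Return (line_number, message) findings; an empty list means no weak setting was seen."""
    findings = []
    sources = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        directive, args = tokens[0], tokens[1:]
        if directive == "restrict":
            flags = set(args)
            if "ignore" in flags:                  # "ignore" already denies every packet
                continue
            for needed in ("noquery", "nomodify"):
                if needed not in flags:
                    findings.append((lineno, f"restrict entry lacks '{needed}'"))
        elif directive in BROADCAST_DIRECTIVES:
            findings.append((lineno, f"broadcast/multicast mode enabled ({directive})"))
        elif directive in SOURCE_DIRECTIVES:
            sources += 1
    if sources < MIN_SOURCES:
        findings.append((0, f"only {sources} time source(s) configured; want at least {MIN_SOURCES}"))
    return findings


# Constructed weak configuration: queries allowed, localhost unrestricted,
# broadcast client enabled, a single upstream server.
WEAK_CONF = """\
driftfile /var/lib/ntp/drift
restrict default nomodify
restrict 127.0.0.1
server 0.pool.ntp.org
broadcastclient
"""

# Constructed configuration applying the advisory's mitigations.
HARDENED_CONF = """\
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1 nomodify noquery
restrict ::1 nomodify noquery
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst
"""


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"[{label}]")
        for lineno, msg in audit_ntp_conf(conf) or [(0, "no findings")]:
            print(f"  line {lineno}: {msg}")
```

Adding noquery and nomodify to localhost as well follows the advisory's "all restrict entries"; if you need local ntpq status, note that as a deliberate exception rather than leaving the line bare.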

OS      Version  Architecture  Package  Affected version  Fixed package
Mageia  5        noarch        ntp      < 4.2.6p5-24.4    ntp-4.2.6p5-24.4.mga5
