Category:   Application (Generic)  >   ntp
Vendors:   ntp.org
(Red Hat Issues Fix) ntp Multiple Bugs Let Remote Users Cause the Target Service to Crash
SecurityTracker Alert ID:  1037780
SecurityTracker URL:  http://securitytracker.com/id/1037780
CVE Reference:   CVE-2016-7426, CVE-2016-7429, CVE-2016-7433, CVE-2016-9310, CVE-2016-9311
Date:  Feb 6 2017
Impact:   Denial of service via network, Disclosure of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 4.2.8p9
Description:   Multiple vulnerabilities were reported in ntp. A remote user can cause the target service to crash.

On Windows-based systems with the trap service enabled, a remote user can send a specially crafted packet to trigger a null pointer dereference and cause the ntpd daemon to crash [CVE-2016-9311].

A remote user can send a specially crafted control mode packet to set and unset ntpd traps. As a result, a remote user can obtain potentially sensitive information, conduct denial of service amplification attacks, or cause monitoring to become disabled [CVE-2016-9310].

A remote user with access to the target NTP broadcast domain can inject specially crafted broadcast mode NTP packets into the NTP broadcast domain to exploit a flaw in the replay prevention function and cause the target ntpd daemon to reject broadcast mode NTP packets from legitimate NTP broadcast servers [CVE-2016-7427].

A remote user with access to the target NTP broadcast domain can inject specially crafted broadcast mode NTP packets into the NTP broadcast domain to exploit a flaw in the broadcast mode poll interval enforcement function and cause the target ntpd daemon to reject broadcast mode NTP packets from legitimate NTP broadcast servers [CVE-2016-7428].

A remote user can send a specially crafted, large UDP packet to cause the target ntpd daemon to stop functioning [CVE-2016-9312]. Windows-based systems are affected.

A regression error exists in the validation of zero origin timestamps [CVE-2016-7431].

On systems with ntpd configured to allow mrulist query requests from the remote user, a remote user can send a specially crafted mrulist query request packet to cause the target ntpd daemon to crash [CVE-2016-7434].

On systems with multiple interfaces on separate networks and where the operating system does not validate source addresses in received packets, a remote user can send a specially crafted packet to trigger an error in selecting the proper interface and temporarily prevent the target ntpd daemon from sending new requests [CVE-2016-7429].

On systems with ntpd configured with rate limiting for all associations, a remote user can send packets with specially crafted source addresses to keep the rate limiting function active and prevent the target ntpd daemon from accepting valid responses [CVE-2016-7426].

An error may occur in the calculation of root sync delay, causing the jitter value to be higher than expected [CVE-2016-7433].

Matthew Van Gundy of Cisco ASIG, Robert Pajak of ABB, Magnus Stubman, Miroslav Lichvar of Red Hat, Brian Utterback of Oracle, and Sharon Goldberg and Aanchal Malhotra of Boston University reported these vulnerabilities.

Impact:   A remote user can cause the target service to crash.

A remote user can obtain potentially sensitive information from the target system.

A remote user can conduct denial of service amplification attacks against other targets.

Solution:   Red Hat has issued a fix for CVE-2016-7426, CVE-2016-7429, CVE-2016-7433, CVE-2016-9310, and CVE-2016-9311.

The Red Hat advisory is available at:

https://rhn.redhat.com/errata/RHSA-2017-0252.html

Vendor URL:  rhn.redhat.com/errata/RHSA-2017-0252.html
Cause:   Access control error, Boundary error, Input validation error, State error
Underlying OS:  Linux (Red Hat Enterprise)
Underlying OS Comments:  6, 7

Message History:   This archive entry is a follow-up to the message listed below.
Nov 29 2016 ntp Multiple Bugs Let Remote Users Cause the Target Service to Crash



 Source Message Contents

Date:  Mon, 6 Feb 2017 06:24:51 +0000
Subject:  [RHSA-2017:0252-01] Moderate: ntp security update


=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: ntp security update
Advisory ID:       RHSA-2017:0252-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2017-0252.html
Issue date:        2017-02-06
CVE Names:         CVE-2016-7426 CVE-2016-7429 CVE-2016-7433 
                   CVE-2016-9310 CVE-2016-9311 
=====================================================================

1. Summary:

An update for ntp is now available for Red Hat Enterprise Linux 6 and Red
Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux Client Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch, x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux Desktop Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch, x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server (v. 7) - aarch64, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 6) - i386, noarch, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - aarch64, noarch, ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 6) - i386, noarch, x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch, x86_64

3. Description:

The Network Time Protocol (NTP) is used to synchronize a computer's time
with another referenced time source. These packages include the ntpd
service which continuously adjusts system time and utilities used to query
and configure the ntpd service.

Security Fix(es):

* It was found that when ntp is configured with rate limiting for all
associations the limits are also applied to responses received from its
configured sources. A remote attacker who knows the sources can cause a
denial of service by preventing ntpd from accepting valid responses from
its sources. (CVE-2016-7426)

* A flaw was found in the control mode functionality of ntpd. A remote
attacker could send a crafted control mode packet which could lead to
information disclosure or result in DDoS amplification attacks.
(CVE-2016-9310)

* A flaw was found in the way ntpd implemented the trap service. A remote
attacker could send a specially crafted packet to cause a null pointer
dereference that will crash ntpd, resulting in a denial of service.
(CVE-2016-9311)

* A flaw was found in the way ntpd running on a host with multiple network
interfaces handled certain server responses. A remote attacker could use
this flaw which would cause ntpd to not synchronize with the source.
(CVE-2016-7429)

* A flaw was found in the way ntpd calculated the root delay. A remote
attacker could send a specially-crafted spoofed packet to cause denial of
service or in some special cases even crash. (CVE-2016-7433)

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the ntpd daemon will restart automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

1397319 - CVE-2016-9310 ntp: Mode 6 unauthenticated trap information disclosure and DDoS vector
1397341 - CVE-2016-7429 ntp: Attack on interface selection
1397345 - CVE-2016-7426 ntp: Client rate limiting and server responses
1397347 - CVE-2016-7433 ntp: Broken initial sync calculations regression
1398350 - CVE-2016-9311 ntp: Null pointer dereference when trap service is enabled

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
ntp-4.2.6p5-10.el6_8.2.src.rpm

i386:
ntp-4.2.6p5-10.el6_8.2.i686.rpm
ntp-debuginfo-4.2.6p5-10.el6_8.2.i686.rpm
ntpdate-4.2.6p5-10.el6_8.2.i686.rpm

x86_64:
ntp-4.2.6p5-10.el6_8.2.x86_64.rpm
ntp-debuginfo-4.2.6p5-10.el6_8.2.x86_64.rpm
ntpdate-4.2.6p5-10.el6_8.2.x86_64.rpm

Red Hat Enterprise Linux Desktop Optional (v. 6):

i386:
ntp-debuginfo-4.2.6p5-10.el6_8.2.i686.rpm
ntp-perl-4.2.6p5-10.el6_8.2.i686.rpm

noarch:
ntp-doc-4.2.6p5-10.el6_8.2.noarch.rpm

x86_64:
ntp-debuginfo-4.2.6p5-10.el6_8.2.x86_64.rpm
ntp-perl-4.2.6p5-10.el6_8.2.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
ntp-4.2.6p5-10.el6_8.2.src.rpm

x86_64:
ntp-4.2.6p5-10.el6_8.2.x86_64.rpm
ntp-debuginfo-4.2.6p5-10.el6_8.2.x86_64.rpm
ntpdate-4.2.6p5-10.el6_8.2.x86_64.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

noarch:
ntp-doc-4.2.6p5-10.el6_8.2.noarch.rpm

x86_64:
ntp-debuginfo-4.2.6p5-10.el6_8.2.x86_64.rpm
ntp-perl-4.2.6p5-10.el6_8.2.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
ntp-4.2.6p5-10.el6_8.2.src.rpm

i386:
ntp-4.2.6p5-10.el6_8.2.i686.rpm
ntp-debuginfo-4.2.6p5-10.el6_8.2.i686.rpm
ntpdate-4.2.6p5-10.el6_8.2.i686.rpm

ppc64:
ntp-4.2.6p5-10.el6_8.2.ppc64.rpm
ntp-debuginfo-4.2.6p5-10.el6_8.2.ppc64.rpm
ntpdate-4.2.6p5-10.el6_8.2.ppc64.rpm

s390x:
ntp-4.2.6p5-10.el6_8.2.s390x.rpm
ntp-debuginfo-4.2.6p5-10.el6_8.2.s390x.rpm
ntpdate-4.2.6p5-10.el6_8.2.s390x.rpm

x86_64:
ntp-4.2.6p5-10.el6_8.2.x86_64.rpm
ntp-debuginfo-4.2.6p5-10.el6_8.2.x86_64.rpm
ntpdate-4.2.6p5-10.el6_8.2.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

i386:
ntp-debuginfo-4.2.6p5-10.el6_8.2.i686.rpm
ntp-perl-4.2.6p5-10.el6_8.2.i686.rpm

noarch:
ntp-doc-4.2.6p5-10.el6_8.2.noarch.rpm

ppc64:
ntp-debuginfo-4.2.6p5-10.el6_8.2.ppc64.rpm
ntp-perl-4.2.6p5-10.el6_8.2.ppc64.rpm

s390x:
ntp-debuginfo-4.2.6p5-10.el6_8.2.s390x.rpm
ntp-perl-4.2.6p5-10.el6_8.2.s390x.rpm

x86_64:
ntp-debuginfo-4.2.6p5-10.el6_8.2.x86_64.rpm
ntp-perl-4.2.6p5-10.el6_8.2.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
ntp-4.2.6p5-10.el6_8.2.src.rpm

i386:
ntp-4.2.6p5-10.el6_8.2.i686.rpm
ntp-debuginfo-4.2.6p5-10.el6_8.2.i686.rpm
ntpdate-4.2.6p5-10.el6_8.2.i686.rpm

x86_64:
ntp-4.2.6p5-10.el6_8.2.x86_64.rpm
ntp-debuginfo-4.2.6p5-10.el6_8.2.x86_64.rpm
ntpdate-4.2.6p5-10.el6_8.2.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

i386:
ntp-debuginfo-4.2.6p5-10.el6_8.2.i686.rpm
ntp-perl-4.2.6p5-10.el6_8.2.i686.rpm

noarch:
ntp-doc-4.2.6p5-10.el6_8.2.noarch.rpm

x86_64:
ntp-debuginfo-4.2.6p5-10.el6_8.2.x86_64.rpm
ntp-perl-4.2.6p5-10.el6_8.2.x86_64.rpm

Red Hat Enterprise Linux Client (v. 7):

Source:
ntp-4.2.6p5-25.el7_3.1.src.rpm

x86_64:
ntp-4.2.6p5-25.el7_3.1.x86_64.rpm
ntp-debuginfo-4.2.6p5-25.el7_3.1.x86_64.rpm
ntpdate-4.2.6p5-25.el7_3.1.x86_64.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:
ntp-doc-4.2.6p5-25.el7_3.1.noarch.rpm
ntp-perl-4.2.6p5-25.el7_3.1.noarch.rpm

x86_64:
ntp-debuginfo-4.2.6p5-25.el7_3.1.x86_64.rpm
sntp-4.2.6p5-25.el7_3.1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
ntp-4.2.6p5-25.el7_3.1.src.rpm

x86_64:
ntp-4.2.6p5-25.el7_3.1.x86_64.rpm
ntp-debuginfo-4.2.6p5-25.el7_3.1.x86_64.rpm
ntpdate-4.2.6p5-25.el7_3.1.x86_64.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:
ntp-doc-4.2.6p5-25.el7_3.1.noarch.rpm
ntp-perl-4.2.6p5-25.el7_3.1.noarch.rpm

x86_64:
ntp-debuginfo-4.2.6p5-25.el7_3.1.x86_64.rpm
sntp-4.2.6p5-25.el7_3.1.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
ntp-4.2.6p5-25.el7_3.1.src.rpm

aarch64:
ntp-4.2.6p5-25.el7_3.1.aarch64.rpm
ntp-debuginfo-4.2.6p5-25.el7_3.1.aarch64.rpm
ntpdate-4.2.6p5-25.el7_3.1.aarch64.rpm

ppc64:
ntp-4.2.6p5-25.el7_3.1.ppc64.rpm
ntp-debuginfo-4.2.6p5-25.el7_3.1.ppc64.rpm
ntpdate-4.2.6p5-25.el7_3.1.ppc64.rpm

ppc64le:
ntp-4.2.6p5-25.el7_3.1.ppc64le.rpm
ntp-debuginfo-4.2.6p5-25.el7_3.1.ppc64le.rpm
ntpdate-4.2.6p5-25.el7_3.1.ppc64le.rpm

s390x:
ntp-4.2.6p5-25.el7_3.1.s390x.rpm
ntp-debuginfo-4.2.6p5-25.el7_3.1.s390x.rpm
ntpdate-4.2.6p5-25.el7_3.1.s390x.rpm

x86_64:
ntp-4.2.6p5-25.el7_3.1.x86_64.rpm
ntp-debuginfo-4.2.6p5-25.el7_3.1.x86_64.rpm
ntpdate-4.2.6p5-25.el7_3.1.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

aarch64:
ntp-debuginfo-4.2.6p5-25.el7_3.1.aarch64.rpm
sntp-4.2.6p5-25.el7_3.1.aarch64.rpm

noarch:
ntp-doc-4.2.6p5-25.el7_3.1.noarch.rpm
ntp-perl-4.2.6p5-25.el7_3.1.noarch.rpm

ppc64:
ntp-debuginfo-4.2.6p5-25.el7_3.1.ppc64.rpm
sntp-4.2.6p5-25.el7_3.1.ppc64.rpm

ppc64le:
ntp-debuginfo-4.2.6p5-25.el7_3.1.ppc64le.rpm
sntp-4.2.6p5-25.el7_3.1.ppc64le.rpm

s390x:
ntp-debuginfo-4.2.6p5-25.el7_3.1.s390x.rpm
sntp-4.2.6p5-25.el7_3.1.s390x.rpm

x86_64:
ntp-debuginfo-4.2.6p5-25.el7_3.1.x86_64.rpm
sntp-4.2.6p5-25.el7_3.1.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
ntp-4.2.6p5-25.el7_3.1.src.rpm

x86_64:
ntp-4.2.6p5-25.el7_3.1.x86_64.rpm
ntp-debuginfo-4.2.6p5-25.el7_3.1.x86_64.rpm
ntpdate-4.2.6p5-25.el7_3.1.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:
ntp-doc-4.2.6p5-25.el7_3.1.noarch.rpm
ntp-perl-4.2.6p5-25.el7_3.1.noarch.rpm

x86_64:
ntp-debuginfo-4.2.6p5-25.el7_3.1.x86_64.rpm
sntp-4.2.6p5-25.el7_3.1.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-7426
https://access.redhat.com/security/cve/CVE-2016-7429
https://access.redhat.com/security/cve/CVE-2016-7433
https://access.redhat.com/security/cve/CVE-2016-9310
https://access.redhat.com/security/cve/CVE-2016-9311
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.


--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
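
Added example (not part of the SecurityTracker entry or the Red Hat advisory): a check of an installed ntp build, as reported by rpm -q --qf '%{VERSION}-%{RELEASE}\n' ntp, against the fixed builds in the advisory's package list, using rpm's segment-wise version ordering rather than string comparison. The host names and the builds other than the two fixed ones are constructed sample data, and the '~' and '^' version markers are assumed not to occur.

```python
import re

# Fixed version-release per RHEL major release, from the advisory's package list.
FIXED = {"el6": "4.2.6p5-10.el6_8.2", "el7": "4.2.6p5-25.el7_3.1"}


def _segments(s):
    # rpm treats every non-alphanumeric character as a separator and also
    # splits where digits meet letters: "4.2.6p5" -> 4, 2, 6, p, 5.
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Return -1, 0 or 1 following rpm's segment rules ('~' and '^' not handled)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment is newer than alphabetic
        if x.isdigit():
            x, y = int(x), int(y)  # numeric segments compare as integers
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_vr(a, b):
    """Compare two 'VERSION-RELEASE' strings: version first, release as tie-break."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_patched(installed):
    """True if an ntp VERSION-RELEASE string is at or above the advisory's fix."""
    m = re.search(r"\.(el[67])(?![0-9])", installed)
    if m is None:
        raise ValueError("not a RHEL 6 or 7 build: " + installed)
    return compare_vr(installed, FIXED[m.group(1)]) >= 0


if __name__ == "__main__":
    # Constructed sample inventory (host names and non-advisory builds are made up).
    inventory = {"web01": "4.2.6p5-9.el6", "db02": "4.2.6p5-10.el6_8.2",
                 "app03": "4.2.6p5-22.el7", "ntp04": "4.2.6p5-28.el7"}
    for host, vr in sorted(inventory.items()):
        print(host, vr, "patched" if is_patched(vr) else "NEEDS RHSA-2017:0252")
```

A plain string comparison would rank release 9 above release 10 and report the constructed web01 build as fixed; the segment-wise comparison does not.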
 
 



Copyright 2017, SecurityGlobal.net LLC