(Oracle Issues Fix for Oracle Linux) ntp Multiple Bugs Let Remote Users Spoof Messages, Obtain Potentially Sensitive Information, Modify Time, and Deny Service
SecurityTracker Alert ID: 1036005|
SecurityTracker URL: http://securitytracker.com/id/1036005
CVE-2016-1547, CVE-2016-1548, CVE-2016-1550, CVE-2016-2518
(Links to External Site)
Date: Jun 1 2016
Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information|
Fix Available: Yes Vendor Confirmed: Yes |
Multiple vulnerabilities were reported in ntp. A remote or remote authenticated user can modify time on the target system. A remote user can cause denial of service conditions on the target system. A remote user can obtain potentially sensitive information on the target system.|
A remote user can send specially crafted crypto-NAK packets with a spoofed source address of an existing peer to trigger an error in 'ntp_proto.c' and cause the preemptable client association to be demobilized [CVE-2016-1547].
A remote user can send a spoofed packet with a specially crafted timestamp to cause the target ntpd client to reject future server responses from the spoofed server. As a result, the remote user can modify the time of the target client or cause denial of service conditions on the target client [CVE-2016-1548].
A remote authenticated peer can create an arbitrary number of ephemeral associations to modify the time on the target system [CVE-2016-1549].
A remote user can send a series of specially crafted messages to potentially recover the message digest key [CVE-2016-1550].
A remote user can send specially crafted spoofed packets to a target system that fails to implement martian packet filtering to modify the time on the target system [CVE-2016-1551].
A remote user with knowledge of the controlkey (for ntpq) or the requestkey (for ntpdc) can create a specially crafted session to cause ntpd to crash in certain cases [CVE-2016-2516].
A remote authenticated user with knowledge of the of the controlkey (for ntpq) or the requestkey (for ntpdc) can create a specially crafted session to prevent ntpd from processing authentication requests until the process is restarted [CVE-2016-2517].
A remote authenticated user can send a specially crafted packet to trigger an out-of-bounds memory reference error in the MATCH_ASSOC() function when creating a peer association with hmode > 7 [CVE-2016-2518].
A remote authenticated user can cause a specially crafted data value to be stored by ntpd and then cause ntpd to crash when attempting to read the value via ctl_getitem() [CVE-2016-2519].
Matt Street, Matthew Van Gundy, Stephen Gray, Jonathan Gardner, and others of Cisco ASIG, Yihan Lian (of the Cloud Security Team, Qihoo 360), Miroslav Lichvar of RedHat, Michael Tatarinov (NTP Project Developer Volunteer), and Loganaden Velvindron reported these vulnerabilities.
A remote or remote authenticated user can modify time on the target system.|
A remote user can cause denial of service conditions.
A remote user can obtain potentially sensitive information on the target system.
Oracle has issued a fix for CVE-2016-1547, CVE-2016-1548, CVE-2016-1550, and CVE-2016-2518.|
The Oracle Linux advisory is available at:
Vendor URL: linux.oracle.com/errata/ELSA-2016-1141.html (Links to External Site)
Access control error, Input validation error, State error|
|Underlying OS: Linux (Oracle)|
|Underlying OS Comments: 6, 7|
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Subject: [El-errata] ELSA-2016-1141 Moderate: Oracle Linux 7 ntp security update|
Oracle Linux Security Advisory ELSA-2016-1141
The following updated rpms for Oracle Linux 7 have been uploaded to the
Unbreakable Linux Network:
Description of changes:
- don't allow spoofed packets to demobilize associations (CVE-2015-7979,
- don't allow spoofed packet to enable symmetric interleaved mode
- check mode of new source in config command (CVE-2016-2518)
- make MAC check resilient against timing attack (CVE-2016-1550)
El-errata mailing list