(Oracle Issues Fix for Oracle Linux) ntp Multiple Bugs Let Remote or Local Users Cause the Target Service to Crash
SecurityTracker Alert ID: 1039667|
SecurityTracker URL: http://securitytracker.com/id/1039667
CVE-2017-6462, CVE-2017-6463, CVE-2017-6464
(Links to External Site)
Date: Oct 26 2017
Denial of service via local system, Denial of service via network|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): 4.2.8p9 and prior|
Multiple vulnerabilities were reported in ntp. A remote or local user can cause the target service to crash.|
A remote authenticated user can set a specially crafted configuration directive to cause the target ntpd service to crash [CVE-2017-6464].
A local user that can load a specially crafted '/dev/datum/' device can trigger a buffer overflow in datum_pts_receive() in the legacy Datum Programmable Time Server refclock driver and cause denial of service conditions [CVE-2017-6462].
A remote authenticated user can send a specially crafted ':config' directive to trigger a segmentation fault on the target NTP server [CVE-2017-6463].
A local user can cause DLLs to be executed with elevated privileges and cause denial of service conditions on Windows-based systems [CVE-2017-6455].
A local user can supply specially crafted command line parameters to trigger a stack overflow in addSourceToRegistry() on Windows-based systems [CVE-2017-6452].
A remote user can cause a data structure to be terminated incorrectly on Windows-based systems [CVE-2017-6459].
A remote user can send specially crafted data to trigger an overflow in the ctl_put() function and cause the target service to crash [CVE-2017-6458].
A remote user may be able to trigger an out-of-bounds memory write error in mx4200_send() on systems with the legacy MX4200 refclock enabled and cause the target service to crash [CVE-2017-6451].
A remote ntpd server can trigger a stack buffer overflow in ntpq when return a restriction list to cause the target ntpq service to crash [CVE-2017-6460].
A remote user that can spoof servers can exploit a timestamp origin check flaw and cause timestamp reset replies to be dropped [CVE-2016-9042].
Cure53 and Matthew Van Gundy of Cisco ASIG reported these vulnerabilities.
A remote or local user can cause the target service to crash.|
Oracle has issued a fix for CVE-2017-6462, CVE-2017-6463, and CVE-2017-6464.|
The Oracle Linux advisory is available at:
Vendor URL: linux.oracle.com/errata/ELSA-2017-3071.html (Links to External Site)
Access control error, Boundary error, Input validation error, State error|
|Underlying OS: Linux (Oracle)|
|Underlying OS Comments: 6|
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Subject: [El-errata] ELSA-2017-3071 Moderate: Oracle Linux 6 ntp security update|
Oracle Linux Security Advisory ELSA-2017-3071
The following updated rpms for Oracle Linux 6 have been uploaded to the
Unbreakable Linux Network:
Description of changes:
- add disable monitor to default ntp.conf [CVE-2013-5211]
- fix buffer overflow in datum refclock driver (CVE-2017-6462)
- fix crash with invalid unpeer command (CVE-2017-6463)
- fix potential crash with invalid server command (CVE-2017-6464)
- don't limit rate of packets from sources (CVE-2016-7426)
- don't change interface from received packets (CVE-2016-7429)
- fix calculation of root distance again (CVE-2016-7433)
- require authentication for trap commands (CVE-2016-9310)
- fix crash when reporting peer event to trappers (CVE-2016-9311)
- don't allow spoofed packets to demobilize associations (CVE-2015-7979,
- don't allow spoofed packet to enable symmetric interleaved mode
- check mode of new source in config command (CVE-2016-2518)
- make MAC check resilient against timing attack (CVE-2016-1550)
El-errata mailing list