SUSE SLED12 / SLES12 Security Update : ntp (SUSE-SU-2016:1291-1)

This script is Copyright (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote SUSE host is missing one or more security updates.

Description :

This update for ntp to 4.2.8p7 fixes the following issues :

- CVE-2016-1547, bsc#977459: Validate crypto-NAKs, AKA:
CRYPTO-NAK DoS.

- CVE-2016-1548, bsc#977461: Interleave-pivot

- CVE-2016-1549, bsc#977451: Sybil vulnerability:
ephemeral association attack.

- CVE-2016-1550, bsc#977464: Improve NTP security against
buffer comparison timing attacks.

- CVE-2016-1551, bsc#977450: Refclock impersonation
vulnerability

- CVE-2016-2516, bsc#977452: Duplicate IPs on unconfig
directives will cause an assertion botch in ntpd.

- CVE-2016-2517, bsc#977455: remote configuration
trustedkey/ requestkey/controlkey values are not
properly validated.

- CVE-2016-2518, bsc#977457: Crafted addpeer with hmode >
7 causes array wraparound with MATCH_ASSOC.

- CVE-2016-2519, bsc#977458: ctl_getitem() return value
not always checked.

- This update also improves the fixes for: CVE-2015-7704,
CVE-2015-7705, CVE-2015-7974

Bugs fixed :

- Restrict the parser in the startup script to the first
occurrance of 'keys' and 'controlkey' in ntp.conf
(bsc#957226).

Note that Tenable Network Security has extracted the preceding
description block directly from the SUSE security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

https://bugzilla.suse.com/957226
https://bugzilla.suse.com/977446
https://bugzilla.suse.com/977450
https://bugzilla.suse.com/977451
https://bugzilla.suse.com/977452
https://bugzilla.suse.com/977455
https://bugzilla.suse.com/977457
https://bugzilla.suse.com/977458
https://bugzilla.suse.com/977459
https://bugzilla.suse.com/977461
https://bugzilla.suse.com/977464
https://www.suse.com/security/cve/CVE-2015-7704.html
https://www.suse.com/security/cve/CVE-2015-7705.html
https://www.suse.com/security/cve/CVE-2015-7974.html
https://www.suse.com/security/cve/CVE-2016-1547.html
https://www.suse.com/security/cve/CVE-2016-1548.html
https://www.suse.com/security/cve/CVE-2016-1549.html
https://www.suse.com/security/cve/CVE-2016-1550.html
https://www.suse.com/security/cve/CVE-2016-1551.html
https://www.suse.com/security/cve/CVE-2016-2516.html
https://www.suse.com/security/cve/CVE-2016-2517.html
https://www.suse.com/security/cve/CVE-2016-2518.html
https://www.suse.com/security/cve/CVE-2016-2519.html
http://www.nessus.org/u?d8baba8d

Solution :

To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product :

SUSE Linux Enterprise Server 12-SP1 :

zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-764=1

SUSE Linux Enterprise Desktop 12-SP1 :

zypper in -t patch SUSE-SLE-DESKTOP-12-SP1-2016-764=1

To bring your system up-to-date, use 'zypper patch'.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.2
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now