Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS : ntp vulnerabilities (USN-3096-1)

Ubuntu Security Notice (C) 2016-2017 Canonical, Inc. / NASL script (C) 2016-2017 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing a security-related patch.

Description :

Aanchal Malhotra discovered that NTP incorrectly handled authenticated
broadcast mode. A remote attacker could use this issue to perform a
replay attack. (CVE-2015-7973)

Matt Street discovered that NTP incorrectly verified peer associations
of symmetric keys. A remote attacker could use this issue to perform
an impersonation attack. (CVE-2015-7974)

Jonathan Gardner discovered that the NTP ntpq utility incorrectly
handled memory. An attacker could possibly use this issue to cause
ntpq to crash, resulting in a denial of service. This issue only
affected Ubuntu 16.04 LTS. (CVE-2015-7975)

Jonathan Gardner discovered that the NTP ntpq utility incorrectly
handled dangerous characters in filenames. An attacker could possibly
use this issue to overwrite arbitrary files. (CVE-2015-7976)

Stephen Gray discovered that NTP incorrectly handled large restrict
lists. An attacker could use this issue to cause NTP to crash,
resulting in a denial of service. (CVE-2015-7977, CVE-2015-7978)

Aanchal Malhotra discovered that NTP incorrectly handled authenticated
broadcast mode. A remote attacker could use this issue to cause NTP to
crash, resulting in a denial of service. (CVE-2015-7979)

Jonathan Gardner discovered that NTP incorrectly handled origin
timestamp checks. A remote attacker could use this issue to spoof peer
servers. (CVE-2015-8138)

Jonathan Gardner discovered that the NTP ntpq utility did not properly
handle certain incorrect values. An attacker could possibly use this
issue to cause ntpq to hang, resulting in a denial of service.
(CVE-2015-8158)

It was discovered that the NTP cronjob incorrectly cleaned up the
statistics directory. A local attacker could possibly use this to
escalate privileges. (CVE-2016-0727)

Stephen Gray and Matthew Van Gundy discovered that NTP incorrectly
validated crypto-NAKs. A remote attacker could possibly use this issue
to prevent clients from synchronizing. (CVE-2016-1547)

Miroslav Lichvar and Jonathan Gardner discovered that NTP incorrectly
handled switching to interleaved symmetric mode. A remote attacker
could possibly use this issue to prevent clients from synchronizing.
(CVE-2016-1548)

Matthew Van Gundy, Stephen Gray and Loganaden Velvindron discovered
that NTP incorrectly handled message authentication. A remote attacker
could possibly use this issue to recover the message digest key.
(CVE-2016-1550)

Yihan Lian discovered that NTP incorrectly handled duplicate IPs on
unconfig directives. An authenticated remote attacker could possibly
use this issue to cause NTP to crash, resulting in a denial of
service. (CVE-2016-2516)

Yihan Lian discovered that NTP incorrectly handled certail peer
associations. A remote attacker could possibly use this issue to cause
NTP to crash, resulting in a denial of service. (CVE-2016-2518)

Jakub Prokes discovered that NTP incorrectly handled certain spoofed
packets. A remote attacker could possibly use this issue to cause a
denial of service. (CVE-2016-4954)

Miroslav Lichvar discovered that NTP incorrectly handled certain
packets when autokey is enabled. A remote attacker could possibly use
this issue to cause a denial of service. (CVE-2016-4955)

Miroslav Lichvar discovered that NTP incorrectly handled certain
spoofed broadcast packets. A remote attacker could possibly use this
issue to cause a denial of service. (CVE-2016-4956)

In the default installation, attackers would be isolated by the NTP
AppArmor profile.

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected ntp package.

Risk factor :

High / CVSS Base Score : 7.2
(CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 6.8
(CVSS2#E:F/RL:ND/RC:ND)
Public Exploit Available : true

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now