Amazon Linux AMI : ntp (ALAS-2018-1083)
High Nessus Plugin ID 117607
Synopsis
The remote Amazon Linux AMI host is missing a security update.
Description
ntpd in ntp 4.2.x before 4.2.8p7 allows authenticated users that know the private symmetric key to create arbitrarily many ephemeral associations in order to win the clock selection of ntpd and modify a victim's clock via a Sybil attack. This issue exists because of an incomplete fix for CVE-2016-1549. (CVE-2018-7170)
The ntpq and ntpdc command-line utilities that are part of the ntp package are vulnerable to a stack-based buffer overflow via a crafted hostname.
Applications using these vulnerable utilities with untrusted input may potentially be exploited, resulting in a crash or arbitrary code execution under the privileges of that application. (CVE-2018-12327)
Solution
Run 'yum update ntp' to update your system.