Description: Summary: The remote host is missing an update for the Debian 'ntp' package(s) announced via the DLA-335-1 advisory.
Vulnerability Insight: Several security issues were found in ntp:
CVE-2015-5146
A flaw was found in the way ntpd processed certain remote configuration packets. An attacker could use a specially crafted packet to cause ntpd to crash if:
- ntpd enabled remote configuration
- the attacker had knowledge of the configuration password
- the attacker had access to a computer entrusted to perform remote configuration
Note that remote configuration is disabled by default in NTP.
CVE-2015-5194
It was found that ntpd could crash due to an uninitialized variable when processing malformed logconfig configuration commands.
CVE-2015-5195
It was found that ntpd exits with a segmentation fault when a statistics type that was not enabled during compilation (e.g. timingstats) is referenced by the statistics or filegen configuration command.
CVE-2015-5219
It was discovered that the sntp program would hang in an infinite loop when a crafted NTP packet was received, related to the conversion of the precision value in the packet to double.
CVE-2015-5300
It was found that ntpd did not correctly implement the -g option:
Normally, ntpd exits with a message to the system log if the offset exceeds the panic threshold, which is 1000 s by default. This option allows the time to be set to any value without restriction, however, this can happen only once. If the threshold is exceeded after that, ntpd will exit with a message to the system log. This option can be used with the -q and -x options.
ntpd could actually step the clock multiple times by more than the panic threshold if its clock discipline doesn't have enough time to reach the sync state and stay there for at least one update. If a man-in-the-middle attacker can control the NTP traffic since ntpd was started (or maybe up to 15-30 minutes after that), they can prevent the client from reaching the sync state and force it to step its clock by any amount any number of times, which can be used by attackers to expire certificates, etc.
This is contrary to what the documentation says. Normally, the assumption is that an MITM attacker can step the clock more than the panic threshold only once when ntpd starts and to make a larger adjustment the attacker has to divide it into multiple smaller steps, each taking 15 minutes, which is slow.
CVE-2015-7691, CVE-2015-7692, CVE-2015-7702
It was found that the fix for CVE-2014-9750 was incomplete: three issues were found in the value length checks in ntp_crypto.c, where a packet with particular autokey operations that contained malicious data was not always being completely validated. Receipt of these packets can cause ntpd to crash.
CVE-2015-7701
A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd is configured to use autokey authentication, an attacker could send packets to ntpd that would, after several days of ongoing attack, cause it to run out of memory.
CVE-2015-7703
Miroslav Lichvar of Red Hat ... [Please see the references for more information on the vulnerabilities]
Affected Software/OS: 'ntp' package(s) on Debian 6.
Solution: Please install the updated package(s).
CVSS Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P