Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 486
Alerts This Week
Warning Icon 1 486

Debian NTP Critical Denial of Service Advisory DSA-3223-1 CVE-2015-1798

debian
Calendar Grey April 12, 2015
Debian Logo
Debian DSA-3223-1 addresses critical NTP risks due to multiple vulnerabilities that may impact synchronization.
Multiple vulnerabilities were discovered in ntp, an implementation of the Network Time Protocol: CVE-2015-1798

Summary

CVE-2015-1798

When configured to use a symmetric key with an NTP peer, ntpd would
accept packets without MAC as if they had a valid MAC. This could
allow a remote attacker to bypass the packet authentication and send
malicious packets without having to know the symmetric key.

CVE-2015-1799

When peering with other NTP hosts using authenticated symmetric
association, ntpd would update its internal state variables before
the MAC of the NTP messages was validated. This could allow a remote
attacker to cause a denial of service by impeding synchronization
between NTP peers.

Additionally, it was discovered that generating MD5 keys using ntp-keygen
on big endian machines would either trigger an endless loop, or generate
non-random keys.

For the stable distribution (wheezy), these problems have been fixed in
version 1:4.2.6.p5+dfsg-2+deb7u4.

For the unstable distribution (sid), these problems have been fixed in
version 1:4.2.6.p5+dfsg-7.

We recommend that you upgrade your ...

Read the Full Advisory

Severity
critical
Lowest
Low
Medium
High
Critical

Package: ntp
CVE ID: CVE-2015-1798 CVE-2015-1799

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.