Alerts This Week
Warning Icon 1 535
Alerts This Week
Warning Icon 1 535

Scientific Linux 6: SLSA-2016:0780-1 Moderate NTP Security Advisory

Calendar Jun 08, 2016 User Avatar LinuxSecurity Advisories
2 - 3 min read
Scientific Large Esm H500
Topics%20covered

Topics Covered

security advisory moderate buffer overflow security fix remote attack ntp scientific linux
Moderate: ntp security and bug fix update 
Date: Wed, 8 Jun 2016 21:07:45 -0000
Reply-To: scientific-linux-users@
Sender: Security Errata for Scientific Linux
 
From: Kevin Hill 
Subject: Security ERRATA Moderate: ntp on SL6.x i386/x86_64
MIME-Version: 1.0
Message-ID: <20160608210745.26733.87274@slpackages.fnal.gov>

Synopsis: Moderate: ntp security and bug fix update
Advisory ID: SLSA-2016:0780-1
Issue Date: 2016-05-10
CVE Numbers: CVE-2015-5194
 CVE-2015-5195
 CVE-2015-7703
 CVE-2015-5219
 CVE-2015-7691
 CVE-2015-7692
 CVE-2015-7702
 CVE-2015-7701
 CVE-2015-7852
 CVE-2015-7977
 CVE-2015-7978
--

Security Fix(es):

* It was found that the fix for CVE-2014-9750 was incomplete: three issues
were found in the value length checks in NTP's ntp_crypto.c, where a
packet with particular autokey operations that contained malicious data
was not always being completely validated. A remote attacker could use a
specially crafted NTP packet to crash ntpd. (CVE-2015-7691, CVE-2015-7692,
CVE-2015-7702)

* A memory leak flaw was found in ntpd's CRYPTO_ASSOC. If ntpd was
configured to use autokey authentication, an attacker could send packets
to ntpd that would, after several days of ongoing attack, cause it to run
out of memory. (CVE-2015-7701)

* An off-by-one flaw, leading to a buffer overflow, was found in
cookedprint functionality of ntpq. A specially crafted NTP packet could
potentially cause ntpq to crash. (CVE-2015-7852)

* A NULL pointer dereference flaw was found in the way ntpd processed
'ntpdc reslist' commands that queried restriction lists with a large
amount of entries. A remote attacker could potentially use this flaw to
crash ntpd. (CVE-2015-7977)

* A stack-based buffer overflow flaw was found in the way ntpd processed
'ntpdc reslist' commands that queried restriction lists with a large
amount of entries. A remote attacker could use this flaw to crash ntpd.
(CVE-2015-7978)

* It was found that ntpd could crash due to an uninitialized variable when
processing malformed logconfig configuration commands. (CVE-2015-5194)

* It was found that ntpd would exit with a segmentation fault when a
statistics type that was not enabled during compilation (e.g. timingstats)
was referenced by the statistics or filegen configuration command.
(CVE-2015-5195)

* It was discovered that the sntp utility could become unresponsive due to
being caught in an infinite loop when processing a crafted NTP packet.
(CVE-2015-5219)

* It was found that NTP's:config command could be used to set the pidfile
and driftfile paths without any restrictions. A remote attacker could use
this flaw to overwrite a file on the file system with a file containing
the pid of the ntpd process (immediately) or the current estimated drift
of the system clock (in hourly intervals). (CVE-2015-7703)

The CVE-2015-5219 and CVE-2015-7703 issues were discovered by Miroslav
Lichvr (Red Hat).
--

SL6
 x86_64
 ntp-4.2.6p5-10.el6.x86_64.rpm
 ntp-debuginfo-4.2.6p5-10.el6.x86_64.rpm
 ntpdate-4.2.6p5-10.el6.x86_64.rpm
 ntp-perl-4.2.6p5-10.el6.x86_64.rpm
 i386
 ntp-4.2.6p5-10.el6.i686.rpm
 ntp-debuginfo-4.2.6p5-10.el6.i686.rpm
 ntpdate-4.2.6p5-10.el6.i686.rpm
 ntp-perl-4.2.6p5-10.el6.i686.rpm
 noarch
 ntp-doc-4.2.6p5-10.el6.noarch.rpm

- Scientific Linux Development Team

Related News

Your message here