Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 494
Alerts This Week
Warning Icon 1 494

Ubuntu 14.10 USN-2449-1 Critical: NTP Buffer Overflow and Spoofing

ubuntu
Calendar Grey December 22, 2014
Dist Ubuntu Esm H88
Critical NTP flaws found in Ubuntu necessitate urgent updates to avert potential remote attacks and service disruptions. Take action now!
Several security issues were fixed in NTP.

Summary

Several security issues were fixed in NTP.

Software Description:

- ntp: Network Time Protocol daemon and utility programs

Details:

Neel Mehta discovered that NTP generated weak authentication keys. A remote

attacker could possibly use this issue to brute force the authentication

key and send requests if permitted by IP restrictions. (CVE-2014-9293)

Stephen Roettger discovered that NTP generated weak MD5 keys. A remote

attacker could possibly use this issue to brute force the MD5 key and spoof

a client or server. (CVE-2014-9294)

Stephen Roettger discovered that NTP contained buffer overflows in the

crypto_recv(), ctl_putdata() and configure() functions. In non-default

configurations, a remote attacker could use these issues to cause NTP to

crash, resulting in a denial of service, or possibly execute arbitrary

code. The default compiler options for affected releases should reduce the

vulnerability to a denial of service. In addition, attackers would be

isol...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 14.10:
  ntp                             1:4.2.6.p5+dfsg-3ubuntu2.14.10.1

Ubuntu 14.04 LTS:
  ntp                             1:4.2.6.p5+dfsg-3ubuntu2.14.04.1

Ubuntu 12.04 LTS:
  ntp                             1:4.2.6.p3+dfsg-1ubuntu3.2

Ubuntu 10.04 LTS:
  ntp                             1:4.2.4p8+dfsg-1ubuntu2.2

After a standard system update you need to regenerate any MD5 keys that
were manually created with ntp-keygen.

References

https://ubuntu.com/security/notices/USN-2449-1

CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296

Severity
critical
Lowest
Low
Medium
High
Critical

December 22, 2014

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.