=========================================================================Ubuntu Security Notice USN-3349-1
July 05, 2017

ntp vulnerabilities
=========================================================================
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 17.04
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS

Summary:

Several security issues were fixed in NTP.

Software Description:
- ntp: Network Time Protocol daemon and utility programs

Details:

Yihan Lian discovered that NTP incorrectly handled certain large request
data values. A remote attacker could possibly use this issue to cause NTP
to crash, resulting in a denial of service. This issue only affected
Ubuntu 16.04 LTS. (CVE-2016-2519)

Miroslav Lichvar discovered that NTP incorrectly handled certain spoofed
addresses when performing rate limiting. A remote attacker could possibly
use this issue to perform a denial of service. This issue only affected
Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7426)

Matthew Van Gundy discovered that NTP incorrectly handled certain crafted
broadcast mode packets. A remote attacker could possibly use this issue to
perform a denial of service. This issue only affected Ubuntu 14.04 LTS,
Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-7427, CVE-2016-7428)

Miroslav Lichvar discovered that NTP incorrectly handled certain responses.
A remote attacker could possibly use this issue to perform a denial of
service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and
Ubuntu 16.10. (CVE-2016-7429)

Sharon Goldberg and Aanchal Malhotra discovered that NTP incorrectly
handled origin timestamps of zero. A remote attacker could possibly use
this issue to bypass the origin timestamp protection mechanism. This issue
only affected Ubuntu 16.10. (CVE-2016-7431)

Brian Utterback, Sharon Goldberg and Aanchal Malhotra discovered that NTP
incorrectly performed initial sync calculations. This issue only applied
to Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-7433)

Magnus Stubman discovered that NTP incorrectly handled certain mrulist
queries. A remote attacker could possibly use this issue to cause NTP to
crash, resulting in a denial of service. This issue only affected Ubuntu
16.04 LTS and Ubuntu 16.10. (CVE-2016-7434)

Matthew Van Gund discovered that NTP incorrectly handled origin timestamp
checks. A remote attacker could possibly use this issue to perform a denial
of service. This issue only affected Ubuntu Ubuntu 16.10, and Ubuntu 17.04.
(CVE-2016-9042)

Matthew Van Gundy discovered that NTP incorrectly handled certain control
mode packets. A remote attacker could use this issue to set or unset traps.
This issue only applied to Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu
16.10. (CVE-2016-9310)

Matthew Van Gundy discovered that NTP incorrectly handled the trap service.
A remote attacker could possibly use this issue to cause NTP to crash,
resulting in a denial of service. This issue only applied to Ubuntu 14.04
LTS, Ubuntu 16.04 LTS and Ubuntu 16.10. (CVE-2016-9311)

It was discovered that NTP incorrectly handled memory when processing long
variables. A remote authenticated user could possibly use this issue to
cause NTP to crash, resulting in a denial of service. (CVE-2017-6458)

It was discovered that NTP incorrectly handled memory when processing long
variables. A remote authenticated user could possibly use this issue to
cause NTP to crash, resulting in a denial of service. This issue only
applied to Ubuntu 16.04 LTS, Ubuntu 16.10 and Ubuntu 17.04. (CVE-2017-6460)

It was discovered that the NTP legacy DPTS refclock driver incorrectly
handled the /dev/datum device. A local attacker could possibly use this
issue to cause a denial of service. (CVE-2017-6462)

It was discovered that NTP incorrectly handled certain invalid settings
in a :config directive. A remote authenticated user could possibly use
this issue to cause NTP to crash, resulting in a denial of service.
(CVE-2017-6463)

It was discovered that NTP incorrectly handled certain invalid mode
configuration directives. A remote authenticated user could possibly use
this issue to cause NTP to crash, resulting in a denial of service.
(CVE-2017-6464)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 17.04:
  ntp                             1:4.2.8p9+dfsg-2ubuntu1.1

Ubuntu 16.10:
  ntp                             1:4.2.8p8+dfsg-1ubuntu2.1

Ubuntu 16.04 LTS:
  ntp                             1:4.2.8p4+dfsg-3ubuntu5.5

Ubuntu 14.04 LTS:
  ntp                             1:4.2.6.p5+dfsg-3ubuntu2.14.04.11

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-3349-1
  CVE-2016-2519, CVE-2016-7426, CVE-2016-7427, CVE-2016-7428,
  CVE-2016-7429, CVE-2016-7431, CVE-2016-7433, CVE-2016-7434,
  CVE-2016-9042, CVE-2016-9310, CVE-2016-9311, CVE-2017-6458,
  CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464

Package Information:
  https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p9+dfsg-2ubuntu1.1
  https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p8+dfsg-1ubuntu2.1
  https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p4+dfsg-3ubuntu5.5
  https://launchpad.net/ubuntu/+source/ntp/1:4.2.6.p5+dfsg-3ubuntu2.14.04.11

Ubuntu 3349-1: NTP vulnerabilities

July 5, 2017
Several security issues were fixed in NTP.

Summary

Update Instructions

The problem can be corrected by updating your system to the following package versions: Ubuntu 17.04: ntp 1:4.2.8p9+dfsg-2ubuntu1.1 Ubuntu 16.10: ntp 1:4.2.8p8+dfsg-1ubuntu2.1 Ubuntu 16.04 LTS: ntp 1:4.2.8p4+dfsg-3ubuntu5.5 Ubuntu 14.04 LTS: ntp 1:4.2.6.p5+dfsg-3ubuntu2.14.04.11 In general, a standard system update will make all the necessary changes.

References

https://ubuntu.com/security/notices/USN-3349-1

CVE-2016-2519, CVE-2016-7426, CVE-2016-7427, CVE-2016-7428,

CVE-2016-7429, CVE-2016-7431, CVE-2016-7433, CVE-2016-7434,

CVE-2016-9042, CVE-2016-9310, CVE-2016-9311, CVE-2017-6458,

CVE-2017-6460, CVE-2017-6462, CVE-2017-6463, CVE-2017-6464

Severity
July 05, 2017

Package Information

https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p9+dfsg-2ubuntu1.1 https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p8+dfsg-1ubuntu2.1 https://launchpad.net/ubuntu/+source/ntp/1:4.2.8p4+dfsg-3ubuntu5.5 https://launchpad.net/ubuntu/+source/ntp/1:4.2.6.p5+dfsg-3ubuntu2.14.04.11

Related News

4.Lock AbstractDigital Esm H320
2 - 3 min read
Tails 6.2 is a new Linux distribution release that expands its multilingual support and improves security features. The distribution is a
19.Laptop Bed Esm H320
2 - 3 min read
AlmaLinux 9.4 beta has been released and provides compelling reasons to consider it for desktop usage. While AlmaLinux is primarily known as a
32.Lock Code Circular Esm H320
2 - 3 min read
Linux admins and security practitioners face significant challenges in keeping their Linux systems secure amidst the constant threat of kernel bugs.
1.Penguin Landscape Esm H320
2 - 3 min read
A significant security threat, known as the Spectre v2 exploit, has been observed targeting Linux systems running on modern Intel processors. Let's
10.FingerPrint Locks Esm H320
2 - 3 min read
The recent release of I2P 2.5.0 , an anonymous P2P network that protects against online censorship, surveillance, and monitoring, has brought a slew
24.Key Code Esm H320
2 - 3 min read
The Akira ransomware group has extorted approximately $42 million from over 250 victims since January 1, 2024. The group initially focused on
5.ShakingHands Esm H320
2 - 3 min read
At The Linux Foundation's Open Source Summit North America , Linus Torvalds, the creator of Linux, discussed various topics related to Linux
30.Lock Globe Motherboard Esm H320
1 - 2 min read
The SPDX 3.0 release marks a significant milestone in software management, particularly for Linux admins, infosec professionals, internet security
Sign Up

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved