PublicDateAtUSN: 2016-01-26
Candidate: CVE-2015-7974
PublicDate: 2016-01-26
References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974
http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
http://www.talosintel.com/reports/TALOS-2016-0071/
http://www.ubuntu.com/usn/usn-3096-1
Description:
NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer
associations of symmetric keys when authenticating packets, which might
allow remote attackers to conduct impersonation attacks via an arbitrary
trusted key, aka a "skeleton key."
Ubuntu-Description:
Notes:
mdeslaur> fedora has an alternate fix
mdeslaur> http://lists.ntp.org/pipermail/hackers/2016-January/007416.html
Bugs:
http://support.ntp.org/bin/view/Main/NtpBug2936
Priority: low
Discovered-by: Matt Street
Assigned-to:
Patches_ntp:
upstream: https://github.com/ntp-project/ntp/commit/71a962710bfe066f76da9679cf4cfdeffe34e95e
vendor: http://pkgs.fedoraproject.org/cgit/rpms/ntp.git/tree/ntp-4.2.6p5-cve-2015-7974.patch
upstream_ntp: released (4.2.8p6)
precise_ntp: released (1:4.2.6.p3+dfsg-1ubuntu3.11)
precise/esm_ntp: released (1:4.2.6.p3+dfsg-1ubuntu3.11)
trusty_ntp: released (1:4.2.6.p5+dfsg-3ubuntu2.14.04.10)
vivid_ntp: ignored (reached end-of-life)
vivid/stable-phone-overlay_ntp: ignored (reached end-of-life)
vivid/ubuntu-core_ntp: DNE
wily_ntp: ignored (reached end-of-life)
xenial_ntp: released (1:4.2.8p4+dfsg-3ubuntu5.3)
yakkety_ntp: not-affected (1:4.2.8p4+dfsg-3ubuntu6)
zesty_ntp: not-affected (1:4.2.8p4+dfsg-3ubuntu6)
devel_ntp: not-affected (1:4.2.8p4+dfsg-3ubuntu6)