Bug 1331461 (CVE-2016-1547)

Summary: CVE-2016-1547 ntp: crypto-NAK preemptable association denial of service
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: apmukher, jaeshin, mdshaikh, mlichvar, sardella, slawomir
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: ntp 4.2.8p7 Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in the way NTP handled preemptable client associations. A remote attacker could send several crypto NAK packets to a victim client, each with a spoofed source address of an existing associated peer, preventing that client from synchronizing its time.
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-05-31 08:23:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1332478, 1332479, 1332480, 1332481, 1356967    
Bug Blocks: 1331437    

Description Martin Prpič 2016-04-28 14:50:51 UTC
The following flaw was found in NTP:

An off-path attacker can cause a preemptable client association to be demobilized by sending a crypto NAK packet to a victim client with a spoofed source address of an existing associated peer. This is true even if authentication is enabled.

Furthermore, if the attacker keeps sending crypto NAK packets, for example every one second, the victim never has a chance to reestablish the association and synchronize time with the legitimate server.

Upstream bugs:

http://support.ntp.org/bin/view/Main/NtpBug3007

External References:

http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security
http://www.talosintel.com/reports/TALOS-2016-0081/

Comment 2 Miroslav Lichvar 2016-05-10 13:51:11 UTC
In Fedora this bug was fixed in ntp-4.2.6p5-36.fc22 and ntp-4.2.6p5-36.fc23 as a part of the fix for CVE-2015-7979.

Comment 3 errata-xmlrpc 2016-05-31 08:12:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2016:1141 https://access.redhat.com/errata/RHSA-2016:1141

Comment 5 errata-xmlrpc 2016-08-03 07:43:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2016:1552 https://rhn.redhat.com/errata/RHSA-2016-1552.html