Bug 1331467 (CVE-2016-2517) - CVE-2016-2517 ntp: certain remote configuration values not properly validated
Summary: CVE-2016-2517 ntp: certain remote configuration values not properly validated
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2016-2517
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1332160
Blocks: 1331437
TreeView+ depends on / blocked
 
Reported: 2016-04-28 14:53 UTC by Martin Prpič
Modified: 2020-02-11 00:19 UTC (History)
5 users (show)

Fixed In Version: ntp 4.2.8p7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-02 12:51:14 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Knowledge Base (Solution) 2300641 None None None 2016-05-06 01:29:16 UTC

Description Martin Prpič 2016-04-28 14:53:12 UTC
The following flaw was found in ntpd:

If ntpd was expressly configured to allow for remote configuration, a malicious user who knows the controlkey for ntpq or the requestkey for ntpdc (if mode7 is expressly enabled) can create a session with ntpd and then send a crafted packet to ntpd that will change the value of the trustedkey, controlkey, or requestkey to a value that will prevent any subsequent authentication with ntpd until ntpd is restarted. 

Upstream bugs:

http://support.ntp.org/bin/view/Main/NtpBug3010

External References:

http://support.ntp.org/bin/view/Main/SecurityNotice#April_2016_NTP_4_2_8p7_Security

Comment 1 Martin Prpič 2016-05-02 11:37:53 UTC
Created ntp tracking bugs for this issue:

Affects: fedora-all [bug 1332160]

Comment 2 Martin Prpič 2016-05-02 12:51:14 UTC
Statement:

Red Hat Product Security does not consider this to be a security issue. An authenticated user could use various other means to disable access to an NTP server (for example, using the 'restrict' command). To mitigate this issue, disable remote configuration of NTP, or restrict this ability to trusted users.


Note You need to log in before you can comment on or make changes to this bug.