[arch-security] [ASA-201504-8] ntp: multiple issues

Christian Rebischke chris.rebischke at gmail.com
Wed Apr 8 14:21:53 UTC 2015

Arch Linux Security Advisory ASA-201504-8

Severity: Medium
Date    : 2015-04-08
CVE-ID  : CVE-2015-1798 CVE-2015-1799
Package : ntp
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE


The package ntp before version 4.2.8p2-1 is vulnerable to multiple issues.


Upgrade to 4.2.8p2-1.

# pacman -Syu "ntp>=4.2.8p2-1"

The problems have been fixed upstream.




CVE-2015-1798 (accept unauthenticated packets):

When ntpd is configured to use a symmetric key to authenticate a remote NTP
server/peer, it checks if the NTP message authentication code (MAC) in received
packets is valid, but not if there actually is any MAC included. Packets without
a MAC are accepted as if they had a valid MAC. This allows a MITM attacker to
send false packets that are accepted by the client/peer without having to know
the symmetric key. The attacker needs to know the transmit timestamp of the
client to match it in the forged reply and the false reply needs to reach the
client before the genuine reply from the server. The attacker doesn't
necessarily need to be relaying the packets between the client and the server. 

CVE-2015-1799 (denial of service):

An attacker knowing that NTP hosts A and B are peering with each other
(symmetric association) can send a packet to host A with source address of B
which will set the NTP state variables on A to the values sent by the attacker.
Host A will then send on its next poll to B a packet with originate timestamp
that doesn't match the transmit timestamp of B and the packet will be dropped.
If the attacker does this periodically for both hosts, they won't be able to
synchronize to each other. This is a known denial-of-service attack


CVE-2015-1798 (accept unauthenticated packets):

A MITM attacker could send false packets. These packets could be being accepte
without knowing the symmetric key.

CVE-2015-1799 (denial of service):

An attacker could stop the synchronizing process of ntp. 



-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20150408/8480a4ce/attachment.asc>

More information about the arch-security mailing list