Medium: ntp

Issue Overview:

2023-10-25: CVE-2013-5211 was added to this advisory.

The monlist feature in ntp_request.c in ntpd in NTP before 4.2.7p26 allows remote attackers to cause a denial of service (traffic amplification) via forged (1) REQ_MON_GETLIST or (2) REQ_MON_GETLIST_1 requests, as exploited in the wild in December 2013. (CVE-2013-5211)

A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win the clock selection algorithm in ntpd in NTP 4.2.8p4 and earlier and NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 and a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a victim’s clock. (CVE-2016-1549)

A flaw was found in ntpd making it vulnerable to Sybil attacks. An authenticated attacker could target systems configured to use a trusted key in certain configurations and to create an arbitrary number of associations and subsequently modify a victim’s clock. (CVE-2018-7170)

The ctl_getitem method in ntpd in ntp-4.2.8p6 before 4.2.8p11 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted mode 6 packet with a ntpd instance from 4.2.8p6 through 4.2.8p10. (CVE-2018-7182)

Buffer overflow in the decodearr function in ntpq in ntp 4.2.8p6 through 4.2.8p10 allows remote attackers to execute arbitrary code by leveraging an ntpq query and sending a response with a crafted array. (CVE-2018-7183)

ntpd in ntp 4.2.8p4 before 4.2.8p11 drops bad packets before updating the “received” timestamp, which allows remote attackers to cause a denial of service (disruption) by sending a packet with a zero-origin timestamp causing the association to reset and setting the contents of the packet as the most recent timestamp. This issue is a result of an incomplete fix for CVE-2015-7704. (CVE-2018-7184)

The protocol engine in ntp 4.2.6 before 4.2.8p11 allows a remote attackers to cause a denial of service (disruption) by continually sending a packet with a zero-origin timestamp and source IP address of the “other side” of an interleaved association causing the victim ntpd to reset its association. (CVE-2018-7185)

Affected Packages:

ntp

Issue Correction:
Run yum update ntp to update your system.

New Packages:

i686:  
    ntpdate-4.2.8p11-1.37.amzn1.i686  
    ntp-4.2.8p11-1.37.amzn1.i686  
    ntp-debuginfo-4.2.8p11-1.37.amzn1.i686  
  
noarch:  
    ntp-doc-4.2.8p11-1.37.amzn1.noarch  
    ntp-perl-4.2.8p11-1.37.amzn1.noarch  
  
src:  
    ntp-4.2.8p11-1.37.amzn1.src  
  
x86_64:  
    ntpdate-4.2.8p11-1.37.amzn1.x86_64  
    ntp-4.2.8p11-1.37.amzn1.x86_64  
    ntp-debuginfo-4.2.8p11-1.37.amzn1.x86_64  

Additional References

Red Hat: CVE-2013-5211, CVE-2016-1549, CVE-2018-7170, CVE-2018-7182, CVE-2018-7183, CVE-2018-7184, CVE-2018-7185

Mitre: CVE-2013-5211, CVE-2016-1549, CVE-2018-7170, CVE-2018-7182, CVE-2018-7183, CVE-2018-7184, CVE-2018-7185