SB2016112210 - Fedora 25 update for ntp 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2016112210

SB2016112210 - Fedora 25 update for ntp

Published: November 22, 2016 Updated: April 24, 2025

Security Bulletin ID SB2016112210
Severity
Medium
Patch available
YES
Number of vulnerabilities 5
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Medium 80% Low 20%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 5 secuirty vulnerabilities.


1) Incorrect calcualtion (CVE-ID: CVE-2016-7433)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to improper performance of the initial sync calculations. A remote attacker can cause the service to crash via unknown vectors, related to a "root distance that did not include the peer dispersion."

2) Resource management errors (CVE-ID: CVE-2016-7426)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to rate limits responses received from the configured sources when rate limiting for all associations is enabled. A remote attacker can send responses with a spoofed source address and cause the service to crash.

3) Data handling (CVE-ID: CVE-2016-7429)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to changing the peer structure to the interface NTP receives the response from a source. A remote attacker can send a response for a source to an interface the source does not use and cause the service to crash.

4) Improper access control (CVE-ID: CVE-2016-9310)

The vulnerability allows a remote attacker to obtain potentially sensitive information and cause DoS condition on the target system.

The weakness exists in the control mode (mode 6) functionality in ntpd due to improper access control. A remote attacker can set or unset traps via a specially crafted control mode packet, gain access to potentially sensitive information and cause the service to crash.

5) NULL pointer dereference (CVE-ID: CVE-2016-9311)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in ntpd due to NULL pointer dereference when the trap service is enabled. A remote attacker can submit a specially crafted packet and cause the service to crash.

Remediation

Install update from vendor's website.

References