Amazon Linux AMI update for ntp

Published: 2017-01-04

Risk	Medium
Patch available	YES
Number of vulnerabilities	5
CVE-ID	CVE-2016-7429 CVE-2016-7426 CVE-2016-9311 CVE-2016-7433 CVE-2016-9310
CWE-ID	CWE-19 CWE-399 CWE-476 CWE-682 CWE-284
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	Amazon Linux AMI Operating systems & Components / Operating system
Vendor	Amazon Web Services

Security Bulletin

This security bulletin contains information about 5 vulnerabilities.

1) Data handling

EUVDB-ID: #VU12302

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2016-7429

CWE-ID: CWE-19 - Data Handling

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to changing the peer structure to the interface NTP receives the response from a source. A remote attacker can send a response for a source to an interface the source does not use and cause the service to crash.

Mitigation

Update the affected packages.

i686:
    ntpdate-4.2.6p5-43.33.amzn1.i686
    ntp-4.2.6p5-43.33.amzn1.i686
    ntp-debuginfo-4.2.6p5-43.33.amzn1.i686

noarch:
    ntp-perl-4.2.6p5-43.33.amzn1.noarch
    ntp-doc-4.2.6p5-43.33.amzn1.noarch

src:
    ntp-4.2.6p5-43.33.amzn1.src

x86_64:
    ntp-4.2.6p5-43.33.amzn1.x86_64
    ntp-debuginfo-4.2.6p5-43.33.amzn1.x86_64
    ntpdate-4.2.6p5-43.33.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2017-781.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Resource management errors

EUVDB-ID: #VU12303

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2016-7426

CWE-ID: CWE-399 - Resource Management Errors

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to rate limits responses received from the configured sources when rate limiting for all associations is enabled. A remote attacker can send responses with a spoofed source address and cause the service to crash.

Mitigation

Update the affected packages.

i686:
    ntpdate-4.2.6p5-43.33.amzn1.i686
    ntp-4.2.6p5-43.33.amzn1.i686
    ntp-debuginfo-4.2.6p5-43.33.amzn1.i686

noarch:
    ntp-perl-4.2.6p5-43.33.amzn1.noarch
    ntp-doc-4.2.6p5-43.33.amzn1.noarch

src:
    ntp-4.2.6p5-43.33.amzn1.src

x86_64:
    ntp-4.2.6p5-43.33.amzn1.x86_64
    ntp-debuginfo-4.2.6p5-43.33.amzn1.x86_64
    ntpdate-4.2.6p5-43.33.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2017-781.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) NULL pointer dereference

EUVDB-ID: #VU12306

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2016-9311

CWE-ID: CWE-476 - NULL Pointer Dereference

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in ntpd due to NULL pointer dereference when the trap service is enabled. A remote attacker can submit a specially crafted packet and cause the service to crash.

Mitigation

Update the affected packages.

i686:
    ntpdate-4.2.6p5-43.33.amzn1.i686
    ntp-4.2.6p5-43.33.amzn1.i686
    ntp-debuginfo-4.2.6p5-43.33.amzn1.i686

noarch:
    ntp-perl-4.2.6p5-43.33.amzn1.noarch
    ntp-doc-4.2.6p5-43.33.amzn1.noarch

src:
    ntp-4.2.6p5-43.33.amzn1.src

x86_64:
    ntp-4.2.6p5-43.33.amzn1.x86_64
    ntp-debuginfo-4.2.6p5-43.33.amzn1.x86_64
    ntpdate-4.2.6p5-43.33.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2017-781.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Incorrect calcualtion

EUVDB-ID: #VU12304

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2016-7433

CWE-ID: CWE-682 - Incorrect Calculation

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to improper performance of the initial sync calculations. A remote attacker can cause the service to crash via unknown vectors, related to a "root distance that did not include the peer dispersion."

Mitigation

Update the affected packages.

i686:
    ntpdate-4.2.6p5-43.33.amzn1.i686
    ntp-4.2.6p5-43.33.amzn1.i686
    ntp-debuginfo-4.2.6p5-43.33.amzn1.i686

noarch:
    ntp-perl-4.2.6p5-43.33.amzn1.noarch
    ntp-doc-4.2.6p5-43.33.amzn1.noarch

src:
    ntp-4.2.6p5-43.33.amzn1.src

x86_64:
    ntp-4.2.6p5-43.33.amzn1.x86_64
    ntp-debuginfo-4.2.6p5-43.33.amzn1.x86_64
    ntpdate-4.2.6p5-43.33.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2017-781.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Improper access control

EUVDB-ID: #VU12305

Risk: Low

CVSSv4.0: 6.8 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2016-9310

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information and cause DoS condition on the target system.

The weakness exists in the control mode (mode 6) functionality in ntpd due to improper access control. A remote attacker can set or unset traps via a specially crafted control mode packet, gain access to potentially sensitive information and cause the service to crash.

Mitigation

Update the affected packages.

i686:
    ntpdate-4.2.6p5-43.33.amzn1.i686
    ntp-4.2.6p5-43.33.amzn1.i686
    ntp-debuginfo-4.2.6p5-43.33.amzn1.i686

noarch:
    ntp-perl-4.2.6p5-43.33.amzn1.noarch
    ntp-doc-4.2.6p5-43.33.amzn1.noarch

src:
    ntp-4.2.6p5-43.33.amzn1.src

x86_64:
    ntp-4.2.6p5-43.33.amzn1.x86_64
    ntp-debuginfo-4.2.6p5-43.33.amzn1.x86_64
    ntpdate-4.2.6p5-43.33.amzn1.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

CPE2.3

cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*

External links

https://alas.aws.amazon.com/ALAS-2017-781.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.