[go: up one dir, main page]
|
|
Log in / Subscribe / Register

Arch Linux alert ASA-201507-5 (ntp)



From:
    	      Levente Polyak <anthraxx@archlinux.org> 


To:
    	      arch-security@archlinux.org 


Subject:
    	      [arch-security] [ASA-201507-5] ntp: denial of service 


Date:
    	      Tue, 7 Jul 2015 02:44:18 +0200


Message-ID:
    	      <559B20E2.1010505@archlinux.org>


Arch Linux Security Advisory ASA-201507-5
=========================================

Severity: Low
Date    : 2015-07-07
CVE-ID  : CVE-2015-5146
Package : ntp
Type    : denial of service
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package ntp before version 4.2.8.p3-1 is vulnerable to denial of
service.

Resolution
==========

Upgrade to 4.2.8.p3-1.

# pacman -Syu "ntp>=4.2.8.p3-1"

The problem has been fixed upstream in version 4.2.8.p3.

Workaround
==========

Configure ntpd to not allow remote configuration (default setting).

Description
===========

Under limited and specific circumstances an attacker can send a crafted
remote-configuration packet containing a NUL-byte to cause a vulnerable
ntpd instance to crash. This requires each of the following to be true:
- ntpd set up to allow for remote configuration (not allowed by
  default)
- knowledge of the configuration password
- access to a computer entrusted to perform remote configuration

Impact
======

A remote attacker is able to send a specially crafted
remote-configuration packet that is leading to an application crash
resulting in denial of service.

References
==========

https://support.ntp.org/bin/view/Main/SecurityNotice#June...
https://access.redhat.com/security/cve/CVE-2015-5146
to post comments


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds