Bugzilla – Bug 936690
VUL-1: CVE-2015-5146: ntp,xntp: ntpd control message crash: Crafted NUL-byte in configuration directive. VU#668167
Last modified: 2016-11-22 17:20:30 UTC
http://support.ntp.org/bin/view/Main/SecurityNotice#June_2015_NTP_Security_Vulnerabi

ntpd control message crash: Crafted NUL-byte in configuration directive.

Date Resolved: Stable (4.2.8p3) 29 Jun 2015
References: Sec 2853 / CVE-2015-5146 / VU#668167 / CERT-FI Case 829967
Affects: 4.2.5p3 up to, but not including 4.2.8p3-RC1, and 4.3.0 up to, but not including 4.3.25
CVSS: (AV:A/AC:M/Au:S/C:P/I:P/A:P) Base Score: 4.9 at likely worst, 1.4 or less at likely best

Summary: Under limited and specific circumstances an attacker can send a crafted packet to cause a vulnerable ntpd instance to crash. This requires each of the following to be true:
- ntpd set up to allow for remote configuration (not allowed by default), and
- knowledge of the configuration password, and
- access to a computer entrusted to perform remote configuration.

Mitigation:
- Upgrade to 4.2.8p3-RC1 or 4.3.25, or later, from the NTP Project Download Page or the NTP Public Services Project Download Page.
- Be prudent when deciding what IP addresses can perform remote configuration of an ntpd instance.
- Monitor your ntpd instances.

Credit: This weakness was discovered by Aleksis Kauppinen of Codenomicon.
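The precondition in the notice above (remote configuration enabled) and its mitigation (limiting which addresses may perform it) can be checked against an ntp.conf. This is an added example, not code from the bug report or the NTP project; it assumes stock ntpd semantics for controlkey/requestkey and restrict flags, and runs on a constructed sample configuration.

```python
# Added example (not the bug report's or the NTP project's code): check an
# ntp.conf for the remote-configuration precondition named in the notice.
# Assumes stock ntpd semantics: 'controlkey'/'requestkey' enable authenticated
# runtime configuration; a 'restrict' entry lacking 'nomodify' (or 'noquery'/
# 'ignore') lets the matching source send modification requests.
RESTRICT_FLAGS = {"flake", "ignore", "kod", "limited", "lowpriotrap", "mssntp",
                  "nomodify", "nopeer", "noquery", "noserve", "notrap",
                  "notrust", "ntpport", "version"}
DENY_MODIFY = {"nomodify", "noquery", "ignore"}

SAMPLE_CONF = """\
controlkey 1
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
restrict 198.51.100.7    # management host allowed to reconfigure
server 0.pool.ntp.org iburst
"""  # constructed sample, not taken from the page


def parse_restrict(line):
    """Split a 'restrict' line into (address spec, flag set); None if not one."""
    tokens = line.split("#", 1)[0].split()
    if len(tokens) < 2 or tokens[0] != "restrict":
        return None
    addr, flags = [], set()
    for tok in tokens[1:]:
        if tok in RESTRICT_FLAGS:
            flags.add(tok)
        elif not flags:  # address spec: 'default', a host, 'a.b.c.d mask m.m.m.m'
            addr.append(tok)
    return " ".join(addr), flags


def audit(conf_text):
    """Return (runtime config enabled, sources allowed to send modifications)."""
    enabled, sources, saw_restrict = False, [], False
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens and tokens[0] in ("controlkey", "requestkey"):
            enabled = True
        parsed = parse_restrict(raw)
        if parsed:
            saw_restrict = True
            if not parsed[1] & DENY_MODIFY:
                sources.append(parsed[0])
    if not saw_restrict:  # with no restrict lines ntpd restricts nothing
        sources.append("default (no restrict lines)")
    return enabled, sources
```

A host listed in the second element of the result with `enabled` true is one the notice's "entrusted to perform remote configuration" condition applies to; a list containing only loopback addresses is the expected shape for a host that is not remotely configurable.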
CERT VU#668167
"This bug affects ntpd-4.2.5p3 until 4.2.8p3, or 4.3.0 until 4.3.25."

SLE 11 SP3 and earlier: not affected
SLE 11 SP4: affected
SLE 12: affected
openSUSE 13.1: affected
openSUSE 13.2: affected
bugbot adjusting priority
An update workflow for this issue was started. This issue was rated as "low". Please submit fixed packages until "Jan. 14, 2016". When done, reassign the bug to "security-team@suse.de". /update/121227/.
Fix contained in the 4.2.8p6/p7 update.
released