USN-3707-2: NTP vulnerabilities

23 January 2019

Several security issues were fixed in NTP.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

  • ntp - Network Time Protocol daemon and utility programs

Details

USN-3707-1 and USN-3349-1 fixed several vulnerabilities in NTP. This update
provides the corresponding update for Ubuntu 12.04 ESM.

Original advisory details:

Miroslav Lichvar discovered that NTP incorrectly handled certain spoofed
addresses when performing rate limiting. A remote attacker could possibly
use this issue to perform a denial of service. (CVE-2016-7426)

Matthew Van Gundy discovered that NTP incorrectly handled certain crafted
broadcast mode packets. A remote attacker could possibly use this issue to
perform a denial of service. (CVE-2016-7427, CVE-2016-7428)

Matthew Van Gundy discovered that NTP incorrectly handled certain control
mode packets. A remote attacker could use this issue to set or unset traps.
(CVE-2016-9310)

Matthew Van Gundy discovered that NTP incorrectly handled the trap service.
A remote attacker could possibly use this issue to cause NTP to crash, resulting
in a denial of service. (CVE-2016-9311)

It was discovered that the NTP legacy DPTS refclock driver incorrectly handled
the /dev/datum device. A local attacker could possibly use this issue to cause
a denial of service. (CVE-2017-6462)

It was discovered that NTP incorrectly handled certain invalid settings in a
:config directive. A remote authenticated user could possibly use this issue
to cause NTP to crash, resulting in a denial of service. (CVE-2017-6463)

Michael Macnair discovered that NTP incorrectly handled certain responses.
A remote attacker could possibly use this issue to execute arbitrary code.
(CVE-2018-7183)

Miroslav Lichvar discovered that NTP incorrectly handled certain
zero-origin timestamps. A remote attacker could possibly use this issue to
cause a denial of service. (CVE-2018-7185)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 12.04

In general, a standard system update will make all the necessary changes.

Related notices