CVE-2015-7974 in Ubuntu

CVE-2015-7974

Priority

Description

NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer
associations of symmetric keys when authenticating packets, which might
allow remote attackers to conduct impersonation attacks via an arbitrary
trusted key, aka a "skeleton key."

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7974
http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p6_Securit
http://www.talosintel.com/reports/TALOS-2016-0071/
https://ubuntu.com/security/notices/USN-3096-1

Bugs

http://support.ntp.org/bin/view/Main/NtpBug2936

Notes

mdeslaur

fedora has an alternate fix
http://lists.ntp.org/pipermail/hackers/2016-January/007416.html

Package

Source: ntp (LP Ubuntu Debian)

Upstream:	released (4.2.8p6)
Ubuntu 16.04 ESM:	released (1:4.2.8p4+dfsg-3ubuntu5.3)
Ubuntu 14.04 ESM:	released (1:4.2.6.p5+dfsg-3ubuntu2.14.04.10)
Ubuntu 20.04 FIPS Compliant:	not-affected (1:4.2.8p4+dfsg-3ubuntu6)

Patches:

Upstream:	https://github.com/ntp-project/ntp/commit/71a962710bfe066f76da9679cf4cfdeffe34e95e
Vendor:	http://pkgs.fedoraproject.org/cgit/rpms/ntp.git/tree/ntp-4.2.6p5-cve-2015-7974.patch

More Information

Updated: 2022-04-13 12:06:47 UTC (commit f411bd370d482ef4385c4e751d121a4055fbc009)