CVE-2016-2517

Published: 30 January 2017

NTP before 4.2.8p7 and 4.3.x before 4.3.92 allows remote attackers to cause a denial of service (prevent subsequent authentication) by leveraging knowledge of the controlkey or requestkey and sending a crafted packet to ntpd, which changes the value of trustedkey, controlkey, or requestkey. NOTE: this vulnerability exists because of a CVE-2016-2516 regression.

Priority

Negligible

CVSS 3 base score: 5.3

Status

Package: ntp (Launchpad, Ubuntu, Debian)

Release                              Status
Upstream                             Released (1:4.2.8p7+dfsg-1)
Ubuntu 16.04 ESM (Xenial Xerus)      Ignored
Ubuntu 14.04 ESM (Trusty Tahr)       Ignored

Patches:
Upstream: http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=56c78c41-oKNCUhyU5kKQCxLjnp0Fw
Upstream: http://bk1.ntp.org/ntp-stable/?PAGE=patch&REV=56c977bdf6CLtHiqg1_rd2II7E0dqA

Notes

Author: mdeslaur
Note: isn't really considered a security issue since remote user can do other equivalent configuration changes, ignoring.
