CVE-2016-7433

Published: 13 January 2017

NTP before 4.2.8p9 does not properly perform the initial sync calculations, which allows remote attackers to have an unspecified impact via unknown vectors, related to a "root distance that did not include the peer dispersion."

Priority

Medium

CVSS 3 base score: 5.3

Status

Package   Release                              Status
ntp       Upstream                             Released (1:4.2.8p9+dfsg-1, ntp-4.2.8p9)
(Launchpad, Ubuntu, Debian)
ntp       Ubuntu 16.04 LTS (Xenial Xerus)      Released (1:4.2.8p4+dfsg-3ubuntu5.5)
ntp       Ubuntu 14.04 ESM (Trusty Tahr)       Not vulnerable
ntp       Ubuntu 12.04 ESM (Precise Pangolin)  Not vulnerable

Patches:
Vendor: https://git.centos.org/blob/rpms!ntp.git/4eb1db127a6177011bd913bf4f446e8f701179d6/SOURCES!ntp-4.2.6p5-cve-2016-7433.patch

Notes

Author    Note
mdeslaur  ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and ntp-4.3.0 up to, but not including, ntp-4.3.94. But the root-distance calculation in general is incorrect in all versions of ntp-4 until this release.
leosilva  For precise it's not needed, since this issue seems to be caused by some regression and precise hasn't had the affected code changed.
mdeslaur  trusty isn't vulnerable either
