CVE-2016-7433

Published: 13 January 2017

NTP before 4.2.8p9 does not properly perform the initial sync calculations, which allows remote attackers to unspecified impact via unknown vectors, related to a "root distance that did not include the peer dispersion."

Priority

Medium

CVSS 3 base score: 5.3

Status

Package Release Status
ntp
Launchpad, Ubuntu, Debian
Upstream
Released (1:4.2.8p9+dfsg-1, ntp-4.2.8p9)
Ubuntu 16.04 ESM (Xenial Xerus)
Released (1:4.2.8p4+dfsg-3ubuntu5.5)
Ubuntu 14.04 ESM (Trusty Tahr) Not vulnerable

Patches:
Vendor: https://git.centos.org/blob/rpms!ntp.git/4eb1db127a6177011bd913bf4f446e8f701179d6/SOURCES!ntp-4.2.6p5-cve-2016-7433.patch

Notes

AuthorNote
mdeslaur
ntp-4.2.7p385, up to but not including ntp-4.2.8p9, and
ntp-4.3.0 up to, but not including ntp-4.3.94. But the
root-distance calculation in general is incorrect in all
versions of ntp-4 until this release.
leosilva
for precise it's not needed since this issue seems to
be caused by some regression and precise hasn't the
code affect changed.
mdeslaur
trusty isn't vulnerable either

References

Bugs