Problem Description:

Multiple vulnerabilities have been discovered in the NTP
suite:

The fix for Sec 3007 in ntp-4.2.8p7 contained a bug that
could cause ntpd to crash. [CVE-2016-4957, Reported by
Nicolas Edet of Cisco]

An attacker who knows the origin timestamp and can send
a spoofed packet containing a CRYPTO-NAK to an ephemeral
peer target before any other response is sent can demobilize
that association. [CVE-2016-4953, Reported by Miroslav
Lichvar of Red Hat]

An attacker who is able to spoof packets with correct
origin timestamps from enough servers before the expected
response packets arrive at the target machine can affect
some peer variables and, for example, cause a false leap
indication to be set. [CVE-2016-4954, Reported by Jakub
Prokes of Red Hat]

An attacker who is able to spoof a packet with a correct
origin timestamp before the expected response packet arrives
at the target machine can send a CRYPTO_NAK or a bad MAC
and cause the association's peer variables to be cleared.
If this can be done often enough, it will prevent that
association from working. [CVE-2016-4955, Reported by
Miroslav Lichvar of Red Hat]

The fix for NtpBug2978 does not cover broadcast associations,
so broadcast clients can be triggered to flip into interleave
mode. [CVE-2016-4956, Reported by Miroslav Lichvar of Red
Hat]

Impact:

Malicious remote attackers may be able to break time
synchronization, or cause the ntpd(8) daemon to crash.
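
Detection example (added here; not part of the advisory or of ntpd): the spoofed packets described above must reach the client before the genuine response, so one request ends up answered twice with the same origin timestamp. The sketch below flags that pattern in server-mode replies and notes whether a crypto-NAK or differing leap bits were involved. Function names, the duplicate-reply heuristic and the sample packets (documentation addresses) are assumptions made for this example.

```python
import struct
from collections import defaultdict

NTP_HEADER_LEN = 48  # fixed NTP header length (RFC 5905)
MODE_SERVER = 4

def parse_ntp(payload):
    """Parse the fields used below; return None for a truncated packet."""
    if len(payload) < NTP_HEADER_LEN:
        return None
    trailer = payload[NTP_HEADER_LEN:]
    return {
        "leap": payload[0] >> 6,
        "mode": payload[0] & 0x07,
        "origin": payload[24:32],
        # crypto-NAK: header followed only by a 4-byte key ID of zero, no digest
        "crypto_nak": trailer == b"\x00" * 4,
    }

def find_duplicate_replies(packets):
    """packets: (src_ip, udp_payload) tuples as received by the client.
    Returns one alert per (source, origin timestamp) answered more than once."""
    seen = defaultdict(list)
    for src, payload in packets:
        p = parse_ntp(payload)
        # Only server-mode replies; a zero origin matches no client request.
        if p and p["mode"] == MODE_SERVER and any(p["origin"]):
            seen[(src, p["origin"])].append(p)
    return [
        {"src": src, "origin": origin.hex(), "count": len(replies),
         "crypto_nak": any(r["crypto_nak"] for r in replies),
         "leap_values": sorted({r["leap"] for r in replies})}
        for (src, origin), replies in seen.items() if len(replies) > 1
    ]

def sample_packet(origin, leap=0, trailer=b""):
    """Constructed test packet: NTPv4, server mode, all other fields zero."""
    first = (leap << 6) | (4 << 3) | MODE_SERVER
    return bytes([first]) + bytes(23) + struct.pack("!Q", origin) + bytes(16) + trailer

# Constructed capture: 192.0.2.10 answers one request twice (crypto-NAK first).
SAMPLE = [
    ("192.0.2.10", sample_packet(0xE0A1B2C3D4E5F607, trailer=bytes(4))),
    ("192.0.2.10", sample_packet(0xE0A1B2C3D4E5F607, trailer=b"\x00\x00\x00\x01" + bytes(16))),
    ("192.0.2.11", sample_packet(0xE0A1B2C3D4E5F700)),
]

if __name__ == "__main__":
    for alert in find_duplicate_replies(SAMPLE):
        print(alert)
```

Duplicate replies can also come from ordinary network duplication, so an alert is a reason to inspect the capture, not proof of spoofing.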