CVE-2015-7703
It was found that NTP's :config command could be used to set the pidfile and driftfile paths without any restrictions. A remote attacker could use this flaw to overwrite a file on the file system with a file containing the pid of the ntpd process (immediately) or the current estimated drift of the system clock (in hourly intervals).
Find out more about CVE-2015-7703 from the MITRE CVE dictionary dictionary and NIST NVD.
CVSS v2 metrics
| Base Score | 4 |
|---|---|
| Base Metrics | AV:N/AC:L/Au:S/C:N/I:P/A:N |
| Access Vector | Network |
| Access Complexity | Low |
| Authentication | Single |
| Confidentiality Impact | None |
| Integrity Impact | Partial |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 6 (ntp) | RHSA-2016:0780 | 2016-05-10 |
| Red Hat Enterprise Linux 7 (ntp) | RHSA-2016:2583 | 2016-11-03 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 5 | ntp | Will not fix |
Acknowledgements
This issue was discovered by Miroslav Lichvár of Red Hat.Mitigation
Disable remote runtime configuration with ntpq or ntpdc. In the default NTP configuration on Red Hat Enterprise Linux, runtime configuration with ntpq or ntpdc is limited to localhost.