CVE-2016-1549

Impact:
Low
Public Date:
2016-04-26
Bugzilla:
1331463: CVE-2016-1549 ntp: ephemeral association time spoofing

The MITRE CVE dictionary describes this issue as:

A malicious authenticated peer can create arbitrarily-many ephemeral associations in order to win the clock selection algorithm in ntpd in NTP 4.2.8p4 and earlier and NTPsec 3e160db8dc248a0bcb053b56a80167dc742d2b74 and a5fb34b9cc89b92a8fef2f459004865c93bb7f92 and modify a victim's clock.

Find out more about CVE-2016-1549 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

Red Hat Product Security has rated this issue as having Low security impact: to exploit this issue, an attacker must have access to a trustedkey if one is configured in the /etc/ntp.key file. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.

Base Score 3.5
Base Metrics AV:N/AC:M/Au:S/C:N/I:P/A:N
Access Vector Network
Access Complexity Medium
Authentication Single
Confidentiality Impact None
Integrity Impact Partial
Availability Impact None

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Affected Packages State

Platform Package State
Red Hat Enterprise Linux 7 ntp Will not fix
Red Hat Enterprise Linux 6 ntp Will not fix
Red Hat Enterprise Linux 5 ntp Will not fix

Mitigation

Assure only trusted hosts have access to the trustedkey.

External References

Last Modified

CVE description copyright © 2017, The MITRE Corporation

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.