October 2015 NTP Security Vulnerability Announcement

Solution Verified - Updated -


  • Red Hat Enterprise Linux
  • ntp-4.2.6p5


  • NTP Vulnerability Announcement October 21st 2015
Red Hat Security Bugzillas Rated Important

    Bug 1274265 - CVE-2015-7871 - ntp: crypto-NAK symmetric association authentication bypass vulnerability
    Bug 1271070 - (CVE-2015-7704) CVE-2015-7704 - ntp: disabling synchronization via crafted KoD packet

Red Hat Security Bugzillas Rated Moderate

    Bug 1274263 - (CVE-2015-7854) CVE-2015-7854 ntp: password length memory corruption vulnerability
    Bug 1274262 - (CVE-2015-7853) CVE-2015-7853 ntp: reference clock memory corruption vulnerability
    Bug 1274261 - (CVE-2015-7852) CVE-2015-7852 ntp: ntpq atoascii memory corruption vulnerability
    Bug 1274260 - (CVE-2015-7851) CVE-2015-7851 ntp: saveconfig directory traversal vulnerability
    Bug 1274257 - (CVE-2015-7849) CVE-2015-7849 ntp: trusted keys memory corruption vulnerability
    Bug 1274256 - (CVE-2015-7848) CVE-2015-7848 ntp: multiple integer overflow read access violations
    Bug 1274255 - (CVE-2015-7701) CVE-2015-7701 ntp: unspecified slow memory leak in CRYPTO_ASSOC
    Bug 1274184 - (CVE-2015-7705) CVE-2015-7705 ntp: denial of service by trigerring rate limiting on NTP server
    Bug 1274254 - (CVE-2015-7691, CVE-2015-7692, CVE-2015-7702) CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 ntp: incomplete checks in ntp_crypto.c

Red Hat Security Bugzillas Rated Low

    Bug 1274264 - (CVE-2015-7855) CVE-2015-7855 ntp: ASSERT in decodenetnum() on invalid values
    Bug 1274258 - (CVE-2015-7850) CVE-2015-7850 ntp: remote configuration denial of service vulnerability
    Bug 1254547 - (CVE-2015-7703) CVE-2015-7703 ntp: config command can be used to set the pidfile and drift file paths


Red Hat Enterprise Linux are affected by these CVEs.
This issue is addressed in the following updates:

CVE Bugzilla Affected OS Impact Errata Remarks
CVE-2015-7704 Bug 1271070 RHEL7,RHEL6 Important RHSA-2015-1930 ntp-4.2.6p5-5.el6_7.2/ntp-4.2.6p5-19.el7_1.3
CVE-2015-7871 Bug 1274265 Not Affected Important - -
CVE-2015-7854 Bug 1274263 Not Affected Moderate - -
CVE-2015-7853 Bug 1274262 Not Affected Moderate - -
CVE-2015-7852 Bug 1274261 RHEL7,RHEL6,RHEL5 Moderate RHSA-2016:0780 ntp-4.2.6p5-10.el6
CVE-2015-7851 Bug 1274260 Not Affected Moderate - -
CVE-2015-7849 Bug 1274257 Not Affected Moderate - -
CVE-2015-7848 Bug 1274256 Not Affected Moderate - -
CVE-2015-7701 Bug 1274255 RHEL7,RHEL6,RHEL5 Moderate RHSA-2016:0780 ntp-4.2.6p5-10.el6
CVE-2015-7705 Bug 1274184 RHEL7,RHEL6,RHEL5 Moderate Will not fix Mitigation
CVE-2015-7691 Bug 1274254 RHEL7,RHEL6,RHEL5 Moderate RHSA-2016:0780 ntp-4.2.6p5-10.el6
CVE-2015-7692 Bug 1274254 RHEL7,RHEL6,RHEL5 Moderate RHSA-2016:0780 ntp-4.2.6p5-10.el6
CVE-2015-7702 Bug 1274254 RHEL7,RHEL6,RHEL5 Moderate RHSA-2016:0780 ntp-4.2.6p5-10.el6
CVE-2015-7855 Bug 1274264 Not Affected Low - -
CVE-2015-7850 Bug 1274258 RHEL7,RHEL6,RHEL5 Low Will not fix Limited
CVE-2015-7703 Bug 1254547 RHEL6 Low RHSA-2016:0780 ntp-4.2.6p5-10.el6

CVE-2015-7705 : Do not add the "limited" configuration option to any restrict lines in the ntp.conf file.

CVE-2015-7850 : The issue relies on the fact that an attacker could provide a crafted config file that could cause ntpd loop infinitely. Fixing this one case does not prevent the attacker from pointing ntpd to the e.g. /dev/zero file, which would have the same effect. This issue is limited to users who are able to use the :config command.

Root Cause

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.


Parts of these CVEs like CVE-2015-7691, just addressed in Red Hat Enterprise Linux 6. Why Red Hat Enterprise Linux 7 was still in affected state?