{"id":"USN-2783-1","summary":"ntp vulnerabilities","details":"Aleksis Kauppinen discovered that NTP incorrectly handled certain remote\nconfig packets. In a non-default configuration, a remote authenticated\nattacker could possibly use this issue to cause NTP to crash, resulting in\na denial of service. (CVE-2015-5146)\n\nMiroslav Lichvar discovered that NTP incorrectly handled logconfig\ndirectives. In a non-default configuration, a remote authenticated attacker\ncould possibly use this issue to cause NTP to crash, resulting in a denial\nof service. (CVE-2015-5194)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain statistics\ntypes. In a non-default configuration, a remote authenticated attacker\ncould possibly use this issue to cause NTP to crash, resulting in a denial\nof service. (CVE-2015-5195)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain file\npaths. In a non-default configuration, a remote authenticated attacker\ncould possibly use this issue to cause NTP to crash, resulting in a denial\nof service, or overwrite certain files. (CVE-2015-5196, CVE-2015-7703)\n\nMiroslav Lichvar discovered that NTP incorrectly handled certain packets.\nA remote attacker could possibly use this issue to cause NTP to hang,\nresulting in a denial of service. (CVE-2015-5219)\n\nAanchal Malhotra, Isaac E. Cohen, and Sharon Goldberg discovered that NTP\nincorrectly handled restarting after hitting a panic threshold. A remote\nattacker could possibly use this issue to alter the system time on clients.\n(CVE-2015-5300)\n\nIt was discovered that NTP incorrectly handled autokey data packets. A\nremote attacker could possibly use this issue to cause NTP to crash,\nresulting in a denial of service, or possibly execute arbitrary code.\n(CVE-2015-7691, CVE-2015-7692, CVE-2015-7702)\n\nIt was discovered that NTP incorrectly handled memory when processing\ncertain autokey messages. A remote attacker could possibly use this issue\nto cause NTP to consume memory, resulting in a denial of service.\n(CVE-2015-7701)\n\nAanchal Malhotra, Isaac E. Cohen, and Sharon Goldberg discovered that NTP\nincorrectly handled rate limiting. A remote attacker could possibly use\nthis issue to cause clients to stop updating their clock. (CVE-2015-7704,\nCVE-2015-7705)\n\nYves Younan discovered that NTP incorrectly handled logfile and keyfile\ndirectives. In a non-default configuration, a remote authenticated attacker\ncould possibly use this issue to cause NTP to enter a loop, resulting in a\ndenial of service. (CVE-2015-7850)\n\nYves Younan and Aleksander Nikolich discovered that NTP incorrectly handled\nascii conversion. A remote attacker could possibly use this issue to cause\nNTP to crash, resulting in a denial of service, or possibly execute\narbitrary code. (CVE-2015-7852)\n\nYves Younan discovered that NTP incorrectly handled reference clock memory.\nA malicious refclock could possibly use this issue to cause NTP to crash,\nresulting in a denial of service, or possibly execute arbitrary code.\n(CVE-2015-7853)\n\nJohn D \"Doug\" Birdwell discovered that NTP incorrectly handled decoding\ncertain bogus values. An attacker could possibly use this issue to cause\nNTP to crash, resulting in a denial of service. (CVE-2015-7855)\n\nStephen Gray discovered that NTP incorrectly handled symmetric association\nauthentication. A remote attacker could use this issue to possibly bypass\nauthentication and alter the system clock. (CVE-2015-7871)\n\nIn the default installation, attackers would be isolated by the NTP\nAppArmor profile.\n","modified":"2026-02-10T04:40:56Z","published":"2015-10-27T17:02:35Z","related":["UBUNTU-CVE-2015-5146","UBUNTU-CVE-2015-5194","UBUNTU-CVE-2015-5195","UBUNTU-CVE-2015-5196","UBUNTU-CVE-2015-5219","UBUNTU-CVE-2015-5300","UBUNTU-CVE-2015-7691","UBUNTU-CVE-2015-7692","UBUNTU-CVE-2015-7701","UBUNTU-CVE-2015-7702","UBUNTU-CVE-2015-7703","UBUNTU-CVE-2015-7704","UBUNTU-CVE-2015-7705","UBUNTU-CVE-2015-7850","UBUNTU-CVE-2015-7852","UBUNTU-CVE-2015-7853","UBUNTU-CVE-2015-7855","UBUNTU-CVE-2015-7871"],"upstream":["CVE-2015-5146","CVE-2015-5194","CVE-2015-5195","CVE-2015-5196","CVE-2015-5219","CVE-2015-5300","CVE-2015-7691","CVE-2015-7692","CVE-2015-7701","CVE-2015-7702","CVE-2015-7703","CVE-2015-7704","CVE-2015-7705","CVE-2015-7850","CVE-2015-7852","CVE-2015-7853","CVE-2015-7855","CVE-2015-7871","UBUNTU-CVE-2015-5146","UBUNTU-CVE-2015-5194","UBUNTU-CVE-2015-5195","UBUNTU-CVE-2015-5196","UBUNTU-CVE-2015-5219","UBUNTU-CVE-2015-5300","UBUNTU-CVE-2015-7691","UBUNTU-CVE-2015-7692","UBUNTU-CVE-2015-7701","UBUNTU-CVE-2015-7702","UBUNTU-CVE-2015-7703","UBUNTU-CVE-2015-7704","UBUNTU-CVE-2015-7705","UBUNTU-CVE-2015-7850","UBUNTU-CVE-2015-7852","UBUNTU-CVE-2015-7853","UBUNTU-CVE-2015-7855","UBUNTU-CVE-2015-7871"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-2783-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-5146"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-5194"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-5195"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-5196"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-5219"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-5300"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-7691"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-7692"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-7701"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-7702"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-7703"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-7704"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-7705"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-7850"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-7852"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-7853"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-7855"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2015-7871"}],"affected":[{"package":{"name":"ntp","ecosystem":"Ubuntu:14.04:LTS","purl":"pkg:deb/ubuntu/ntp@1:4.2.6.p5+dfsg-3ubuntu2.14.04.5?arch=source&distro=trusty"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1:4.2.6.p5+dfsg-3ubuntu2.14.04.5"}]}],"versions":["1:4.2.6.p5+dfsg-3ubuntu2","1:4.2.6.p5+dfsg-3ubuntu2.14.04.1","1:4.2.6.p5+dfsg-3ubuntu2.14.04.2","1:4.2.6.p5+dfsg-3ubuntu2.14.04.3"],"ecosystem_specific":{"binaries":[{"binary_name":"ntp","binary_version":"1:4.2.6.p5+dfsg-3ubuntu2.14.04.5"},{"binary_name":"ntpdate","binary_version":"1:4.2.6.p5+dfsg-3ubuntu2.14.04.5"}],"availability":"No subscription required"},"database_specific":{"cves_map":{"cves":[{"id":"CVE-2015-5146","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2015-5194","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"negligible"}]},{"id":"CVE-2015-5195","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"negligible"}]},{"id":"CVE-2015-5196","severity":[{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2015-5219","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"low"}]},{"id":"CVE-2015-5300","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-7691","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-7692","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-7701","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-7702","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-7703","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-7704","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-7705","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-7850","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-7852","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-7853","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-7855","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}]},{"id":"CVE-2015-7871","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}]}],"ecosystem":"Ubuntu:14.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-2783-1.json"}}],"schema_version":"1.7.3"}