CVE-2015-1798

Publication date 8 April 2015

Last updated 24 July 2024

Ubuntu priority

The symmetric-key feature in the receive function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p2 requires a correct MAC only if the MAC field has a nonzero length, which makes it easier for man-in-the-middle attackers to spoof packets by omitting the MAC.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
ntp	14.10 utopic	Fixed 1:4.2.6.p5+dfsg-3ubuntu2.14.10.3
	14.04 LTS trusty	Fixed 1:4.2.6.p5+dfsg-3ubuntu2.14.04.3
	12.04 LTS precise	Fixed 1:4.2.6.p3+dfsg-1ubuntu3.4
	10.04 LTS lucid	Not affected

How can I get the fixes?
What do statuses mean?
Patch details

Notes

mdeslaur

4.2.5p99+ only

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
ntp	Upstream: http://bk.ntp.org/ntp-stable/?PAGE=patch&REV=550a80b0iGyIv4t9J1GJ_74V_eEx4A

References

MITRE
NVD
Launchpad
Debian

Related Ubuntu Security Notices (USN)

USN-2567-1
NTP vulnerabilities
13 April 2015

Other references

http://support.ntp.org/bin/view/Main/SecurityNotice#Recent_Vulnerabilities
https://www.cve.org/CVERecord?id=CVE-2015-1798