Number: AV16-091
Date: 3 June 2016
Purpose
The purpose of this advisory is to bring attention to a Security Notice for Network Time Protocol Daemon (ntpd).
Assessment
CCIRC is aware of vulnerabilities (1 high, 4 low) in the Network Time Protocol Daemon (ntpd) which, if exploited, could allow a remote unauthenticated attacker to cause a denial-of-service condition in ntpd.
Affected versions: ntpd versions prior to 4.2.8p8
CVE References: CVE-2016-4953, CVE-2016-4954, CVE-2016-4955, CVE-2016-4956, CVE-2016-4957
Suggested Action
CCIRC recommends that system administrators identify their affected assets and potential interdependencies with their organization’s critical services, and follow their patch management process accordingly or consider applying the workarounds.
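As an aid to identifying affected assets, the following added example (not part of the original advisory or of the NTP project) classifies collected ntpd version strings against the 4.2.8p8 bound stated above. The host names, the sample version strings and the "-RC" pre-release suffix handling are assumptions made for illustration.

```python
import re

# Bound taken from the advisory: ntpd versions prior to 4.2.8p8 are affected.
FIXED = (4, 2, 8, 8)

# Release number as it appears in strings like "ntpd 4.2.8p7@1.3265-o".
# The optional "-RC<n>" pre-release suffix is an assumption about the format.
VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:p(\d+))?(-RC\d*)?", re.I)


def parse_version(text):
    """Return ((major, minor, patch, point), is_prerelease), or None."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    # A missing "pN" part is treated as point release 0.
    nums = tuple(int(g) if g else 0 for g in m.group(1, 2, 3, 4))
    return nums, m.group(5) is not None


def classify(text):
    """Return 'affected', 'not affected' or 'unknown' for one version string."""
    parsed = parse_version(text)
    if parsed is None:
        return "unknown"  # never report an unparsed host as safe
    nums, prerelease = parsed
    # A release candidate of the fixed version still predates the fixed release.
    if nums < FIXED or (nums == FIXED and prerelease):
        return "affected"
    return "not affected"


# Constructed inventory: host name -> version string collected from that host.
INVENTORY = {
    "ntp-a": "ntpd 4.2.6p5@1.2349-o",
    "ntp-b": "ntpd 4.2.8p7@1.3265-o",
    "ntp-c": "ntpd 4.2.8p8@1.3265-o",
    "ntp-d": "ntpd 4.2.8@1.3265-o",
    "ntp-e": "4.2.8p8-RC1",
    "ntp-f": "chronyd (no ntpd installed)",
}


def report(inventory):
    """Map every host to its classification."""
    return {host: classify(version) for host, version in inventory.items()}


if __name__ == "__main__":
    for host, status in sorted(report(INVENTORY).items()):
        print(f"{host}: {status}")
```

Operating system packages that backport fixes may keep an older upstream version string, so a host reported as affected should be confirmed against the package vendor's own advisory.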
References:
NTP Security Notice - June 2016 ntp-4.2.8p8 NTP:
http://support.ntp.org/bin/view/Main/SecurityNotice
CERT/CC Vulnerability Note 321640:
https://www.kb.cert.org/vuls/id/321640