CVE-2015-5300
First published: Tue Oct 13 2015(Updated: )
It was found that ntpd did not correctly implement the -g option: -g Normally, ntpd exits with a message to the system log if the offset exceeds the panic threshold, which is 1000 s by default. This option allows the time to be set to any value without restriction; however, this can happen only once. If the thresh‐ old is exceeded after that, ntpd will exit with a message to the system log. This option can be used with the -q and -x options. See the tinker command for other options. ntpd could actually step the clock multiple times by more than the panic threshold if its clock discipline doesn't have enough time to reach the sync state and stay there for at least one update. If a man-in-the-middle attacker can control the NTP traffic since ntpd was started (or maybe up to 15-30 minutes after that), they can prevent the client from reaching the sync state and force it to step its clock by any amount any number of times, which can be used by attackers to expire certificates, etc. This is contrary to what the documentation says. Normally, the assumption is that an MITM attacker can step the clock more than the panic threshold only once when ntpd starts and to make a larger adjustment the attacker has to divide it into multiple smaller steps, each taking 15 minutes, which is slow.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/ntp | <4.2.8 | 4.2.8 |
| Red Hat Fedora | =21 | |
| Red Hat Fedora | =22 | |
| SUSE Linux Enterprise Debuginfo | =11-sp2 | |
| SUSE Linux Enterprise Debuginfo | =11-sp3 | |
| SUSE Linux Enterprise Debuginfo | =11-sp4 | |
| SUSE Linux | =42.1 | |
| openSUSE | =13.2 | |
| SUSE Linux Enterprise Desktop | =12 | |
| SUSE Linux Enterprise Desktop | =12-sp1 | |
| SUSE Linux Enterprise Server | =10-sp4 | |
| SUSE Linux Enterprise Server | =11-sp2 | |
| SUSE Linux Enterprise Server | =11-sp3 | |
| SUSE Linux Enterprise Server | =11-sp4 | |
| SUSE Linux Enterprise Server | =12-sp1 | |
| SUSE Linux Enterprise Software Development Kit | =12 | |
| SUSE Linux Enterprise Software Development Kit | =12-sp1 | |
| SUSE Manager Server | =2.1 | |
| SUSE Manager Proxy | =2.1 | |
| openSUSE OpenStack Cloud | =5 | |
| SUSE Linux Enterprise Server | =12 | |
| Red Hat Enterprise Linux Desktop | =6.0 | |
| Red Hat Enterprise Linux Desktop | =7.0 | |
| Red Hat Enterprise Linux HPC Node | =6.0 | |
| Red Hat Enterprise Linux HPC Node | =7.0 | |
| Red Hat Enterprise Linux HPC Node | =7.1 | |
| Red Hat Enterprise Linux Server | =6.0 | |
| Red Hat Enterprise Linux Server | =7.0 | |
| Red Hat Enterprise Linux Server | =6.7.z | |
| Red Hat Enterprise Linux Server | =7.1 | |
| Red Hat Enterprise Linux Workstation | =6.0 | |
| Red Hat Enterprise Linux Workstation | =7.0 | |
| Debian Linux | =7.0 | |
| Debian Linux | =8.0 | |
| Ubuntu | =12.04 | |
| Ubuntu | =14.04 | |
| Ubuntu | =15.04 | |
| Ubuntu | =15.10 | |
| NTP | <=4.2.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1082271&action=diff
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1082271&action=edit
- https://access.redhat.com/security/cve/CVE-2015-5300
- https://www.cs.bu.edu/~goldbe/NTPattack.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1274166
- https://rhn.redhat.com/errata/RHSA-2015-1930.html
- https://access.redhat.com/support/policy/updates/errata/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1271076#c17
- http://support.ntp.org/bin/view/Main/SecurityNotice#October_2015_NTP_Security_Vulner
- https://bugzilla.redhat.com/show_bug.cgi?id=1271076
- http://aix.software.ibm.com/aix/efixes/security/ntp_advisory5.asc
- http://lists.fedoraproject.org/pipermail/package-announce/2015-November/170684.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-November/170926.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177507.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00059.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00060.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00020.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00038.html
- http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00048.html
- http://lists.opensuse.org/opensuse-security-announce/2016-07/msg00026.html
- http://lists.opensuse.org/opensuse-security-announce/2016-08/msg00042.html
- http://lists.opensuse.org/opensuse-updates/2016-05/msg00114.html
- http://rhn.redhat.com/errata/RHSA-2015-1930.html
- http://seclists.org/bugtraq/2016/Feb/164
- http://support.ntp.org/bin/view/Main/NtpBug2956
- http://support.ntp.org/bin/view/Main/SecurityNotice#January_2016_NTP_4_2_8p5_Securit
- http://www.debian.org/security/2015/dsa-3388
- http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
- http://www.securityfocus.com/bid/77312
- http://www.securitytracker.com/id/1034670
- http://www.ubuntu.com/usn/USN-2783-1
- https://bto.bluecoat.com/security-advisory/sa113
- https://ics-cert.us-cert.gov/advisories/ICSA-15-356-01
- https://security.netapp.com/advisory/ntap-20171004-0001/
- https://support.citrix.com/article/CTX220112
- https://www-01.ibm.com/support/docview.wss?uid=isg3T1023885
- https://www-01.ibm.com/support/docview.wss?uid=isg3T1024073
- https://www-01.ibm.com/support/docview.wss?uid=nas8N1021264
- https://www-01.ibm.com/support/docview.wss?uid=ssg1S1005821
- https://www-01.ibm.com/support/docview.wss?uid=swg21979393
- https://www-01.ibm.com/support/docview.wss?uid=swg21980676
- https://www-01.ibm.com/support/docview.wss?uid=swg21983501
- https://www-01.ibm.com/support/docview.wss?uid=swg21983506
- https://www.freebsd.org/security/advisories/FreeBSD-SA-16:02.ntp.asc
- https://www.ibm.com/support/home/docdisplay?lndocid=migr-5099428
- https://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
- https://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
Frequently Asked Questions
What is the severity of CVE-2015-5300?
CVE-2015-5300 is classified as a high-severity vulnerability due to its potential impact on system time synchronization.
How do I fix CVE-2015-5300?
To fix CVE-2015-5300, upgrade your NTP software to version 4.2.8 or later.
What systems are affected by CVE-2015-5300?
CVE-2015-5300 affects various versions of NTP across multiple Linux distributions including Red Hat, Fedora, SUSE, and Ubuntu.
What does the -g option in NTP relate to CVE-2015-5300?
The -g option in NTP, while intended to allow setting time to any value, compromises safeguards against excessive time shifts, making systems vulnerable under certain conditions.
Is CVE-2015-5300 a remote exploit risk?
Yes, CVE-2015-5300 poses a remote exploit risk since it can be triggered by an attacker manipulating time settings without proper restrictions.
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/severity
- agent/author
- agent/references
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2015-5300
- agent/software-canonical-lookup
- agent/trending
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/fedoraproject
- canonical/red hat fedora
- version/red hat fedora/21
- version/red hat fedora/22
- vendor/suse
- canonical/suse linux enterprise debuginfo
- version/suse linux enterprise debuginfo/11-sp2
- version/suse linux enterprise debuginfo/11-sp3
- version/suse linux enterprise debuginfo/11-sp4
- vendor/opensuse
- canonical/suse linux
- version/suse linux/42.1
- canonical/opensuse
- version/opensuse/13.2
- canonical/suse linux enterprise desktop
- version/suse linux enterprise desktop/12
- version/suse linux enterprise desktop/12-sp1
- canonical/suse linux enterprise server
- version/suse linux enterprise server/10-sp4
- version/suse linux enterprise server/11-sp2
- version/suse linux enterprise server/11-sp3
- version/suse linux enterprise server/11-sp4
- version/suse linux enterprise server/12-sp1
- canonical/suse linux enterprise software development kit
- version/suse linux enterprise software development kit/12
- version/suse linux enterprise software development kit/12-sp1
- canonical/suse manager server
- version/suse manager server/2.1
- canonical/suse manager proxy
- version/suse manager proxy/2.1
- canonical/opensuse openstack cloud
- version/opensuse openstack cloud/5
- version/suse linux enterprise server/12
- vendor/redhat
- canonical/red hat enterprise linux desktop
- version/red hat enterprise linux desktop/6.0
- version/red hat enterprise linux desktop/7.0
- canonical/red hat enterprise linux hpc node
- version/red hat enterprise linux hpc node/6.0
- version/red hat enterprise linux hpc node/7.0
- version/red hat enterprise linux hpc node/7.1
- canonical/red hat enterprise linux server
- version/red hat enterprise linux server/6.0
- version/red hat enterprise linux server/7.0
- version/red hat enterprise linux server/6.7.z
- version/red hat enterprise linux server/7.1
- canonical/red hat enterprise linux workstation
- version/red hat enterprise linux workstation/6.0
- version/red hat enterprise linux workstation/7.0
- vendor/debian
- canonical/debian linux
- version/debian linux/7.0
- version/debian linux/8.0
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/12.04
- version/ubuntu/14.04
- version/ubuntu/15.04
- version/ubuntu/15.10
- vendor/ntp
- canonical/ntp
- version/ntp/4.2.8