CVE-2016-0727
Published 2017-04-14
Priority P344 · high · 7.8 (CVSS 3.0)
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 1.25% (65.8th percentile)
The crontab script in the ntp package before 1:4.2.6.p3+dfsg-1ubuntu3.11 on Ubuntu 12.04 LTS, before 1:4.2.6.p5+dfsg-3ubuntu2.14.04.10 on Ubuntu 14.04 LTS, on Ubuntu Wily, and before 1:4.2.8p4+dfsg-3ubuntu5.3 on Ubuntu 16.04 LTS allows local users with access to the ntp account to write to arbitrary files and consequently gain privileges via vectors involving statistics directory cleanup.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | ntp | < ntp 1:4.2.8p9+dfsg-2 (bullseye) | ntp 1:4.2.8p9+dfsg-2 (bullseye) |
| ntp | ntp | >= 0 < 1:4.2.8p9+dfsg-2 | 1:4.2.8p9+dfsg-2 |
| ntp | ntp | >= 0 < 1:4.2.6.p5+dfsg-3ubuntu2.14.04.10 | 1:4.2.6.p5+dfsg-3ubuntu2.14.04.10 |
| ntp | ntp | >= 0 < 1:4.2.8p4+dfsg-3ubuntu5.3 | 1:4.2.8p4+dfsg-3ubuntu5.3 |
CVSS provenance
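| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | | 7.8 | HIGH | |
| vendor_debian | | 7.8 | LOW | |
| vendor_redhat | | 7.8 | HIGH | |
| vendor_ubuntu | | 6.5 | MEDIUM | |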
Ubuntu
NTP vulnerabilities
vendor_ubuntu·2016-10-05·CVSS 6.5
CVE-2015-7973 [MEDIUM] NTP vulnerabilities
Title: NTP vulnerabilities
Summary: Several security issues were fixed in NTP.
Aanchal Malhotra discovered that NTP incorrectly handled authenticated
broadcast mode. A remote attacker could use this issue to perform a replay
attack. (CVE-2015-7973)
Matt Street discovered that NTP incorrectly verified peer associations of
symmetric keys. A remote attacker could use this issue to perform an
impersonation attack. (CVE-2015-7974)
Jonathan Gardner discovered that the NTP ntpq utility incorrectly handled
memory. An attacker could possibly use this issue to cause ntpq to crash,
resulting in a denial of service. This issue only affected Ubuntu 16.04
LTS. (CVE-2015-7975)
Jonathan Gardner discovered that the NTP ntpq utility incorrectly handled
dangerous characters in filenames. An attacker cou
Red Hat
ntp: Privilege escalation via cronjob
vendor_redhat·2016-01-21·CVSS 7.8
CVE-2016-0727 [HIGH] ntp: Privilege escalation via cronjob
The crontab script in the ntp package before 1:4.2.6.p3+dfsg-1ubuntu3.11 on Ubuntu 12.04 LTS, before 1:4.2.6.p5+dfsg-3ubuntu2.14.04.10 on Ubuntu 14.04 LTS, on Ubuntu Wily, and before 1:4.2.8p4+dfsg-3ubuntu5.3 on Ubuntu 16.04 LTS allows local users with access to the ntp account to write to arbitrary files and consequently gain privileges via vectors involving statistics directory cleanup.
Statement: This issue did not affect the versions of ntp as shipped with Red Hat Enterprise Linux 5, 6, or 7.
Package: ntp (Red Hat Enterprise Linux 5) - Not affected
Package: ntp (Red Hat Enterprise Linux 6) - Not affected
Package: ntp (Red Hat Enterprise Linux 7) - Not affected
Debian
CVE-2016-0727: ntp - The crontab script in the ntp package before 1:4.2.6.p3+dfsg-1ubuntu3.11 on Ubun...
vendor_debian·2016·CVSS 7.8
CVE-2016-0727 [HIGH] CVE-2016-0727: ntp - The crontab script in the ntp package before 1:4.2.6.p3+dfsg-1ubuntu3.11 on Ubun...
The crontab script in the ntp package before 1:4.2.6.p3+dfsg-1ubuntu3.11 on Ubuntu 12.04 LTS, before 1:4.2.6.p5+dfsg-3ubuntu2.14.04.10 on Ubuntu 14.04 LTS, on Ubuntu Wily, and before 1:4.2.8p4+dfsg-3ubuntu5.3 on Ubuntu 16.04 LTS allows local users with access to the ntp account to write to arbitrary files and consequently gain privileges via vectors involving statistics directory cleanup.
Scope: local
bullseye: resolved (fixed in 1:4.2.8p9+dfsg-2)
GHSA
GHSA-c7qx-m9c7-8wm7: The crontab script in the ntp package before 1:4
ghsa_unreviewed·2022-05-17
CVE-2016-0727 [HIGH] GHSA-c7qx-m9c7-8wm7: The crontab script in the ntp package before 1:4
The crontab script in the ntp package before 1:4.2.6.p3+dfsg-1ubuntu3.11 on Ubuntu 12.04 LTS, before 1:4.2.6.p5+dfsg-3ubuntu2.14.04.10 on Ubuntu 14.04 LTS, on Ubuntu Wily, and before 1:4.2.8p4+dfsg-3ubuntu5.3 on Ubuntu 16.04 LTS allows local users with access to the ntp account to write to arbitrary files and consequently gain privileges via vectors involving statistics directory cleanup.
OSV
CVE-2016-0727: The crontab script in the ntp package before 1:4
osv·2017-04-14·CVSS 7.8
CVE-2016-0727 [HIGH] CVE-2016-0727: The crontab script in the ntp package before 1:4
The crontab script in the ntp package before 1:4.2.6.p3+dfsg-1ubuntu3.11 on Ubuntu 12.04 LTS, before 1:4.2.6.p5+dfsg-3ubuntu2.14.04.10 on Ubuntu 14.04 LTS, on Ubuntu Wily, and before 1:4.2.8p4+dfsg-3ubuntu5.3 on Ubuntu 16.04 LTS allows local users with access to the ntp account to write to arbitrary files and consequently gain privileges via vectors involving statistics directory cleanup.
OSV
ntp vulnerabilities
osv·2016-10-05·CVSS 6.5
CVE-2015-7973 [MEDIUM] ntp vulnerabilities
Aanchal Malhotra discovered that NTP incorrectly handled authenticated
broadcast mode. A remote attacker could use this issue to perform a replay
attack. (CVE-2015-7973)
Matt Street discovered that NTP incorrectly verified peer associations of
symmetric keys. A remote attacker could use this issue to perform an
impersonation attack. (CVE-2015-7974)
Jonathan Gardner discovered that the NTP ntpq utility incorrectly handled
memory. An attacker could possibly use this issue to cause ntpq to crash,
resulting in a denial of service. This issue only affected Ubuntu 16.04
LTS. (CVE-2015-7975)
Jonathan Gardner discovered that the NTP ntpq utility incorrectly handled
dangerous characters in filenames. An attacker could possibly use this
issue to overwrite arbitrary files. (CV
No detection rules found.
Bugzilla
CVE-2016-0727 ntp: Privilege escalation via cronjob
bugzilla·2016-10-06·CVSS 7.8
CVE-2016-0727 [HIGH] CVE-2016-0727 ntp: Privilege escalation via cronjob
Multiple bugs were found in the cronjob script bundled with the ntp package, allowing a malicious ntp user to make the backup process overwrite arbitrary files with content controlled by the attacker, thus gaining root privileges.
External References:
http://www.halfdog.net/Security/2015/NtpCronjobUserNtpToRootPrivilegeEscalation/
Discussion:
Created ntp tracking bugs for this issue:
Affects: fedora-all [bug 1382370]
---
Statement:
This issue did not affect the versions of ntp as shipped with Red Hat Enterprise Linux 5, 6, or 7.
Bugzilla
CVE-2016-0727 ntp: Privilege escalation via cronjob [fedora-all]
bugzilla·2016-10-06·CVSS 7.8
CVE-2016-0727 [HIGH] CVE-2016-0727 ntp: Privilege escalation via cronjob [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While
http://packetstormsecurity.com/files/141913/NTP-Privilege-Escalation.html
http://www.securityfocus.com/bid/81552
http://www.securitytracker.com/id/1034808
http://www.ubuntu.com/usn/USN-3096-1
https://bugs.launchpad.net/ubuntu/+source/ntp/+bug/1528050
https://bugzilla.redhat.com/show_bug.cgi?id=1382369