CVE-2016-0727

Published: 14/04/2017 Updated: 20/04/2017
CVSS v2 Base Score: 7.2 | Impact Score: 10 | Exploitability Score: 3.9
CVSS v3 Base Score: 7.8 | Impact Score: 5.9 | Exploitability Score: 1.8
VMScore: 725
Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Summary

The crontab script in the ntp package prior to 1:4.2.6.p3+dfsg-1ubuntu3.11 on Ubuntu 12.04 LTS, prior to 1:4.2.6.p5+dfsg-3ubuntu2.14.04.10 on Ubuntu 14.04 LTS, on Ubuntu Wily, and prior to 1:4.2.8p4+dfsg-3ubuntu5.3 on Ubuntu 16.04 LTS allows local users with access to the ntp account to write to arbitrary files and consequently gain privileges via vectors involving statistics directory cleanup.

Vendor Advisories

Debian Bug report logs - #839998 ntp: CVE-2016-0727: NTP statsdir cleanup cronjob insecure. Package: src:ntp; Maintainer for src:ntp is Debian NTP Team <ntp@packages.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Fri, 7 Oct 2016 11:12:02 UTC; Severity: normal; Tags: patch, security; Found in v ...
The crontab script in the ntp package before 1:4.2.6.p3+dfsg-1ubuntu3.11 on Ubuntu 12.04 LTS, before 1:4.2.6.p5+dfsg-3ubuntu2.14.04.10 on Ubuntu 14.04 LTS, on Ubuntu Wily, and before 1:4.2.8p4+dfsg-3ubuntu5.3 on Ubuntu 16.04 LTS allows local users with access to the ntp account to write to arbitrary files and consequently gain privileges via vector ...
Summary: The cronjob script bundled with ntp package is intended to perform cleanup on statistics files produced by NTP daemon running with statistics enabled. The script is run as root during the daily cronjobs all operations on the ntp-user controlled statistics directory without switching to user ntp. Thus all steps are performed with ro ...
Several security issues were fixed in NTP ...

Exploits

Source: www.halfdog.net/Security/2015/NtpCronjobUserNtpToRootPrivilegeEscalation/

## Introduction

### Problem description:

The cronjob script bundled with ntp package is intended to perform cleanup on statistics files produced by NTP daemon running with statistics enabled. The script is run as root during the daily cronjobs all operations ...