ID CVE-2014-9293
Summary The config_auth function in ntpd in NTP before 4.2.7p11, when an auth key is not configured, improperly generates a key, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.
References
Vulnerable Configurations
  • NTP 4.2.7
    cpe:2.3:a:ntp:ntp:4.2.7
CVSS
Base: 7.5 (as of 01-11-2016 - 13:05)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-0322-1.NASL
    description xntp has been updated to fix two security issues : - CVE-2014-9298: ::1 can be spoofed on some OSes, so ACLs based on IPv6 ::1 addresses can be bypassed (bnc#911792). - CVE-2014-9297: vallen is not validated in several places in ntp_crypto.c, leading to potential info leak (bnc#911792). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 83685
    published 2015-05-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83685
    title SUSE SLES10 Security Update : xntp (SUSE-SU-2015:0322-1)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2015-0002.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - don't generate weak control key for resolver (CVE-2014-9293) - don't generate weak MD5 keys in ntp-keygen (CVE-2014-9294) - fix buffer overflows via specially-crafted packets (CVE-2014-9295) - increase memlock limit again (#1035198) - allow selection of cipher for private key files (#741573) - revert init script priority (#470945, #689636) - drop tentative patch (#489835) - move restorecon call to %posttrans - call restorecon on ntpd and ntpdate on start (#470945) - don't crash with more than 512 local addresses (#661934) - add -I option (#528799) - fix -L option to not require argument (#460434) - move ntpd and ntpdate to /sbin and start earlier on boot (#470945, #689636) - increase memlock limit (#575874) - ignore tentative addresses (#489835) - print synchronization distance instead of dispersion in ntpstat (#679034) - fix typos in ntpq and ntp-keygen man pages (#664524, #664525) - clarify ntpd -q description (#591838) - don't verify ntp.conf (#481151) - replace Prereq tag - fix DoS with mode 7 packets (#532640, CVE-2009-3563) - compile with -fno-strict-aliasing - fix buffer overflow when parsing Autokey association message (#500784, CVE-2009-1252) - fix buffer overflow in ntpq (#500784, CVE-2009-0159) - fix check for malformed signatures (#479699, CVE-2009-0021)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 80395
    published 2015-01-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80395
    title OracleVM 2.2 : ntp (OVMSA-2015-0002)
  • NASL family Misc.
    NASL id NTP_4_2_8.NASL
    description The version of the remote NTP server is 4.x prior to 4.2.8p1. It is, therefore, affected by the following vulnerabilities : - A security weakness exists due to the config_auth() function improperly generating default keys when no authentication key is defined in the ntp.conf file. Key size is limited to 31 bits and the insecure ntp_random() function is used, resulting in cryptographically-weak keys with insufficient entropy. A remote attacker can exploit this to defeat cryptographic protection mechanisms via a brute-force attack. (CVE-2014-9293) - A security weakness exists due the use of a weak seed to prepare a random number generator used to generate symmetric keys. This allows a remote attacker to defeat cryptographic protection mechanisms via a brute-force attack. (CVE-2014-9294) - Multiple stack-based buffer overflow conditions exist due to improper validation of user-supplied input when handling packets in the crypto_recv(), ctl_putdata(), and configure() functions when using autokey authentication. A remote attacker can exploit this, via a specially crafted packet, to cause a denial of service condition or the execution of arbitrary code. (CVE-2014-9295) - A unspecified vulnerability exists due to missing return statements in the receive() function, resulting in continued processing even when an authentication error is encountered. This allows a remote attacker, via specially crafted packets, to trigger unintended association changes. (CVE-2014-9296) - An information disclosure vulnerability exists due to improper validation of the 'vallen' value in extension fields in ntp_crypto.c. A remote attacker can exploit this to disclose sensitive information. (CVE-2014-9750) - A security bypass vulnerability exists due to a failure to restrict ::1 source addresses on IPv6 interfaces. A remote attacker can exploit this to bypass configured ACLs based on ::1. (CVE-2014-9751) Note that CVE-2014-9750 and CVE-2014-9751 supersede the discontinued identifiers CVE-2014-9297 and CVE-2014-9298, which were originally cited in the vendor advisory.
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 81981
    published 2015-03-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81981
    title Network Time Protocol Daemon (ntpd) 4.x < 4.2.8p1 Multiple Vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-140.NASL
    description Updated ntp packages fix security vulnerabilities : If no authentication key is defined in the ntp.conf file, a cryptographically-weak default key is generated (CVE-2014-9293). ntp-keygen before 4.2.7p230 uses a non-cryptographic random number generator with a weak seed to generate symmetric keys (CVE-2014-9294). A remote unauthenticated attacker may craft special packets that trigger buffer overflows in the ntpd functions crypto_recv() (when using autokey authentication), ctl_putdata(), and configure(). The resulting buffer overflows may be exploited to allow arbitrary malicious code to be executed with the privilege of the ntpd process (CVE-2014-9295). A section of code in ntpd handling a rare error is missing a return statement, therefore processing did not stop when the error was encountered. This situation may be exploitable by an attacker (CVE-2014-9296). Stephen Roettger of the Google Security Team, Sebastian Krahmer of the SUSE Security Team and Harlan Stenn of Network Time Foundation discovered that the length value in extension fields is not properly validated in several code paths in ntp_crypto.c, which could lead to information leakage or denial of service (CVE-2014-9297). Stephen Roettger of the Google Security Team reported that ACLs based on IPv6 ::1 (localhost) addresses can be bypassed (CVE-2014-9298). The ntp package has been patched to fix these issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 82393
    published 2015-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82393
    title Mandriva Linux Security Advisory : ntp (MDVSA-2015:140)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_NTP-150209.NASL
    description ntp has been updated to fix four security issues : - ntp-keygen used a weak RNG seed, which made it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. (bsc#910764). (CVE-2014-9294) - The config_auth function, when an auth key is not configured, improperly generated a key, which made it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. (bsc#910764). (CVE-2014-9293) - ::1 can be spoofed on some operating systems, so ACLs based on IPv6 ::1 addresses could be bypassed. (bsc#910764). (CVE-2014-9298) - vallen is not validated in several places in ntp_crypto.c, leading to potential information leak. (bsc#910764). (CVE-2014-9297)
    last seen 2019-02-21
    modified 2015-11-01
    plugin id 81313
    published 2015-02-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81313
    title SuSE 11.3 Security Update : ntp (SAT Patch Number 10293)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2015-0001.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - Remove default ntp servers in ntp.conf [bug 14342986] - don't generate weak control key for resolver (CVE-2014-9293) - don't generate weak MD5 keys in ntp-keygen (CVE-2014-9294) - fix buffer overflows via specially-crafted packets (CVE-2014-9295) - increase memlock limit again (#1035198) - allow selection of cipher for private key files (#741573) - revert init script priority (#470945, #689636) - drop tentative patch (#489835) - move restorecon call to %posttrans - call restorecon on ntpd and ntpdate on start (#470945) - don't crash with more than 512 local addresses (#661934) - add -I option (#528799) - fix -L option to not require argument (#460434) - move ntpd and ntpdate to /sbin and start earlier on boot (#470945, #689636) - increase memlock limit (#575874) - ignore tentative addresses (#489835) - print synchronization distance instead of dispersion in ntpstat (#679034) - fix typos in ntpq and ntp-keygen man pages (#664524, #664525) - clarify ntpd -q description (#591838) - don't verify ntp.conf (#481151) - replace Prereq tag - fix DoS with mode 7 packets (#532640, CVE-2009-3563) - compile with -fno-strict-aliasing - fix buffer overflow when parsing Autokey association message (#500784, CVE-2009-1252) - fix buffer overflow in ntpq (#500784, CVE-2009-0159) - fix check for malformed signatures (#479699, CVE-2009-0021)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 80394
    published 2015-01-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80394
    title OracleVM 3.2 : ntp (OVMSA-2015-0001)
  • NASL family HP-UX Local Security Checks
    NASL id HPUX_PHNE_44235.NASL
    description s700_800 11.11 NTP timeservices upgrade plus utilities : Potential security vulnerabilities have been identified with HP-UX running NTP. These could be exploited remotely to execute code, create a Denial of Service (DoS), or other vulnerabilities. References: CVE-2014-9293 - Insufficient Entropy in Pseudo-Random Number Generator (PRNG) (CWE-332) CVE-2014-9294 - Use of Cryptographically Weak PRNG (CWE-338) CVE-2014-9295 - Stack Buffer Overflow (CWE-121) CVE-2014-9296 - Error Conditions, Return Values, Status Codes (CWE-389) CVE-2014-9297 - Improper Check for Unusual or Exceptional Conditions (CWE-754) SSRT101872 VU#852879.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 82682
    published 2015-04-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82682
    title HP-UX PHNE_44235 : s700_800 11.11 NTP timeservices upgrade plus utilities
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-2024.NASL
    description From Red Hat Security Advisory 2014:2024 : Updated ntp packages that fix several security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use either of these flaws to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the ntp user. Note: the crypto_recv() flaw requires non-default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited via local attackers, and the configure() flaw requires additional authentication to exploit. (CVE-2014-9295) It was found that ntpd automatically generated weak keys for its internal use if no ntpdc request authentication key was specified in the ntp.conf configuration file. A remote attacker able to match the configured IP restrictions could guess the generated key, and possibly use it to send ntpdc query or configuration requests. (CVE-2014-9293) It was found that ntp-keygen used a weak method for generating MD5 keys. This could possibly allow an attacker to guess generated MD5 keys that could then be used to spoof an NTP client or server. Note: it is recommended to regenerate any MD5 keys that had explicitly been generated with ntp-keygen; the default installation does not contain such keys). (CVE-2014-9294) A missing return statement in the receive() function could potentially allow a remote attacker to bypass NTP's authentication mechanism. (CVE-2014-9296) All ntp users are advised to upgrade to this updated package, which contains backported patches to resolve these issues. After installing the update, the ntpd daemon will restart automatically.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 80154
    published 2014-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80154
    title Oracle Linux 6 / 7 : ntp (ELSA-2014-2024)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2014-2024.NASL
    description Updated ntp packages that fix several security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use either of these flaws to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the ntp user. Note: the crypto_recv() flaw requires non-default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited via local attackers, and the configure() flaw requires additional authentication to exploit. (CVE-2014-9295) It was found that ntpd automatically generated weak keys for its internal use if no ntpdc request authentication key was specified in the ntp.conf configuration file. A remote attacker able to match the configured IP restrictions could guess the generated key, and possibly use it to send ntpdc query or configuration requests. (CVE-2014-9293) It was found that ntp-keygen used a weak method for generating MD5 keys. This could possibly allow an attacker to guess generated MD5 keys that could then be used to spoof an NTP client or server. Note: it is recommended to regenerate any MD5 keys that had explicitly been generated with ntp-keygen; the default installation does not contain such keys). (CVE-2014-9294) A missing return statement in the receive() function could potentially allow a remote attacker to bypass NTP's authentication mechanism. (CVE-2014-9296) All ntp users are advised to upgrade to this updated package, which contains backported patches to resolve these issues. After installing the update, the ntpd daemon will restart automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 80124
    published 2014-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80124
    title CentOS 6 / 7 : ntp (CESA-2014:2024)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-17395.NASL
    description Security fix for CVE-2014-9294, CVE-2014-9295, CVE-2014-9293, CVE-2014-9296 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2015-11-01
    plugin id 80310
    published 2015-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80310
    title Fedora 19 : ntp-4.2.6p5-13.fc19 (2014-17395)
  • NASL family CISCO
    NASL id CISCO-SA-20141222-NTPD-PRIME_DCNM.NASL
    description According to its self-reported version number, the Cisco Prime Data Center Network Manager (DCNM) running on the remote host is affected by multiple vulnerabilities : - A security weakness exists due to the config_auth() function improperly generating default keys when no authentication key is defined in the 'ntp.conf' file. Key size is limited to 31 bits and the insecure ntp_random() function is used, resulting in cryptographically weak keys with insufficient entropy. This allows a remote attacker to defeat cryptographic protection mechanisms via a brute-force attack. (CVE-2014-9293) - A security weakness exists due the use of a weak seed to prepare a random number generator used to generate symmetric keys. This allows remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. (CVE-2014-9294) - Multiple stack-based buffer overflows exist due to improperly validated user-supplied input when handling packets in the crypto_recv(), ctl_putdata(), and configure() functions when using autokey authentication. This allows a remote attacker, via a specially crafted packet, to cause a denial of service condition or execute arbitrary code. (CVE-2014-9295) - A unspecified vulnerability exists due to missing return statements in the receive() function, resulting in continued processing even when an authentication error is encountered. This allows a remote attacker, via crafted packets, to trigger unintended association changes. (CVE-2014-9296) - A security bypass vulnerability exists in the function read_network_packet() due to a failure to restrict ::1 source addresses on IPv6 interfaces. This allows a remote attacker to bypass configured ACLs based on ::1. (CVE-2014-9298) This plugin determines if DCNM is vulnerable by checking the version number displayed in the web interface. The web interface is not available in older versions of DCNM.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 83876
    published 2015-05-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83876
    title Cisco Prime Data Center Network Manager ntpd Multiple Vulnerabilities (uncredentialed check)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201412-34.NASL
    description The remote host is affected by the vulnerability described in GLSA-201412-34 (NTP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in NTP. Please review the CVE identifiers referenced below for details. Impact : A remote unauthenticated attacker may be able to execute arbitrary code with the privileges of the process, cause a Denial of Service condition, and obtain sensitive information that could assist in other attacks. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2015-11-01
    plugin id 80239
    published 2014-12-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80239
    title GLSA-201412-34 : NTP: Multiple vulnerabilities
  • NASL family CGI abuses
    NASL id CISCO-SA-20141222-NTPD-PRSM.NASL
    description According to its self-reported version number, the version of Cisco Prime Security Manager running on the remote host is prior to 9.3.3.2. It is, therefore, affected by multiple vulnerabilities in the bundled NTP libraries : - A security weakness exists due to the config_auth() function improperly generating default keys when no authentication key is defined in the 'ntp.conf' file. Key size is limited to 31 bits and the insecure ntp_random() function is used, resulting in cryptographically-weak keys with insufficient entropy. This allows a remote attacker to defeat cryptographic protection mechanisms via a brute-force attack. (CVE-2014-9293) - A security weakness exists due the use of a weak seed to prepare a random number generator used to generate symmetric keys. This allows remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. (CVE-2014-9294) - Multiple stack-based buffer overflows exist due to improperly validated user-supplied input when handling packets in the crypto_recv(), ctl_putdata(), and configure() functions when using autokey authentication. This allows a remote attacker, via a specially crafted packet, to cause a denial of service condition or execute arbitrary code. (CVE-2014-9295) - A unspecified vulnerability exists due to missing return statements in the receive() function, resulting in continued processing even when an authentication error is encountered. This allows a remote attacker, via crafted packets, to trigger unintended association changes. (CVE-2014-9296)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 81980
    published 2015-03-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81980
    title Cisco Prime Security Manager Network Time Protocol Daemon (ntpd) Multiple Vulnerabilities (cisco-sa-20141222-ntpd)
  • NASL family HP-UX Local Security Checks
    NASL id HPUX_PHNE_44236.NASL
    description s700_800 11.23 NTP timeservices upgrade plus utilities : Potential security vulnerabilities have been identified with HP-UX running NTP. These could be exploited remotely to execute code, create a Denial of Service (DoS), or other vulnerabilities. References: CVE-2014-9293 - Insufficient Entropy in Pseudo-Random Number Generator (PRNG) (CWE-332) CVE-2014-9294 - Use of Cryptographically Weak PRNG (CWE-338) CVE-2014-9295 - Stack Buffer Overflow (CWE-121) CVE-2014-9296 - Error Conditions, Return Values, Status Codes (CWE-389) CVE-2014-9297 - Improper Check for Unusual or Exceptional Conditions (CWE-754) SSRT101872 VU#852879.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 82683
    published 2015-04-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82683
    title HP-UX PHNE_44236 : s700_800 11.23 NTP timeservices upgrade plus utilities
  • NASL family Firewalls
    NASL id CHECK_POINT_GAIA_SK103825.NASL
    description The remote host is running a version of Gaia Operating System that is prior to R77.20 and thus, is potentially affected by multiple NTP client vulnerabilities. Note that NTP client is disabled by default. Further note that if the vendor's suggested mitigations are in place, this can be considered a false positive.
    last seen 2019-02-21
    modified 2017-12-08
    plugin id 105085
    published 2017-12-07
    reporter Tenable
    source https://www.t