| nessus
via4
|
| NASL family | Ubuntu Local Security Checks | | NASL id | UBUNTU_USN-2449-1.NASL | | description | Neel Mehta discovered that NTP generated weak authentication keys. A remote attacker could possibly use this issue to brute force the authentication key and send requests if permitted by IP restrictions.
(CVE-2014-9293)
Stephen Roettger discovered that NTP generated weak MD5 keys. A remote attacker could possibly use this issue to brute force the MD5 key and spoof a client or server. (CVE-2014-9294)
Stephen Roettger discovered that NTP contained buffer overflows in the crypto_recv(), ctl_putdata() and configure() functions. In non-default configurations, a remote attacker could use these issues to cause NTP to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a denial of service. In addition, attackers would be isolated by the NTP AppArmor profile.
(CVE-2014-9295)
Stephen Roettger discovered that NTP incorrectly continued processing when handling certain errors. (CVE-2014-9296).
Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. | | last seen | 2017-10-29 | | modified | 2016-05-24 | | plugin id | 80218 | | published | 2014-12-23 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80218 | | title | Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : ntp vulnerabilities (USN-2449-1) |
| NASL family | Fedora Local Security Checks | | NASL id | FEDORA_2014-17395.NASL | | description | Security fix for CVE-2014-9294, CVE-2014-9295, CVE-2014-9293, CVE-2014-9296
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. | | last seen | 2017-10-29 | | modified | 2015-11-01 | | plugin id | 80310 | | published | 2015-01-02 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80310 | | title | Fedora 19 : ntp-4.2.6p5-13.fc19 (2014-17395) |
| NASL family | CentOS Local Security Checks | | NASL id | CENTOS_RHSA-2014-2024.NASL | | description | Updated ntp packages that fix several security issues are now available for Red Hat Enterprise Linux 6 and 7.
Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source.
Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use either of these flaws to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the ntp user. Note: the crypto_recv() flaw requires non-default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited via local attackers, and the configure() flaw requires additional authentication to exploit. (CVE-2014-9295)
It was found that ntpd automatically generated weak keys for its internal use if no ntpdc request authentication key was specified in the ntp.conf configuration file. A remote attacker able to match the configured IP restrictions could guess the generated key, and possibly use it to send ntpdc query or configuration requests. (CVE-2014-9293)
It was found that ntp-keygen used a weak method for generating MD5 keys. This could possibly allow an attacker to guess generated MD5 keys that could then be used to spoof an NTP client or server. Note:
it is recommended to regenerate any MD5 keys that had explicitly been generated with ntp-keygen; the default installation does not contain such keys). (CVE-2014-9294)
A missing return statement in the receive() function could potentially allow a remote attacker to bypass NTP's authentication mechanism.
(CVE-2014-9296)
All ntp users are advised to upgrade to this updated package, which contains backported patches to resolve these issues. After installing the update, the ntpd daemon will restart automatically. | | last seen | 2017-10-29 | | modified | 2015-11-01 | | plugin id | 80124 | | published | 2014-12-22 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80124 | | title | CentOS 6 / 7 : ntp (CESA-2014:2024) |
| NASL family | Amazon Linux Local Security Checks | | NASL id | ALA_ALAS-2014-462.NASL | | description | It was found that ntpd automatically generated weak keys for its internal use if no ntpdc request authentication key was specified in the ntp.conf configuration file. A remote attacker able to match the configured IP restrictions could guess the generated key, and possibly use it to send ntpdc query or configuration requests. (CVE-2014-9293)
It was found that ntp-keygen used a weak method for generating MD5 keys. This could possibly allow an attacker to guess generated MD5 keys that could then be used to spoof an NTP client or server. Note:
it is recommended to regenerate any MD5 keys that had explicitly been generated with ntp-keygen; the default installation does not contain such keys). (CVE-2014-9294)
Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use either of these flaws to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the ntp user. Note: the crypto_recv() flaw requires non default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited via local attackers, and the configure() flaw requires additional authentication to exploit. (CVE-2014-9295)
A missing return statement in the receive() function could potentially allow a remote attacker to bypass NTP's authentication mechanism.
(CVE-2014-9296) | | last seen | 2018-04-19 | | modified | 2018-04-18 | | plugin id | 80122 | | published | 2014-12-22 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80122 | | title | Amazon Linux AMI : ntp (ALAS-2014-462) |
| NASL family | Oracle Linux Local Security Checks | | NASL id | ORACLELINUX_ELSA-2014-2024.NASL | | description | From Red Hat Security Advisory 2014:2024 :
Updated ntp packages that fix several security issues are now available for Red Hat Enterprise Linux 6 and 7.
Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source.
Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use either of these flaws to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the ntp user. Note: the crypto_recv() flaw requires non-default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited via local attackers, and the configure() flaw requires additional authentication to exploit. (CVE-2014-9295)
It was found that ntpd automatically generated weak keys for its internal use if no ntpdc request authentication key was specified in the ntp.conf configuration file. A remote attacker able to match the configured IP restrictions could guess the generated key, and possibly use it to send ntpdc query or configuration requests. (CVE-2014-9293)
It was found that ntp-keygen used a weak method for generating MD5 keys. This could possibly allow an attacker to guess generated MD5 keys that could then be used to spoof an NTP client or server. Note:
it is recommended to regenerate any MD5 keys that had explicitly been generated with ntp-keygen; the default installation does not contain such keys). (CVE-2014-9294)
A missing return statement in the receive() function could potentially allow a remote attacker to bypass NTP's authentication mechanism.
(CVE-2014-9296)
All ntp users are advised to upgrade to this updated package, which contains backported patches to resolve these issues. After installing the update, the ntpd daemon will restart automatically. | | last seen | 2017-10-29 | | modified | 2015-12-01 | | plugin id | 80154 | | published | 2014-12-22 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80154 | | title | Oracle Linux 6 / 7 : ntp (ELSA-2014-2024) |
| NASL family | CISCO | | NASL id | CISCO-SN-CSCUS26956-IOSXR.NASL | | description | The remote Cisco device is running a version of IOS XR software that is affected by the following vulnerabilities :
- Errors exist related to weak cryptographic pseudorandom number generation (PRNG), the functions 'ntp_random' and and 'config_auth', and the 'ntp-keygen' utility. A man-in-the-middle attacker can exploit these to disclose sensitive information. (CVE-2014-9293, CVE-2014-9294)
- Multiple stack-based buffer overflow errors exist in the Network Time Protocol daemon (ntpd), which a remote attacker can exploit to execute arbitrary code or cause a denial of service by using a specially crafted packet.
(CVE-2014-9295)
- An error exists in the 'receive' function in the Network Time Protocol daemon (ntpd) that allows denial of service attacks. (CVE-2014-9296) | | last seen | 2017-10-29 | | modified | 2015-11-01 | | plugin id | 81912 | | published | 2015-03-18 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81912 | | title | Cisco IOS XR Multiple ntpd Vulnerabilities |
| NASL family | Fedora Local Security Checks | | NASL id | FEDORA_2014-17361.NASL | | description | Security fix for CVE-2014-9294, CVE-2014-9295, CVE-2014-9293, CVE-2014-9296
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. | | last seen | 2017-10-29 | | modified | 2015-11-01 | | plugin id | 80147 | | published | 2014-12-22 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80147 | | title | Fedora 20 : ntp-4.2.6p5-19.fc20 (2014-17361) |
| NASL family | Scientific Linux Local Security Checks | | NASL id | SL_20141220_NTP_ON_SL6_X.NASL | | description | Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use either of these flaws to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the ntp user. Note: the crypto_recv() flaw requires non- default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited via local attackers, and the configure() flaw requires additional authentication to exploit. (CVE-2014-9295)
It was found that ntpd automatically generated weak keys for its internal use if no ntpdc request authentication key was specified in the ntp.conf configuration file. A remote attacker able to match the configured IP restrictions could guess the generated key, and possibly use it to send ntpdc query or configuration requests. (CVE-2014-9293)
It was found that ntp-keygen used a weak method for generating MD5 keys. This could possibly allow an attacker to guess generated MD5 keys that could then be used to spoof an NTP client or server. Note:
it is recommended to regenerate any MD5 keys that had explicitly been generated with ntp-keygen; the default installation does not contain such keys). (CVE-2014-9294)
A missing return statement in the receive() function could potentially allow a remote attacker to bypass NTP's authentication mechanism.
(CVE-2014-9296)
After installing the update, the ntpd daemon will restart automatically. | | last seen | 2017-10-29 | | modified | 2015-11-01 | | plugin id | 80164 | | published | 2014-12-22 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80164 | | title | Scientific Linux Security Update : ntp on SL6.x, SL7.x i386/x86_64 |
| NASL family | Fedora Local Security Checks | | NASL id | FEDORA_2014-17367.NASL | | description | Security fix for CVE-2014-9294, CVE-2014-9295, CVE-2014-9293, CVE-2014-9296
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. | | last seen | 2017-10-29 | | modified | 2015-11-01 | | plugin id | 80237 | | published | 2014-12-26 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80237 | | title | Fedora 21 : ntp-4.2.6p5-25.fc21 (2014-17367) |
| NASL family | Gentoo Local Security Checks | | NASL id | GENTOO_GLSA-201412-34.NASL | | description | The remote host is affected by the vulnerability described in GLSA-201412-34 (NTP: Multiple vulnerabilities)
Multiple vulnerabilities have been discovered in NTP. Please review the CVE identifiers referenced below for details.
Impact :
A remote unauthenticated attacker may be able to execute arbitrary code with the privileges of the process, cause a Denial of Service condition, and obtain sensitive information that could assist in other attacks.
Workaround :
There is no known workaround at this time. | | last seen | 2017-10-29 | | modified | 2015-11-01 | | plugin id | 80239 | | published | 2014-12-26 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80239 | | title | GLSA-201412-34 : NTP: Multiple vulnerabilities |
| NASL family | Mandriva Local Security Checks | | NASL id | MANDRIVA_MDVSA-2015-140.NASL | | description | Updated ntp packages fix security vulnerabilities :
If no authentication key is defined in the ntp.conf file, a cryptographically-weak default key is generated (CVE-2014-9293).
ntp-keygen before 4.2.7p230 uses a non-cryptographic random number generator with a weak seed to generate symmetric keys (CVE-2014-9294).
A remote unauthenticated attacker may craft special packets that trigger buffer overflows in the ntpd functions crypto_recv() (when using autokey authentication), ctl_putdata(), and configure(). The resulting buffer overflows may be exploited to allow arbitrary malicious code to be executed with the privilege of the ntpd process (CVE-2014-9295).
A section of code in ntpd handling a rare error is missing a return statement, therefore processing did not stop when the error was encountered. This situation may be exploitable by an attacker (CVE-2014-9296).
Stephen Roettger of the Google Security Team, Sebastian Krahmer of the SUSE Security Team and Harlan Stenn of Network Time Foundation discovered that the length value in extension fields is not properly validated in several code paths in ntp_crypto.c, which could lead to information leakage or denial of service (CVE-2014-9297).
Stephen Roettger of the Google Security Team reported that ACLs based on IPv6 ::1 (localhost) addresses can be bypassed (CVE-2014-9298).
The ntp package has been patched to fix these issues. | | last seen | 2017-10-29 | | modified | 2015-11-01 | | plugin id | 82393 | | published | 2015-03-30 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=82393 | | title | Mandriva Linux Security Advisory : ntp (MDVSA-2015:140) |
| NASL family | Debian Local Security Checks | | NASL id | DEBIAN_DSA-3108.NASL | | description | Several vulnerabilities were discovered in the ntp package, an implementation of the Network Time Protocol.
- CVE-2014-9293 ntpd generated a weak key for its internal use, with full administrative privileges. Attackers could use this key to reconfigure ntpd (or to exploit other vulnerabilities).
- CVE-2014-9294 The ntp-keygen utility generated weak MD5 keys with insufficient entropy.
- CVE-2014-9295 ntpd had several buffer overflows (both on the stack and in the data section), allowing remote authenticated attackers to crash ntpd or potentially execute arbitrary code.
- CVE-2014-9296 The general packet processing function in ntpd did not handle an error case correctly.
The default ntpd configuration in Debian restricts access to localhost (and possible the adjacent network in case of IPv6).
Keys explicitly generated by 'ntp-keygen -M' should be regenerated. | | last seen | 2017-10-29 | | modified | 2015-11-01 | | plugin id | 80208 | | published | 2014-12-23 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80208 | | title | Debian DSA-3108-1 : ntp - security update |
| NASL family | HP-UX Local Security Checks | | NASL id | HPUX_PHNE_44235.NASL | | description | s700_800 11.11 NTP timeservices upgrade plus utilities :
Potential security vulnerabilities have been identified with HP-UX running NTP. These could be exploited remotely to execute code, create a Denial of Service (DoS), or other vulnerabilities. References:
CVE-2014-9293 - Insufficient Entropy in Pseudo-Random Number Generator (PRNG) (CWE-332) CVE-2014-9294 - Use of Cryptographically Weak PRNG (CWE-338) CVE-2014-9295 - Stack Buffer Overflow (CWE-121) CVE-2014-9296 - Error Conditions, Return Values, Status Codes (CWE-389) CVE-2014-9297 - Improper Check for Unusual or Exceptional Conditions (CWE-754) SSRT101872 VU#852879. | | last seen | 2017-10-29 | | modified | 2015-11-01 | | plugin id | 82682 | | published | 2015-04-10 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=82682 | | title | HP-UX PHNE_44235 : s700_800 11.11 NTP timeservices upgrade plus utilities |
| NASL family | CISCO | | NASL id | CISCO-SA-20141222-NTPD-PRIME_DCNM.NASL | | description | According to its self-reported version number, the Cisco Prime Data Center Network Manager (DCNM) running on the remote host is affected by multiple vulnerabilities :
- A security weakness exists due to the config_auth() function improperly generating default keys when no authentication key is defined in the 'ntp.conf' file.
Key size is limited to 31 bits and the insecure ntp_random() function is used, resulting in cryptographically weak keys with insufficient entropy.
This allows a remote attacker to defeat cryptographic protection mechanisms via a brute-force attack.
(CVE-2014-9293)
- A security weakness exists due the use of a weak seed to prepare a random number generator used to generate symmetric keys. This allows remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. (CVE-2014-9294)
- Multiple stack-based buffer overflows exist due to improperly validated user-supplied input when handling packets in the crypto_recv(), ctl_putdata(), and configure() functions when using autokey authentication.
This allows a remote attacker, via a specially crafted packet, to cause a denial of service condition or execute arbitrary code. (CVE-2014-9295)
- A unspecified vulnerability exists due to missing return statements in the receive() function, resulting in continued processing even when an authentication error is encountered. This allows a remote attacker, via crafted packets, to trigger unintended association changes. (CVE-2014-9296)
- A security bypass vulnerability exists in the function read_network_packet() due to a failure to restrict ::1 source addresses on IPv6 interfaces. This allows a remote attacker to bypass configured ACLs based on ::1.
(CVE-2014-9298)
This plugin determines if DCNM is vulnerable by checking the version number displayed in the web interface. The web interface is not available in older versions of DCNM. | | last seen | 2017-10-29 | | modified | 2015-11-01 | | plugin id | 83876 | | published | 2015-05-28 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=83876 | | title | Cisco Prime Data Center Network Manager ntpd Multiple Vulnerabilities (uncredentialed check) |
| NASL family | Mandriva Local Security Checks | | NASL id | MANDRIVA_MDVSA-2015-003.NASL | | description | Updated ntp packages fix security vulnerabilities :
If no authentication key is defined in the ntp.conf file, a cryptographically-weak default key is generated (CVE-2014-9293).
ntp-keygen before 4.2.7p230 uses a non-cryptographic random number generator with a weak seed to generate symmetric keys (CVE-2014-9294).
A remote unauthenticated attacker may craft special packets that trigger buffer overflows in the ntpd functions crypto_recv() (when using autokey authentication), ctl_putdata(), and configure(). The resulting buffer overflows may be exploited to allow arbitrary malicious code to be executed with the privilege of the ntpd process (CVE-2014-9295).
A section of code in ntpd handling a rare error is missing a return statement, therefore processing did not stop when the error was encountered. This situation may be exploitable by an attacker (CVE-2014-9296).
The ntp package has been patched to fix these issues. | | last seen | 2017-10-29 | | modified | 2015-11-01 | | plugin id | 80384 | | published | 2015-01-06 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80384 | | title | Mandriva Linux Security Advisory : ntp (MDVSA-2015:003) |
| NASL family | Red Hat Local Security Checks | | NASL id | REDHAT-RHSA-2015-0104.NASL | | description | Updated ntp packages that fix several security issues are now available for Red Hat Enterprise Linux 6.5 Extended Update Support.
Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source.
Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use either of these flaws to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the ntp user. Note: the crypto_recv() flaw requires non-default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited via local attackers, and the configure() flaw requires additional authentication to exploit. (CVE-2014-9295)
It was found that ntpd automatically generated weak keys for its internal use if no ntpdc request authentication key was specified in the ntp.conf configuration file. A remote attacker able to match the configured IP restrictions could guess the generated key, and possibly use it to send ntpdc query or configuration requests. (CVE-2014-9293)
It was found that ntp-keygen used a weak method for generating MD5 keys. This could possibly allow an attacker to guess generated MD5 keys that could then be used to spoof an NTP client or server. Note:
it is recommended to regenerate any MD5 keys that had explicitly been generated with ntp-keygen; the default installation does not contain such keys. (CVE-2014-9294)
A missing return statement in the receive() function could potentially allow a remote attacker to bypass NTP's authentication mechanism.
(CVE-2014-9296)
All ntp users are advised to upgrade to this updated package, which contains backported patches to resolve these issues. After installing the update, the ntpd daemon will restart automatically. | | last seen | 2017-10-29 | | modified | 2017-01-06 | | plugin id | 81071 | | published | 2015-01-29 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81071 | | title | RHEL 6 : ntp (RHSA-2015:0104) |
| NASL family | Debian Local Security Checks | | NASL id | DEBIAN_DLA-116.NASL | | description | Several vulnerabilities were discovered in the ntp package, an implementation of the Network Time Protocol.
CVE-2014-9293
ntpd generated a weak key for its internal use, with full administrative privileges. Attackers could use this key to reconfigure ntpd (or to exploit other vulnerabilities).
CVE-2014-9294
The ntp-keygen utility generated weak MD5 keys with insufficient entropy.
CVE-2014-9295
ntpd had several buffer overflows (both on the stack and in the data section), allowing remote authenticated attackers to crash ntpd or potentially execute arbitrary code.
CVE-2014-9296
The general packet processing function in ntpd did not handle an error case correctly.
The default ntpd configuration in Debian restricts access to localhost (and possible the adjacent network in case of IPv6).
Keys explicitly generated by 'ntp-keygen -M' should be regenerated.
For the oldstable distribution (squeeze), these problems have been fixed in version 4.2.6.p2+dfsg-1+deb6u1.
We recommend that you upgrade your heirloom-mailx packages.
Thanks to the Florian Weimer for the Red Hat security update.
NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. | | last seen | 2017-10-29 | | modified | 2015-12-02 | | plugin id | 82099 | | published | 2015-03-26 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=82099 | | title | Debian DLA-116-1 : ntp security update |
| NASL family | Red Hat Local Security Checks | | NASL id | REDHAT-RHSA-2014-2024.NASL | | description | Updated ntp packages that fix several security issues are now available for Red Hat Enterprise Linux 6 and 7.
Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.
The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source.
Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use either of these flaws to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the ntp user. Note: the crypto_recv() flaw requires non-default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited via local attackers, and the configure() flaw requires additional authentication to exploit. (CVE-2014-9295)
It was found that ntpd automatically generated weak keys for its internal use if no ntpdc request authentication key was specified in the ntp.conf configuration file. A remote attacker able to match the configured IP restrictions could guess the generated key, and possibly use it to send ntpdc query or configuration requests. (CVE-2014-9293)
It was found that ntp-keygen used a weak method for generating MD5 keys. This could possibly allow an attacker to guess generated MD5 keys that could then be used to spoof an NTP client or server. Note:
it is recommended to regenerate any MD5 keys that had explicitly been generated with ntp-keygen; the default installation does not contain such keys). (CVE-2014-9294)
A missing return statement in the receive() function could potentially allow a remote attacker to bypass NTP's authentication mechanism.
(CVE-2014-9296)
All ntp users are advised to upgrade to this updated package, which contains backported patches to resolve these issues. After installing the update, the ntpd daemon will restart automatically. | | last seen | 2017-10-29 | | modified | 2017-01-06 | | plugin id | 80160 | | published | 2014-12-22 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80160 | | title | RHEL 6 / 7 : ntp (RHSA-2014:2024) |
| NASL family | FreeBSD Local Security Checks | | NASL id | FREEBSD_PKG_4033D82687DD11E490793C970E169BC2.NASL | | description | CERT reports :
The Network Time Protocol (NTP) provides networked systems with a way to synchronize time for various services and applications. ntpd version 4.2.7 and previous versions allow attackers to overflow several buffers in a way that may allow malicious code to be executed.
ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys.
The buffer overflow vulnerabilities in ntpd may allow a remote unauthenticated attacker to execute arbitrary malicious code with the privilege level of the ntpd process. The weak default key and non-cryptographic random number generator in ntp-keygen may allow an attacker to gain information regarding the integrity checking and authentication encryption schemes. | | last seen | 2017-10-29 | | modified | 2017-07-06 | | plugin id | 80149 | | published | 2014-12-22 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80149 | | title | FreeBSD : ntp -- multiple vulnerabilities (4033d826-87dd-11e4-9079-3c970e169bc2) |
| NASL family | OracleVM Local Security Checks | | NASL id | ORACLEVM_OVMSA-2014-0085.NASL | | description | The remote OracleVM system is missing necessary patches to address critical security updates :
- don't generate weak control key for resolver (CVE-2014-9293)
- don't generate weak MD5 keys in ntp-keygen (CVE-2014-9294)
- fix buffer overflows via specially-crafted packets (CVE-2014-9295)
- don't mobilize passive association when authentication fails (CVE-2014-9296) | | last seen | 2017-10-29 | | modified | 2017-02-14 | | plugin id | 80248 | | published | 2014-12-26 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80248 | | title | OracleVM 3.3 : ntp (OVMSA-2014-0085) |
| NASL family | Solaris Local Security Checks | | NASL id | SOLARIS11_NTP_20150120.NASL | | description | The remote Solaris system is missing necessary patches to address security updates :
- Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8 allow remote attackers to execute arbitrary code via a crafted packet, related to (1) the crypto_recv function when the Autokey Authentication feature is used, (2) the ctl_putdata function, and (3) the configure function. (CVE-2014-9295)
- The receive function in ntp_proto.c in ntpd in NTP before 4.2.8 continues to execute after detecting a certain authentication error, which might allow remote attackers to trigger an unintended association change via crafted packets. (CVE-2014-9296) | | last seen | 2017-10-29 | | modified | 2015-11-01 | | plugin id | 80934 | | published | 2015-01-23 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80934 | | title | Oracle Solaris Third-Party Patch Update : ntp (multiple_vulnerabilities_in_ntp) |
| NASL family | Slackware Local Security Checks | | NASL id | SLACKWARE_SSA_2014-356-01.NASL | | description | New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues. | | last seen | 2017-10-29 | | modified | 2015-11-01 | | plugin id | 80204 | | published | 2014-12-23 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80204 | | title | Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2014-356-01) |
| NASL family | SuSE Local Security Checks | | NASL id | OPENSUSE-2014-792.NASL | | description | The network timeservice ntp was updated to fix critical security issues (bnc#910764, CERT VU#852879)
- A potential remote code execution problem was found inside ntpd. The functions crypto_recv() (when using autokey authentication), ctl_putdata(), and configure() where updated to avoid buffer overflows that could be exploited. (CVE-2014-9295)
- Furthermore a problem inside the ntpd error handling was found that is missing a return statement. This could also lead to a potentially attack vector.
(CVE-2014-9296) | | last seen | 2017-10-29 | | modified | 2015-11-01 | | plugin id | 80151 | | published | 2014-12-22 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=80151 | | title | openSUSE Security Update : ntp (openSUSE-SU-2014:1670-1) |
| NASL family | CISCO | | NASL id | CISCO-SN-CSCUS27229-IOSXR.NASL | | description | The remote Cisco device is running a version of IOS XR software that is affected by the following vulnerabilities :
- Errors exist related to weak cryptographic pseudorandom number generation (PRNG), the functions 'ntp_random' and and 'config_auth', and the 'ntp-keygen' utility. A man-in-the-middle attacker can exploit these to disclose sensitive information. (CVE-2014-9293, CVE-2014-9294)
- Multiple stack-based buffer overflow errors exist in the Network Time Protocol daemon (ntpd), which a remote attacker can exploit to execute arbitrary code or cause a denial of service by using a specially crafted packet.
(CVE-2014-9295)
- An error exists in the 'receive' function in the Network Time Protocol daemon (ntpd) that allows denial of service attacks. (CVE-2014-9296) | | last seen | 2017-10-29 | | modified | 2015-11-01 | | plugin id | 81913 | | published | 2015-03-18 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81913 | | title | Cisco IOS XR NCS 6000 Multiple ntpd Vulnerabilities |
| NASL family | Misc. | | NASL id | NTP_4_2_8.NASL | | description | The version of the remote NTP server is 4.x prior to 4.2.8p1. It is, therefore, affected by the following vulnerabilities :
- A security weakness exists due to the config_auth() function improperly generating default keys when no authentication key is defined in the ntp.conf file.
Key size is limited to 31 bits and the insecure ntp_random() function is used, resulting in cryptographically-weak keys with insufficient entropy. A remote attacker can exploit this to defeat cryptographic protection mechanisms via a brute-force attack.
(CVE-2014-9293)
- A security weakness exists due the use of a weak seed to prepare a random number generator used to generate symmetric keys. This allows a remote attacker to defeat cryptographic protection mechanisms via a brute-force attack. (CVE-2014-9294)
- Multiple stack-based buffer overflow conditions exist due to improper validation of user-supplied input when handling packets in the crypto_recv(), ctl_putdata(), and configure() functions when using autokey authentication. A remote attacker can exploit this, via a specially crafted packet, to cause a denial of service condition or the execution of arbitrary code.
(CVE-2014-9295)
- A unspecified vulnerability exists due to missing return statements in the receive() function, resulting in continued processing even when an authentication error is encountered. This allows a remote attacker, via specially crafted packets, to trigger unintended association changes. (CVE-2014-9296)
- An information disclosure vulnerability exists due to improper validation of the 'vallen' value in extension fields in ntp_crypto.c. A remote attacker can exploit this to disclose sensitive information. (CVE-2014-9750)
- A security bypass vulnerability exists due to a failure to restrict ::1 source addresses on IPv6 interfaces. A remote attacker can exploit this to bypass configured ACLs based on ::1. (CVE-2014-9751)
Note that CVE-2014-9750 and CVE-2014-9751 supersede the discontinued identifiers CVE-2014-9297 and CVE-2014-9298, which were originally cited in the vendor advisory. | | last seen | 2017-10-29 | | modified | 2016-12-07 | | plugin id | 81981 | | published | 2015-03-20 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81981 | | title | Network Time Protocol Daemon (ntpd) 4.x < 4.2.8p1 Multiple Vulnerabilities |
| NASL family | CISCO | | NASL id | CISCO_PRIME_LMS_SA-20141222-NTPD.NASL | | description | According to its self-reported version number, the Cisco Prime LAN Management Solution running on the remote host is affected by multiple vulnerabilities :
- A security weakness exists due to the config_auth() function improperly generating default keys when no authentication key is defined in the 'ntp.conf' file.
Key size is limited to 31 bits and the insecure ntp_random() function is used, resulting in cryptographically weak keys with insufficient entropy.
This allows a remote attacker to defeat cryptographic protection mechanisms via a brute-force attack.
(CVE-2014-9293)
- A security weakness exists due the use of a weak seed to prepare a random number generator used to generate symmetric keys. This allows remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. (CVE-2014-9294)
- Multiple stack-based buffer overflows exist due to improperly validated user-supplied input when handling packets in the crypto_recv(), ctl_putdata(), and configure() functions when using autokey authentication.
This allows a remote attacker, via a specially crafted packet, to cause a denial of service condition or execute arbitrary code. (CVE-2014-9295)
- A unspecified vulnerability exists due to missing return statements in the receive() function, resulting in continued processing even when an authentication error is encountered. This allows a remote attacker, via crafted packets, to trigger unintended association changes. (CVE-2014-9296) | | last seen | 2017-10-29 | | modified | 2015-11-01 | | plugin id | 83877 | | published | 2015-05-28 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=83877 | | title | Cisco Prime LAN Management Solution ntpd Multiple Vulnerabilities |
| NASL family | HP-UX Local Security Checks | | NASL id | HPUX_PHNE_44236.NASL | | description | s700_800 11.23 NTP timeservices upgrade plus utilities :
Potential security vulnerabilities have been identified with HP-UX running NTP. These could be exploited remotely to execute code, create a Denial of Service (DoS), or other vulnerabilities. References:
CVE-2014-9293 - Insufficient Entropy in Pseudo-Random Number Generator (PRNG) (CWE-332) CVE-2014-9294 - Use of Cryptographically Weak PRNG (CWE-338) CVE-2014-9295 - Stack Buffer Overflow (CWE-121) CVE-2014-9296 - Error Conditions, Return Values, Status Codes (CWE-389) CVE-2014-9297 - Improper Check for Unusual or Exceptional Conditions (CWE-754) SSRT101872 VU#852879. | | last seen | 2017-10-29 | | modified | 2015-11-01 | | plugin id | 82683 | | published | 2015-04-10 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=82683 | | title | HP-UX PHNE_44236 : s700_800 11.23 NTP timeservices upgrade plus utilities |
| NASL family | CGI abuses | | NASL id | CISCO-SA-20141222-NTPD-PRSM.NASL | | description | According to its self-reported version number, the version of Cisco Prime Security Manager running on the remote host is prior to 9.3.3.2.
It is, therefore, affected by multiple vulnerabilities in the bundled NTP libraries :
- A security weakness exists due to the config_auth() function improperly generating default keys when no authentication key is defined in the 'ntp.conf' file.
Key size is limited to 31 bits and the insecure ntp_random() function is used, resulting in cryptographically-weak keys with insufficient entropy.
This allows a remote attacker to defeat cryptographic protection mechanisms via a brute-force attack.
(CVE-2014-9293)
- A security weakness exists due the use of a weak seed to prepare a random number generator used to generate symmetric keys. This allows remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. (CVE-2014-9294)
- Multiple stack-based buffer overflows exist due to improperly validated user-supplied input when handling packets in the crypto_recv(), ctl_putdata(), and configure() functions when using autokey authentication.
This allows a remote attacker, via a specially crafted packet, to cause a denial of service condition or execute arbitrary code. (CVE-2014-9295)
- A unspecified vulnerability exists due to missing return statements in the receive() function, resulting in continued processing even when an authentication error is encountered. This allows a remote attacker, via crafted packets, to trigger unintended association changes. (CVE-2014-9296) | | last seen | 2018-06-14 | | modified | 2018-06-13 | | plugin id | 81980 | | published | 2015-03-20 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81980 | | title | Cisco Prime Security Manager Network Time Protocol Daemon (ntpd) Multiple Vulnerabilities (cisco-sa-20141222-ntpd) |
| NASL family | CISCO | | NASL id | CISCO-SA-20141222-NTPD-NXOS.NASL | | description | The remote Cisco device is running a version of NX-OS software that is affected by the following vulnerabilities :
- Errors exist related to weak cryptographic pseudorandom number generation (PRNG), the functions 'ntp_random' and and 'config_auth', and the 'ntp-keygen' utility. A man-in-the-middle attacker can exploit these to disclose sensitive information. (CVE-2014-9293, CVE-2014-9294)
- Multiple stack-based buffer overflow errors exist in the Network Time Protocol daemon (ntpd), which a remote attacker can exploit to execute arbitrary code or cause a denial of service by using a specially crafted packet.
(CVE-2014-9295)
- An error exists in the 'receive' function in the Network Time Protocol daemon (ntpd) that allows denial of service attacks. (CVE-2014-9296) | | last seen | 2017-10-29 | | modified | 2015-11-01 | | plugin id | 81911 | | published | 2015-03-18 | | reporter | Tenable | | source | https://www.tenable.com/plugins/index.php?view=single&id=81911 | | title | Cisco NX-OS Multiple ntpd Vulnerabilities |
|
