ID CVE-2014-9296
Summary The receive function in ntp_proto.c in ntpd in NTP before 4.2.8 continues to execute after detecting a certain authentication error, which might allow remote attackers to trigger an unintended association change via crafted packets.
References
Vulnerable Configurations
  • NTP 4.2.7
    cpe:2.3:a:ntp:ntp:4.2.7
CVSS
Base: 5.0 (as of 22-12-2014 - 04:04)
Impact: 2.9
Exploitability: 10.0
CWE CWE-17
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: NONE
Integrity: NONE
Availability: PARTIAL
Certvn vFeed
certvuid VU#852879
certvulink http://www.kb.cert.org/vuls/id/852879
Hp vFeed
hpid HPSBGN03277
hplink http://marc.info/?l=bugtraq&m=142590659431171&w=2
Mandriva vFeed
mandrivaid MDVSA-2015:003
Nessus vFeed
nessus_script_family Red Hat Local Security Checks
nessus_script_file redhat-RHSA-2014-2024.nasl
nessus_script_id 80160
nessus_script_name RHEL 6 / 7 : ntp (RHSA-2014:2024)
Openvas vFeed
openvas_script_family Debian Local Security Checks
openvas_script_file deb_3108.nasl
openvas_script_id 703108
openvas_script_name Debian Security Advisory DSA 3108-1 (ntp - security update)
Oval vFeed
cpeid
ovalclass patch
ovalid oval:org.mitre.oval:def:28264
ovaltitle USN-2449-1 -- NTP vulnerabilities
Redhat vFeed
redhatid RHSA-2014:2024
redhatovalid oval:com.redhat.rhsa:def:20142024
redhatupdatedesc RHSA-2014:2024: ntp security update (Important)
Scip vFeed
scipid 68455
sciplink http://www.scip.ch/en/?vuldb.68455
Redhat_Bugzilla vFeed
advisory_dateissue 2014-12-20
bugzillaid 1176040
bugzillatitle CVE-2014-9296 ntp: receive() missing return on error
redhatid RHSA-2014:2024
Last major update 12-03-2015 - 02:01
Published 20-12-2014 - 02:59
Last modified 03-01-2017 - 02:59