ID CVE-2014-9296
Summary The receive function in ntp_proto.c in ntpd in NTP before 4.2.8 continues to execute after detecting a certain authentication error, which might allow remote attackers to trigger an unintended association change via crafted packets.
References
Vulnerable Configurations
  • NTP 4.2.7
    cpe:2.3:a:ntp:ntp:4.2.7
CVSS
Base: 5.0 (as of 01-11-2016 - 13:05)
Impact:
Exploitability:
CWE CWE-17
CAPEC
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: NONE
Integrity: NONE
Availability: PARTIAL
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-116.NASL
    description Several vulnerabilities were discovered in the ntp package, an implementation of the Network Time Protocol. CVE-2014-9293 ntpd generated a weak key for its internal use, with full administrative privileges. Attackers could use this key to reconfigure ntpd (or to exploit other vulnerabilities). CVE-2014-9294 The ntp-keygen utility generated weak MD5 keys with insufficient entropy. CVE-2014-9295 ntpd had several buffer overflows (both on the stack and in the data section), allowing remote authenticated attackers to crash ntpd or potentially execute arbitrary code. CVE-2014-9296 The general packet processing function in ntpd did not handle an error case correctly. The default ntpd configuration in Debian restricts access to localhost (and possibly the adjacent network in case of IPv6). Keys explicitly generated by 'ntp-keygen -M' should be regenerated. For the oldstable distribution (squeeze), these problems have been fixed in version 4.2.6.p2+dfsg-1+deb6u1. We recommend that you upgrade your heirloom-mailx packages. Thanks to Florian Weimer for the Red Hat security update. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2015-12-02
    plugin id 82099
    published 2015-03-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82099
    title Debian DLA-116-1 : ntp security update
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-17367.NASL
    description Security fix for CVE-2014-9294, CVE-2014-9295, CVE-2014-9293, CVE-2014-9296 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2015-11-01
    plugin id 80237
    published 2014-12-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80237
    title Fedora 21 : ntp-4.2.6p5-25.fc21 (2014-17367)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2014-0085.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - don't generate weak control key for resolver (CVE-2014-9293) - don't generate weak MD5 keys in ntp-keygen (CVE-2014-9294) - fix buffer overflows via specially-crafted packets (CVE-2014-9295) - don't mobilize passive association when authentication fails (CVE-2014-9296)
    last seen 2017-10-29
    modified 2017-02-14
    plugin id 80248
    published 2014-12-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80248
    title OracleVM 3.3 : ntp (OVMSA-2014-0085)
  • NASL family CISCO
    NASL id CISCO-SN-CSCUS27229-IOSXR.NASL
    description The remote Cisco device is running a version of IOS XR software that is affected by the following vulnerabilities : - Errors exist related to weak cryptographic pseudorandom number generation (PRNG), the functions 'ntp_random' and 'config_auth', and the 'ntp-keygen' utility. A man-in-the-middle attacker can exploit these to disclose sensitive information. (CVE-2014-9293, CVE-2014-9294) - Multiple stack-based buffer overflow errors exist in the Network Time Protocol daemon (ntpd), which a remote attacker can exploit to execute arbitrary code or cause a denial of service by using a specially crafted packet. (CVE-2014-9295) - An error exists in the 'receive' function in the Network Time Protocol daemon (ntpd) that allows denial of service attacks. (CVE-2014-9296)
    last seen 2017-10-29
    modified 2015-11-01
    plugin id 81913
    published 2015-03-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81913
    title Cisco IOS XR NCS 6000 Multiple ntpd Vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2014-2024.NASL
    description Updated ntp packages that fix several security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use either of these flaws to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the ntp user. Note: the crypto_recv() flaw requires non-default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited via local attackers, and the configure() flaw requires additional authentication to exploit. (CVE-2014-9295) It was found that ntpd automatically generated weak keys for its internal use if no ntpdc request authentication key was specified in the ntp.conf configuration file. A remote attacker able to match the configured IP restrictions could guess the generated key, and possibly use it to send ntpdc query or configuration requests. (CVE-2014-9293) It was found that ntp-keygen used a weak method for generating MD5 keys. This could possibly allow an attacker to guess generated MD5 keys that could then be used to spoof an NTP client or server. Note: it is recommended to regenerate any MD5 keys that had explicitly been generated with ntp-keygen; the default installation does not contain such keys. (CVE-2014-9294) A missing return statement in the receive() function could potentially allow a remote attacker to bypass NTP's authentication mechanism. (CVE-2014-9296) All ntp users are advised to upgrade to this updated package, which contains backported patches to resolve these issues. After installing the update, the ntpd daemon will restart automatically.
    last seen 2017-10-29
    modified 2017-01-06
    plugin id 80160
    published 2014-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80160
    title RHEL 6 / 7 : ntp (RHSA-2014:2024)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_4033D82687DD11E490793C970E169BC2.NASL
    description CERT reports : The Network Time Protocol (NTP) provides networked systems with a way to synchronize time for various services and applications. ntpd version 4.2.7 and previous versions allow attackers to overflow several buffers in a way that may allow malicious code to be executed. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. The buffer overflow vulnerabilities in ntpd may allow a remote unauthenticated attacker to execute arbitrary malicious code with the privilege level of the ntpd process. The weak default key and non-cryptographic random number generator in ntp-keygen may allow an attacker to gain information regarding the integrity checking and authentication encryption schemes.
    last seen 2017-10-29
    modified 2017-07-06
    plugin id 80149
    published 2014-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80149
    title FreeBSD : ntp -- multiple vulnerabilities (4033d826-87dd-11e4-9079-3c970e169bc2)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS11_NTP_20150120.NASL
    description The remote Solaris system is missing necessary patches to address security updates : - Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8 allow remote attackers to execute arbitrary code via a crafted packet, related to (1) the crypto_recv function when the Autokey Authentication feature is used, (2) the ctl_putdata function, and (3) the configure function. (CVE-2014-9295) - The receive function in ntp_proto.c in ntpd in NTP before 4.2.8 continues to execute after detecting a certain authentication error, which might allow remote attackers to trigger an unintended association change via crafted packets. (CVE-2014-9296)
    last seen 2017-10-29
    modified 2015-11-01
    plugin id 80934
    published 2015-01-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80934
    title Oracle Solaris Third-Party Patch Update : ntp (multiple_vulnerabilities_in_ntp)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-140.NASL
    description Updated ntp packages fix security vulnerabilities : If no authentication key is defined in the ntp.conf file, a cryptographically-weak default key is generated (CVE-2014-9293). ntp-keygen before 4.2.7p230 uses a non-cryptographic random number generator with a weak seed to generate symmetric keys (CVE-2014-9294). A remote unauthenticated attacker may craft special packets that trigger buffer overflows in the ntpd functions crypto_recv() (when using autokey authentication), ctl_putdata(), and configure(). The resulting buffer overflows may be exploited to allow arbitrary malicious code to be executed with the privilege of the ntpd process (CVE-2014-9295). A section of code in ntpd handling a rare error is missing a return statement, therefore processing did not stop when the error was encountered. This situation may be exploitable by an attacker (CVE-2014-9296). Stephen Roettger of the Google Security Team, Sebastian Krahmer of the SUSE Security Team and Harlan Stenn of Network Time Foundation discovered that the length value in extension fields is not properly validated in several code paths in ntp_crypto.c, which could lead to information leakage or denial of service (CVE-2014-9297). Stephen Roettger of the Google Security Team reported that ACLs based on IPv6 ::1 (localhost) addresses can be bypassed (CVE-2014-9298). The ntp package has been patched to fix these issues.
    last seen 2017-10-29
    modified 2015-11-01
    plugin id 82393
    published 2015-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82393
    title Mandriva Linux Security Advisory : ntp (MDVSA-2015:140)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2014-356-01.NASL
    description New ntp packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.
    last seen 2017-10-29
    modified 2015-11-01
    plugin id 80204
    published 2014-12-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80204
    title Slackware 13.0 / 13.1 / 13.37 / 14.0 / 14.1 / current : ntp (SSA:2014-356-01)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2014-792.NASL
    description The network timeservice ntp was updated to fix critical security issues (bnc#910764, CERT VU#852879) - A potential remote code execution problem was found inside ntpd. The functions crypto_recv() (when using autokey authentication), ctl_putdata(), and configure() were updated to avoid buffer overflows that could be exploited. (CVE-2014-9295) - Furthermore a problem inside the ntpd error handling was found that is missing a return statement. This could also lead to a potential attack vector. (CVE-2014-9296)
    last seen 2017-10-29
    modified 2015-11-01
    plugin id 80151
    published 2014-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80151
    title openSUSE Security Update : ntp (openSUSE-SU-2014:1670-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-0104.NASL
    description Updated ntp packages that fix several security issues are now available for Red Hat Enterprise Linux 6.5 Extended Update Support. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use either of these flaws to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the ntp user. Note: the crypto_recv() flaw requires non-default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited via local attackers, and the configure() flaw requires additional authentication to exploit. (CVE-2014-9295) It was found that ntpd automatically generated weak keys for its internal use if no ntpdc request authentication key was specified in the ntp.conf configuration file. A remote attacker able to match the configured IP restrictions could guess the generated key, and possibly use it to send ntpdc query or configuration requests. (CVE-2014-9293) It was found that ntp-keygen used a weak method for generating MD5 keys. This could possibly allow an attacker to guess generated MD5 keys that could then be used to spoof an NTP client or server. Note: it is recommended to regenerate any MD5 keys that had explicitly been generated with ntp-keygen; the default installation does not contain such keys. (CVE-2014-9294) A missing return statement in the receive() function could potentially allow a remote attacker to bypass NTP's authentication mechanism. (CVE-2014-9296) All ntp users are advised to upgrade to this updated package, which contains backported patches to resolve these issues. After installing the update, the ntpd daemon will restart automatically.
    last seen 2017-10-29
    modified 2017-01-06
    plugin id 81071
    published 2015-01-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81071
    title RHEL 6 : ntp (RHSA-2015:0104)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-003.NASL
    description Updated ntp packages fix security vulnerabilities : If no authentication key is defined in the ntp.conf file, a cryptographically-weak default key is generated (CVE-2014-9293). ntp-keygen before 4.2.7p230 uses a non-cryptographic random number generator with a weak seed to generate symmetric keys (CVE-2014-9294). A remote unauthenticated attacker may craft special packets that trigger buffer overflows in the ntpd functions crypto_recv() (when using autokey authentication), ctl_putdata(), and configure(). The resulting buffer overflows may be exploited to allow arbitrary malicious code to be executed with the privilege of the ntpd process (CVE-2014-9295). A section of code in ntpd handling a rare error is missing a return statement, therefore processing did not stop when the error was encountered. This situation may be exploitable by an attacker (CVE-2014-9296). The ntp package has been patched to fix these issues.
    last seen 2017-10-29
    modified 2015-11-01
    plugin id 80384
    published 2015-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80384
    title Mandriva Linux Security Advisory : ntp (MDVSA-2015:003)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-17395.NASL
    description Security fix for CVE-2014-9294, CVE-2014-9295, CVE-2014-9293, CVE-2014-9296 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2015-11-01
    plugin id 80310
    published 2015-01-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80310
    title Fedora 19 : ntp-4.2.6p5-13.fc19 (2014-17395)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2014-462.NASL
    description It was found that ntpd automatically generated weak keys for its internal use if no ntpdc request authentication key was specified in the ntp.conf configuration file. A remote attacker able to match the configured IP restrictions could guess the generated key, and possibly use it to send ntpdc query or configuration requests. (CVE-2014-9293) It was found that ntp-keygen used a weak method for generating MD5 keys. This could possibly allow an attacker to guess generated MD5 keys that could then be used to spoof an NTP client or server. Note: it is recommended to regenerate any MD5 keys that had explicitly been generated with ntp-keygen; the default installation does not contain such keys. (CVE-2014-9294) Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use either of these flaws to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the ntp user. Note: the crypto_recv() flaw requires non-default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited via local attackers, and the configure() flaw requires additional authentication to exploit. (CVE-2014-9295) A missing return statement in the receive() function could potentially allow a remote attacker to bypass NTP's authentication mechanism. (CVE-2014-9296)
    last seen 2017-10-29
    modified 2015-11-01
    plugin id 80122
    published 2014-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80122
    title Amazon Linux AMI : ntp (ALAS-2014-462)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2014-2024.NASL
    description Updated ntp packages that fix several security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use either of these flaws to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the ntp user. Note: the crypto_recv() flaw requires non-default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited via local attackers, and the configure() flaw requires additional authentication to exploit. (CVE-2014-9295) It was found that ntpd automatically generated weak keys for its internal use if no ntpdc request authentication key was specified in the ntp.conf configuration file. A remote attacker able to match the configured IP restrictions could guess the generated key, and possibly use it to send ntpdc query or configuration requests. (CVE-2014-9293) It was found that ntp-keygen used a weak method for generating MD5 keys. This could possibly allow an attacker to guess generated MD5 keys that could then be used to spoof an NTP client or server. Note: it is recommended to regenerate any MD5 keys that had explicitly been generated with ntp-keygen; the default installation does not contain such keys. (CVE-2014-9294) A missing return statement in the receive() function could potentially allow a remote attacker to bypass NTP's authentication mechanism. (CVE-2014-9296) All ntp users are advised to upgrade to this updated package, which contains backported patches to resolve these issues. After installing the update, the ntpd daemon will restart automatically.
    last seen 2017-10-29
    modified 2015-11-01
    plugin id 80124
    published 2014-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80124
    title CentOS 6 / 7 : ntp (CESA-2014:2024)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201412-34.NASL
    description The remote host is affected by the vulnerability described in GLSA-201412-34 (NTP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in NTP. Please review the CVE identifiers referenced below for details. Impact : A remote unauthenticated attacker may be able to execute arbitrary code with the privileges of the process, cause a Denial of Service condition, and obtain sensitive information that could assist in other attacks. Workaround : There is no known workaround at this time.
    last seen 2017-10-29
    modified 2015-11-01
    plugin id 80239
    published 2014-12-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80239
    title GLSA-201412-34 : NTP: Multiple vulnerabilities
  • NASL family CISCO
    NASL id CISCO-SA-20141222-NTPD-PRIME_DCNM.NASL
    description According to its self-reported version number, the Cisco Prime Data Center Network Manager (DCNM) running on the remote host is affected by multiple vulnerabilities : - A security weakness exists due to the config_auth() function improperly generating default keys when no authentication key is defined in the 'ntp.conf' file. Key size is limited to 31 bits and the insecure ntp_random() function is used, resulting in cryptographically weak keys with insufficient entropy. This allows a remote attacker to defeat cryptographic protection mechanisms via a brute-force attack. (CVE-2014-9293) - A security weakness exists due to the use of a weak seed to prepare a random number generator used to generate symmetric keys. This allows remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. (CVE-2014-9294) - Multiple stack-based buffer overflows exist due to improperly validated user-supplied input when handling packets in the crypto_recv(), ctl_putdata(), and configure() functions when using autokey authentication. This allows a remote attacker, via a specially crafted packet, to cause a denial of service condition or execute arbitrary code. (CVE-2014-9295) - An unspecified vulnerability exists due to missing return statements in the receive() function, resulting in continued processing even when an authentication error is encountered. This allows a remote attacker, via crafted packets, to trigger unintended association changes. (CVE-2014-9296) - A security bypass vulnerability exists in the function read_network_packet() due to a failure to restrict ::1 source addresses on IPv6 interfaces. This allows a remote attacker to bypass configured ACLs based on ::1. (CVE-2014-9298) This plugin determines if DCNM is vulnerable by checking the version number displayed in the web interface. The web interface is not available in older versions of DCNM.
    last seen 2017-10-29
    modified 2015-11-01
    plugin id 83876
    published 2015-05-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83876
    title Cisco Prime Data Center Network Manager ntpd Multiple Vulnerabilities (uncredentialed check)
  • NASL family CGI abuses
    NASL id CISCO-SA-20141222-NTPD-PRSM.NASL
    description According to its self-reported version number, the version of Cisco Prime Security Manager running on the remote host is prior to 9.3.3.2. It is, therefore, affected by multiple vulnerabilities in the bundled NTP libraries : - A security weakness exists due to the config_auth() function improperly generating default keys when no authentication key is defined in the 'ntp.conf' file. Key size is limited to 31 bits and the insecure ntp_random() function is used, resulting in cryptographically-weak keys with insufficient entropy. This allows a remote attacker to defeat cryptographic protection mechanisms via a brute-force attack. (CVE-2014-9293) - A security weakness exists due to the use of a weak seed to prepare a random number generator used to generate symmetric keys. This allows remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. (CVE-2014-9294) - Multiple stack-based buffer overflows exist due to improperly validated user-supplied input when handling packets in the crypto_recv(), ctl_putdata(), and configure() functions when using autokey authentication. This allows a remote attacker, via a specially crafted packet, to cause a denial of service condition or execute arbitrary code. (CVE-2014-9295) - An unspecified vulnerability exists due to missing return statements in the receive() function, resulting in continued processing even when an authentication error is encountered. This allows a remote attacker, via crafted packets, to trigger unintended association changes. (CVE-2014-9296)
    last seen 2017-10-29
    modified 2015-11-01
    plugin id 81980
    published 2015-03-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81980
    title Cisco Prime Security Manager Network Time Protocol Daemon (ntpd) Multiple Vulnerabilities (cisco-sa-20141222-ntpd)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2014-2024.NASL
    description From Red Hat Security Advisory 2014:2024 : Updated ntp packages that fix several security issues are now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use either of these flaws to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the ntp user. Note: the crypto_recv() flaw requires non-default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited via local attackers, and the configure() flaw requires additional authentication to exploit. (CVE-2014-9295) It was found that ntpd automatically generated weak keys for its internal use if no ntpdc request authentication key was specified in the ntp.conf configuration file. A remote attacker able to match the configured IP restrictions could guess the generated key, and possibly use it to send ntpdc query or configuration requests. (CVE-2014-9293) It was found that ntp-keygen used a weak method for generating MD5 keys. This could possibly allow an attacker to guess generated MD5 keys that could then be used to spoof an NTP client or server. Note: it is recommended to regenerate any MD5 keys that had explicitly been generated with ntp-keygen; the default installation does not contain such keys. (CVE-2014-9294) A missing return statement in the receive() function could potentially allow a remote attacker to bypass NTP's authentication mechanism. (CVE-2014-9296) All ntp users are advised to upgrade to this updated package, which contains backported patches to resolve these issues. After installing the update, the ntpd daemon will restart automatically.
    last seen 2017-10-29
    modified 2015-12-01
    plugin id 80154
    published 2014-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80154
    title Oracle Linux 6 / 7 : ntp (ELSA-2014-2024)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2014-17361.NASL
    description Security fix for CVE-2014-9294, CVE-2014-9295, CVE-2014-9293, CVE-2014-9296 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2015-11-01
    plugin id 80147
    published 2014-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80147
    title Fedora 20 : ntp-4.2.6p5-19.fc20 (2014-17361)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-3108.NASL
    description Several vulnerabilities were discovered in the ntp package, an implementation of the Network Time Protocol. - CVE-2014-9293 ntpd generated a weak key for its internal use, with full administrative privileges. Attackers could use this key to reconfigure ntpd (or to exploit other vulnerabilities). - CVE-2014-9294 The ntp-keygen utility generated weak MD5 keys with insufficient entropy. - CVE-2014-9295 ntpd had several buffer overflows (both on the stack and in the data section), allowing remote authenticated attackers to crash ntpd or potentially execute arbitrary code. - CVE-2014-9296 The general packet processing function in ntpd did not handle an error case correctly. The default ntpd configuration in Debian restricts access to localhost (and possibly the adjacent network in case of IPv6). Keys explicitly generated by 'ntp-keygen -M' should be regenerated.
    last seen 2017-10-29
    modified 2015-11-01
    plugin id 80208
    published 2014-12-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80208
    title Debian DSA-3108-1 : ntp - security update
  • NASL family HP-UX Local Security Checks
    NASL id HPUX_PHNE_44235.NASL
    description s700_800 11.11 NTP timeservices upgrade plus utilities : Potential security vulnerabilities have been identified with HP-UX running NTP. These could be exploited remotely to execute code, create a Denial of Service (DoS), or other vulnerabilities. References: CVE-2014-9293 - Insufficient Entropy in Pseudo-Random Number Generator (PRNG) (CWE-332) CVE-2014-9294 - Use of Cryptographically Weak PRNG (CWE-338) CVE-2014-9295 - Stack Buffer Overflow (CWE-121) CVE-2014-9296 - Error Conditions, Return Values, Status Codes (CWE-389) CVE-2014-9297 - Improper Check for Unusual or Exceptional Conditions (CWE-754) SSRT101872 VU#852879.
    last seen 2017-10-29
    modified 2015-11-01
    plugin id 82682
    published 2015-04-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82682
    title HP-UX PHNE_44235 : s700_800 11.11 NTP timeservices upgrade plus utilities
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20141220_NTP_ON_SL6_X.NASL
    description Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use either of these flaws to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the ntp user. Note: the crypto_recv() flaw requires non-default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited via local attackers, and the configure() flaw requires additional authentication to exploit. (CVE-2014-9295) It was found that ntpd automatically generated weak keys for its internal use if no ntpdc request authentication key was specified in the ntp.conf configuration file. A remote attacker able to match the configured IP restrictions could guess the generated key, and possibly use it to send ntpdc query or configuration requests. (CVE-2014-9293) It was found that ntp-keygen used a weak method for generating MD5 keys. This could possibly allow an attacker to guess generated MD5 keys that could then be used to spoof an NTP client or server. Note: it is recommended to regenerate any MD5 keys that had explicitly been generated with ntp-keygen; the default installation does not contain such keys. (CVE-2014-9294) A missing return statement in the receive() function could potentially allow a remote attacker to bypass NTP's authentication mechanism. (CVE-2014-9296) After installing the update, the ntpd daemon will restart automatically.
    last seen 2017-10-29
    modified 2015-11-01
    plugin id 80164
    published 2014-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80164
    title Scientific Linux Security Update : ntp on SL6.x, SL7.x i386/x86_64
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2449-1.NASL
    description Neel Mehta discovered that NTP generated weak authentication keys. A remote attacker could possibly use this issue to brute force the authentication key and send requests if permitted by IP restrictions. (CVE-2014-9293) Stephen Roettger discovered that NTP generated weak MD5 keys. A remote attacker could possibly use this issue to brute force the MD5 key and spoof a client or server. (CVE-2014-9294) Stephen Roettger discovered that NTP contained buffer overflows in the crypto_recv(), ctl_putdata() and configure() functions. In non-default configurations, a remote attacker could use these issues to cause NTP to crash, resulting in a denial of service, or possibly execute arbitrary code. The default compiler options for affected releases should reduce the vulnerability to a denial of service. In addition, attackers would be isolated by the NTP AppArmor profile. (CVE-2014-9295) Stephen Roettger discovered that NTP incorrectly continued processing when handling certain errors. (CVE-2014-9296). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2017-10-29
    modified 2016-05-24
    plugin id 80218
    published 2014-12-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80218
    title Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : ntp vulnerabilities (USN-2449-1)
  • NASL family CISCO
    NASL id CISCO-SN-CSCUS26956-IOSXR.NASL
    description The remote Cisco device is running a version of IOS XR software that is affected by the following vulnerabilities : - Errors exist related to weak cryptographic pseudorandom number generation (PRNG), the functions 'ntp_random' and 'config_auth', and the 'ntp-keygen' utility. A man-in-the-middle attacker can exploit these to disclose sensitive information. (CVE-2014-9293, CVE-2014-9294) - Multiple stack-based buffer overflow errors exist in the Network Time Protocol daemon (ntpd), which a remote attacker can exploit to execute arbitrary code or cause a denial of service by using a specially crafted packet. (CVE-2014-9295) - An error exists in the 'receive' function in the Network Time Protocol daemon (ntpd) that allows denial of service attacks. (CVE-2014-9296)
    last seen 2017-10-29
    modified 2015-11-01
    plugin id 81912
    published 2015-03-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81912
    title Cisco IOS XR Multiple ntpd Vulnerabilities
  • NASL family Misc.
    NASL id NTP_4_2_8.NASL
    description The version of the remote NTP server is 4.x prior to 4.2.8p1. It is, therefore, affected by the following vulnerabilities : - A security weakness exists due to the config_auth() function improperly generating default keys when no authentication key is defined in the ntp.conf file. Key size is limited to 31 bits and the insecure ntp_random() function is used, resulting in cryptographically-weak keys with insufficient entropy. A remote attacker can exploit this to defeat cryptographic protection mechanisms via a brute-force attack. (CVE-2014-9293) - A security weakness exists due to the use of a weak seed to prepare a random number generator used to generate symmetric keys. This allows a remote attacker to defeat cryptographic protection mechanisms via a brute-force attack. (CVE-2014-9294) - Multiple stack-based buffer overflow conditions exist due to improper validation of user-supplied input when handling packets in the crypto_recv(), ctl_putdata(), and configure() functions when using autokey authentication. A remote attacker can exploit this, via a specially crafted packet, to cause a denial of service condition or the execution of arbitrary code. (CVE-2014-9295) - An unspecified vulnerability exists due to missing return statements in the receive() function, resulting in continued processing even when an authentication error is encountered. This allows a remote attacker, via specially crafted packets, to trigger unintended association changes. (CVE-2014-9296) - An information disclosure vulnerability exists due to improper validation of the 'vallen' value in extension fields in ntp_crypto.c. A remote attacker can exploit this to disclose sensitive information. (CVE-2014-9750) - A security bypass vulnerability exists due to a failure to restrict ::1 source addresses on IPv6 interfaces. A remote attacker can exploit this to bypass configured ACLs based on ::1. (CVE-2014-9751) Note that CVE-2014-9750 and CVE-2014-9751 supersede the discontinued identifiers CVE-2014-9297 and CVE-2014-9298, which were originally cited in the vendor advisory.
    last seen 2017-10-29
    modified 2016-12-07
    plugin id 81981
    published 2015-03-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81981
    title Network Time Protocol Daemon (ntpd) 4.x < 4.2.8p1 Multiple Vulnerabilities
  • NASL family HP-UX Local Security Checks
    NASL id HPUX_PHNE_44236.NASL
    description s700_800 11.23 NTP timeservices upgrade plus utilities : Potential security vulnerabilities have been identified with HP-UX running NTP. These could be exploited remotely to execute code, create a Denial of Service (DoS), or other vulnerabilities. References: CVE-2014-9293 - Insufficient Entropy in Pseudo-Random Number Generator (PRNG) (CWE-332) CVE-2014-9294 - Use of Cryptographically Weak PRNG (CWE-338) CVE-2014-9295 - Stack Buffer Overflow (CWE-121) CVE-2014-9296 - Error Conditions, Return Values, Status Codes (CWE-389) CVE-2014-9297 - Improper Check for Unusual or Exceptional Conditions (CWE-754) SSRT101872 VU#852879.
    last seen 2017-10-29
    modified 2015-11-01
    plugin id 82683
    published 2015-04-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82683
    title HP-UX PHNE_44236 : s700_800 11.23 NTP timeservices upgrade plus utilities
  • NASL family CISCO
    NASL id CISCO_PRIME_LMS_SA-20141222-NTPD.NASL
    description According to its self-reported version number, the Cisco Prime LAN Management Solution running on the remote host is affected by multiple vulnerabilities : - A security weakness exists due to the config_auth() function improperly generating default keys when no authentication key is defined in the 'ntp.conf' file. Key size is limited to 31 bits and the insecure ntp_random() function is used, resulting in cryptographically weak keys with insufficient entropy. This allows a remote attacker to defeat cryptographic protection mechanisms via a brute-force attack. (CVE-2014-9293) - A security weakness exists due to the use of a weak seed to prepare a random number generator used to generate symmetric keys. This allows remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. (CVE-2014-9294) - Multiple stack-based buffer overflows exist due to improperly validated user-supplied input when handling packets in the crypto_recv(), ctl_putdata(), and configure() functions when using autokey authentication. This allows a remote attacker, via a specially crafted packet, to cause a denial of service condition or execute arbitrary code. (CVE-2014-9295) - An unspecified vulnerability exists due to missing return statements in the receive() function, resulting in continued processing even when an authentication error is encountered. This allows a remote attacker, via crafted packets, to trigger unintended association changes. (CVE-2014-9296)
    last seen 2017-10-29
    modified 2015-11-01
    plugin id 83877
    published 2015-05-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83877
    title Cisco Prime LAN Management Solution ntpd Multiple Vulnerabilities
  • NASL family CISCO
    NASL id CISCO-SA-20141222-NTPD-NXOS.NASL
    description The remote Cisco device is running a version of NX-OS software that is affected by the following vulnerabilities : - Errors exist related to weak cryptographic pseudorandom number generation (PRNG), the functions 'ntp_random' and 'config_auth', and the 'ntp-keygen' utility. A man-in-the-middle attacker can exploit these to disclose sensitive information. (CVE-2014-9293, CVE-2014-9294) - Multiple stack-based buffer overflow errors exist in the Network Time Protocol daemon (ntpd), which a remote attacker can exploit to execute arbitrary code or cause a denial of service by using a specially crafted packet. (CVE-2014-9295) - An error exists in the 'receive' function in the Network Time Protocol daemon (ntpd) that allows denial of service attacks. (CVE-2014-9296)
    last seen 2017-10-29
    modified 2015-11-01
    plugin id 81911
    published 2015-03-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81911
    title Cisco NX-OS Multiple ntpd Vulnerabilities
redhat via4
advisories
  • bugzilla
    id 1176040
    title CVE-2014-9296 ntp: receive() missing return on error
    oval
    OR
    • AND
      • OR
        • comment Red Hat Enterprise Linux 7 Client is installed
          oval oval:com.redhat.rhsa:tst:20140675001
        • comment Red Hat Enterprise Linux 7 Server is installed
          oval oval:com.redhat.rhsa:tst:20140675002
        • comment Red Hat Enterprise Linux 7 Workstation is installed
          oval oval:com.redhat.rhsa:tst:20140675003
        • comment Red Hat Enterprise Linux 7 ComputeNode is installed
          oval oval:com.redhat.rhsa:tst:20140675004
      • OR
        • AND
          • comment ntp is earlier than 0:4.2.6p5-19.el7_0
            oval oval:com.redhat.rhsa:tst:20142024005
          • comment ntp is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20142024006
        • AND
          • comment ntp-doc is earlier than 0:4.2.6p5-19.el7_0
            oval oval:com.redhat.rhsa:tst:20142024009
          • comment ntp-doc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20142024010
        • AND
          • comment ntp-perl is earlier than 0:4.2.6p5-19.el7_0
            oval oval:com.redhat.rhsa:tst:20142024013
          • comment ntp-perl is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20142024014
        • AND
          • comment ntpdate is earlier than 0:4.2.6p5-19.el7_0
            oval oval:com.redhat.rhsa:tst:20142024011
          • comment ntpdate is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20142024012
        • AND
          • comment sntp is earlier than 0:4.2.6p5-19.el7_0
            oval oval:com.redhat.rhsa:tst:20142024007
          • comment sntp is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20142024008
    • AND
      • OR
        • comment Red Hat Enterprise Linux 6 Client is installed
          oval oval:com.redhat.rhsa:tst:20100842001
        • comment Red Hat Enterprise Linux 6 Server is installed
          oval oval:com.redhat.rhsa:tst:20100842002
        • comment Red Hat Enterprise Linux 6 Workstation is installed
          oval oval:com.redhat.rhsa:tst:20100842003
        • comment Red Hat Enterprise Linux 6 ComputeNode is installed
          oval oval:com.redhat.rhsa:tst:20100842004
      • OR
        • AND
          • comment ntp is earlier than 0:4.2.6p5-2.el6_6
            oval oval:com.redhat.rhsa:tst:20142024019
          • comment ntp is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20142024006
        • AND
          • comment ntp-doc is earlier than 0:4.2.6p5-2.el6_6
            oval oval:com.redhat.rhsa:tst:20142024022
          • comment ntp-doc is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20142024010
        • AND
          • comment ntp-perl is earlier than 0:4.2.6p5-2.el6_6
            oval oval:com.redhat.rhsa:tst:20142024020
          • comment ntp-perl is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20142024014
        • AND
          • comment ntpdate is earlier than 0:4.2.6p5-2.el6_6
            oval oval:com.redhat.rhsa:tst:20142024021
          • comment ntpdate is signed with Red Hat redhatrelease2 key
            oval oval:com.redhat.rhsa:tst:20142024012
    rhsa
    id RHSA-2014:2024
    released 2014-12-20
    severity Important
    title RHSA-2014:2024: ntp security update (Important)
  • rhsa
    id RHSA-2015:0104
rpms
  • ntp-0:4.2.6p5-19.el7_0
  • ntp-doc-0:4.2.6p5-19.el7_0
  • ntp-perl-0:4.2.6p5-19.el7_0
  • ntpdate-0:4.2.6p5-19.el7_0
  • sntp-0:4.2.6p5-19.el7_0
  • ntp-0:4.2.6p5-2.el6_6
  • ntp-doc-0:4.2.6p5-2.el6_6
  • ntp-perl-0:4.2.6p5-2.el6_6
  • ntpdate-0:4.2.6p5-2.el6_6
refmap via4
bid 71758
cert-vn VU#852879
cisco 20141222 Multiple Vulnerabilities in ntpd Affecting Cisco Products
confirm
hp
  • HPSBGN03277
  • HPSBOV03505
  • HPSBUX03240
  • SSRT101872
mandriva MDVSA-2015:003
secunia 62209
suse openSUSE-SU-2014:1670
Last major update 02-01-2017 - 21:59
Published 19-12-2014 - 21:59
Last modified 09-11-2017 - 21:29