- Home
- CVEs with nessus.description==Updated+ntp+packages+that+fix+several+security+issues+are+now+available+for+Red+Hat+Enterprise+Linux+6.5+Extended+Update+Support.%0A%0ARed+Hat+Product+Security+has+rated+this+update+as+having+Important+security+impact.+Common+Vulnerability+Scoring+System+%28CVSS%29+base+scores%2C+which+give+detailed+severity+ratings%2C+are+available+for+each+vulnerability+from+the+CVE+links+in+the+References+section.%0A%0AThe+Network+Time+Protocol+%28NTP%29+is+used+to+synchronize+a+computer%27s+time+with+a+referenced+time+source.%0A%0AMultiple+buffer+overflow+flaws+were+discovered+in+ntpd%27s+crypto_recv%28%29%2C+ctl_putdata%28%29%2C+and+configure%28%29+functions.+A+remote+attacker+could+use+either+of+these+flaws+to+send+a+specially+crafted+request+packet+that+could+crash+ntpd+or%2C+potentially%2C+execute+arbitrary+code+with+the+privileges+of+the+ntp+user.+Note%3A+the+crypto_recv%28%29+flaw+requires+non-default+configurations+to+be+active%2C+while+the+ctl_putdata%28%29+flaw%2C+by+default%2C+can+only+be+exploited+via+local+attackers%2C+and+the+configure%28%29+flaw+requires+additional+authentication+to+exploit.+%28CVE-2014-9295%29%0A%0AIt+was+found+that+ntpd+automatically+generated+weak+keys+for+its+internal+use+if+no+ntpdc+request+authentication+key+was+specified+in+the+ntp.conf+configuration+file.+A+remote+attacker+able+to+match+the+configured+IP+restrictions+could+guess+the+generated+key%2C+and+possibly+use+it+to+send+ntpdc+query+or+configuration+requests.+%28CVE-2014-9293%29%0A%0AIt+was+found+that+ntp-keygen+used+a+weak+method+for+generating+MD5+keys.+This+could+possibly+allow+an+attacker+to+guess+generated+MD5+keys+that+could+then+be+used+to+spoof+an+NTP+client+or+server.+Note%3A%0Ait+is+recommended+to+regenerate+any+MD5+keys+that+had+explicitly+been+generated+with+ntp-keygen%3B+the+default+installation+does+not+contain+such+keys.+%28CVE-2014-9294%29%0A%0AA+missing+return+statement+in+the+receive%28%29+function+could+potentially+allow+a+remote+attacker+to+bypass+NTP%27s+authentication+mechanism.%0A%28CVE-2014-9296%29%0A%0AAll+ntp+users+are+advised+to+upgrade+to+this+updated+package%2C+which+contains+backported+patches+to+resolve+these+issues.+After+installing+the+update%2C+the+ntpd+daemon+will+restart+automatically
Max CVSS | 0 |
Min CVSS | 0 |
Total Count | 2 |
| ID | CVSS | Summary | Last (major) update | Published |
Back to Top
Mark selected
Back to Top