7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.966 High
EPSS
Percentile
99.5%
Keys explicitly generated by "ntp-keygen -M" should be regenerated.
CVE-2014-9293 (weak key generation)
ntpd generated a weak key for its internal use, with full administrative
privileges. Attackers could use this key to reconfigure ntpd (or to
exploit other vulnerabilities).
CVE-2014-9294 (weak key generation)
The ntp-keygen utility generated weak MD5 keys with insufficient
entropy, which makes it easier for remote attackers to defeat
cryptographic protection mechanisms via a brute-force attack.
CVE-2014-9295 (arbitrary code execution)
Multiple stack-based buffer overflows in allow remote attackers to
execute arbitrary code via a crafted packet, related to (1) the
crypto_recv function when the Autokey Authentication feature is used,
(2) the ctl_putdata function, and (3) the configure function.
CVE-2014-9296 (unintended association change)
The receive function in ntp_proto.c continues to execute after detecting
a certain authentication error, which might allow remote attackers to
trigger an unintended association change via crafted packets.
bugs.ntp.org/show_bug.cgi?id=2665
bugs.ntp.org/show_bug.cgi?id=2666
bugs.ntp.org/show_bug.cgi?id=2667
bugs.ntp.org/show_bug.cgi?id=2670
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9293
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9294
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9295
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9296