Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
certCERTVU:852879
HistoryDec 19, 2014 - 12:00 a.m.

NTP Project Network Time Protocol daemon (ntpd) contains multiple vulnerabilities (Updated)

2014-12-1900:00:00
www.kb.cert.org
126

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.966 High

EPSS

Percentile

99.6%

JSON

Overview

The NTP Project ntpd version 4.2.7 and pervious versions contain several vulnerabilities. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities may affect ntpd acting as a server or client.

Description

The Network Time Protocol (NTP) provides networked systems and devices with a way to synchronize time for various services and applications. The reference implementation produced by the NTP Project (ntp.org) contains several vulnerabilities.

CWE-290:**Authentication Bypass by Spoofing - **CVE-2014-9298

The IPv6 address ::1 can be spoofed, allowing an attacker to bypass ACLs based on ::1.

CWE-754**: Improper Check for Unusual or Exceptional Conditions -**CVE-2014-9297

The length value in extension field pointers is not properly validated, allowing information leaks.

CWE-332**: Insufficient Entropy in PRNG -**CVE-2014-9293

If no authentication key is defined in the ntp.conf file, a cryptographically-weak default key is generated.

CWE-338**: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) -**CVE-2014-9294

ntp-keygen before 4.2.7p230 uses a non-cryptographic random number generator with a weak seed to generate symmetric keys.

CWE-121**: Stack Buffer Overflow -**CVE-2014-9295

A remote unauthenticated attacker may craft special packets that trigger buffer overflows in the ntpd functions crypto_recv() (when using autokey authentication), ctl_putdata(), and configure(). The resulting buffer overflows may be exploited to allow arbitrary malicious code to be executed with the privilege of the ntpd process.

CWE-389**: Error Conditions, Return Values, Status Codes -**CVE-2014-9296

A section of code in ntpd handling a rare error is missing a return statement, therefore processing did not stop when the error was encountered. This situation may be exploitable by an attacker.

The NTP Project provides more information about these issues in their security advisory.

The NTP Project implementation is widely used in operating system distributions and network products. These vulnerabilities affect ntpd acting as a server or client. CERT/CC is not aware of any public exploit of these vulnerabilities at this time.

The CVSS score below is based on the buffer overflow vulnerabilities (CVE-2014-9295).

Impact

The buffer overflow vulnerabilities in ntpd may allow a remote unauthenticated attacker to execute arbitrary malicious code with the privilege level of the ntpd process. The weak default key and non-cryptographic random number generator in ntp-keygen may allow an attacker to gain information regarding the integrity checking and authentication encryption schemes. More specifically, the weak default key allows access to private mode and control mode queries that require authentication, if not restricted by the configuration.

Solution

Apply an update

These issues have been addressed in ntp-4.2.8p1. The update may be downloaded from ntp.org.

Restrict status queries

As noted in the announcement for ntp-4.2.8:

`The vulnerabilities listed below can be significantly mitigated by following the BCP of putting

restrict default … [noquery](<http://support.ntp.org/bin/view/Support/AccessRestrictions#Section_6.5.2>)

in the ntp.conf file. With the exception of:

receive(): missing return on error
References: Sec 2670 / CVE-2014-9296 / VU#852879

below (which is a limited-risk vulnerability), none of the recent vulnerabilities listed below can be exploited if the source IP is restricted from sending a ‘query’-class packet by your ntp.conf file.`

Use firewall rules

Install firewall rules that block ::1 IPv6 address from inappropriate network interfaces.

Disable autokey authentication

Disable Autokey Authentication by removing, or commenting out, all configuration directives beginning with the crypto keyword in your ntp.conf file.

Vendor Information

852879

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Apple __ Affected

Notified: December 18, 2014 Updated: December 23, 2014

Status

Affected

Vendor Statement

From the Apple support advisory:

"**OS X NTP Security Update -**ntpd

Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10.1

Impact: A remote attacker may be able to execute arbitrary code

Description: Several issues existed in ntpd that would have allowed an attacker to trigger buffer overflows. These issues were addressed through improved error checking.

To verify the ntpd version, type the following command in Terminal: what /usr/sbin/ntpd. This update includes the following versions:

* Mountain Lion: ntp-77.1.1
* Mavericks: ntp-88.1.1
* Yosemite: ntp-92.5.1

CVE-ID

CVE-2014-9295 : Stephen Roettger of the Google Security Team"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Cisco Systems, Inc. __ Affected

Notified: December 18, 2014 Updated: January 13, 2015

Statement Date: January 13, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Cisco Systems has released a Cisco Security Advisory on their products, available at the URL: <http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141222-ntpd&gt;

Vendor References

EfficientIP __ Affected

Updated: December 24, 2014

Statement Date: December 24, 2014

Status

Affected

Vendor Statement

"`All versions are affected by CWE-389 (CVE-2014-9296).

Upgrade to the latest patch of your release: 5.0.4.p1a, 5.0.3.p4a or 4.0.2p13d.

Available releases can be downloaded at: <http://www.efficientip.com/support-services/&gt;`"

Vendor Information

CVE-2014-9296 covers this vulnerability for ntpd.

Vendor References

F5 Networks, Inc. __ Affected

Notified: December 18, 2014 Updated: January 13, 2015

Statement Date: January 13, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

F5 has released a security advisory for its products at the URL: &lt;https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15936.html&gt;

Vendor References

FreeBSD Project __ Affected

Notified: December 18, 2014 Updated: April 10, 2015

Statement Date: December 19, 2014

Status

Affected

Vendor Statement

All currently supported FreeBSD releases (8.4, 9.1, 9.2, 9.3, 10.0 and 10.1) include vulnerable versions of ntpd.

Vendor Information

FreeBSD has released advisories with patches; please see the Advisory URLs below.

Vendor References

Huawei Technologies Affected

Updated: December 23, 2014

Statement Date: December 23, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NEC Corporation __ Affected

Updated: October 26, 2015

Status

Affected

Vendor Statement

We provide information on this issue at the following URL <<http://jpn.nec.com/security-info/secinfo/nv15-009.html&gt;&gt;(only in Japanese)

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

NTP Project __ Affected

Notified: December 03, 2014 Updated: December 22, 2014

Statement Date: December 19, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Please see the vendor Security Notice at the URL below.

Vendor References

OmniTI __ Affected

Notified: December 20, 2014 Updated: December 22, 2014

Statement Date: December 20, 2014

Status

Affected

Vendor Statement

Affected, but Update now available

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc. __ Affected

Notified: December 18, 2014 Updated: December 30, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Red Hat has released updated packages for ntpd to address these vulnerabilities. You may find information about the vulnerabilities and the updated packages at the link below:

<https://rhn.redhat.com/errata/RHSA-2014-2024.html&gt;

Vendor References

Watchguard Technologies, Inc. __ Affected

Notified: December 18, 2014 Updated: December 19, 2014

Statement Date: December 19, 2014

Status

Affected

Vendor Statement

"Our XTM and Firebox appliances (our main products) are not vulnerable to these flaws, since we use openntpd rather than ntpd.

Our wireless access points are not vulnerable since they only use the basic ntpclient.

However, our XCS appliances (mail security) are vulnerable to the ntpd flaws. We will be releasing a firmware update to fix these flaws as soon as practical. However, in the meantime, we are sharing simple steps to mitigate this issue (use out firewall to block NTP, and point to an internal, updated NTP server instead)."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Belkin, Inc. Not Affected

Notified: December 18, 2014 Updated: March 05, 2015

Statement Date: March 05, 2015

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fortinet, Inc. __ Not Affected

Notified: December 18, 2014 Updated: December 24, 2014

Statement Date: December 24, 2014

Status

Not Affected

Vendor Statement

"Fortigate products are not vulnerable."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenBSD __ Not Affected

Notified: December 18, 2014 Updated: December 19, 2014

Statement Date: December 19, 2014

Status

Not Affected

Vendor Statement

OpenBSD does not use ntp.org code.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux __ Not Affected

Notified: December 18, 2014 Updated: December 21, 2014

Statement Date: December 20, 2014

Status

Not Affected

Vendor Statement

"Openwall GNU/*/Linux is not affected. We use OpenNTPD."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

m0n0wall __ Not Affected

Notified: December 18, 2014 Updated: December 19, 2014

Statement Date: December 19, 2014

Status

Not Affected

Vendor Statement

m0n0wall does not include ntpd and is therefore not affected.”.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

AT&T Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Alcatel-Lucent Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Arch Linux Unknown

Notified: December 19, 2014 Updated: December 19, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Avaya, Inc. Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Barracuda Networks Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Blue Coat Systems Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CA Technologies Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CentOS Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Check Point Software Technologies Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Cray Inc. Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

D-Link Systems, Inc. Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Debian GNU/Linux Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

DragonFly BSD Project Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

EMC Corporation Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Engarde Secure Linux Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Enterasys Networks Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Ericsson Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Extreme Networks Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Fedora Project Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Force10 Networks, Inc. Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Foundry Networks, Inc. Unknown

Notified: December 19, 2014 Updated: December 19, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Fujitsu Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Gentoo Linux Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Global Technology Associates, Inc. Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Google Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Hewlett-Packard Company Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Hitachi Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IBM Corporation Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IBM Corporation (zseries) Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IBM eServer Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Infoblox Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Intel Corporation Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Intoto Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Juniper Networks, Inc. Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Mandriva S. A. Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

McAfee Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Microsemi Unknown

Notified: December 23, 2014 Updated: December 23, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

MontaVista Software, Inc. Unknown

Notified: December 19, 2014 Updated: December 19, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

NEC Corporation Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

NetBSD Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Nokia Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Novell, Inc. Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Oracle Corporation Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Palo Alto Networks Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Peplink Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Process Software Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Q1 Labs Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

QNX Software Systems Inc. Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Quagga Unknown

Notified: December 19, 2014 Updated: December 19, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

SUSE Linux Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

SafeNet Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Slackware Linux Inc. Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

SmoothWall Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Snort Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Sony Corporation Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Sourcefire Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Stonesoft Unknown

Notified: December 19, 2014 Updated: December 19, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Symantec Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

The SCO Group Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

TippingPoint Technologies Inc. Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Turbolinux Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Ubuntu Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Unisys Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

VMware Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Vyatta Unknown

Notified: December 19, 2014 Updated: December 19, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Wind River Systems, Inc. Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

ZyXEL Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

eSoft, Inc. Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

netfilter Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

View all 87 vendors __View less vendors __

CVSS Metrics

Group Score Vector
Base 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal 5.9 E:POC/RL:OF/RC:C
Environmental 5.9 CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Acknowledgements

The NTP Project credits Stephen Roettger and Neel Mehta of the Google Security Team for discovering these vulnerabilities.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296, CVE-2014-9297, CVE-2014-9298
Date Public: 2014-12-19 Date First Published:

Related

cisco 1
nessus 55
openvas 41
ics 3
securityvulns 6
fedora 7
ibm 11
citrix 1
centos 2
slackware 1
arista 1
suse 11
oraclelinux 3
archlinux 2
redhat 3
veracode 9
freebsd 1
osv 3
mageia 2
gentoo 1
freebsd_advisory 1
ubuntu 2
checkpoint_security 1
debian 6
amazon 2
aix 1
huawei 1
myhack58 1
f5 6
debiancve 3
googleprojectzero 1
cve 2
ubuntucve 3
prion 3
checkpoint_advisories 1
thn 1
cisco
cisco
Multiple Vulnerabilities in ntpd Affecting Cisco Products
2014-12-22 16:00:00
nessus
nessus
Mandriva Linux Security Advisory : ntp (MDVSA-2015:140)
2015-03-30 00:00:00
HP-UX PHNE_44235 : s700_800 11.11 NTP timeservices upgrade plus utilities
2015-04-10 00:00:00
Cisco Prime Data Center Network Manager ntpd Multiple Vulnerabilities (uncredentialed check)
2015-05-28 00:00:00
openvas
openvas
Fedora Update for ntp FEDORA-2015-1736
2015-02-15 00:00:00
Fedora Update for ntp FEDORA-2015-1759
2015-02-15 00:00:00
Gentoo Security Advisory GLSA 201412-34
2015-09-29 00:00:00
ics
ics
Network Time Protocol Vulnerabilities (Update C)
2018-08-29 12:00:00
Network Time Protocol Vulnerabilities (Update B)
2018-09-10 12:00:00
Network Time Protocol Vulnerabilities (Supplement Update A)
2015-03-05 12:00:00
securityvulns
securityvulns
ntpd multiple security vulnerabilities
2015-02-11 00:00:00
[SECURITY] [DSA 3108-1] ntp security update
2014-12-23 00:00:00
FreeBSD Security Advisory FreeBSD-SA-14:31.ntp
2014-12-25 00:00:00
fedora
fedora
[SECURITY] Fedora 20 Update: ntp-4.2.6p5-20.fc20
2015-02-15 03:17:24
[SECURITY] Fedora 21 Update: ntp-4.2.6p5-27.fc21
2015-02-15 03:25:41
[SECURITY] Fedora 21 Update: ntp-4.2.6p5-25.fc21
2014-12-23 18:28:40
ibm
ibm
Security Bulletin: IBM Smart Analytics System 7600, 7700, 7710 and IBM PureData System for Operational Analytics is affected by multiple vulnerabilities in Network Time Protocol
2019-10-18 03:50:04
Security Bulletin: Security Vulnerabilities in Network Time Protocol Daemon affect Intel Manycore Platform Software Stack for use on Intel Xeon Phi 3120A, Intel Xeon Phi 5110P, Intel Xeon Phi 7120A, and Intel Xeon Phi 7120P PCI-Express add-in cards
2019-01-31 01:45:01
Security Bulletin: Vulnerabilities in Network Time Protocol (NTP) affect IBM SONAS (CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, and CVE-2014-9296)
2018-06-18 00:09:22
citrix
citrix
Citrix Security Advisory for NTP Vulnerabilities
2015-01-05 04:00:00
centos
centos
ntp, ntpdate, sntp security update
2014-12-20 02:57:22
ntp security update
2014-12-20 03:00:03
slackware
slackware
[slackware-security] ntp
2014-12-23 05:38:39
arista
arista
Security Advisory 0008
2015-01-09 00:00:00
suse
suse
Security update for ntp (important)
2015-02-16 19:05:42
Security update for ntp (important)
2015-02-12 03:06:04
Security update for ntp (important)
2015-02-12 21:04:54
oraclelinux
oraclelinux
ntp security update
2014-12-20 00:00:00
ntp security update
2014-12-20 00:00:00
ntp security, bug fix, and enhancement update
2015-07-28 00:00:00
archlinux
archlinux
ntp: multiple issues
2014-12-22 00:00:00
ntp: multiple issues
2015-02-06 00:00:00
redhat
redhat
(RHSA-2014:2024) Important: ntp security update
2014-12-20 00:00:00
(RHSA-2015:0104) Important: ntp security update
2015-01-28 00:00:00
(RHSA-2014:2025) Important: ntp security update
2014-12-20 00:00:00
veracode
veracode
Weak Authentication
2019-05-02 05:06:18
Arbitrary Code Execution
2019-05-02 05:06:18
Authentication Bypass
2019-05-02 05:06:19
freebsd
freebsd
ntp -- multiple vulnerabilities
2014-12-19 00:00:00
osv
osv
ntp - security update
2014-12-20 00:00:00
ntp - security update
2014-12-20 00:00:00
ntp - security update
2015-02-07 00:00:00
mageia
mageia
Updated ntp packages fix security vulnerabilities
2014-12-20 16:51:12
Updated ntp packages fix security vulnerabilities
2015-02-11 23:47:51
gentoo
gentoo
NTP: Multiple vulnerabilities
2014-12-24 00:00:00
freebsd_advisory
freebsd_advisory
FreeBSD-SA-14:31.ntp
2014-12-23 00:00:00
ubuntu
ubuntu
NTP vulnerabilities
2014-12-22 00:00:00
NTP vulnerabilities
2015-02-09 00:00:00
checkpoint_security
checkpoint_security
Check Point response to NTP vulnerabilities (CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296)
2014-12-20 22:00:00
debian
debian
[SECURITY] [DLA 116-1] ntp security update
2014-12-20 21:21:02
[SECURITY] [DSA 3108-1] ntp security update
2014-12-20 20:37:23
[SECURITY] [DLA 149-1] ntp security update
2015-02-07 15:26:18
amazon
amazon
Important: ntp
2014-12-19 14:00:00
Medium: ntp
2015-03-23 08:31:00
aix
aix
Network Time Protocol (NTP) vulnerability in AIX,Network Time Protocol (NTP) vulnerability in VIOS
2015-02-10 12:06:45
huawei
huawei
Security Advisory - NTPd Security Vulnerability in Multiple Huawei Products
2015-03-16 00:00:00
myhack58
myhack58
From the source perspective on the ntpd stack buffer overflow vulnerability(CVE-2 0 1 4-9 2 9 5)analysis-vulnerability warning-the black bar safety net
2014-12-25 00:00:00
f5
f5
SOL15936 - NTP vulnerability CVE-2014-9295
2014-12-23 00:00:00
K15934 : NTP vulnerability CVE-2014-9293
2015-04-22 00:00:00
SOL15934 - NTP vulnerability CVE-2014-9293
2014-12-23 00:00:00
debiancve
debiancve
CVE-2014-9295
2014-12-20 02:59:00
CVE-2014-9296
2014-12-20 02:59:00
CVE-2014-9293
2014-12-20 02:59:00
googleprojectzero
googleprojectzero
Finding and exploiting ntpd vulnerabilities
2015-01-02 00:00:00
cve
cve
CVE-2014-9296
2014-12-20 02:59:00
CVE-2014-9293
2014-12-20 02:59:00
ubuntucve
ubuntucve
CVE-2014-9296
2014-12-19 00:00:00
CVE-2014-9293
2014-12-19 00:00:00
CVE-2014-9295
2014-12-19 00:00:00
prion
prion
Design/Logic Flaw
2014-12-20 02:59:00
Authentication flaw
2014-12-20 02:59:00
Stack overflow
2014-12-20 02:59:00
checkpoint_advisories
checkpoint_advisories
NTP Daemon Configure Buffer Overflow (CVE-2014-9295)
2015-01-14 00:00:00
thn
thn
First Time Ever Apple Automatically Pushes Security Patch for Mac OS
2014-12-23 22:17:00

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.966 High

EPSS

Percentile

99.6%

JSON
Related for VU:852879
cisco1nessus55openvas41ics3securityvulns6fedora7ibm11citrix1centos2slackware1arista1suse11oraclelinux3archlinux2redhat3veracode9freebsd1osv3mageia2gentoo1freebsd_advisory1ubuntu2checkpoint_security1debian6amazon2aix1huawei1myhack581f56debiancve3googleprojectzero1cve2ubuntucve3prion3checkpoint_advisories1thn1