CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
AI Score
Confidence
High
EPSS
Percentile
99.6%
The NTP Project ntpd version 4.2.7 and pervious versions contain several vulnerabilities. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities may affect ntpd acting as a server or client.
The Network Time Protocol (NTP) provides networked systems and devices with a way to synchronize time for various services and applications. The reference implementation produced by the NTP Project (ntp.org) contains several vulnerabilities.CWE-290:Authentication Bypass by Spoofing - CVE-2014-9298
The IPv6 address ::1
can be spoofed, allowing an attacker to bypass ACLs based on ::1
.
CWE-754**: Improper Check for Unusual or Exceptional Conditions -** CVE-2014-9297
The length value in extension field pointers is not properly validated, allowing information leaks.
CWE-332**: Insufficient Entropy in PRNG -** CVE-2014-9293
If no authentication key is defined in the ntp.conf file, a cryptographically-weak default key is generated.
CWE-338**: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) -** CVE-2014-9294
ntp-keygen before 4.2.7p230 uses a non-cryptographic random number generator with a weak seed to generate symmetric keys.
CWE-121**: Stack Buffer Overflow -** CVE-2014-9295
A remote unauthenticated attacker may craft special packets that trigger buffer overflows in the ntpd functions crypto_recv() (when using autokey authentication), ctl_putdata(), and configure(). The resulting buffer overflows may be exploited to allow arbitrary malicious code to be executed with the privilege of the ntpd process.
CWE-389**: Error Conditions, Return Values, Status Codes -** CVE-2014-9296
A section of code in ntpd handling a rare error is missing a return statement, therefore processing did not stop when the error was encountered. This situation may be exploitable by an attacker.
The NTP Project provides more information about these issues in their security advisory.
The NTP Project implementation is widely used in operating system distributions and network products. These vulnerabilities affect ntpd acting as a server or client. CERT/CC is not aware of any public exploit of these vulnerabilities at this time.
Apply an update
Restrict status queries
As noted in the announcement for ntp-4.2.8:
`The vulnerabilities listed below can be significantly mitigated by following the BCP of putting
restrict default … noquery
in the ntp.conf file. With the exception of:
receive(): missing return on error
References: Sec 2670 / CVE-2014-9296 / VU#852879
below (which is a limited-risk vulnerability), none of the recent vulnerabilities listed below can be exploited if the source IP is restricted from sending a ‘query’-class packet by your ntp.conf file.`
Use firewall rules
Install firewall rules that block ::1
IPv6 address from inappropriate network interfaces.
Disable autokey authentication
crypto
keyword in your ntp.conf
file.852879
Filter by status: All Affected Not Affected Unknown
Filter by content: __Additional information available
__Sort by: Status Alphabetical
Expand all
Javascript is disabled. Clickhere to view vendors.
Notified: December 18, 2014 Updated: December 23, 2014
Affected
From the Apple support advisory:
"**OS X NTP Security Update -**ntpd
Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10.1
Impact: A remote attacker may be able to execute arbitrary code
Description: Several issues existed in ntpd that would have allowed an attacker to trigger buffer overflows. These issues were addressed through improved error checking.
To verify the ntpd version, type the following command in Terminal: what /usr/sbin/ntpd. This update includes the following versions:
* Mountain Lion: ntp-77.1.1
* Mavericks: ntp-88.1.1
* Yosemite: ntp-92.5.1
CVE-ID
CVE-2014-9295 : Stephen Roettger of the Google Security Team"
We are not aware of further vendor information regarding this vulnerability.
Notified: December 18, 2014 Updated: January 13, 2015
Statement Date: January 13, 2015
Affected
We have not received a statement from the vendor.
Cisco Systems has released a Cisco Security Advisory on their products, available at the URL: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141222-ntpd
Updated: December 24, 2014
Statement Date: December 24, 2014
Affected
"`All versions are affected by CWE-389 (CVE-2014-9296).
Upgrade to the latest patch of your release: 5.0.4.p1a, 5.0.3.p4a or 4.0.2p13d.
Available releases can be downloaded at: http://www.efficientip.com/support-services/`"
CVE-2014-9296 covers this vulnerability for ntpd.
Notified: December 18, 2014 Updated: January 13, 2015
Statement Date: January 13, 2015
Affected
We have not received a statement from the vendor.
F5 has released a security advisory for its products at the URL: https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15936.html
Notified: December 18, 2014 Updated: April 10, 2015
Statement Date: December 19, 2014
Affected
“All currently supported FreeBSD releases (8.4, 9.1, 9.2, 9.3, 10.0 and 10.1) include vulnerable versions of ntpd.
”
FreeBSD has released advisories with patches; please see the Advisory URLs below.
Updated: December 23, 2014
Statement Date: December 23, 2014
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Updated: October 26, 2015
Affected
We provide information on this issue at the following URL <http://jpn.nec.com/security-info/secinfo/nv15-009.html>(only in Japanese)
We are not aware of further vendor information regarding this vulnerability.
Notified: December 03, 2014 Updated: December 22, 2014
Statement Date: December 19, 2014
Affected
We have not received a statement from the vendor.
Please see the vendor Security Notice at the URL below.
Notified: December 20, 2014 Updated: December 22, 2014
Statement Date: December 20, 2014
Affected
“Affected, but Update now available
”
We are not aware of further vendor information regarding this vulnerability.
Notified: December 18, 2014 Updated: December 30, 2014
Affected
We have not received a statement from the vendor.
Red Hat has released updated packages for ntpd to address these vulnerabilities. You may find information about the vulnerabilities and the updated packages at the link below:
https://rhn.redhat.com/errata/RHSA-2014-2024.html
Notified: December 18, 2014 Updated: December 19, 2014
Statement Date: December 19, 2014
Affected
"Our XTM and Firebox appliances (our main products) are not vulnerable to these flaws, since we use openntpd rather than ntpd.
Our wireless access points are not vulnerable since they only use the basic ntpclient.
However, our XCS appliances (mail security) are vulnerable to the ntpd flaws. We will be releasing a firmware update to fix these flaws as soon as practical. However, in the meantime, we are sharing simple steps to mitigate this issue (use out firewall to block NTP, and point to an internal, updated NTP server instead)."
We are not aware of further vendor information regarding this vulnerability.
Notified: December 18, 2014 Updated: March 05, 2015
Statement Date: March 05, 2015
Not Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: December 18, 2014 Updated: December 24, 2014
Statement Date: December 24, 2014
Not Affected
"Fortigate products are not vulnerable."
We are not aware of further vendor information regarding this vulnerability.
Notified: December 18, 2014 Updated: December 19, 2014
Statement Date: December 19, 2014
Not Affected
“OpenBSD does not use ntp.org code.
”
We are not aware of further vendor information regarding this vulnerability.
Notified: December 18, 2014 Updated: December 21, 2014
Statement Date: December 20, 2014
Not Affected
"Openwall GNU/*/Linux is not affected. We use OpenNTPD."
We are not aware of further vendor information regarding this vulnerability.
Notified: December 18, 2014 Updated: December 19, 2014
Statement Date: December 19, 2014
Not Affected
“m0n0wall does not include ntpd and is therefore not affected.
”.
We are not aware of further vendor information regarding this vulnerability.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 19, 2014 Updated: December 19, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 19, 2014 Updated: December 19, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 23, 2014 Updated: December 23, 2014
Unknown
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 19, 2014 Updated: December 19, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 19, 2014 Updated: December 19, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 19, 2014 Updated: December 19, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 19, 2014 Updated: December 19, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
Notified: December 18, 2014 Updated: December 18, 2014
Unknown
We have not received a statement from the vendor.
View all 87 vendors __View less vendors __
Group | Score | Vector |
---|---|---|
Base | 7.5 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
Temporal | 5.9 | E:POC/RL:OF/RC:C |
Environmental | 5.9 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
The NTP Project credits Stephen Roettger and Neel Mehta of the Google Security Team for discovering these vulnerabilities.
This document was written by Garret Wassermann.
CVE IDs: | CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296, CVE-2014-9297, CVE-2014-9298 |
---|---|
Date Public: | 2014-12-19 Date First Published: |
googleprojectzero.blogspot.com/2015/01/finding-and-exploiting-ntpd.html
lists.ntp.org/pipermail/announce/2014-December/000122.html
support.ntp.org/bin/view/Main/SecurityNotice
support.ntp.org/bin/view/Support/AccessRestrictions#Section_6.5.2
www.ntp.org/downloads.html
www.ntp.org/ntpfaq/NTP-s-algo-crypt.htm
ics-cert.us-cert.gov/advisories/ICSA-14-353-01