Lucene search

K
certCERTVU:852879
HistoryDec 19, 2014 - 12:00 a.m.

NTP Project Network Time Protocol daemon (ntpd) contains multiple vulnerabilities (Updated)

2014-12-1900:00:00
www.kb.cert.org
142
ntp project
ntpd
vulnerabilities
patch
version
4.2.8p1
network time protocol
authentication bypass
ipv6 spoofing
buffer overflow
insufficient entropy
crypto weak prng
restrict status
firewall rules
autokey authentication

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score

8.9

Confidence

High

EPSS

0.964

Percentile

99.6%

Overview

The NTP Project ntpd version 4.2.7 and pervious versions contain several vulnerabilities. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities may affect ntpd acting as a server or client.

Description

The Network Time Protocol (NTP) provides networked systems and devices with a way to synchronize time for various services and applications. The reference implementation produced by the NTP Project (ntp.org) contains several vulnerabilities.CWE-290:Authentication Bypass by Spoofing - CVE-2014-9298

The IPv6 address ::1 can be spoofed, allowing an attacker to bypass ACLs based on ::1.

CWE-754**: Improper Check for Unusual or Exceptional Conditions -** CVE-2014-9297

The length value in extension field pointers is not properly validated, allowing information leaks.

CWE-332**: Insufficient Entropy in PRNG -** CVE-2014-9293

If no authentication key is defined in the ntp.conf file, a cryptographically-weak default key is generated.

CWE-338**: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) -** CVE-2014-9294

ntp-keygen before 4.2.7p230 uses a non-cryptographic random number generator with a weak seed to generate symmetric keys.

CWE-121**: Stack Buffer Overflow -** CVE-2014-9295

A remote unauthenticated attacker may craft special packets that trigger buffer overflows in the ntpd functions crypto_recv() (when using autokey authentication), ctl_putdata(), and configure(). The resulting buffer overflows may be exploited to allow arbitrary malicious code to be executed with the privilege of the ntpd process.

CWE-389**: Error Conditions, Return Values, Status Codes -** CVE-2014-9296

A section of code in ntpd handling a rare error is missing a return statement, therefore processing did not stop when the error was encountered. This situation may be exploitable by an attacker.

The NTP Project provides more information about these issues in their security advisory.

The NTP Project implementation is widely used in operating system distributions and network products. These vulnerabilities affect ntpd acting as a server or client. CERT/CC is not aware of any public exploit of these vulnerabilities at this time.

The CVSS score below is based on the buffer overflow vulnerabilities (CVE-2014-9295).

Impact

The buffer overflow vulnerabilities in ntpd may allow a remote unauthenticated attacker to execute arbitrary malicious code with the privilege level of the ntpd process. The weak default key and non-cryptographic random number generator in ntp-keygen may allow an attacker to gain information regarding the integrity checking and authentication encryption schemes. More specifically, the weak default key allows access to private mode and control mode queries that require authentication, if not restricted by the configuration.

Solution

Apply an update

These issues have been addressed in ntp-4.2.8p1. The update may be downloaded from ntp.org.

Restrict status queries

As noted in the announcement for ntp-4.2.8:

`The vulnerabilities listed below can be significantly mitigated by following the BCP of putting

restrict default … noquery

in the ntp.conf file. With the exception of:

receive(): missing return on error
References: Sec 2670 / CVE-2014-9296 / VU#852879

below (which is a limited-risk vulnerability), none of the recent vulnerabilities listed below can be exploited if the source IP is restricted from sending a ‘query’-class packet by your ntp.conf file.`

Use firewall rules

Install firewall rules that block ::1 IPv6 address from inappropriate network interfaces.

Disable autokey authentication

Disable Autokey Authentication by removing, or commenting out, all configuration directives beginning with the crypto keyword in your ntp.conf file.

Vendor Information

852879

Filter by status: All Affected Not Affected Unknown

Filter by content: __Additional information available

__Sort by: Status Alphabetical

Expand all

Javascript is disabled. Clickhere to view vendors.

Apple __ Affected

Notified: December 18, 2014 Updated: December 23, 2014

Status

Affected

Vendor Statement

From the Apple support advisory:

"**OS X NTP Security Update -**ntpd

Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10.1

Impact: A remote attacker may be able to execute arbitrary code

Description: Several issues existed in ntpd that would have allowed an attacker to trigger buffer overflows. These issues were addressed through improved error checking.

To verify the ntpd version, type the following command in Terminal: what /usr/sbin/ntpd. This update includes the following versions:

* Mountain Lion: ntp-77.1.1
* Mavericks: ntp-88.1.1
* Yosemite: ntp-92.5.1

CVE-ID

CVE-2014-9295 : Stephen Roettger of the Google Security Team"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Cisco Systems, Inc. __ Affected

Notified: December 18, 2014 Updated: January 13, 2015

Statement Date: January 13, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Cisco Systems has released a Cisco Security Advisory on their products, available at the URL: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141222-ntpd

Vendor References

EfficientIP __ Affected

Updated: December 24, 2014

Statement Date: December 24, 2014

Status

Affected

Vendor Statement

"`All versions are affected by CWE-389 (CVE-2014-9296).

Upgrade to the latest patch of your release: 5.0.4.p1a, 5.0.3.p4a or 4.0.2p13d.

Available releases can be downloaded at: http://www.efficientip.com/support-services/`"

Vendor Information

CVE-2014-9296 covers this vulnerability for ntpd.

Vendor References

F5 Networks, Inc. __ Affected

Notified: December 18, 2014 Updated: January 13, 2015

Statement Date: January 13, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

F5 has released a security advisory for its products at the URL: https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15936.html

Vendor References

FreeBSD Project __ Affected

Notified: December 18, 2014 Updated: April 10, 2015

Statement Date: December 19, 2014

Status

Affected

Vendor Statement

All currently supported FreeBSD releases (8.4, 9.1, 9.2, 9.3, 10.0 and 10.1) include vulnerable versions of ntpd.

Vendor Information

FreeBSD has released advisories with patches; please see the Advisory URLs below.

Vendor References

Huawei Technologies Affected

Updated: December 23, 2014

Statement Date: December 23, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NEC Corporation __ Affected

Updated: October 26, 2015

Status

Affected

Vendor Statement

We provide information on this issue at the following URL <http://jpn.nec.com/security-info/secinfo/nv15-009.html&gt;(only in Japanese)

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

NTP Project __ Affected

Notified: December 03, 2014 Updated: December 22, 2014

Statement Date: December 19, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Please see the vendor Security Notice at the URL below.

Vendor References

OmniTI __ Affected

Notified: December 20, 2014 Updated: December 22, 2014

Statement Date: December 20, 2014

Status

Affected

Vendor Statement

Affected, but Update now available

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc. __ Affected

Notified: December 18, 2014 Updated: December 30, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Red Hat has released updated packages for ntpd to address these vulnerabilities. You may find information about the vulnerabilities and the updated packages at the link below:

https://rhn.redhat.com/errata/RHSA-2014-2024.html

Vendor References

Watchguard Technologies, Inc. __ Affected

Notified: December 18, 2014 Updated: December 19, 2014

Statement Date: December 19, 2014

Status

Affected

Vendor Statement

"Our XTM and Firebox appliances (our main products) are not vulnerable to these flaws, since we use openntpd rather than ntpd.

Our wireless access points are not vulnerable since they only use the basic ntpclient.

However, our XCS appliances (mail security) are vulnerable to the ntpd flaws. We will be releasing a firmware update to fix these flaws as soon as practical. However, in the meantime, we are sharing simple steps to mitigate this issue (use out firewall to block NTP, and point to an internal, updated NTP server instead)."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Belkin, Inc. Not Affected

Notified: December 18, 2014 Updated: March 05, 2015

Statement Date: March 05, 2015

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fortinet, Inc. __ Not Affected

Notified: December 18, 2014 Updated: December 24, 2014

Statement Date: December 24, 2014

Status

Not Affected

Vendor Statement

"Fortigate products are not vulnerable."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenBSD __ Not Affected

Notified: December 18, 2014 Updated: December 19, 2014

Statement Date: December 19, 2014

Status

Not Affected

Vendor Statement

OpenBSD does not use ntp.org code.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux __ Not Affected

Notified: December 18, 2014 Updated: December 21, 2014

Statement Date: December 20, 2014

Status

Not Affected

Vendor Statement

"Openwall GNU/*/Linux is not affected. We use OpenNTPD."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

m0n0wall __ Not Affected

Notified: December 18, 2014 Updated: December 19, 2014

Statement Date: December 19, 2014

Status

Not Affected

Vendor Statement

m0n0wall does not include ntpd and is therefore not affected.”.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

AT&T Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Alcatel-Lucent Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Arch Linux Unknown

Notified: December 19, 2014 Updated: December 19, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Avaya, Inc. Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Barracuda Networks Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Blue Coat Systems Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CA Technologies Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CentOS Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Check Point Software Technologies Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Cray Inc. Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

D-Link Systems, Inc. Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Debian GNU/Linux Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

DragonFly BSD Project Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

EMC Corporation Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Engarde Secure Linux Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Enterasys Networks Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Ericsson Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Extreme Networks Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Fedora Project Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Force10 Networks, Inc. Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Foundry Networks, Inc. Unknown

Notified: December 19, 2014 Updated: December 19, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Fujitsu Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Gentoo Linux Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Global Technology Associates, Inc. Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Google Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Hewlett-Packard Company Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Hitachi Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IBM Corporation Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IBM Corporation (zseries) Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IBM eServer Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Infoblox Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Intel Corporation Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Intoto Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Juniper Networks, Inc. Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Mandriva S. A. Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

McAfee Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Microsemi Unknown

Notified: December 23, 2014 Updated: December 23, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

MontaVista Software, Inc. Unknown

Notified: December 19, 2014 Updated: December 19, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

NEC Corporation Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

NetBSD Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Nokia Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Novell, Inc. Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Oracle Corporation Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Palo Alto Networks Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Peplink Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Process Software Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Q1 Labs Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

QNX Software Systems Inc. Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Quagga Unknown

Notified: December 19, 2014 Updated: December 19, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

SUSE Linux Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

SafeNet Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Slackware Linux Inc. Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

SmoothWall Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Snort Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Sony Corporation Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Sourcefire Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Stonesoft Unknown

Notified: December 19, 2014 Updated: December 19, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Symantec Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

The SCO Group Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

TippingPoint Technologies Inc. Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Turbolinux Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Ubuntu Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Unisys Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

VMware Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Vyatta Unknown

Notified: December 19, 2014 Updated: December 19, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Wind River Systems, Inc. Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

ZyXEL Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

eSoft, Inc. Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

netfilter Unknown

Notified: December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

View all 87 vendors __View less vendors __

CVSS Metrics

Group Score Vector
Base 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal 5.9 E:POC/RL:OF/RC:C
Environmental 5.9 CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Acknowledgements

The NTP Project credits Stephen Roettger and Neel Mehta of the Google Security Team for discovering these vulnerabilities.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296, CVE-2014-9297, CVE-2014-9298
Date Public: 2014-12-19 Date First Published:

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

AI Score

8.9

Confidence

High

EPSS

0.964

Percentile

99.6%