Apr 22, 2015 - 12:00 a.m.

K15934 : NTP vulnerability CVE-2014-9293

my.f5.com

AI Score: 5.7 Medium (Confidence: Low)

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.044 Low (Percentile: 91.6%)

Security Advisory Description

The config_auth function in ntpd in NTP before 4.2.7p11, when an auth key is not configured, improperly generates a key, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. (CVE-2014-9293)
Impact
Default NTP configurations composed through the Configuration utility or the Traffic Management Shell (tmsh) are not vulnerable because auth or key values are omitted on the BIG-IP system.
However, if the NTP configuration has been manually customized by modifying NTP configuration files to include the vulnerable values, such as auth, key, or autokey options, and there are no configured keys, the NTP daemon is vulnerable. A remote attacker may then be able to access private mode and control mode queries that require authentication. However, exploitation of this vulnerability is considered highly unlikely because the attacker would also need prior knowledge of the NTP destination and be able to guess the key. Additionally, this configuration would likely not work since matching keys are a requirement for NTP auth to work.
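
The condition described above (auth, key, or autokey options present while no keys are configured) can be checked statically against a configuration file. The following is an added example, not code from F5 or the NTP project; it assumes standard ntp.conf syntax (`enable auth`, per-association `key`/`autokey`, and a `keys` file of `<id> <type> <secret>` lines), and the function names and sample configurations are constructed for illustration.

```python
# Association commands in ntp.conf that accept "key N" or "autokey" options.
ASSOC = {"server", "peer", "pool", "broadcast", "manycastclient"}

# Constructed samples (not taken from any real BIG-IP system).
CUSTOMIZED = """\
# manually edited
enable auth
server 192.0.2.10 iburst key 1
"""
DEFAULT = """\
# enable auth   <- commented out, must be ignored
server 192.0.2.10 iburst
"""
WITH_KEYS = CUSTOMIZED + "keys /etc/ntp/keys\n"
KEYS_FILE = "1 M constructed-secret  # id, type, secret\n"


def _directives(text):
    """Yield the token list of each line, with # comments stripped."""
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens:
            yield tokens


def audit_ntp_conf(conf_text, keys_text=""):
    """Return (flagged, auth_options, key_ids).

    flagged is True when auth/key/autokey options are present but no key is
    configured, the combination the advisory describes as vulnerable.
    """
    auth_options, has_keys_directive = [], False
    for tok in _directives(conf_text):
        cmd, args = tok[0].lower(), [a.lower() for a in tok[1:]]
        if cmd == "keys" and args:
            has_keys_directive = True
        elif cmd == "enable" and "auth" in args:
            auth_options.append("enable auth")
        elif cmd in ASSOC:
            auth_options += [f"{cmd} {o}" for o in ("key", "autokey") if o in args]
    # Keys-file entries look like "<id> <type> <secret>"; ignore anything else.
    key_ids = [t[0] for t in _directives(keys_text) if len(t) >= 3 and t[0].isdigit()]
    flagged = bool(auth_options) and not (has_keys_directive and key_ids)
    return flagged, auth_options, key_ids


if __name__ == "__main__":
    for name, conf, keys in [("customized", CUSTOMIZED, ""), ("default", DEFAULT, ""),
                             ("with keys", WITH_KEYS, KEYS_FILE)]:
        print(name, audit_ntp_conf(conf, keys))
```

Pass the contents of the file named by the `keys` directive as `keys_text`; a `keys` directive pointing at an empty file is still reported as having no configured keys.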
