AI Score: 5.7 Medium (Confidence: Low)
CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
EPSS: 0.044 Low (Percentile: 91.6%)
The config_auth function in ntpd in NTP before 4.2.7p11, when an auth key is not configured, improperly generates a key, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack. (CVE-2014-9293)
Impact
Default NTP configurations composed through the Configuration utility or the Traffic Management Shell (tmsh) are not vulnerable because auth or key values are omitted on the BIG-IP system.
However, if the NTP configuration has been manually customized by modifying NTP configuration files to include the vulnerable values, such as auth, key, or autokey options, and there are no configured keys, the NTP daemon is vulnerable. A remote attacker may then be able to access private mode and control mode queries that require authentication. However, exploitation of this vulnerability is considered highly unlikely because the attacker would also need prior knowledge of the NTP destination and be able to guess the key. Additionally, this configuration would likely not work since matching keys are a requirement for NTP auth to work.
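A configuration check for the condition described above, as an added example (not F5's or the NTP project's code). It assumes standard ntp.conf syntax (`enable auth`, `key N` or `autokey` on association lines, `keys <file>`) and a key file of `<id> <type> <secret>` lines; the function names and sample inputs are constructed for illustration.

```python
# Added example: flags the configuration state the advisory describes.
AUTH_TOKENS = {"auth", "key", "autokey"}  # options named in the advisory


def _active_lines(text):
    """Yield whitespace-split tokens for each non-blank, non-comment line."""
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens:
            yield tokens


def count_keys(keys_text):
    """Count entries in a key file (assumed format: <id> <type> <secret>)."""
    return sum(1 for t in _active_lines(keys_text)
               if len(t) >= 3 and t[0].isdigit())


def audit_ntp_conf(conf_text, keys_text=""):
    """Return (flagged, auth_lines).

    flagged is True when auth/key/autokey options are present but no key
    is configured, which is the exposed state per the advisory.
    """
    auth_lines, keys_file_named = [], False
    for tokens in _active_lines(conf_text):
        if tokens[0] == "keys" and len(tokens) > 1:
            keys_file_named = True  # `keys <file>` points at the key file
        elif tokens[0] != "disable" and AUTH_TOKENS & set(tokens[1:]):
            auth_lines.append(" ".join(tokens))
    configured = count_keys(keys_text) if keys_file_named else 0
    return (bool(auth_lines) and configured == 0, auth_lines)


# Constructed sample inputs (not taken from a real system).
DEFAULT_CONF = "server 0.pool.ntp.org iburst\nrestrict default kod nomodify\n"
CUSTOM_CONF = "enable auth   # turned on by hand\nserver 192.0.2.10 key 5\n"
KEYED_CONF = CUSTOM_CONF + "keys /etc/ntp/keys\n"
KEYS_FILE = "# id type secret\n5 M constructed-secret\n"

if __name__ == "__main__":
    for name, conf, keys in [("default", DEFAULT_CONF, ""),
                             ("custom, no keys", CUSTOM_CONF, ""),
                             ("custom, keyed", KEYED_CONF, KEYS_FILE)]:
        flagged, lines = audit_ntp_conf(conf, keys)
        print(f"{name}: {'REVIEW' if flagged else 'ok'} {lines}")
```

A flagged result marks a hand-edited configuration for review; the caller reads the key file named by the `keys` directive and passes its contents as `keys_text`.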