9.5 High
AI Score
Confidence
High
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
0.966 High
EPSS
Percentile
99.6%
Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8 allow remote attackers to execute arbitrary code via a crafted packet, related to (1) the crypto_recv function when the Autokey Authentication feature is used, (2) the ctl_putdata function, and (3) the configure function.
(
CVE-2014-9295
)
Impact
An attacker may be able to run arbitrary code using a crafted NTP packet.
There are multiple parts to this NTP vulnerability:
(1) The crypoto_rec function is not used in a default NTP configuration. The BIG-IP system is vulnerable only if Autokey Authentication is enabled through manual customizations to NTP configuration files.
(2) Thectl_putdatafunction impacts the BIG-IP system as a local-only vulnerability where the attacker must already be on the system using shell. The BIG-IP system is vulnerable with a default NTP configuration.
(3) The configure() function is not found to be used by the BIG-IP system and the components needed for the vulnerability are not enabled. The BIG-IP system is not vulnerable to this part of the vulnerability.
CPE | Name | Operator | Version |
---|---|---|---|
big-ip afm | eq | 11.3.0 | |
big-ip afm | eq | 11.4.0 | |
big-ip afm | eq | 11.4.1 | |
big-ip afm | eq | 11.5.0 | |
big-ip afm | eq | 11.5.1 | |
big-ip afm | eq | 11.5.2 | |
big-ip afm | eq | 11.5.3 | |
big-ip afm | eq | 11.6.0 | |
big-ip afm | eq | 12.0.0 | |
big-ip analytics | eq | 11.0.0 |