There are multiple vulnerabilities in Network Time Protocol (NTP) Project NTP daemon (ntpd) that is used by Power Hardware Management Console
CVE-ID: CVE-2014-9293 DESCRIPTION: Network Time Protocol (NTP) Project NTP daemon (ntpd) could provide weaker than expected security, caused by the improper generation of a key by the config_auth function when an auth key is not configured. A remote attacker could exploit this vulnerability using brute force techniques to guess the generated key.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99576***for more information
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVE-ID: CVE-2014-9294 DESCRIPTION: Network Time Protocol (NTP) Project NTP daemon (ntpd) could provide weaker than expected security, caused by the use of a weak RNG seed by ntp-keygen.c. A remote attacker could exploit this vulnerability using brute force techniques to defeat cryptographic protection mechanisms.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99577 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVE-ID: CVE-2014-9295 DESCRIPTION: Network Time Protocol (NTP) Project NTP daemon (ntpd) is vulnerable to multiple stack-based buffer overflows, caused by improper bounds checking by ntpd. By sending specially-crafted packets, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99578 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-ID: CVE-2014-9296 DESCRIPTION: Network Time Protocol (NTP) Project NTP daemon (ntpd) is vulnerable to a denial of service, caused by the continual execution of the receive function after detecting an error. By sending specially-crafted packets, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99579 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Power HMC V7.7.3.0
Power HMC V7.7.7.0
Power HMC V7.7.8.0
Power HMC V7.7.9.0
Power HMC V8.8.1.0
Power HMC V8.8.2.0
Fixes are available for the the HMC versions mentioned below:
Product | VRMF | APAR | Remediation/First Fix |
---|---|---|---|
Power HMC | V7.7.3.0 SP7 | MB03888 | Apply eFix MH01500 |
Power HMC | V7.7.7.0 SP4 | MB03889 | Apply eFix MH01501 |
Power HMC | V7.7.8.0 SP2 | MB03899 | Apply eFix MH01511 |
Power HMC | V7.7.9.0 SP1 | MB03900 | Apply eFix MH01512 |
Power HMC | V8.8.1.0 SP1 | MB03886 | Apply eFix MH01498 |
Power HMC | V8.8.2.0 | MB03837 | Apply service pack 1 (MH01455) |
Note:
1. After applying the PTF, you should restart the HMC.
2. HMC V7.7.3 support is extended only for managing the Power 775 (9125-F2C) also called “PERCS” and “IH”. End Of Service date for managing all other server models was 2013.05.31.
3. CVE-2014-9296 affects only HMC V8.8.1.0 and V8.8.2.0. Other versions are not affected.
None