CVSS2 Base Score: 7.5 (High)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
A fix is available for IBM SONAS for security vulnerabilities in the Network Time Protocol (NTP) implementation it uses.
IBM SONAS uses Network Time Protocol (NTP) to synchronize time.
CVEID: CVE-2014-9293
**DESCRIPTION:** Network Time Protocol (NTP) Project NTP daemon (ntpd) could provide weaker than expected security, caused by the improper generation of a key by the config_auth function when an auth key is not configured. A remote attacker could exploit this vulnerability using brute force techniques to guess the generated key.
CVSS Base Score: 5
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99576> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID: CVE-2014-9294
**DESCRIPTION:** Network Time Protocol (NTP) Project NTP daemon (ntpd) could provide weaker than expected security, caused by the use of a weak RNG seed by ntp-keygen.c. A remote attacker could exploit this vulnerability using brute force techniques to defeat cryptographic protection mechanisms.
CVSS Base Score: 5
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99577> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID: CVE-2014-9295
**DESCRIPTION:** Network Time Protocol (NTP) Project NTP daemon (ntpd) is vulnerable to multiple stack-based buffer overflows, caused by improper bounds checking by ntpd. By sending specially crafted packets, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVSS Base Score: 7.5
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99578> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVEID: CVE-2014-9296
**DESCRIPTION:** Network Time Protocol (NTP) Project NTP daemon (ntpd) is vulnerable to a denial of service, caused by the continual execution of the receive function after detecting an error. By sending specially crafted packets, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 5
CVSS Temporal Score: See <http://xforce.iss.net/xforce/xfdb/99579> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
IBM SONAS: all systems running code releases 1.3, 1.4 and 1.5 are affected, except those on version 1.5.2.0 and above.
A fix for these issues is included in version 1.5.2.0 of IBM SONAS. Customers running an affected version of SONAS should upgrade to 1.5.2.0 or a later version to apply the fix.
Please contact IBM support for assistance in upgrading your system.
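The affected range above has a common pitfall: a naive string comparison puts 1.5.10.0 before 1.5.2.0. The check below is an added example, not IBM tooling; it encodes the bulletin's rule (releases 1.3, 1.4 and 1.5 affected, 1.5.2.0 and later fixed) with numeric tuple comparison, and runs it over a constructed inventory so an operator can list which systems still need the upgrade. The hostnames and versions in `INVENTORY` are made up for the example.

```python
"""Affected-version check for the IBM SONAS NTP bulletin (added example, not IBM's code)."""
from __future__ import annotations

# Rule copied from the bulletin: releases 1.3, 1.4 and 1.5 are affected,
# except version 1.5.2.0 and above.
AFFECTED_RELEASES = {(1, 3), (1, 4), (1, 5)}
FIXED_VERSION = (1, 5, 2, 0)

# Constructed inventory (hostname -> reported SONAS code level); not real systems.
INVENTORY = {
    "sonas-01": "1.4.3.2",
    "sonas-02": "1.5.1.3",
    "sonas-03": "1.5.2.0",
    "sonas-04": "1.5.10.0",   # would sort *before* 1.5.2.0 as a string
    "sonas-05": "1.3",
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.5.2.0' into (1, 5, 2, 0); shorter strings are padded with zeros."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def is_affected(version: str) -> bool:
    """True when the version falls inside the bulletin's affected range."""
    v = parse_version(version)
    if v[:2] not in AFFECTED_RELEASES:
        return False          # releases the bulletin does not name
    return v < FIXED_VERSION  # numeric comparison, so 1.5.10.0 >= 1.5.2.0


def needs_upgrade(inventory: dict[str, str]) -> list[str]:
    """Hostnames running an affected code level, in inventory order."""
    return [host for host, ver in inventory.items() if is_affected(ver)]


if __name__ == "__main__":
    for host, ver in INVENTORY.items():
        print(f"{host:10} {ver:10} {'AFFECTED' if is_affected(ver) else 'ok'}")
    print("upgrade to 1.5.2.0 or later:", ", ".join(needs_upgrade(INVENTORY)))
```

Replace `INVENTORY` with the code levels reported by your own systems; every host the function returns is one the bulletin says should be moved to 1.5.2.0 or later.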
Workaround(s): None
Mitigation(s): Ensure that all users with access to the system are authenticated by another security control, such as a firewall.