CERT Coordination Center

NTP Project Network Time Protocol daemon (ntpd) contains multiple vulnerabilities (Updated)

Vulnerability Note VU#852879

Original Release Date: 2014-12-19 | Last Revised: 2015-10-27

Overview

The NTP Project ntpd version 4.2.7 and previous versions contain several vulnerabilities. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities may affect ntpd acting as a server or client.

Description

The Network Time Protocol (NTP) provides networked systems and devices with a way to synchronize time for various services and applications. The reference implementation produced by the NTP Project (ntp.org) contains several vulnerabilities.

CWE-290: Authentication Bypass by Spoofing - CVE-2014-9298

The IPv6 address ::1 can be spoofed, allowing an attacker to bypass ACLs based on ::1.

CWE-754: Improper Check for Unusual or Exceptional Conditions - CVE-2014-9297

The length value in extension field pointers is not properly validated, allowing information leaks.

CWE-332: Insufficient Entropy in PRNG - CVE-2014-9293

If no authentication key is defined in the ntp.conf file, a cryptographically-weak default key is generated.

CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) - CVE-2014-9294

ntp-keygen before 4.2.7p230 uses a non-cryptographic random number generator with a weak seed to generate symmetric keys.

CWE-121: Stack Buffer Overflow - CVE-2014-9295

A remote unauthenticated attacker may craft special packets that trigger buffer overflows in the ntpd functions crypto_recv() (when using autokey authentication), ctl_putdata(), and configure(). The resulting buffer overflows may be exploited to allow arbitrary malicious code to be executed with the privilege of the ntpd process.

CWE-389: Error Conditions, Return Values, Status Codes - CVE-2014-9296

A section of code in ntpd handling a rare error is missing a return statement, so processing does not stop when the error is encountered. This situation may be exploitable by an attacker.

The NTP Project provides more information about these issues in their security advisory.

The NTP Project implementation is widely used in operating system distributions and network products. These vulnerabilities affect ntpd acting as a server or client. CERT/CC is not aware of any public exploit of these vulnerabilities at this time.

The CVSS score below is based on the buffer overflow vulnerabilities (CVE-2014-9295).

Impact

The buffer overflow vulnerabilities in ntpd may allow a remote unauthenticated attacker to execute arbitrary malicious code with the privilege level of the ntpd process. The weak default key and non-cryptographic random number generator in ntp-keygen may allow an attacker to gain information regarding the integrity checking and authentication encryption schemes. More specifically, the weak default key allows access to private mode and control mode queries that require authentication, if not restricted by the configuration.

Solution

Apply an update

These issues have been addressed in ntp-4.2.8p1. The update may be downloaded from ntp.org.

Restrict status queries

As noted in the announcement for ntp-4.2.8:

The vulnerabilities listed below can be significantly mitigated by following the BCP of putting

  restrict default ... noquery

in the ntp.conf file.  With the exception of:

  receive(): missing return on error
  References: Sec 2670 / CVE-2014-9296 / VU#852879

below (which is a limited-risk vulnerability), none of the recent vulnerabilities listed below can be exploited if the source IP is restricted from sending a 'query'-class packet by your ntp.conf file.


Use firewall rules

Install firewall rules that block the ::1 IPv6 address from inappropriate network interfaces.

Disable autokey authentication

Disable Autokey Authentication by removing, or commenting out, all configuration directives beginning with the crypto keyword in your ntp.conf file.
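
One way to check a host against the configuration mitigations above, as an added example that is not part of the original note or of NTP Project code: the script flags `restrict default` lines that lack `noquery` (or `ignore`), active `crypto` directives, and upstream versions older than ntp-4.2.8p1. The sample configuration, hostname and function names are constructed for illustration, and only the literal `default` form of the restrict address is recognized.

```python
import re

FIXED = (4, 2, 8, 1)  # ntp-4.2.8p1, the release this note names as fixed

# Constructed sample ntp.conf (hostname, password and paths are made up).
SAMPLE_CONF = """\
# constructed example
driftfile /var/lib/ntp/drift
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
server ntp1.example.net iburst
crypto pw examplepassword
keys /etc/ntp/keys
"""


def parse_version(text):
    """Extract (major, minor, patch, p-level) from e.g. 'ntpd 4.2.6p5@1.2349-o'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", text)
    if m is None:
        raise ValueError(f"no ntp version found in {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def is_fixed_version(text):
    """True if the upstream version is ntp-4.2.8p1 or later.

    Vendor packages can carry backported fixes under an older upstream
    number, so a False result means "check the vendor advisory", not proof.
    """
    return parse_version(text) >= FIXED


def directives(conf_text):
    """Yield (line_number, tokens) for every active (uncommented) directive."""
    for number, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line:
            yield number, line.split()


def audit(conf_text):
    """Return a list of (line_number, check, message) findings.

    line_number 0 means the finding is about something missing from the file.
    """
    findings = []
    default_lines = 0
    for number, tokens in directives(conf_text):
        if tokens[0] == "crypto":
            findings.append((number, "autokey",
                             "crypto directive present (Autokey configuration)"))
            continue
        if tokens[0] != "restrict":
            continue
        args = tokens[1:]
        if args and args[0] in ("-4", "-6"):  # optional address-family flag
            args = args[1:]
        if not args or args[0] != "default":
            continue
        default_lines += 1
        flags = set(args[1:])
        # 'ignore' drops every packet, so it also blocks query-class packets.
        if not flags & {"noquery", "ignore"}:
            findings.append((number, "noquery",
                             "restrict default lacks noquery"))
    if default_lines == 0:
        findings.append((0, "noquery",
                         "no restrict default line: default entry has no noquery"))
    return findings


if __name__ == "__main__":
    for number, check, message in audit(SAMPLE_CONF):
        print(f"line {number}: [{check}] {message}")
    for banner in ("ntpd 4.2.6p5", "ntpd 4.2.8p1"):
        state = "fixed" if is_fixed_version(banner) else "older than 4.2.8p1"
        print(banner, "->", state)
```
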

Vendor Information

Apple Affected

Notified:  December 18, 2014 Updated: December 23, 2014

Status

Affected

Vendor Statement

From the Apple support advisory:

"OS X NTP Security Update - ntpd

Available for: OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5, OS X Yosemite v10.10.1

Impact: A remote attacker may be able to execute arbitrary code

Description: Several issues existed in ntpd that would have allowed an attacker to trigger buffer overflows. These issues were addressed through improved error checking.

To verify the ntpd version, type the following command in Terminal: what /usr/sbin/ntpd. This update includes the following versions:

    • Mountain Lion: ntp-77.1.1
    • Mavericks: ntp-88.1.1
    • Yosemite: ntp-92.5.1

CVE-ID

CVE-2014-9295 : Stephen Roettger of the Google Security Team"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

Cisco Systems, Inc. Affected

Notified:  December 18, 2014 Updated: January 13, 2015

Statement Date:   January 13, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Cisco Systems has released a Cisco Security Advisory on their products, available at the URL: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141222-ntpd

Vendor References

EfficientIP Affected

Updated:  December 24, 2014

Statement Date:   December 24, 2014

Status

Affected

Vendor Statement

"All versions are affected by CWE-389 (CVE-2014-9296).

Upgrade to the latest patch of your release: 5.0.4.p1a, 5.0.3.p4a or 4.0.2p13d.

Available releases can be downloaded at: http://www.efficientip.com/support-services/"

Vendor Information

CVE-2014-9296 covers this vulnerability for ntpd.

Vendor References

F5 Networks, Inc. Affected

Notified:  December 18, 2014 Updated: January 13, 2015

Statement Date:   January 13, 2015

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

F5 has released a security advisory for its products at the URL: https://support.f5.com/kb/en-us/solutions/public/15000/900/sol15936.html

Vendor References

FreeBSD Project Affected

Notified:  December 18, 2014 Updated: April 10, 2015

Statement Date:   December 19, 2014

Status

Affected

Vendor Statement

"All currently supported FreeBSD releases (8.4, 9.1, 9.2, 9.3, 10.0 and 10.1) include vulnerable versions of ntpd."

Vendor Information

FreeBSD has released advisories with patches; please see the Advisory URLs below.

Vendor References

Huawei Technologies Affected

Updated:  December 23, 2014

Statement Date:   December 23, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

NEC Corporation Affected

Updated:  October 26, 2015

Status

Affected

Vendor Statement

We provide information on this issue at the following URL <http://jpn.nec.com/security-info/secinfo/nv15-009.html> (only in Japanese)

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

NTP Project Affected

Notified:  December 03, 2014 Updated: December 22, 2014

Statement Date:   December 19, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Please see the vendor Security Notice at the URL below.

Vendor References

OmniTI Affected

Notified:  December 20, 2014 Updated: December 22, 2014

Statement Date:   December 20, 2014

Status

Affected

Vendor Statement

"Affected, but Update now available"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Red Hat, Inc. Affected

Notified:  December 18, 2014 Updated: December 30, 2014

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Red Hat has released updated packages for ntpd to address these vulnerabilities. You may find information about the vulnerabilities and the updated packages at the link below:

https://rhn.redhat.com/errata/RHSA-2014-2024.html

Vendor References

Watchguard Technologies, Inc. Affected

Notified:  December 18, 2014 Updated: December 19, 2014

Statement Date:   December 19, 2014

Status

Affected

Vendor Statement

"Our XTM and Firebox appliances (our main products) are not vulnerable to these flaws, since we use openntpd rather than ntpd.

Our wireless access points are not vulnerable since they only use the basic ntpclient.

However, our XCS appliances (mail security) are vulnerable to the ntpd flaws. We will be releasing a firmware update to fix these flaws as soon as practical. However, in the meantime, we are sharing simple steps to mitigate this issue (use our firewall to block NTP, and point to an internal, updated NTP server instead)."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Belkin, Inc. Not Affected

Notified:  December 18, 2014 Updated: March 05, 2015

Statement Date:   March 05, 2015

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Fortinet, Inc. Not Affected

Notified:  December 18, 2014 Updated: December 24, 2014

Statement Date:   December 24, 2014

Status

Not Affected

Vendor Statement

"Fortigate products are not vulnerable."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

OpenBSD Not Affected

Notified:  December 18, 2014 Updated: December 19, 2014

Statement Date:   December 19, 2014

Status

Not Affected

Vendor Statement

"OpenBSD does not use ntp.org code."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux Not Affected

Notified:  December 18, 2014 Updated: December 21, 2014

Statement Date:   December 20, 2014

Status

Not Affected

Vendor Statement

"Openwall GNU/*/Linux is not affected.  We use OpenNTPD."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

m0n0wall Not Affected

Notified:  December 18, 2014 Updated: December 19, 2014

Statement Date:   December 19, 2014

Status

Not Affected

Vendor Statement

"m0n0wall does not include ntpd and is therefore not affected."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

ACCESS Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

AT&T Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Alcatel-Lucent Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Arch Linux Unknown

Notified:  December 19, 2014 Updated: December 19, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Avaya, Inc. Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Barracuda Networks Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Blue Coat Systems Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CA Technologies Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CentOS Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Check Point Software Technologies Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Cray Inc. Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

D-Link Systems, Inc. Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Debian GNU/Linux Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

DragonFly BSD Project Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

EMC Corporation Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Engarde Secure Linux Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Enterasys Networks Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Ericsson Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Extreme Networks Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Fedora Project Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Force10 Networks, Inc. Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Foundry Networks, Inc. Unknown

Notified:  December 19, 2014 Updated: December 19, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Fujitsu Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Gentoo Linux Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Global Technology Associates, Inc. Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Google Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Hewlett-Packard Company Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Hitachi Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IBM Corporation Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IBM Corporation (zseries) Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IBM eServer Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Infoblox Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Intel Corporation Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Intoto Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Juniper Networks, Inc. Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Mandriva S. A. Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

McAfee Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Microsemi Unknown

Notified:  December 23, 2014 Updated: December 23, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Microsoft Corporation Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

MontaVista Software, Inc. Unknown

Notified:  December 19, 2014 Updated: December 19, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

NEC Corporation Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

NetBSD Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Nokia Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Novell, Inc. Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Oracle Corporation Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Palo Alto Networks Unknown

Notified:  December 18, 2014 Updated: December 18, 2014

Status

Unknown

                                                                                          Vendor Statement

                                                                                          We have not received a statement from the vendor.

                                                                                          Vendor References

                                                                                            Peplink Unknown

                                                                                            Notified:  December 18, 2014 Updated: December 18, 2014

                                                                                            Status

                                                                                            Unknown

                                                                                            Vendor Statement

                                                                                            We have not received a statement from the vendor.

                                                                                            Vendor References

                                                                                              Process Software Unknown

                                                                                              Notified:  December 18, 2014 Updated: December 18, 2014

                                                                                              Status

                                                                                              Unknown

                                                                                              Vendor Statement

                                                                                              We have not received a statement from the vendor.

                                                                                              Vendor References

                                                                                                Q1 Labs Unknown

                                                                                                Notified:  December 18, 2014 Updated: December 18, 2014

                                                                                                Status

                                                                                                Unknown

                                                                                                Vendor Statement

                                                                                                We have not received a statement from the vendor.

                                                                                                Vendor References

                                                                                                  QNX Software Systems Inc. Unknown

                                                                                                  Notified:  December 18, 2014 Updated: December 18, 2014

                                                                                                  Status

                                                                                                  Unknown

                                                                                                  Vendor Statement

                                                                                                  We have not received a statement from the vendor.

                                                                                                  Vendor References

                                                                                                    Quagga Unknown

                                                                                                    Notified:  December 19, 2014 Updated: December 19, 2014

                                                                                                    Status

                                                                                                    Unknown

                                                                                                    Vendor Statement

                                                                                                    We have not received a statement from the vendor.

                                                                                                    Vendor References

                                                                                                      SUSE Linux Unknown

                                                                                                      Notified:  December 18, 2014 Updated: December 18, 2014

                                                                                                      Status

                                                                                                      Unknown

                                                                                                      Vendor Statement

                                                                                                      We have not received a statement from the vendor.

                                                                                                      Vendor References

                                                                                                        SafeNet Unknown

                                                                                                        Notified:  December 18, 2014 Updated: December 18, 2014

                                                                                                        Status

                                                                                                        Unknown

                                                                                                        Vendor Statement

                                                                                                        We have not received a statement from the vendor.

                                                                                                        Vendor References

                                                                                                          Slackware Linux Inc. Unknown

                                                                                                          Notified:  December 18, 2014 Updated: December 18, 2014

                                                                                                          Status

                                                                                                          Unknown

                                                                                                          Vendor Statement

                                                                                                          We have not received a statement from the vendor.

                                                                                                          Vendor References

                                                                                                            SmoothWall Unknown

                                                                                                            Notified:  December 18, 2014 Updated: December 18, 2014

                                                                                                            Status

                                                                                                            Unknown

                                                                                                            Vendor Statement

                                                                                                            We have not received a statement from the vendor.

                                                                                                            Vendor References

                                                                                                              Snort Unknown

                                                                                                              Notified:  December 18, 2014 Updated: December 18, 2014

                                                                                                              Status

                                                                                                              Unknown

                                                                                                              Vendor Statement

                                                                                                              We have not received a statement from the vendor.

                                                                                                              Vendor References

                                                                                                                Sony Corporation Unknown

                                                                                                                Notified:  December 18, 2014 Updated: December 18, 2014

                                                                                                                Status

                                                                                                                Unknown

                                                                                                                Vendor Statement

                                                                                                                We have not received a statement from the vendor.

                                                                                                                Vendor References

                                                                                                                  Sourcefire Unknown

                                                                                                                  Notified:  December 18, 2014 Updated: December 18, 2014

                                                                                                                  Status

                                                                                                                  Unknown

                                                                                                                  Vendor Statement

                                                                                                                  We have not received a statement from the vendor.

                                                                                                                  Vendor References

                                                                                                                    Stonesoft Unknown

                                                                                                                    Notified:  December 19, 2014 Updated: December 19, 2014

                                                                                                                    Status

                                                                                                                    Unknown

                                                                                                                    Vendor Statement

                                                                                                                    We have not received a statement from the vendor.

                                                                                                                    Vendor References

                                                                                                                      Symantec Unknown

                                                                                                                      Notified:  December 18, 2014 Updated: December 18, 2014

                                                                                                                      Status

                                                                                                                      Unknown

                                                                                                                      Vendor Statement

                                                                                                                      We have not received a statement from the vendor.

                                                                                                                      Vendor References

                                                                                                                        The SCO Group Unknown

                                                                                                                        Notified:  December 18, 2014 Updated: December 18, 2014

                                                                                                                        Status

                                                                                                                        Unknown

                                                                                                                        Vendor Statement

                                                                                                                        We have not received a statement from the vendor.

                                                                                                                        Vendor References

                                                                                                                          TippingPoint Technologies Inc. Unknown

                                                                                                                          Notified:  December 18, 2014 Updated: December 18, 2014

                                                                                                                          Status

                                                                                                                          Unknown

                                                                                                                          Vendor Statement

                                                                                                                          We have not received a statement from the vendor.

                                                                                                                          Vendor References

                                                                                                                            Turbolinux Unknown

                                                                                                                            Notified:  December 18, 2014 Updated: December 18, 2014

                                                                                                                            Status

                                                                                                                            Unknown

                                                                                                                            Vendor Statement

                                                                                                                            We have not received a statement from the vendor.

                                                                                                                            Vendor References

                                                                                                                              Ubuntu Unknown

                                                                                                                              Notified:  December 18, 2014 Updated: December 18, 2014

                                                                                                                              Status

                                                                                                                              Unknown

                                                                                                                              Vendor Statement

                                                                                                                              We have not received a statement from the vendor.

                                                                                                                              Vendor References

                                                                                                                                Unisys Unknown

                                                                                                                                Notified:  December 18, 2014 Updated: December 18, 2014

                                                                                                                                Status

                                                                                                                                Unknown

                                                                                                                                Vendor Statement

                                                                                                                                We have not received a statement from the vendor.

                                                                                                                                Vendor References

                                                                                                                                  VMware Unknown

                                                                                                                                  Notified:  December 18, 2014 Updated: December 18, 2014

                                                                                                                                  Status

                                                                                                                                  Unknown

                                                                                                                                  Vendor Statement

                                                                                                                                  We have not received a statement from the vendor.

                                                                                                                                  Vendor References

                                                                                                                                    Vyatta Unknown

                                                                                                                                    Notified:  December 19, 2014 Updated: December 19, 2014

                                                                                                                                    Status

                                                                                                                                    Unknown

                                                                                                                                    Vendor Statement

                                                                                                                                    We have not received a statement from the vendor.

                                                                                                                                    Vendor References

                                                                                                                                      Wind River Systems, Inc. Unknown

                                                                                                                                      Notified:  December 18, 2014 Updated: December 18, 2014

                                                                                                                                      Status

                                                                                                                                      Unknown

                                                                                                                                      Vendor Statement

                                                                                                                                      We have not received a statement from the vendor.

                                                                                                                                      Vendor References

                                                                                                                                        ZyXEL Unknown

                                                                                                                                        Notified:  December 18, 2014 Updated: December 18, 2014

                                                                                                                                        Status

                                                                                                                                        Unknown

                                                                                                                                        Vendor Statement

                                                                                                                                        We have not received a statement from the vendor.

                                                                                                                                        Vendor References

                                                                                                                                          eSoft, Inc. Unknown

                                                                                                                                          Notified:  December 18, 2014 Updated: December 18, 2014

                                                                                                                                          Status

                                                                                                                                          Unknown

                                                                                                                                          Vendor Statement

                                                                                                                                          We have not received a statement from the vendor.

                                                                                                                                          Vendor References

                                                                                                                                            netfilter Unknown

                                                                                                                                            Notified:  December 18, 2014 Updated: December 18, 2014

                                                                                                                                            Status

                                                                                                                                            Unknown

                                                                                                                                            Vendor Statement

                                                                                                                                            We have not received a statement from the vendor.

                                                                                                                                            Vendor References



                                                                                                                                              CVSS Metrics

Group          Score  Vector
Base           7.5    AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal       5.9    E:POC/RL:OF/RC:C
Environmental  5.9    CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

                                                                                                                                              Acknowledgements

                                                                                                                                              The NTP Project credits Stephen Roettger and Neel Mehta of the Google Security Team for discovering these vulnerabilities.

                                                                                                                                              This document was written by Garret Wassermann.

                                                                                                                                              Other Information

                                                                                                                                              CVE IDs: CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296, CVE-2014-9297, CVE-2014-9298
                                                                                                                                              Date Public: 2014-12-19
                                                                                                                                              Date First Published: 2014-12-19
                                                                                                                                              Date Last Updated: 2015-10-27 02:22 UTC
                                                                                                                                              Document Revision: 124

                                                                                                                                              Sponsored by CISA.