FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

ntp -- multiple vulnerabilities

Affected packages
ntp < 4.2.8
ntp-devel < 4.2.8

Details

VuXML ID 4033d826-87dd-11e4-9079-3c970e169bc2
Discovery 2014-12-19
Entry 2014-12-20

CERT reports:

The Network Time Protocol (NTP) provides networked systems with a way to synchronize time for various services and applications. ntpd version 4.2.7 and previous versions allow attackers to overflow several buffers in a way that may allow malicious code to be executed. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys.

The buffer overflow vulnerabilities in ntpd may allow a remote unauthenticated attacker to execute arbitrary malicious code with the privilege level of the ntpd process. The weak default key and non-cryptographic random number generator in ntp-keygen may allow an attacker to gain information regarding the integrity checking and authentication encryption schemes.

References

CVE Name CVE-2014-9293
CVE Name CVE-2014-9294
CVE Name CVE-2014-9295
CVE Name CVE-2014-9296
URL http://www.kb.cert.org/vuls/id/852879