CVE-2014-9296
First published: Fri Dec 19 2014(Updated: )
As per upstream NTP security advisory: Code in ntp_proto.c:receive() was missing a 'return;' in the code path where an error was detected, which meant processing did not stop when a specific rare error occurred. We haven't found a way for this bug to affect system integrity. If there is no way to affect system integrity the base CVSS score for this bug is 0. If there is one avenue through which system integrity can be partially affected, the base score becomes a 5. If system integrity can be partially affected via all three integrity metrics, the CVSS base score become 7.5. This vulnerability was discovered by Stephen Roettger of the Google Security Team. Mitigation: Remove or comment out all configuration directives beginning with the crypto keyword in your ntp.conf file.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/ntp | <4.2.8 | 4.2.8 |
| NTP ntp | <=4.2.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://advisories.mageia.org/MGASA-2014-0541.html
- http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548ad06feXHK1HlZoY-WZVyynwvwAg
- http://bugs.ntp.org/show_bug.cgi?id=2670
- http://lists.opensuse.org/opensuse-security-announce/2014-12/msg00020.html
- http://marc.info/?l=bugtraq&m=142590659431171&w=2
- http://marc.info/?l=bugtraq&m=142853370924302&w=2
- http://marc.info/?l=bugtraq&m=144182594518755&w=2
- http://rhn.redhat.com/errata/RHSA-2015-0104.html
- http://secunia.com/advisories/62209
- http://support.ntp.org/bin/view/Main/SecurityNotice
- http://www.kb.cert.org/vuls/id/852879
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:003
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- http://www.securityfocus.com/bid/71758
- https://bugzilla.redhat.com/show_bug.cgi?id=1176040
- https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04790232
- https://kc.mcafee.com/corporate/index?page=content&id=SB10103
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141222-ntpd
- https://www.arista.com/en/support/advisories-notices/security-advisories/1047-security-advisory-8
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1176040#c0
- http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=5493dc3dofY6drKJde9W-5O1M3s4eg
- https://access.redhat.com/articles/1305723
- http://support.ntp.org/bin/view/Main/SecurityNotice#receive_missing_return_on_error
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1176191
- https://rhn.redhat.com/errata/RHSA-2014-2024.html
- https://rhn.redhat.com/errata/RHSA-2015-0104.html
- collector/nvd-index
- agent/weakness
- agent/severity
- agent/author
- agent/description
- agent/type
- agent/event
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- agent/tags
- agent/references
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2014-9296
- agent/software-canonical-lookup
- vendor/ntp
- canonical/ntp ntp
- version/ntp ntp/4.2.7
- package-manager/redhat