CVE-2014-9296
First published: Fri Dec 19 2014(Updated: )
As per upstream NTP security advisory: Code in ntp_proto.c:receive() was missing a 'return;' in the code path where an error was detected, which meant processing did not stop when a specific rare error occurred. We haven't found a way for this bug to affect system integrity. If there is no way to affect system integrity the base CVSS score for this bug is 0. If there is one avenue through which system integrity can be partially affected, the base score becomes a 5. If system integrity can be partially affected via all three integrity metrics, the CVSS base score become 7.5. This vulnerability was discovered by Stephen Roettger of the Google Security Team. Mitigation: Remove or comment out all configuration directives beginning with the crypto keyword in your ntp.conf file.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/ntp | <4.2.8 | 4.2.8 |
| NTP | <=4.2.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://advisories.mageia.org/MGASA-2014-0541.html
- http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548ad06feXHK1HlZoY-WZVyynwvwAg
- http://bugs.ntp.org/show_bug.cgi?id=2670
- http://lists.opensuse.org/opensuse-security-announce/2014-12/msg00020.html
- http://marc.info/?l=bugtraq&m=142590659431171&w=2
- http://marc.info/?l=bugtraq&m=142853370924302&w=2
- http://marc.info/?l=bugtraq&m=144182594518755&w=2
- http://rhn.redhat.com/errata/RHSA-2015-0104.html
- http://secunia.com/advisories/62209
- http://support.ntp.org/bin/view/Main/SecurityNotice
- http://www.kb.cert.org/vuls/id/852879
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:003
- http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
- http://www.securityfocus.com/bid/71758
- https://bugzilla.redhat.com/show_bug.cgi?id=1176040
- https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04790232
- https://kc.mcafee.com/corporate/index?page=content&id=SB10103
- https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141222-ntpd
- https://www.arista.com/en/support/advisories-notices/security-advisories/1047-security-advisory-8
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1176040#c0
- http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=5493dc3dofY6drKJde9W-5O1M3s4eg
- https://access.redhat.com/articles/1305723
- http://support.ntp.org/bin/view/Main/SecurityNotice#receive_missing_return_on_error
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1176191
- https://rhn.redhat.com/errata/RHSA-2014-2024.html
- https://rhn.redhat.com/errata/RHSA-2015-0104.html
Frequently Asked Questions
What is the severity of CVE-2014-9296?
CVE-2014-9296 is classified as a low severity vulnerability because it does not affect system integrity.
How do I fix CVE-2014-9296?
To fix CVE-2014-9296, upgrade to NTP version 4.2.8 or later.
What impact does CVE-2014-9296 have on my system?
CVE-2014-9296 may allow error processing to continue unexpectedly, but it has not been found to compromise system integrity.
Which versions of NTP are affected by CVE-2014-9296?
CVE-2014-9296 affects NTP versions up to and including 4.2.7.
Is CVE-2014-9296 exploitable remotely?
CVE-2014-9296 does not have a defined remote exploit mechanism due to its nature.
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/references
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2014-9296
- agent/software-canonical-lookup
- agent/author
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/ntp
- canonical/ntp
- version/ntp/4.2.7