Arch Linux Security Advisory ASA-201502-7 ========================================= Severity: Medium Date : 2015-02-06 CVE-ID : CVE-2014-9297 CVE-2014-9298 Package : ntp Type : multiple issues Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package ntp before version 4.2.8.p1-1 is vulnerable to multiple issues including information disclosure, denial of service and configuration restriction bypass. Resolution ========== Upgrade to 4.2.8.p1-1. # pacman -Syu "ntp>=4.2.8.p1-1" The problems have been fixed upstream in version 4.2.8.p1. Workaround ========== - CVE-2014-9297 Disable Autokey Authentication by removing, or commenting out, all configuration directives beginning with the crypto keyword in your ntp.conf file. - CVE-2014-9298 Install firewall rules to block packets claiming to come from ::1 from inappropriate network interfaces. Description =========== - CVE-2014-9297 (information disclosure, denial of service) The vallen packet value is not validated in several code paths in ntp_crypto.c which can lead to information leakage or a possible crash. - CVE-2014-9298 (access restriction bypass) While available kernels will prevent 127.0.0.1 addresses from "appearing" on non-localhost IPv4 interfaces, some kernels do not offer the same protection for ::1 source addresses on IPv6 interfaces. Since NTP's access control is based on source address and localhost addresses generally have no restrictions, an attacker can send malicious control and configuration packets by spoofing ::1 addresses from the outside. Impact ====== A remote attacker is able to send specially crafted packets to perform information disclosure, denial of service or bypass the configuration restriction by claiming to come from ::1. References ========== http://support.ntp.org/bin/view/Main/SecurityNotice#1_can_be_spoofed_on_some... http://support.ntp.org/bin/view/Main/SecurityNotice#vallen_is_not_validated_... https://access.redhat.com/security/cve/CVE-2014-9297 https://access.redhat.com/security/cve/CVE-2014-9298