[arch-security] [ASA-201412-24] ntp: multiple issues

Levente Polyak anthraxx at archlinux.org
Mon Dec 22 04:36:54 UTC 2014


Arch Linux Security Advisory ASA-201412-24
==========================================

Severity: Critical
Date    : 2014-12-22
CVE-ID  : CVE-2014-9293 CVE-2014-9294 CVE-2014-9295 CVE-2014-9296
Package : ntp
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE-2014

Summary
=======

The package ntp before version 4.2.8-1 is vulnerable to multiple issues
including but not limited to arbitrary code execution, denial of service
and weak key generation.

Resolution
==========

Upgrade to 4.2.8-1.

# pacman -Syu "ntp>=4.2.8-1"

The problems have been fixed upstream in version 4.2.8.

Workaround
==========

None.

Description
===========

Keys explicitly generated by "ntp-keygen -M" should be regenerated.

- CVE-2014-9293 (weak key generation)
ntpd generated a weak key for its internal use, with full administrative
privileges. Attackers could use this key to reconfigure ntpd (or to
exploit other vulnerabilities).

- CVE-2014-9294 (weak key generation)
The ntp-keygen utility generated weak MD5 keys with insufficient
entropy, which makes it easier for remote attackers to defeat
cryptographic protection mechanisms via a brute-force attack.

- CVE-2014-9295 (arbitrary code execution)
Multiple stack-based buffer overflows in ntpd allow remote attackers to
execute arbitrary code via a crafted packet, related to (1) the
crypto_recv function when the Autokey Authentication feature is used,
(2) the ctl_putdata function, and (3) the configure function.

- CVE-2014-9296 (unintended association change)
The receive function in ntp_proto.c continues to execute after detecting
a certain authentication error, which might allow remote attackers to
trigger an unintended association change via crafted packets.
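
The Resolution and the key-regeneration note above can be checked together on a
host. The script below is an added example, not part of the original advisory:
the function names, the sample version "4.2.7-1" and the sample ntp.conf and key
file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a host against ASA-201412-24.
FIXED="4.2.8-1"   # first fixed package version, taken from the advisory

# Succeeds if version $1 is >= $FIXED. Uses pacman's vercmp when available,
# otherwise GNU sort -V as an approximation of pacman's version ordering.
ntp_is_fixed() {
    if command -v vercmp >/dev/null 2>&1; then
        [ "$(vercmp "$1" "$FIXED")" -ge 0 ]
    else
        [ "$(printf '%s\n%s\n' "$FIXED" "$1" | sort -V | head -n 1)" = "$FIXED" ]
    fi
}

# Print the key file paths named by "keys" directives in ntp.conf ($1).
ntp_key_files() {
    awk '$1 == "keys" && NF >= 2 { print $2 }' "$1"
}

# Print the IDs of MD5 keys in key file $1 (lines are "id type key").
md5_key_ids() {
    awk '$1 ~ /^[0-9]+$/ && ($2 == "MD5" || $2 == "M") { print $1 }' "$1"
}

# audit VERSION NTP_CONF: report upgrade status and keys to regenerate.
audit() {
    if ntp_is_fixed "$1"; then
        echo "ntp $1: fixed"
    else
        echo "ntp $1: VULNERABLE, upgrade to >= $FIXED"
    fi
    for f in $(ntp_key_files "$2"); do
        ids=$(md5_key_ids "$f" 2>/dev/null | tr '\n' ' ')
        if [ -n "$ids" ]; then
            echo "$f: MD5 key IDs ${ids}(regenerate if created by ntp-keygen -M)"
        fi
    done
}

# Constructed sample input so the script runs offline; on a real host use:
#   audit "$(pacman -Q ntp | awk '{print $2}')" /etc/ntp.conf
demo=$(mktemp -d)
printf '1 MD5 constructedSampleKey0001\n2 SHA1 0123abcd\n# comment\n7 M oldStyleKey\n' > "$demo/ntp.keys"
printf 'server 0.arch.pool.ntp.org\nkeys %s/ntp.keys\ntrustedkey 1 7\n' "$demo" > "$demo/ntp.conf"
audit "4.2.7-1" "$demo/ntp.conf"
```

The script cannot tell how a key was created, so it lists every MD5 key for review.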

Impact
======

A remote attacker is able to craft packets leading to arbitrary code
execution or denial of service, or to make use of a weak key generation
flaw to perform cryptographic attacks against the authentication.

References
==========

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9293
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9294
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9295
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9296
https://bugs.ntp.org/show_bug.cgi?id=2665
https://bugs.ntp.org/show_bug.cgi?id=2666
https://bugs.ntp.org/show_bug.cgi?id=2667
https://bugs.ntp.org/show_bug.cgi?id=2670
