CVE-2014-9293 — Improper Restriction of Operations within the Bounds of a Memory Buffer in NTP

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-20 — Improper Input Validation CWE-200 — Sensitive Information Exposure CWE-264 CWE-310 CWE-338 — Use of Cryptographically Weak Pseudo-Random Number Generator20 documents10 sources

Severity

7.5HIGHNVD

EPSS

33.3%

top 3.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

NTP Debian NTP Cisco Products

Timeline

PublishedDec 20

Latest updateMay 13

Description

The config_auth function in ntpd in NTP before 4.2.7p11, when an auth key is not configured, improperly generates a key, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages5 packages

▶debiandebian/ntp< ntp 1:4.2.6.p5+dfsg-3.2 (bullseye)

▶Debianntp/ntp< 1:4.2.6.p5+dfsg-3.2

▶Ubuntuntp/ntp< 1:4.2.6.p5+dfsg-3ubuntu2.14.04.1

▶NVDntp/ntp4.2.7

▶ciscocisco/products

🔴Vulnerability Details

GHSA

GHSA-39gg-qjj7-qm8m: The config_auth function in ntpd in NTP before 4↗2022-05-13

▶

OSV

ntp vulnerabilities↗2014-12-22

▶

OSV

CVE-2014-9293: The config_auth function in ntpd in NTP before 4↗2014-12-20

▶

📋Vendor Advisories

CISA ICS

Network Time Protocol Vulnerabilities (Supplement Update A)↗2015-02-05

▶

CISA ICS

Network Time Protocol Vulnerabilities (Update C)↗2015-02-04

▶

CISA ICS

Network Time Protocol Vulnerabilities (Update B)↗2014-12-23

▶

Cisco

Multiple Vulnerabilities in ntpd Affecting Cisco Products↗2014-12-23

▶

BSD

FreeBSD-SA-14:31.ntp: Multiple vulnerabilities in NTP suite↗2014-12-23

▶

💬Community

Bugzilla

CVE-2014-9296 CVE-2014-9294 CVE-2014-9295 CVE-2014-9293 ntp: various flaws [fedora-all]↗2014-12-19

▶

Bugzilla

CVE-2014-9293 ntp: automatic generation of weak default key in config_auth()↗2014-12-19

▶