CVE-2014-9294 — Improper Restriction of Operations within the Bounds of a Memory Buffer in NTP

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-20 — Improper Input Validation CWE-200 — Sensitive Information Exposure CWE-264 CWE-310 CWE-335 — Incorrect Usage of Seeds in Pseudo-Random Number Generator CWE-338 — Use of Cryptographically Weak Pseudo-Random Number Generator20 documents10 sources

Severity

7.5HIGHNVD

EPSS

33.3%

top 3.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

NTP Debian NTP Cisco Products

Timeline

PublishedDec 20

Latest updateMay 13

Description

util/ntp-keygen.c in ntp-keygen in NTP before 4.2.7p230 uses a weak RNG seed, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages5 packages

▶debiandebian/ntp< ntp 1:4.2.6.p5+dfsg-3.2 (bullseye)

▶Debianntp/ntp< 1:4.2.6.p5+dfsg-3.2

▶Ubuntuntp/ntp< 1:4.2.6.p5+dfsg-3ubuntu2.14.04.1

▶NVDntp/ntp4.2.7

▶ciscocisco/products

🔴Vulnerability Details

GHSA

GHSA-5385-7g23-qh96: util/ntp-keygen↗2022-05-13

▶

OSV

ntp vulnerabilities↗2014-12-22

▶

OSV

CVE-2014-9294: util/ntp-keygen↗2014-12-20

▶

📋Vendor Advisories

CISA ICS

Network Time Protocol Vulnerabilities (Supplement Update A)↗2015-02-05

▶

CISA ICS

Network Time Protocol Vulnerabilities (Update C)↗2015-02-04

▶

CISA ICS

Network Time Protocol Vulnerabilities (Update B)↗2014-12-23

▶

Cisco

Multiple Vulnerabilities in ntpd Affecting Cisco Products↗2014-12-23

▶

BSD

FreeBSD-SA-14:31.ntp: Multiple vulnerabilities in NTP suite↗2014-12-23

▶

💬Community

Bugzilla

CVE-2014-9296 CVE-2014-9294 CVE-2014-9295 CVE-2014-9293 ntp: various flaws [fedora-all]↗2014-12-19

▶

Bugzilla

CVE-2014-9294 ntp: ntp-keygen uses weak random number generator and seed when generating MD5 keys↗2014-12-19

▶