CVE-2014-9295
published 2014-12-20

Priority: P267 (high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EPSS: 78.09% (99.5th percentile)
Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8 allow remote attackers to execute arbitrary code via a crafted packet, related to (1) the crypto_recv function when the Autokey Authentication feature is used, (2) the ctl_putdata function, and (3) the configure function.

Affected

5 ranges

Vendor | Product  | Version range                                 | Fixed in
cisco  | products | (none listed)                                 | (none listed)
debian | ntp      | < ntp 1:4.2.6.p5+dfsg-3.2 (bullseye)          | ntp 1:4.2.6.p5+dfsg-3.2 (bullseye)
ntp    | ntp      | <= 4.2.7                                      | 4.2.8
ntp    | ntp      | >= 0 < 1:4.2.6.p5+dfsg-3.2                    | 1:4.2.6.p5+dfsg-3.2
ntp    | ntp      | >= 0 < 1:4.2.6.p5+dfsg-3ubuntu2.14.04.1       | 1:4.2.6.p5+dfsg-3ubuntu2.14.04.1
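
The upstream range above stops at 4.2.7 because the fix shipped in ntp 4.2.8. As an added example (not from this page or the NTP project), the following Python parses the version string that `ntpd --version` prints, or that `ntpq -c rv` returns in its version= field, and compares it against 4.2.8, handling the pN suffix so that 4.2.7p485 sorts below 4.2.8 and 4.2.8p15 above it. The banners are constructed samples. Caveat: distribution builds such as Debian's 1:4.2.6.p5+dfsg-3.2 still report 4.2.6p5 after the backported fix, so for packaged ntpd the package version in the table above is authoritative, not this check.

```python
import re

# Upstream fix for CVE-2014-9295 is ntp 4.2.8 (no p-level); everything below it,
# including every 4.2.7pNNN development build, matches the page's "<= 4.2.7" range.
FIXED_UPSTREAM = (4, 2, 8, 0)

# ntp release numbering: MAJOR.MINOR.PATCH optionally followed by pN, e.g. 4.2.6p5, 4.2.8.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:p(\d+))?\b")

# Constructed sample banners in the shape `ntpd --version` / `ntpq -c rv` produce,
# mapped to whether an unpatched upstream build with that version is affected.
SAMPLE_BANNERS = {
    "ntpd 4.2.6p5@1.2349-o Fri Dec 19 10:00:00 UTC 2014 (1)": True,   # affected
    "ntpd 4.2.7p485@1.2483 Sat Dec 20 00:00:00 UTC 2014 (1)": True,   # dev build, affected
    "ntpd 4.2.8@1.3265-o Sat Dec 20 00:00:00 UTC 2014 (1)": False,    # first fixed release
    'version="ntpd 4.2.8p15@1.3728-o Tue Jun 23 00:00:00 UTC 2020 (1)"': False,
}


def parse_ntpd_version(banner: str):
    """Return (major, minor, patch, plevel) from an ntpd version banner, or None.

    Build id, date and platform after '@' are ignored; a missing pN counts as 0,
    which is what makes 4.2.8 sort above 4.2.7p485 and below 4.2.8p1.
    """
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def is_affected_upstream(banner: str) -> bool:
    """True if the banner names an upstream ntpd older than 4.2.8.

    Only meaningful for upstream builds: distro packages backport the fix without
    changing the reported version (e.g. Debian 1:4.2.6.p5+dfsg-3.2 reports 4.2.6p5).
    """
    version = parse_ntpd_version(banner)
    if version is None:
        raise ValueError(f"no ntp version found in {banner!r}")
    return version < FIXED_UPSTREAM


def check_samples() -> bool:
    """Classify every constructed banner; True if all match the expected verdict."""
    return all(is_affected_upstream(b) == expected for b, expected in SAMPLE_BANNERS.items())


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print("affected" if is_affected_upstream(banner) else "fixed   ", banner)
```

Feed it the raw output of `ntpd --version` on the host, or the version= value from a remote `ntpq -c rv` where control queries are permitted; for Debian or Ubuntu packages compare `dpkg -s ntp` against the fixed package versions in the table instead.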

Detection & IOCs (extracted from sources)

port: udp/123 (NTP; ntpd listens on UDP only)
port: tcp/123 (IANA registration for NTP; ntpd does not listen on TCP)
  • Three vulnerable functions in ntpd, each a stack-based buffer overflow triggered by a crafted packet: crypto_recv() (Autokey path), ctl_putdata() (mode 6 control-response path) and configure() (runtime configuration path).
  • crypto_recv() is only reachable in non-default configurations where Autokey Authentication is active (a 'crypto pw' or equivalent 'crypto' directive in ntp.conf); a remote attacker then needs only to send a crafted packet.
  • ctl_putdata() is exploitable only by local attackers in default configurations, because the distribution default restrict lines (noquery) refuse control queries from remote hosts; configure() additionally requires authentication. Focus remote detection effort on the crypto_recv() path.
  • Successful exploitation runs arbitrary code with the privileges of the ntpd process: root where ntpd is not started with -u, or the dedicated ntp user on Debian, Ubuntu and Red Hat builds, which start ntpd with -u ntp:ntp and keep only the capabilities needed to set the clock. Monitor for unexpected child processes spawned by ntpd and for privilege escalation originating from it.
  • On Ubuntu the ntpd AppArmor profile provides containment; alert on AppArmor denials from ntpd as a possible exploitation indicator.
  • Red Hat mitigation: add restrict lines to /etc/ntp.conf to limit server-type functionality to localhost. This does not fully remediate the issue but reduces the attack surface.
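
The configuration and log conditions in the list above, as an added example in Python (not from this page, Red Hat, Ubuntu or the NTP project). audit_ntp_conf() flags the two settings that decide how much of this CVE is reachable remotely: a 'crypto' directive (Autokey, so crypto_recv() is exposed) and the absence of 'noquery' on the 'restrict default' line (so mode 6 control queries, the ctl_putdata() path, are answered for any host). ntpd_apparmor_denials() pulls AppArmor denials raised against the ntpd profile out of syslog text. The two ntp.conf fragments and the syslog lines are constructed samples; the mitigated fragment follows the Red Hat restrict-line advice above, and the 'crypto pw' password is a placeholder.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: Autokey on, no restrict lines. crypto_recv() is reachable by
# any peer and control queries (ctl_putdata() path) are answered for anyone.
WEAK_NTP_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
crypto pw hunter2          # Autokey enabled (placeholder password)
"""

# Constructed sample following the Red Hat mitigation quoted on this page:
# still serves time, but refuses queries, runtime changes and peering
# from everything except localhost.
MITIGATED_NTP_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

# Constructed syslog lines: normal ntpd chatter, an AppArmor denial for the ntpd
# profile trying to exec a shell, and an unrelated denial that must be ignored.
SAMPLE_SYSLOG = """\
Dec 20 10:00:01 ntp1 ntpd[1234]: Listen normally on 2 eth0 192.0.2.10 UDP 123
Dec 20 10:00:07 ntp1 kernel: audit: type=1400 apparmor="DENIED" operation="exec" profile="/usr/sbin/ntpd" name="/bin/sh" pid=1234 comm="ntpd" requested_mask="x" denied_mask="x"
Dec 20 10:00:09 ntp1 kernel: audit: type=1400 apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=999 comm="cupsd" requested_mask="r" denied_mask="r"
"""


@dataclass
class NtpConfFindings:
    autokey_enabled: bool
    default_restrict_flags: list      # flags on 'restrict [-4|-6] default'; [] if absent
    remote_queries_allowed: bool
    issues: list = field(default_factory=list)


def _directives(conf_text):
    """Yield each non-empty ntp.conf line as a token list, '#' comments stripped."""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            yield line.split()


def audit_ntp_conf(conf_text: str) -> NtpConfFindings:
    autokey = False
    default_flags = None
    for toks in _directives(conf_text):
        if toks[0] == "crypto":
            autokey = True
        elif toks[0] == "restrict":
            rest = toks[1:]
            if rest and rest[0] in ("-4", "-6"):
                rest = rest[1:]
            if rest and rest[0] == "default":
                default_flags = (default_flags or []) + rest[1:]
    # Without any 'restrict default' line ntpd answers mode 6 queries from every
    # host; 'noquery' is the flag that confines the ctl_putdata() path to local clients.
    remote_queries = default_flags is None or "noquery" not in default_flags
    findings = NtpConfFindings(autokey, default_flags or [], remote_queries)
    if autokey:
        findings.issues.append("Autokey enabled ('crypto' directive): crypto_recv() overflow reachable remotely")
    if remote_queries:
        findings.issues.append("no 'restrict default ... noquery': ctl_putdata() path reachable from any host")
    return findings


_APPARMOR_RE = re.compile(
    r'apparmor="DENIED".*?operation="(?P<op>[^"]+)".*?profile="(?P<profile>[^"]+)".*?name="(?P<name>[^"]+)"'
)


def ntpd_apparmor_denials(log_text: str):
    """Return (operation, target) for each AppArmor denial against the ntpd profile."""
    hits = []
    for line in log_text.splitlines():
        m = _APPARMOR_RE.search(line)
        if m and m.group("profile").endswith("/ntpd"):
            hits.append((m.group("op"), m.group("name")))
    return hits


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_NTP_CONF), ("mitigated", MITIGATED_NTP_CONF)):
        print(name, audit_ntp_conf(conf).issues or ["no issues"])
    print("ntpd AppArmor denials:", ntpd_apparmor_denials(SAMPLE_SYSLOG))
```

Run audit_ntp_conf() over the real /etc/ntp.conf to decide whether the remotely reachable crypto_recv() path applies to a host; an 'exec' denial against the ntpd profile, as in the sample, is exactly the child-process indicator the list above asks for.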

CVSS provenance

nvd:           CVSS v2.0 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
osv:           7.5 HIGH
vendor_cisco:  7.5 HIGH
vendor_debian: 7.5 HIGH
vendor_redhat: 7.5 HIGH
vendor_ubuntu: 7.5 HIGH