CVE-2014-9750 — Improper Input Validation in NTP

CWE-20 — Improper Input Validation12 documents8 sources

Severity

5.8MEDIUMNVD

EPSS

4.4%

top 10.95%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

NTP Debian Linux Oracle Linux +3 more

Timeline

PublishedOct 6

Latest updateMay 13

Description

ntp_crypto.c in ntpd in NTP 4.x before 4.2.8p1, when Autokey Authentication is enabled, allows remote attackers to obtain sensitive information from process memory or cause a denial of service (daemon crash) via a packet containing an extension field with an invalid value for the length of its value field.

CVSS vector

AV:N/AC:M/C:P/I:N/A:PExploitability: 8.6 | Impact: 4.9

Affected Packages6 packages

▶NVDntp/ntp4.2.0 — 4.2.8+1

▶Debianntp/ntp< 1:4.2.6.p5+dfsg-5

▶NVDoracle/linux7

▶NVDredhat/enterprise_linux_server6.0

▶NVDredhat/enterprise_linux_desktop6.0

Also affects: Debian Linux 7.0, 8.0, 9.0

Patches

Patch: bugs.ntp.org ↗Patch: bugzilla.redhat.com ↗Patch: bugs.ntp.org ↗

🔴Vulnerability Details

GHSA

GHSA-2cf6-qqmm-m55v: ntp_crypto↗2022-05-13

▶

OSV

CVE-2014-9750: ntp_crypto↗2015-10-06

▶

CVEList

CVE-2014-9750: ntp_crypto↗2015-10-04

▶

📋Vendor Advisories

BSD

FreeBSD-SA-15:25.ntp: Multiple vulnerabilities of ntp [REVISED]↗2015-10-26

▶

Red Hat

ntp: incomplete checks in ntp_crypto.c↗2015-10-21

▶

Red Hat

ntp: incomplete checks in ntp_crypto.c↗2015-10-21

▶

Red Hat

ntp: incomplete checks in ntp_crypto.c↗2015-10-21

▶

Red Hat

ntp: vallen in extension fields are not validated↗2015-02-04

▶

💬Community

Bugzilla

CVE-2015-7691 CVE-2015-7692 CVE-2015-7702 ntp: incomplete checks in ntp_crypto.c↗2015-10-22

▶

Bugzilla

CVE-2014-9297 CVE-2014-9750 ntp: vallen in extension fields are not validated↗2015-01-21

▶