// For flags

CVE-2014-9295

ntp: Multiple buffer overflows via specially-crafted packets

Severity Score

8.1
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

4
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Multiple stack-based buffer overflows in ntpd in NTP before 4.2.8 allow remote attackers to execute arbitrary code via a crafted packet, related to (1) the crypto_recv function when the Autokey Authentication feature is used, (2) the ctl_putdata function, and (3) the configure function.

Múltiples desbordamientos de buffer en ntpd en NTP anterior a 4.2.8, permite a atacantes remotos la ejecución de código arbitrario mediante un paquete manipulado, relacionado con (1) la función crypto_recv cuando se utiliza la característica Autokey Authentication, (2) la función ctl_putdata y (3) la función de configuración.

Multiple buffer overflow flaws were discovered in ntpd's crypto_recv(), ctl_putdata(), and configure() functions. A remote attacker could use either of these flaws to send a specially crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the ntp user. Note: the crypto_recv() flaw requires non default configurations to be active, while the ctl_putdata() flaw, by default, can only be exploited via local attackers, and the configure() flaw requires additional authentication to exploit.

If no authentication key is defined in the ntp.conf file, a cryptographically-weak default key is generated. ntp-keygen before 4.2.7p230 uses a non-cryptographic random number generator with a weak seed to generate symmetric keys. A remote unauthenticated attacker may craft special packets that trigger buffer overflows in the ntpd functions crypto_recv() (when using autokey authentication), ctl_putdata(), and configure(). The resulting buffer overflows may be exploited to allow arbitrary malicious code to be executed with the privilege of the ntpd process. A section of code in ntpd handling a rare error is missing a return statement, therefore processing did not stop when the error was encountered. This situation may be exploitable by an attacker. Stephen Roettger of the Google Security Team, Sebastian Krahmer of the SUSE Security Team and Harlan Stenn of Network Time Foundation discovered that the length value in extension fields is not properly validated in several code paths in ntp_crypto.c, which could lead to information leakage or denial of service. Stephen Roettger of the Google Security Team reported that ACLs based on IPv6 ::1 addresses can be bypassed. The ntp package has been patched to fix these issues.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Network
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2014-12-05 CVE Reserved
  • 2014-12-20 CVE Published
  • 2020-06-02 First Exploit
  • 2024-08-06 CVE Updated
  • 2025-03-18 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CAPEC
References (31)
URL Tag Source
http://advisories.mageia.org/MGASA-2014-0541.html X_refsource_confirm
http://bugs.ntp.org/show_bug.cgi?id=2667 X_refsource_confirm
http://bugs.ntp.org/show_bug.cgi?id=2668 X_refsource_confirm
http://bugs.ntp.org/show_bug.cgi?id=2669 X_refsource_confirm
http://secunia.com/advisories/62209 Third Party Advisory
http://www.kb.cert.org/vuls/id/852879 Third Party Advisory
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html X_refsource_confirm
http://www.securityfocus.com/bid/71761 Vdb Entry
http://www1.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-417665.htm X_refsource_confirm
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04790232 X_refsource_confirm
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04916783 X_refsource_confirm
https://help.ecostruxureit.com/display/public/UADCO8x/StruxureWare+Data+Center+Operation+Software+Vulnerability+Fixes X_refsource_confirm
https://kc.mcafee.com/corporate/index?page=content&id=SB10103 X_refsource_confirm
https://www.arista.com/en/support/advisories-notices/security-advisories/1047-security-advisory-8 X_refsource_misc
URL Date SRC
https://github.com/MacMiniVault/NTPUpdateSnowLeopard 2020-06-02
http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548acc4dN1TbM1tRJrbPcA4yc1aTdA 2024-08-06
http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548acdf3tUSFizXcv_X4b77Jt_Y-cg 2024-08-06
http://bk1.ntp.org/ntp-dev/?PAGE=patch&REV=548acf55dxKfhb6MuYQwzu8eDlS97g 2024-08-06
URL Date SRC
URL Date SRC
http://lists.opensuse.org/opensuse-security-announce/2014-12/msg00020.html 2021-11-17
http://marc.info/?l=bugtraq&m=142469153211996&w=2 2021-11-17
http://marc.info/?l=bugtraq&m=142590659431171&w=2 2021-11-17
http://marc.info/?l=bugtraq&m=142853370924302&w=2 2021-11-17
http://marc.info/?l=bugtraq&m=144182594518755&w=2 2021-11-17
http://rhn.redhat.com/errata/RHSA-2014-2025.html 2021-11-17
http://rhn.redhat.com/errata/RHSA-2015-0104.html 2021-11-17
http://support.ntp.org/bin/view/Main/SecurityNotice 2021-11-17
http://www.mandriva.com/security/advisories?name=MDVSA-2015:003 2021-11-17
https://bugzilla.redhat.com/show_bug.cgi?id=1176037 2015-01-28
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141222-ntpd 2021-11-17
https://access.redhat.com/security/cve/CVE-2014-9295 2015-01-28
https://access.redhat.com/articles/1305723 2015-01-28
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Ntp
Search vendor "Ntp"
 Ntp
Search vendor "Ntp" for product "Ntp"
 <= 4.2.7
Search vendor "Ntp" for product "Ntp" and version " <= 4.2.7"
-
Affected