Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : ntp vulnerabilities (USN-2449-1)

Ubuntu Security Notice (C) 2014-2016 Canonical, Inc. / NASL script (C) 2014-2016 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing a security-related patch.

Description :

Neel Mehta discovered that NTP generated weak authentication keys. A
remote attacker could possibly use this issue to brute force the
authentication key and send requests if permitted by IP restrictions.
(CVE-2014-9293)

Stephen Roettger discovered that NTP generated weak MD5 keys. A remote
attacker could possibly use this issue to brute force the MD5 key and
spoof a client or server. (CVE-2014-9294)

Stephen Roettger discovered that NTP contained buffer overflows in the
crypto_recv(), ctl_putdata() and configure() functions. In non-default
configurations, a remote attacker could use these issues to cause NTP
to crash, resulting in a denial of service, or possibly execute
arbitrary code. The default compiler options for affected releases
should reduce the vulnerability to a denial of service. In addition,
attackers would be isolated by the NTP AppArmor profile.
(CVE-2014-9295)

Stephen Roettger discovered that NTP incorrectly continued processing
when handling certain errors. (CVE-2014-9296).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected ntp package.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.5
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 80218

Bugtraq ID: 71757, 71758, 71761, 71762

CVE ID: CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296
