This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.
The remote NTP server is affected by multiple vulnerabilities.
The version of the remote NTP server is 4.x prior to 4.2.8p1. It is,
therefore, affected by the following vulnerabilities :
- A security weakness exists due to the config_auth() function improperly generating default keys when no authentication key is defined in the ntp.conf file. Key size is limited to 31 bits and the insecure ntp_random() function is used, resulting in cryptographically weak keys with insufficient entropy. A remote attacker can exploit this to defeat cryptographic protection mechanisms via a brute-force attack.
- A security weakness exists due to the use of a weak seed to prepare a random number generator used to generate symmetric keys. This allows a remote attacker to defeat cryptographic protection mechanisms via a brute-force
- Multiple stack-based buffer overflow conditions exist due to improper validation of user-supplied input when handling packets in the crypto_recv(), ctl_putdata(), and configure() functions when using autokey authentication. A remote attacker can exploit this, via a specially crafted packet, to cause a denial of service condition or the execution of arbitrary code.
- An unspecified vulnerability exists due to missing return statements in the receive() function, resulting in continued processing even when an authentication error is encountered. This allows a remote attacker, via specially crafted packets, to trigger unintended association changes. (CVE-2014-9296)
- An information disclosure vulnerability exists due to improper validation of the 'vallen' value in extension fields in ntp_crypto.c. A remote attacker can exploit this to disclose sensitive information. (CVE-2014-9750)
- A security bypass vulnerability exists due to a failure to restrict ::1 source addresses on IPv6 interfaces. A remote attacker can exploit this to bypass configured ACLs based on ::1. (CVE-2014-9751)
Note that CVE-2014-9750 and CVE-2014-9751 supersede the discontinued
identifiers CVE-2014-9297 and CVE-2014-9298, which were originally
cited in the vendor advisory.
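An added example, not code from the Nessus plugin: a small Python check that applies the version boundary stated above (4.x earlier than 4.2.8p1, with a missing 'pN' suffix treated as patch 0) and audits a constructed ntp.conf for the two configuration-dependent points, an absent `keys` directive (assumed here to be how an authentication key is defined, which is what triggers the config_auth() default-key path) and restrict entries that grant trust to ::1.

```python
import re

FIXED = (4, 2, 8, 1)  # first fixed release, 4.2.8p1


def parse_ntp_version(s):
    """Parse '4.2.8p1', '4.2.7p446' or '4.2.8' into (major, minor, point, patch).
    A missing 'pN' suffix counts as patch 0, so 4.2.8 sorts before 4.2.8p1."""
    m = re.match(r'^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?', s.strip())
    if not m:
        raise ValueError("unrecognised NTP version: %r" % s)
    major, minor, point, patch = m.groups()
    return (int(major), int(minor), int(point), int(patch or 0))


def is_affected(s):
    """True when the version is 4.x and earlier than 4.2.8p1."""
    v = parse_ntp_version(s)
    return v[0] == 4 and v < FIXED


def audit_ntp_conf(conf_text):
    """Return a list of findings for an ntp.conf running on an affected ntpd."""
    findings = []
    has_keys = False
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        words = line.split()
        if words[0] == 'keys':  # assumption: 'keys' is how an auth key is defined
            has_keys = True
        if words[0] == 'restrict' and '::1' in words:
            findings.append("restrict entry trusts ::1; not enforceable before "
                            "4.2.8p1 (CVE-2014-9751): %s" % line)
    if not has_keys:
        findings.append("no 'keys' directive: pre-4.2.8p1 ntpd generates a weak "
                        "31-bit default key in config_auth()")
    return findings


# Constructed sample configuration (not taken from any real host).
SAMPLE_CONF = """\
# constructed sample ntp.conf
driftfile /var/lib/ntp/ntp.drift
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
server ntp.example.com iburst
"""

if __name__ == "__main__":
    for ver in ("4.2.7p446", "4.2.8", "4.2.8p1"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    for f in audit_ntp_conf(SAMPLE_CONF):
        print("finding:", f)
```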
Upgrade to NTP version 4.2.8p1 or later.
Risk factor : High
CVSS Base Score : 7.5
CVSS Temporal Score : 6.5
Public Exploit Available : false
Nessus Plugin ID: 81981