Network Time Protocol Daemon (ntpd) 4.x < 4.2.8p1 Multiple Vulnerabilities

High Nessus Plugin ID 81981

New! Vulnerability Priority Rating (VPR)

Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.

VPR Score: 6.7


The remote NTP server is affected by multiple vulnerabilities.


The version of the remote NTP server is 4.x prior to 4.2.8p1. It is, therefore, affected by the following vulnerabilities :

- A security weakness exists due to the config_auth() function improperly generating default keys when no authentication key is defined in the ntp.conf file.
Key size is limited to 31 bits and the insecure ntp_random() function is used, resulting in cryptographically-weak keys with insufficient entropy. A remote attacker can exploit this to defeat cryptographic protection mechanisms via a brute-force attack.

- A security weakness exists due the use of a weak seed to prepare a random number generator used to generate symmetric keys. This allows a remote attacker to defeat cryptographic protection mechanisms via a brute-force attack. (CVE-2014-9294)

- Multiple stack-based buffer overflow conditions exist due to improper validation of user-supplied input when handling packets in the crypto_recv(), ctl_putdata(), and configure() functions when using autokey authentication. A remote attacker can exploit this, via a specially crafted packet, to cause a denial of service condition or the execution of arbitrary code.

- A unspecified vulnerability exists due to missing return statements in the receive() function, resulting in continued processing even when an authentication error is encountered. This allows a remote attacker, via specially crafted packets, to trigger unintended association changes. (CVE-2014-9296)

- An information disclosure vulnerability exists due to improper validation of the 'vallen' value in extension fields in ntp_crypto.c. A remote attacker can exploit this to disclose sensitive information. (CVE-2014-9750)

- A security bypass vulnerability exists due to a failure to restrict ::1 source addresses on IPv6 interfaces. A remote attacker can exploit this to bypass configured ACLs based on ::1. (CVE-2014-9751)

Note that CVE-2014-9750 and CVE-2014-9751 supersede the discontinued identifiers CVE-2014-9297 and CVE-2014-9298, which were originally cited in the vendor advisory.


Upgrade to NTP version 4.2.8p1 or later.

See Also

Plugin Details

Severity: High

ID: 81981

File Name: ntp_4_2_8.nasl

Version: 1.10

Type: remote

Family: Misc.

Published: 2015/03/20

Updated: 2018/07/16

Dependencies: 10884

Configuration: Enable paranoid mode

Risk Information

Risk Factor: High

VPR Score: 6.7

CVSS v2.0

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:ntp:ntp

Required KB Items: NTP/Running, Settings/ParanoidReport

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2014/12/19

Vulnerability Publication Date: 2014/12/19

Reference Information

CVE: CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296, CVE-2014-9750, CVE-2014-9751

BID: 71757, 71758, 71761, 71762, 72583, 72584

CERT: 852879